Edit tour

Windows Analysis Report
WgnsGjhA3P.exe

Overview

General Information

Sample name:	WgnsGjhA3P.exe renamed because original name is a hash value
Original sample name:	7766c46c93d028e2e11517cfcf797fbb.exe
Analysis ID:	1585664
MD5:	7766c46c93d028e2e11517cfcf797fbb
SHA1:	147b40c5fe1e860d77c7e02a0c986cb1eaac3ceb
SHA256:	52e5833f1dedcc6f05d9585c6b4b52bab86c592061eddf38356492373583f8a0
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

Sample is not signed and drops a device driver

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates driver files

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

WgnsGjhA3P.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\WgnsGjhA3P.exe" MD5: 7766C46C93D028E2E11517CFCF797FBB)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WgnsGjhA3P.exe	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: WgnsGjhA3P.exe PID: 7604	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WgnsGjhA3P.exe.7ff61b730000.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.0.WgnsGjhA3P.exe.7ff61b730000.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 192.238.134.52, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Users\user\Desktop\WgnsGjhA3P.exe, Initiated: true, ProcessId: 7604, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T00:12:01.585527+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	192.238.134.52	4433	TCP
2025-01-08T00:13:08.671511+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	192.238.134.52	4433	TCP
2025-01-08T00:14:17.530330+0100	2052875	1	A Network Trojan was detected	192.168.2.4	50003	192.238.134.52	10443	TCP
2025-01-08T00:15:24.190279+0100	2052875	1	A Network Trojan was detected	192.168.2.4	50006	192.238.134.52	4433	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: WgnsGjhA3P.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: WgnsGjhA3P.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73F410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF61B73F410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B763EF0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF61B763EF0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B7362F0 gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_00007FF61B7362F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 192.238.134.52:4433
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50003 -> 192.238.134.52:10443
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50006 -> 192.238.134.52:4433

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US

Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B733B00 select,recv,timeGetTime,

0_2_00007FF61B733B00

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: [esc]

0_2_00007FF61B73ADB0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B740E20 _invalid_parameter_noinfo_noreturn,lstrlenW,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF61B740E20

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B740E20

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B740E20

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B73FD10 GetVersion,GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,_invalid_parameter_noinfo_noreturn,

0_2_00007FF61B73FD10

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B737250 MultiByteToWideChar,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CreateMutexExW,GetLastError,Sleep,CreateMutexW,GetLastError,lstrlenW,lstrcmpW,SleepEx,GetModuleHandleW,GetConsoleWindow,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_00007FF61B737250

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B74C2E0: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,

0_2_00007FF61B74C2E0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73E4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF61B73E4EE
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73E46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF61B73E46D
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73E3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF61B73E3E9

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B731500	0_2_00007FF61B731500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74B500	0_2_00007FF61B74B500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73FD10	0_2_00007FF61B73FD10
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73F410	0_2_00007FF61B73F410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B758C10	0_2_00007FF61B758C10
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B7362F0	0_2_00007FF61B7362F0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B737250	0_2_00007FF61B737250
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B7379E0	0_2_00007FF61B7379E0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B738040	0_2_00007FF61B738040
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74AD80	0_2_00007FF61B74AD80
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B761DA8	0_2_00007FF61B761DA8
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75A4F8	0_2_00007FF61B75A4F8
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75C51C	0_2_00007FF61B75C51C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B765D34	0_2_00007FF61B765D34
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75FD30	0_2_00007FF61B75FD30
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75AC80	0_2_00007FF61B75AC80
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73B410	0_2_00007FF61B73B410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73D410	0_2_00007FF61B73D410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B757340	0_2_00007FF61B757340
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75B350	0_2_00007FF61B75B350
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75536C	0_2_00007FF61B75536C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B739320	0_2_00007FF61B739320
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75D320	0_2_00007FF61B75D320
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B749250	0_2_00007FF61B749250
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75F21C	0_2_00007FF61B75F21C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B756228	0_2_00007FF61B756228
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B76714C	0_2_00007FF61B76714C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B755168	0_2_00007FF61B755168
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B7478F0	0_2_00007FF61B7478F0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B740900	0_2_00007FF61B740900
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B762024	0_2_00007FF61B762024
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B756F3C	0_2_00007FF61B756F3C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B762744	0_2_00007FF61B762744
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B754F5C	0_2_00007FF61B754F5C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B763760	0_2_00007FF61B763760
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75577C	0_2_00007FF61B75577C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B7397A0	0_2_00007FF61B7397A0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B742EC0	0_2_00007FF61B742EC0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B763EF0	0_2_00007FF61B763EF0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B732E50	0_2_00007FF61B732E50
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B75F6B0	0_2_00007FF61B75F6B0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73CD40	0_2_00007FF61B73CD40
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B754D58	0_2_00007FF61B754D58
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B755578	0_2_00007FF61B755578
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B768584	0_2_00007FF61B768584
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74A5A0	0_2_00007FF61B74A5A0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B7565AC	0_2_00007FF61B7565AC
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73ADB0	0_2_00007FF61B73ADB0

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74B500 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF61B74B500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73E4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF61B73E4EE
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73E46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF61B73E46D
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73E3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF61B73E3E9
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B739320 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,	0_2_00007FF61B739320

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B7362F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B73F410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,

0_2_00007FF61B73F410

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B7362F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Mutant created: \Sessions\1\BaseNamedObjects\????

Source: WgnsGjhA3P.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WgnsGjhA3P.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: WgnsGjhA3P.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: WgnsGjhA3P.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: WgnsGjhA3P.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B74B500 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,

0_2_00007FF61B74B500

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B73E36A OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_00007FF61B73E36A

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE VenkernalData_info

Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-22187

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B7362F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Window / User API: threadDelayed 1271	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Window / User API: threadDelayed 3258	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Window / User API: threadDelayed 4888	Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-22042

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 7664	Thread sleep count: 1271 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 7664	Thread sleep time: -1271000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 7688	Thread sleep count: 3258 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 7688	Thread sleep time: -32580s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 7664	Thread sleep count: 4888 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 7664	Thread sleep time: -4888000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B73F410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF61B73F410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B763EF0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF61B763EF0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B7362F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B7362F0

Source: WgnsGjhA3P.exe, 00000000.00000002.4113113501.000001A31230C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B74B500

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B74C70C GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF61B74C70C

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B7362F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B74B500

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B738690 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

0_2_00007FF61B738690

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74BCD0 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00007FF61B74BCD0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74B500 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF61B74B500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B753A6C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF61B753A6C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74E8E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF61B74E8E0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74E6F4 SetUnhandledExceptionFilter,	0_2_00007FF61B74E6F4
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF61B74E54C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF61B74E54C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B739320 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_00007FF61B739320

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B739320

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_00007FF61B739320

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B74B500

Source: WgnsGjhA3P.exe, 00000000.00000002.4113113501.000001A31238E000.00000004.00000020.00020000.00000000.sdmp, WgnsGjhA3P.exe, 00000000.00000003.3736336309.000001A3123AC000.00000004.00000020.00020000.00000000.sdmp, WgnsGjhA3P.exe, 00000000.00000003.3736336309.000001A31238E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: WgnsGjhA3P.exe, 00000000.00000002.4113113501.000001A3123BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B76C8C0 cpuid

0_2_00007FF61B76C8C0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,	0_2_00007FF61B7362F0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,	0_2_00007FF61B760D10
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF61B767BA0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,	0_2_00007FF61B767B08
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,	0_2_00007FF61B767A38
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF61B768124
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,	0_2_00007FF61B760838
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,	0_2_00007FF61B767FF0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF61B767F40
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF61B7676DC
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,	0_2_00007FF61B767DE8

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B74B500

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF61B761DA8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF61B761DA8

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF61B73FD10

Source: WgnsGjhA3P.exe, 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmp, WgnsGjhA3P.exe, 00000000.00000000.1655178184.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: KSafeTray.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: WgnsGjhA3P.exe, type: SAMPLE
Source: Yara match	File source: 0.2.WgnsGjhA3P.exe.7ff61b730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.WgnsGjhA3P.exe.7ff61b730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: WgnsGjhA3P.exe PID: 7604, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: WgnsGjhA3P.exe, type: SAMPLE
Source: Yara match	File source: 0.2.WgnsGjhA3P.exe.7ff61b730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.WgnsGjhA3P.exe.7ff61b730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: WgnsGjhA3P.exe PID: 7604, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 Windows Service	1 Access Token Manipulation	1 Modify Registry	121 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Windows Service	1 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	121 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	211 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Indicator Removal	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WgnsGjhA3P.exe	50%	ReversingLabs	Win64.Backdoor.GhostRAT

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.238.134.52	unknown	United States		395954	LEASEWEB-USA-LAX-11US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585664
Start date and time:	2025-01-08 00:11:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WgnsGjhA3P.exe renamed because original name is a hash value
Original Sample Name:	7766c46c93d028e2e11517cfcf797fbb.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 44 Number of non-executed functions: 118
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: WgnsGjhA3P.exe

Simulations

Behavior and APIs

Time	Type	Description
18:12:29	API Interceptor	6261546x Sleep call for process: WgnsGjhA3P.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-USA-LAX-11US	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	23.83.76.85
	fuckunix.sh4.elf	Get hash	malicious	Mirai	Browse	23.85.171.227
	armv7l.elf	Get hash	malicious	Unknown	Browse	23.83.17.216
	f3fBEUL66b.exe	Get hash	malicious	GhostRat	Browse	192.238.134.113
	f3fBEUL66b.exe	Get hash	malicious	GhostRat	Browse	192.238.134.113
	nabarm7.elf	Get hash	malicious	Unknown	Browse	23.84.102.105
	52C660192933BE09807FC4895F376764A2BE35AA68567819BB854E83CF5F9E5C.dll	Get hash	malicious	Unknown	Browse	192.238.132.206
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.87.203.7
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	108.187.71.205
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	23.87.103.174

Process:	C:\Users\user\Desktop\WgnsGjhA3P.exe
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	2.6616157143988106
Encrypted:	false
SSDEEP:	3:tblM6lEjln:tbhEZn
MD5:	AE50B29A0B8DCC411F24F1863B0EAFDE
SHA1:	D415A55627B1ADED8E4B2CBBA402F816B0461155
SHA-256:	6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68
SHA-512:	D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.060388863278636
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WgnsGjhA3P.exe
File size:	389'632 bytes
MD5:	7766c46c93d028e2e11517cfcf797fbb
SHA1:	147b40c5fe1e860d77c7e02a0c986cb1eaac3ceb
SHA256:	52e5833f1dedcc6f05d9585c6b4b52bab86c592061eddf38356492373583f8a0
SHA512:	18c849a8de6220e2109c24352016d82201184738197acf4b8c37999ba36cd6b27540048095d3903212b52c44a064ab57a4f3f9f0dc48e4c042881c4d166e7a8c
SSDEEP:	6144:4KtL0RSVgMoEao8ItdKwzBFdYmT+xmCiRLBVmLhkM:NtwSqEao8It4wlDCxm/qx
TLSH:	1F848E49F79405F8E5678138C9634916EBB27C6D03A09BDF33A4866A2F237D0AD3E711
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A...A...A.......D...............@.......@...Q(..K...Q(..S...Q(..........U.......X...A...m....)..S....)..@...RichA..........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14001e13c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677168BF [Sun Dec 29 15:20:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d7444b6dc7c8cddb50fba5269ad57bce

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FD1C47E65E0h
dec eax
add esp, 28h
jmp 00007FD1C47E5E37h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FD1C47E5FD2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FD1C47E5FD5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FD1C47E5FCDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FD1C47E5FDAh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00036E59h]
jne 00007FD1C47E5FD2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FD1C47E5FC3h
ret
dec eax
ror ecx, 10h
jmp 00007FD1C47E66DBh
int3
int3
dec eax
mov dword ptr [esp+00h], ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x523b0	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x60000	0x3420	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4c7b0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c980	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4c670	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f000	0x918	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3dbf0	0x3dc00	d3f6189e43bbd290b28f7518c02b76a1	False	0.5461593813259109	data	6.462564110280856	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x1519e	0x15200	6edb872335ad42db6aa2ce85a47a3af5	False	0.4149986131656805	data	4.932101759530432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0xaa6c	0x7c00	b1cb403515f9a2e2bde815147bd596cd	False	0.10622479838709678	DOS executable (block device driver \377\3)	1.5580115815014906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x60000	0x3420	0x3600	20b7b9769859dd90801ea597a1d992be	False	0.4626736111111111	data	5.517914471579984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc80	0xe00	316f5780e4a2c74c1946985bacab1ae4	False	0.4916294642857143	data	5.228910762857474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	QueryDosDeviceW, WriteProcessMemory, GetCommandLineW, GetCurrentProcess, WriteFile, OutputDebugStringA, GetModuleFileNameW, GetProcessId, CreateMutexW, GetLocaleInfoW, LocalAlloc, CreateFileW, GetVersionExW, K32GetProcessImageFileNameW, GetSystemDirectoryW, ResumeThread, GetModuleHandleA, OpenProcess, GetVersion, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, MultiByteToWideChar, Process32NextW, GetDiskFreeSpaceExW, GetSystemDirectoryA, LoadLibraryA, lstrcatW, GlobalAlloc, Process32FirstW, GlobalFree, GetSystemInfo, LoadLibraryW, GetLocalTime, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, FreeLibrary, GetConsoleWindow, lstrcpyW, CreateRemoteThread, CreateProcessA, SetThreadContext, GetModuleFileNameA, GetTickCount, lstrcmpW, GetDriveTypeW, GetExitCodeProcess, SetFilePointer, ReleaseMutex, GlobalSize, DeleteFileW, GlobalLock, GetFileSize, GlobalUnlock, FindFirstFileW, ExpandEnvironmentStringsW, FindClose, GetFileAttributesW, TerminateThread, VirtualProtect, IsBadReadPtr, CreateThread, IsDebuggerPresent, SetUnhandledExceptionFilter, WriteConsoleW, GetCurrentThreadId, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetStartupInfoW, CreateWaitableTimerW, SetWaitableTimer, TryEnterCriticalSection, WideCharToMultiByte, ResetEvent, CreateEventW, lstrlenW, CancelIo, GetNativeSystemInfo, SetLastError, lstrcmpiW, CreateEventA, CloseHandle, SetEvent, Sleep, HeapFree, WaitForSingleObject, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, HeapCreate, GetProcessHeap, DeleteCriticalSection, HeapDestroy, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, VirtualAlloc, VirtualFree, FlsGetValue, FlsAlloc, GetFileType, GetCommandLineA, GetStdHandle, VirtualQuery, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlPcToFileHeader, RtlUnwindEx, lstrcpyA, CreateFileA, GetSystemDefaultLangID, DeviceIoControl, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, CompareStringEx, GetStringTypeW, RaiseException, OutputDebugStringW, SwitchToThread
USER32.dll	MsgWaitForMultipleObjects, GetWindowTextW, wsprintfW, GetForegroundWindow, GetLastInputInfo, GetClipboardData, CloseClipboard, OpenClipboard, GetKeyState, ReleaseDC, GetDesktopWindow, SetClipboardData, ExitWindowsEx, EmptyClipboard, GetSystemMetrics, GetDC, GetInputState, PostThreadMessageA, TranslateMessage, DispatchMessageW, PeekMessageW, ShowWindow
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateDIBSection, SetDIBColorTable, CreateCompatibleDC, StretchBlt, GetDIBits, GetDeviceCaps, GetObjectW, SetStretchBltMode, DeleteObject, DeleteDC
ADVAPI32.dll	OpenProcessToken, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ClearEventLogW, CloseEventLog, OpenEventLogW, LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, RegQueryInfoKeyW, GetSidSubAuthorityCount, GetSidSubAuthority, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, LookupAccountSidW, GetTokenInformation
SHELL32.dll	SHGetFolderPathW
ole32.dll	CreateStreamOnHGlobal, GetHGlobalFromStream, CoInitialize, CoUninitialize, CoCreateInstance
OLEAUT32.dll	SysFreeString
WS2_32.dll	WSASetLastError, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, WSAGetLastError, WSACleanup, WSAIoctl, closesocket, WSACreateEvent, select, WSAStartup, send, socket, connect, recv, htons, setsockopt, inet_ntoa, WSACloseEvent, gethostbyname, gethostname, shutdown
WINMM.dll	timeGetTime
gdiplus.dll	GdipCreateBitmapFromStream, GdipBitmapUnlockBits, GdipCloneImage, GdipAlloc, GdiplusShutdown, GdipDrawImageI, GdipCreateBitmapFromScan0, GdipCreateBitmapFromHBITMAP, GdipGetImageWidth, GdipGetImagePalette, GdipDeleteGraphics, GdipGetImageEncodersSize, GdipGetImageGraphicsContext, GdipFree, GdipGetImagePixelFormat, GdipDisposeImage, GdipSaveImageToStream, GdipBitmapLockBits, GdipGetImagePaletteSize, GdiplusStartup, GdipGetImageHeight, GdipGetImageEncoders
dxgi.dll	CreateDXGIFactory
DINPUT8.dll	DirectInput8Create

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 00:12:00.202624083 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:00.207495928 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:00.207586050 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:00.907207012 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:00.912353992 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:00.912365913 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:00.912373066 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:00.912970066 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:01.453531027 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:01.498518944 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:01.579081059 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:01.585473061 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:01.585485935 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:01.585494995 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:01.585526943 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:01.587110996 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:01.591562986 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:17.483025074 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:17.489440918 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:17.804632902 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:17.857949018 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:34.936197996 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:34.941112041 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:35.256238937 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:35.311120033 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:51.952037096 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:52.264276028 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:12:52.279103994 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:52.279117107 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:52.595305920 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:12:52.639446974 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:08.671510935 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:08.826009989 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:13:09.141424894 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:13:09.186274052 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:24.373775959 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:24.379800081 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:13:24.695079088 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:13:24.748718023 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:39.998878956 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:40.005362034 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:13:40.324783087 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:13:40.373740911 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:55.780076981 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:55.780126095 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:13:55.784955978 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:13:55.785008907 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:00.858652115 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:00.865443945 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:00.865545988 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:01.911205053 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:01.918189049 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:01.918201923 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:01.918210983 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:01.920358896 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:02.495383978 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:02.670469046 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:02.677465916 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:02.677476883 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:02.677488089 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:02.677509069 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:02.679085970 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:02.684648037 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:17.530329943 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:17.532785892 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:17.536575079 CET	10443	50003	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:17.536627054 CET	50003	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:22.608628988 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:22.614841938 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:22.614942074 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:23.587145090 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:23.593871117 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:23.593888998 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:23.593898058 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:23.595498085 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:24.168555975 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:24.276314020 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:24.283138037 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:24.283150911 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:24.283178091 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:24.283190966 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:24.284925938 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:24.289897919 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:39.827176094 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:39.827224016 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:39.834100962 CET	4433	50004	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:39.834156036 CET	50004	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:44.780755997 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:44.786494017 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:44.786582947 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:45.569356918 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:45.575814009 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:45.575828075 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:45.575838089 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:45.577475071 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:46.146478891 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:46.280150890 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:46.303646088 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:46.311610937 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:46.311625004 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:46.311641932 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:46.311659098 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:14:46.314043999 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:14:46.318022013 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:01.124195099 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:01.130754948 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:01.442296028 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:01.577071905 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:17.186532974 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:17.186613083 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:17.191467047 CET	10443	50005	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:17.191550016 CET	50005	10443	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:22.231259108 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:22.237684965 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:22.237838030 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:23.538778067 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:23.632702112 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:23.632863998 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:23.632910967 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:23.632972956 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:23.998034954 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:24.108369112 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:24.185384989 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:24.190228939 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:24.190241098 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:24.190253019 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:24.190279007 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:24.190288067 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:24.195049047 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:38.858520031 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:38.864381075 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:39.174294949 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:39.217792988 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:54.608483076 CET	50006	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:15:54.615223885 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:54.925074100 CET	4433	50006	192.238.134.52	192.168.2.4
Jan 8, 2025 00:15:54.967819929 CET	50006	4433	192.168.2.4	192.238.134.52

Target ID:	0
Start time:	18:11:53
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\WgnsGjhA3P.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WgnsGjhA3P.exe"
Imagebase:	0x7ff61b730000
File size:	389'632 bytes
MD5 hash:	7766C46C93D028E2E11517CFCF797FBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	39.4%
Total number of Nodes:	1053
Total number of Limit Nodes:	42

Executed Functions

Function 00007FF61B7362F0 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32 ref: 00007FF61B736394
gethostbyname.WS2_32 ref: 00007FF61B73639E
inet_ntoa.WS2_32 ref: 00007FF61B7363BB
inet_ntoa.WS2_32 ref: 00007FF61B73640B
MultiByteToWideChar.KERNEL32 ref: 00007FF61B736469
MultiByteToWideChar.KERNEL32 ref: 00007FF61B73648D
GetLastInputInfo.USER32 ref: 00007FF61B7364A5
GetTickCount.KERNEL32 ref: 00007FF61B7364AB
wsprintfW.USER32 ref: 00007FF61B7364DE
MultiByteToWideChar.KERNEL32 ref: 00007FF61B73651F
LoadLibraryW.KERNEL32 ref: 00007FF61B73652C
GetProcAddress.KERNEL32 ref: 00007FF61B736548
RegOpenKeyExW.KERNEL32 ref: 00007FF61B7365ED
RegQueryValueExW.KERNEL32 ref: 00007FF61B736618
RegCloseKey.KERNEL32 ref: 00007FF61B736645
FreeLibrary.KERNEL32 ref: 00007FF61B736656
GetSystemInfo.KERNEL32 ref: 00007FF61B73666F
wsprintfW.USER32 ref: 00007FF61B736687
GetDriveTypeW.KERNEL32 ref: 00007FF61B7366B6
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF61B7366D9
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF61B73671D
GetForegroundWindow.USER32 ref: 00007FF61B736799
GetWindowTextW.USER32 ref: 00007FF61B7367B4
lstrlenW.KERNEL32 ref: 00007FF61B7367C4
GetLocalTime.KERNEL32 ref: 00007FF61B736803
wsprintfW.USER32 ref: 00007FF61B73681D
MultiByteToWideChar.KERNEL32 ref: 00007FF61B7364FB

Part of subcall function 00007FF61B7587A0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7587C6

lstrlenW.KERNEL32 ref: 00007FF61B736845
GetModuleHandleW.KERNEL32 ref: 00007FF61B73688E
GetProcAddress.KERNEL32 ref: 00007FF61B73689E
GetNativeSystemInfo.KERNEL32 ref: 00007FF61B7368AD
GetSystemInfo.KERNEL32 ref: 00007FF61B7368B1
wsprintfW.USER32 ref: 00007FF61B7368F8
GetCurrentProcessId.KERNEL32 ref: 00007FF61B73690D
OpenProcess.KERNEL32 ref: 00007FF61B73692B
K32GetProcessImageFileNameW.KERNEL32 ref: 00007FF61B73694D
GetLogicalDriveStringsW.KERNEL32 ref: 00007FF61B736967
lstrcmpiW.KERNEL32 ref: 00007FF61B7369A8
lstrcmpiW.KERNEL32 ref: 00007FF61B7369BC
QueryDosDeviceW.KERNEL32 ref: 00007FF61B7369F6

Part of subcall function 00007FF61B74DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B74DEC8
Part of subcall function 00007FF61B74DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B74DECE

Part of subcall function 00007FF61B7391A0: GetModuleHandleW.KERNEL32 ref: 00007FF61B7391BD
Part of subcall function 00007FF61B7391A0: GetProcAddress.KERNEL32 ref: 00007FF61B7391CD
Part of subcall function 00007FF61B7391A0: GetNativeSystemInfo.KERNEL32 ref: 00007FF61B7391DD

lstrlenW.KERNEL32 ref: 00007FF61B736A07
lstrcpyW.KERNEL32 ref: 00007FF61B736A48
CloseHandle.KERNEL32 ref: 00007FF61B736A51
CoInitializeEx.COMBASE ref: 00007FF61B736A62
CoCreateInstance.COMBASE ref: 00007FF61B736A87
SysFreeString.OLEAUT32 ref: 00007FF61B736B3C
CoUninitialize.OLE32 ref: 00007FF61B736B7E
RegOpenKeyExW.KERNEL32 ref: 00007FF61B736BE7
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF61B736C47
RegEnumKeyExW.ADVAPI32 ref: 00007FF61B736CDF
lstrlenW.KERNEL32 ref: 00007FF61B736CEC
lstrlenW.KERNEL32 ref: 00007FF61B736CFE
RegCloseKey.ADVAPI32 ref: 00007FF61B736D4C
lstrlenW.KERNEL32 ref: 00007FF61B736D59

Part of subcall function 00007FF61B759248: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B75927B

Part of subcall function 00007FF61B7379E0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B737A6B
Part of subcall function 00007FF61B7379E0: Process32FirstW.KERNEL32 ref: 00007FF61B737A88
Part of subcall function 00007FF61B7379E0: Process32NextW.KERNEL32 ref: 00007FF61B737AC3
Part of subcall function 00007FF61B7379E0: CloseHandle.KERNEL32 ref: 00007FF61B737AD0
Part of subcall function 00007FF61B7379E0: CoCreateInstance.COMBASE ref: 00007FF61B737B1F

GetTickCount.KERNEL32 ref: 00007FF61B736DA1

Part of subcall function 00007FF61B758B9C: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF61B758BB0

wsprintfW.USER32 ref: 00007FF61B736E19
GetLocaleInfoW.KERNEL32 ref: 00007FF61B736E36
GetSystemDirectoryW.KERNEL32 ref: 00007FF61B736E48
GetCurrentHwProfileW.ADVAPI32 ref: 00007FF61B736E5C
lstrlenW.KERNEL32 ref: 00007FF61B736EDB
GetLocalTime.KERNEL32 ref: 00007FF61B736F17
wsprintfW.USER32 ref: 00007FF61B736F31
RegOpenKeyExW.KERNEL32 ref: 00007FF61B736F56
RegDeleteValueW.KERNEL32 ref: 00007FF61B736F6A
RegCloseKey.ADVAPI32 ref: 00007FF61B736F77
RegCreateKeyW.ADVAPI32 ref: 00007FF61B736F8E
lstrlenW.KERNEL32 ref: 00007FF61B736F9B
RegSetValueExW.KERNEL32 ref: 00007FF61B736FC3
RegCloseKey.ADVAPI32 ref: 00007FF61B736FD4
RegCloseKey.ADVAPI32 ref: 00007FF61B736FE1
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B736FEE
Process32FirstW.KERNEL32 ref: 00007FF61B737029
Process32NextW.KERNEL32 ref: 00007FF61B73707E
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B737098
Process32FirstW.KERNEL32 ref: 00007FF61B7370D3
Process32NextW.KERNEL32 ref: 00007FF61B73712E
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B737148
Process32FirstW.KERNEL32 ref: 00007FF61B737183
Process32NextW.KERNEL32 ref: 00007FF61B7371DA

Strings

Network, xrefs: 00007FF61B736EF0
VenGROUP, xrefs: 00007FF61B7367EB
X64 %s, xrefs: 00007FF61B7368EA
GetNativeSystemInfo, xrefs: 00007FF61B736897
A:\, xrefs: 00007FF61B73699A
Software, xrefs: 00007FF61B7367D1
WxWork.exe, xrefs: 00007FF61B737033
d91774dd-ee7f-4c3d-8560-05242810d920, xrefs: 00007FF61B736352
WeChat.exe, xrefs: 00007FF61B7370DD
VenREMARK, xrefs: 00007FF61B73684B
Software\Tencent\Plugin\VAS, xrefs: 00007FF61B736BD9
x64, xrefs: 00007FF61B7368D8
ntdll.dll, xrefs: 00007FF61B736525
ProductName, xrefs: 00007FF61B7365FF
%d.%d, xrefs: 00007FF61B73680E, 00007FF61B736F22
FriendlyName, xrefs: 00007FF61B736B22
Telegram.exe, xrefs: 00007FF61B73718D
AppEvents, xrefs: 00007FF61B736EE1
%d min, xrefs: 00007FF61B7364D7
VenNetwork, xrefs: 00007FF61B7367E0
x86, xrefs: 00007FF61B7368DF
HDD:%d, xrefs: 00007FF61B736727
INSTALLTIME, xrefs: 00007FF61B736EF7, 00007FF61B736F63, 00007FF61B736FA8
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF61B7365C5
kernel32.dll, xrefs: 00007FF61B73687B
RtlGetNtVersionNumbers, xrefs: 00007FF61B73653E
%sFree%d Gb , xrefs: 00007FF61B73676E
%d.%d.%d, xrefs: 00007FF61B73657D
B:\, xrefs: 00007FF61B7369B2

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Process32lstrlen$CloseCreateInfo$Systemwsprintf$ByteCharFirstHandleMultiNextOpenSnapshotTimeToolhelp32Wide$AddressFreeProcProcessQueryValue$Concurrency::cancel_current_taskCountCurrentDriveFileInstanceLibraryLocalModuleNativeTickWindow_invalid_parameter_noinfoinet_ntoalstrcmpi$DeleteDeviceDirectoryDiskEnumForegroundGlobalImageInitializeInputLastLoadLocaleLogicalMemoryNameProfileSpaceStatusStringStringsTextTypeUninitializegethostbynamegethostnamelstrcpy
String ID: %d min$%d.%d$%d.%d.%d$%sFree%d Gb $A:\$AppEvents$B:\$FriendlyName$GetNativeSystemInfo$HDD:%d$INSTALLTIME$Network$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software$Software\Tencent\Plugin\VAS$Telegram.exe$VenGROUP$VenNetwork$VenREMARK$WeChat.exe$WxWork.exe$X64 %s$d91774dd-ee7f-4c3d-8560-05242810d920$kernel32.dll$ntdll.dll$x64$x86
API String ID: 4136965836-1533849582
Opcode ID: 43d19849282b6b05c610e9ddc3815cd0487b65068ac44ff9c992812d734889d8
Instruction ID: b7d21ad75c5670fc6901f01381a31530baf417c159b9c34578887d7c5f89211e
Opcode Fuzzy Hash: 43d19849282b6b05c610e9ddc3815cd0487b65068ac44ff9c992812d734889d8
Instruction Fuzzy Hash: 2E924132A08E9286FB24DF25D8446E92361FB88B64F846132DA5D877B4EF7CD64DC700

Function 00007FF61B74B500 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 406
registrylibrarysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FF61B74B531
CloseHandle.KERNEL32 ref: 00007FF61B74B56D
GetCurrentProcess.KERNEL32 ref: 00007FF61B74B580
OpenProcessToken.ADVAPI32 ref: 00007FF61B74B595
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B74B5B5
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B74B5E1
CloseHandle.KERNEL32 ref: 00007FF61B74B5EE
GetModuleHandleA.KERNEL32 ref: 00007FF61B74B5FB
GetProcAddress.KERNEL32 ref: 00007FF61B74B60B
GetCurrentProcessId.KERNEL32 ref: 00007FF61B74B623
OpenProcess.KERNEL32 ref: 00007FF61B74B632
GetLocalTime.KERNEL32 ref: 00007FF61B74B654
wsprintfW.USER32 ref: 00007FF61B74B69A
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61B74B6A7
CloseHandle.KERNEL32 ref: 00007FF61B74B6CD
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF61B74B751
CheckTokenMembership.KERNELBASE ref: 00007FF61B74B76B

Part of subcall function 00007FF61B758940: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B75896B

FreeSid.ADVAPI32 ref: 00007FF61B74B783
RegOpenKeyExW.KERNEL32 ref: 00007FF61B74B7B5
RegDeleteValueW.KERNEL32 ref: 00007FF61B74B7C9
RegSetValueExW.KERNEL32 ref: 00007FF61B74B7FA
RegCloseKey.ADVAPI32 ref: 00007FF61B74B807
SleepEx.KERNEL32 ref: 00007FF61B74B923
CreateEventA.KERNEL32 ref: 00007FF61B74B99F

Part of subcall function 00007FF61B7587A0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7587C6

Part of subcall function 00007FF61B7362F0: gethostname.WS2_32 ref: 00007FF61B736394
Part of subcall function 00007FF61B7362F0: gethostbyname.WS2_32 ref: 00007FF61B73639E
Part of subcall function 00007FF61B7362F0: inet_ntoa.WS2_32 ref: 00007FF61B7363BB
Part of subcall function 00007FF61B7362F0: inet_ntoa.WS2_32 ref: 00007FF61B73640B
Part of subcall function 00007FF61B7362F0: MultiByteToWideChar.KERNEL32 ref: 00007FF61B736469
Part of subcall function 00007FF61B7362F0: MultiByteToWideChar.KERNEL32 ref: 00007FF61B73648D

Sleep.KERNEL32 ref: 00007FF61B74BA41
Sleep.KERNEL32 ref: 00007FF61B74BA77
CloseHandle.KERNEL32 ref: 00007FF61B74BADE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B74BAE9
IsDebuggerPresent.KERNEL32 ref: 00007FF61B74BAFC
LoadLibraryW.KERNEL32 ref: 00007FF61B74BB28
GetProcAddress.KERNEL32 ref: 00007FF61B74BB52
FreeLibrary.KERNEL32 ref: 00007FF61B74BB63

Strings

NtSetInformationProcess, xrefs: 00007FF61B74B604
4433, xrefs: 00007FF61B74B841
%s-%04d%02d%02d-%02d%02d%02d.dmp, xrefs: 00007FF61B74BBD2
SOFTWARE, xrefs: 00007FF61B74B7A7
SeDebugPrivilege, xrefs: 00007FF61B74B5AC
4433, xrefs: 00007FF61B74B84D, 00007FF61B74B879, 00007FF61B74B8DA, 00007FF61B74B933, 00007FF61B74B967
MiniDumpWriteDump, xrefs: 00007FF61B74BB40
loginconfig, xrefs: 00007FF61B74B7D7
192.238.134.52, xrefs: 00007FF61B74B825, 00007FF61B74B8C2, 00007FF61B74B942, 00007FF61B74B9D1
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF61B74B68C
192.238.134.52, xrefs: 00007FF61B74B835
192.238.134.52, xrefs: 00007FF61B74B8B6
NtDll.dll, xrefs: 00007FF61B74B5F4
!analyze -v, xrefs: 00007FF61B74BBDE
VenkernalData_info, xrefs: 00007FF61B74B7BB, 00007FF61B74B7EC
10443, xrefs: 00007FF61B74B86D
DbgHelp.dll, xrefs: 00007FF61B74BB19
192.238.134.52, xrefs: 00007FF61B74B861

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseHandle$ProcessSleep$OpenTokenValue$AddressByteCharCurrentFreeLibraryMultiProcWide_invalid_parameter_noinfoinet_ntoa$AdjustAllocateCheckCreateDebuggerDeleteEventExceptionFilterInitializeLoadLocalLookupMembershipModulePresentPrivilegePrivilegesTimeUnhandled_invalid_parameter_noinfo_noreturngethostbynamegethostnamewsprintf
String ID: !analyze -v$%4d.%2d.%2d-%2d:%2d:%2d$%s-%04d%02d%02d-%02d%02d%02d.dmp$10443$192.238.134.52$192.238.134.52$192.238.134.52$192.238.134.52$4433$4433$DbgHelp.dll$MiniDumpWriteDump$NtDll.dll$NtSetInformationProcess$SOFTWARE$SeDebugPrivilege$VenkernalData_info$loginconfig
API String ID: 905065789-3740111702
Opcode ID: 2290415987536a99476877d9ea12a47fc619f31b1382f2d977d81a2622406585
Instruction ID: 2b712bdbfe26e2ed145d2c19646344af984c8d98456e329e4c0ba167494aa29b
Opcode Fuzzy Hash: 2290415987536a99476877d9ea12a47fc619f31b1382f2d977d81a2622406585
Instruction Fuzzy Hash: 7B221B72A08F8286E720AF21E8442A977A5FB8CB65F502535DA4DC7AB4DF3CE54DD700

Function 00007FF61B73F410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastInputInfo.USER32 ref: 00007FF61B73F45C
GetTickCount.KERNEL32 ref: 00007FF61B73F462
wsprintfW.USER32 ref: 00007FF61B73F490
GetForegroundWindow.USER32 ref: 00007FF61B73F496
GetWindowTextW.USER32 ref: 00007FF61B73F4AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B73F4C3
Process32FirstW.KERNEL32 ref: 00007FF61B73F4F7
Process32NextW.KERNEL32 ref: 00007FF61B73F54B
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B73F565
Process32FirstW.KERNEL32 ref: 00007FF61B73F59F
Process32NextW.KERNEL32 ref: 00007FF61B73F5EE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B73F608
Process32FirstW.KERNEL32 ref: 00007FF61B73F642
Process32NextW.KERNEL32 ref: 00007FF61B73F69E
RegOpenKeyExW.ADVAPI32 ref: 00007FF61B73F6EC
RegQueryValueExW.KERNEL32 ref: 00007FF61B73F71F
RegQueryValueExW.KERNEL32 ref: 00007FF61B73F783
RegCloseKey.ADVAPI32 ref: 00007FF61B73F90D
RegOpenKeyExW.ADVAPI32 ref: 00007FF61B73F943
RegQueryValueExW.KERNEL32 ref: 00007FF61B73F976
RegQueryValueExW.ADVAPI32 ref: 00007FF61B73F9D5
RegCloseKey.ADVAPI32 ref: 00007FF61B73F9EC
RegOpenKeyExW.ADVAPI32 ref: 00007FF61B73FA22
RegQueryValueExW.KERNEL32 ref: 00007FF61B73FA55
RegCloseKey.ADVAPI32 ref: 00007FF61B73FACB

Part of subcall function 00007FF61B74DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B74DEC8
Part of subcall function 00007FF61B74DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B74DECE

RegQueryValueExW.ADVAPI32 ref: 00007FF61B73FAB4
SHGetFolderPathW.SHELL32 ref: 00007FF61B73FAEF
lstrcatW.KERNEL32 ref: 00007FF61B73FB03
CreateFileW.KERNEL32 ref: 00007FF61B73FB34
lstrlenW.KERNEL32 ref: 00007FF61B73FB44
WriteFile.KERNEL32 ref: 00007FF61B73FB61
CloseHandle.KERNEL32 ref: 00007FF61B73FB6A
FindFirstFileW.KERNEL32 ref: 00007FF61B73FB7E
FindClose.KERNEL32 ref: 00007FF61B73FB94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B73FCFE

Strings

C:\ProgramData\Mylnk, xrefs: 00007FF61B73F896
WXWork.exe, xrefs: 00007FF61B73F501
Startup, xrefs: 00007FF61B73F718, 00007FF61B73F77C
OpenAi_Service, xrefs: 00007FF61B73F96F, 00007FF61B73F9CE, 00007FF61B73FA4E, 00007FF61B73FAAD
WeChat.exe, xrefs: 00007FF61B73F5A9
Telegram.exe, xrefs: 00007FF61B73F64C
C:\Users, xrefs: 00007FF61B73F812
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 00007FF61B73F6B1
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF61B73F935, 00007FF61B73FA14
\kernelquick.sys, xrefs: 00007FF61B73FAF5
%d min, xrefs: 00007FF61B73F489

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Process32QueryValue$Close$CreateFirst$FileNextOpenSnapshotToolhelp32$Concurrency::cancel_current_taskFindWindow$CountFolderForegroundHandleInfoInputLastPathTextTickWrite_invalid_parameter_noinfo_noreturnlstrcatlstrlenwsprintf
String ID: %d min$C:\ProgramData\Mylnk$C:\Users$OpenAi_Service$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Startup$Telegram.exe$WXWork.exe$WeChat.exe$\kernelquick.sys
API String ID: 3029130142-1423135667
Opcode ID: e62539a16d3ca5b5cc7c3476556dc898a7606d9ab66eaf610e565dd4e6f3647a
Instruction ID: 0c2d1506b1fb73a6deb91ee6ea83eb8f91439260e35860d1d0f14a773a7c094a
Opcode Fuzzy Hash: e62539a16d3ca5b5cc7c3476556dc898a7606d9ab66eaf610e565dd4e6f3647a
Instruction Fuzzy Hash: 4232A322A08E8285EB20DF25D8146BD77A0FB59FA4F846131DA9D8B7B5DF7CE548C700

Function 00007FF61B74AD80 Relevance: 75.8, APIs: 27, Strings: 16, Instructions: 529stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF61B74ADB5
RegQueryValueExW.KERNEL32 ref: 00007FF61B74ADE6
RegQueryValueExW.ADVAPI32 ref: 00007FF61B74AE45
lstrlenW.KERNEL32 ref: 00007FF61B74AE52
lstrlenW.KERNEL32 ref: 00007FF61B74AE73
lstrlenW.KERNEL32 ref: 00007FF61B74AE86
lstrlenW.KERNEL32 ref: 00007FF61B74AF1F
lstrlenW.KERNEL32 ref: 00007FF61B74AF40
lstrlenW.KERNEL32 ref: 00007FF61B74AF53
lstrlenW.KERNEL32 ref: 00007FF61B74AFEB
lstrlenW.KERNEL32 ref: 00007FF61B74AFFE
lstrlenW.KERNEL32 ref: 00007FF61B74B081
lstrlenW.KERNEL32 ref: 00007FF61B74B0A2
lstrlenW.KERNEL32 ref: 00007FF61B74B0B5
lstrlenW.KERNEL32 ref: 00007FF61B74B14F
lstrlenW.KERNEL32 ref: 00007FF61B74B170
lstrlenW.KERNEL32 ref: 00007FF61B74B183
lstrlenW.KERNEL32 ref: 00007FF61B74B21B
lstrlenW.KERNEL32 ref: 00007FF61B74B22E
lstrlenW.KERNEL32 ref: 00007FF61B74B2B1
lstrlenW.KERNEL32 ref: 00007FF61B74B2D2
lstrlenW.KERNEL32 ref: 00007FF61B74B2E5
lstrlenW.KERNEL32 ref: 00007FF61B74B37F
lstrlenW.KERNEL32 ref: 00007FF61B74B3A0
lstrlenW.KERNEL32 ref: 00007FF61B74B3B3
lstrlenW.KERNEL32 ref: 00007FF61B74B44B
lstrlenW.KERNEL32 ref: 00007FF61B74B45E

Strings

4433, xrefs: 00007FF61B74AF18, 00007FF61B74AF27, 00007FF61B74AFD9
Vendata, xrefs: 00007FF61B74ADDF, 00007FF61B74AE3E
o3:, xrefs: 00007FF61B74B3A6
o2:, xrefs: 00007FF61B74B176
t2:, xrefs: 00007FF61B74B221
Console, xrefs: 00007FF61B74ADA7
t1:, xrefs: 00007FF61B74AFF1
t3:, xrefs: 00007FF61B74B451
p2:, xrefs: 00007FF61B74B0A8
192.238.134.52, xrefs: 00007FF61B74AE4B, 00007FF61B74AE5A, 00007FF61B74AF09
o1:, xrefs: 00007FF61B74AF46
192.238.134.52, xrefs: 00007FF61B74B2AA, 00007FF61B74B2B9, 00007FF61B74B369
p1:, xrefs: 00007FF61B74AE79
10443, xrefs: 00007FF61B74B148, 00007FF61B74B157, 00007FF61B74B209
p3:, xrefs: 00007FF61B74B2D8
192.238.134.52, xrefs: 00007FF61B74B07A, 00007FF61B74B089, 00007FF61B74B139

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrlen$QueryValue$Open
String ID: 10443$192.238.134.52$192.238.134.52$192.238.134.52$4433$Console$Vendata$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1772312705-2005200276
Opcode ID: c599fbb0e57935ebe8c3f9b158b0f14cad8e83e9b9ac755a95a7fb9a9d72626c
Instruction ID: 3b56a328266204bbe73e897a27f93b5cad294b39df741314edc7bbc2556a74f4
Opcode Fuzzy Hash: c599fbb0e57935ebe8c3f9b158b0f14cad8e83e9b9ac755a95a7fb9a9d72626c
Instruction Fuzzy Hash: 4F22B161E18E6B81FB24AB14E5546797361EF9CF66F816031C64EC2AB1EF7CE54D8300

Function 00007FF61B73FD10 Relevance: 56.3, APIs: 27, Strings: 5, Instructions: 326
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00007FF61B73FD2B
GetDesktopWindow.USER32 ref: 00007FF61B73FD8C
GetDC.USER32 ref: 00007FF61B73FD95
CreateCompatibleDC.GDI32 ref: 00007FF61B73FDA1
GetDC.USER32 ref: 00007FF61B73FDAC
GetDeviceCaps.GDI32 ref: 00007FF61B73FDBD
GetDeviceCaps.GDI32 ref: 00007FF61B73FDCD
ReleaseDC.USER32 ref: 00007FF61B73FDEA
GetSystemMetrics.USER32 ref: 00007FF61B73FE13
GetSystemMetrics.USER32 ref: 00007FF61B73FE4E
GetSystemMetrics.USER32 ref: 00007FF61B73FE82
GetSystemMetrics.USER32 ref: 00007FF61B73FE9C
GetSystemMetrics.USER32 ref: 00007FF61B73FEB6
CreateCompatibleBitmap.GDI32 ref: 00007FF61B73FED4
SelectObject.GDI32 ref: 00007FF61B73FEE8
SetStretchBltMode.GDI32 ref: 00007FF61B73FEF6
GetSystemMetrics.USER32 ref: 00007FF61B73FF01
GetSystemMetrics.USER32 ref: 00007FF61B73FF1B
StretchBlt.GDI32 ref: 00007FF61B73FF5C
GetDIBits.GDI32 ref: 00007FF61B740022
DeleteObject.GDI32 ref: 00007FF61B7400E9
DeleteObject.GDI32 ref: 00007FF61B7400F2
ReleaseDC.USER32 ref: 00007FF61B7400FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B740290

Strings

6, xrefs: 00007FF61B73FFC2
gfff, xrefs: 00007FF61B73FE58
(, xrefs: 00007FF61B73FF65
, xrefs: 00007FF61B73FF21
gfff, xrefs: 00007FF61B73FE32

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: MetricsSystem$Object$CapsCompatibleCreateDeleteDeviceReleaseStretch$BitmapBitsDesktopModeSelectVersionWindow_invalid_parameter_noinfo_noreturn
String ID: $($6$gfff$gfff
API String ID: 3905184151-2922166585
Opcode ID: 9eafb342d491789966fcdb852ac60d50250fc806a3a0662fbf213cd29233fd2c
Instruction ID: d9193f6ea500915ca4fe90f18b52c15151e89e6dbf88a5e063a21d0eb949ef55
Opcode Fuzzy Hash: 9eafb342d491789966fcdb852ac60d50250fc806a3a0662fbf213cd29233fd2c
Instruction Fuzzy Hash: 0AE1B272A18BC186E7259F25E40436EA3A1FB9DF94F409235DA8D9BB75DF3CD4888700

Function 00007FF61B737250 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61B73A300: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B73A4A0
Part of subcall function 00007FF61B73A300: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B73A4A6

MultiByteToWideChar.KERNEL32 ref: 00007FF61B7375FF
MultiByteToWideChar.KERNEL32 ref: 00007FF61B737626

Strings

X64, xrefs: 00007FF61B737471, 00007FF61B73748E
\DisplaySessionContainers.log, xrefs: 00007FF61B737823
<, xrefs: 00007FF61B73795D
key, xrefs: 00007FF61B7377B2
open, xrefs: 00007FF61B7377A6

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: <$X64$\DisplaySessionContainers.log$key$open
API String ID: 143101810-941791203
Opcode ID: b6f9b1fd57430f77313be91243793a102745fc176dedbb318d5ad7af9560adf6
Instruction ID: 6bdadda156e59779c17a5829eadf98f8cbb69fef212ab4da5ce2f0dcb91d7e85
Opcode Fuzzy Hash: b6f9b1fd57430f77313be91243793a102745fc176dedbb318d5ad7af9560adf6
Instruction Fuzzy Hash: B4229372A18E8692EB10DF25E4446AE7361FB88FA4F506231DA5E87BB4DF3CD548C740

Function 00007FF61B7379E0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B737A6B
Process32FirstW.KERNEL32 ref: 00007FF61B737A88
Process32NextW.KERNEL32 ref: 00007FF61B737AC3
CloseHandle.KERNEL32 ref: 00007FF61B737AD0
CoCreateInstance.COMBASE ref: 00007FF61B737B1F
wsprintfW.USER32 ref: 00007FF61B737C25
RegOpenKeyExW.ADVAPI32 ref: 00007FF61B737C55
RegQueryValueExW.KERNEL32 ref: 00007FF61B737CB6
lstrcatW.KERNEL32 ref: 00007FF61B737CCA
lstrcatW.KERNEL32 ref: 00007FF61B737CDA
RegCloseKey.ADVAPI32 ref: 00007FF61B737CE7
lstrlenW.KERNEL32 ref: 00007FF61B737D24
lstrcatW.KERNEL32 ref: 00007FF61B737D38
CloseHandle.KERNEL32 ref: 00007FF61B737D65
lstrcatW.KERNEL32 ref: 00007FF61B737D7D
lstrcatW.KERNEL32 ref: 00007FF61B737D8D

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 00007FF61B737C17
Windows Defender IOfficeAntiVirus implementation , xrefs: 00007FF61B737A04

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrcat$Close$CreateHandleProcess32$FirstInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 582347850-1583895642
Opcode ID: 134265c9e40a9f760aa4fceb9a534aa5a21de15c77527937ae6ae4b8d1d4e22b
Instruction ID: 4365acd8bef32fdb4aa71c6bd24d0086bb8e44b57894b0eff521ba8a35f8aeb9
Opcode Fuzzy Hash: 134265c9e40a9f760aa4fceb9a534aa5a21de15c77527937ae6ae4b8d1d4e22b
Instruction Fuzzy Hash: EDA18422A08E8286F760DF25E8406AA77A1FB89F58F445135DE4D87B78DF3CD648C700

Function 00007FF61B738690 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FF61B73870B
GetLastError.KERNEL32 ref: 00007FF61B738715
GetProcessHeap.KERNEL32 ref: 00007FF61B73872B
HeapAlloc.KERNEL32 ref: 00007FF61B73873C
GetTokenInformation.KERNELBASE ref: 00007FF61B73876E
LookupAccountSidW.ADVAPI32 ref: 00007FF61B7387B6
GetLastError.KERNEL32 ref: 00007FF61B7387C0
GetProcessHeap.KERNEL32 ref: 00007FF61B7388C4
HeapFree.KERNEL32 ref: 00007FF61B7388D2

Strings

NONE_MAPPED, xrefs: 00007FF61B7387CD

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Heap$ErrorInformationLastProcessToken$AccountAllocFreeLookup
String ID: NONE_MAPPED
API String ID: 162735656-2950899194
Opcode ID: fc7d76223dfa6cbbf8efa4015a3b0f0cb7eb74909b040ee270e83bc7d35c4934
Instruction ID: c97c959c1d022bbd4d4209a6240e0c8065a39aca1e960ed4aa6311a41e9a5f78
Opcode Fuzzy Hash: fc7d76223dfa6cbbf8efa4015a3b0f0cb7eb74909b040ee270e83bc7d35c4934
Instruction Fuzzy Hash: A0519162A29F8196EA60DF01E4402AE63A0FB49FE4F845536DB5D97BB4DF3CD548C340

Function 00007FF61B74C2E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00007FF61B74C30F
CreateFileW.KERNEL32 ref: 00007FF61B74C33A
DeviceIoControl.KERNEL32 ref: 00007FF61B74C38A
DeviceIoControl.KERNEL32 ref: 00007FF61B74C3F1

Part of subcall function 00007FF61B74C520: WideCharToMultiByte.KERNEL32 ref: 00007FF61B74C555
Part of subcall function 00007FF61B74C520: WideCharToMultiByte.KERNEL32 ref: 00007FF61B74C590

DeviceIoControl.KERNEL32 ref: 00007FF61B74C451
DeviceIoControl.KERNEL32 ref: 00007FF61B74C4B0

Part of subcall function 00007FF61B74C1B0: CreateFileA.KERNEL32 ref: 00007FF61B74C259
Part of subcall function 00007FF61B74C1B0: DeviceIoControl.KERNEL32 ref: 00007FF61B74C2A1

CloseHandle.KERNEL32 ref: 00007FF61B74C4DE
CloseHandle.KERNEL32 ref: 00007FF61B74C503

Strings

\\.\HCD%d, xrefs: 00007FF61B74C303

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlDevice$ByteCharCloseCreateFileHandleMultiWide$wsprintf
String ID: \\.\HCD%d
API String ID: 2324936672-2696249065
Opcode ID: 5ce96b038b44017890316f80b403f2fc54911078eba5beeafb1223e05245f713
Instruction ID: c7d67b1165a9b8889db5007a24585ad311c29b606c21113b8d5ebbe7d4346721
Opcode Fuzzy Hash: 5ce96b038b44017890316f80b403f2fc54911078eba5beeafb1223e05245f713
Instruction Fuzzy Hash: 8A51633160CB8186EB609F21B54076EB794FB89BA4F542135DA8E87BB5EF3CD419CB00

Function 00007FF61B74BCD0 Relevance: 15.0, APIs: 10, Instructions: 33threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61B74BCDB
GetConsoleWindow.KERNEL32 ref: 00007FF61B74BCE1
ShowWindow.USER32 ref: 00007FF61B74BCEC
GetCurrentThreadId.KERNEL32 ref: 00007FF61B74BCF2
PostThreadMessageA.USER32 ref: 00007FF61B74BD02
GetInputState.USER32 ref: 00007FF61B74BD08
CreateThread.KERNEL32 ref: 00007FF61B74BD27
WaitForSingleObject.KERNEL32 ref: 00007FF61B74BD3C
CloseHandle.KERNEL32 ref: 00007FF61B74BD49
Sleep.KERNEL32 ref: 00007FF61B74BD54

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 2277684705-0
Opcode ID: 6f2be5bc360ff60992bf957455bd65437668e6ddaf6ac78ef69b290b53bfb88b
Instruction ID: ea3a35ae6506e53506c6f55cdea033ed7c99a706f30da7ab065d1dae64490deb
Opcode Fuzzy Hash: 6f2be5bc360ff60992bf957455bd65437668e6ddaf6ac78ef69b290b53bfb88b
Instruction Fuzzy Hash: A601D625A18E8282F714BB71AC5457937A1FF8CF36B857535D51ECA670DE3CA44D8700

Function 00007FF61B761DA8 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF61B761DED

Part of subcall function 00007FF61B761464: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B761478

Part of subcall function 00007FF61B75E6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6D2
Part of subcall function 00007FF61B75E6BC: GetLastError.KERNEL32(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6DC

Part of subcall function 00007FF61B753D88: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF61B753D37,?,?,?,?,?,00007FF61B753C22), ref: 00007FF61B753D91
Part of subcall function 00007FF61B753D88: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF61B753D37,?,?,?,?,?,00007FF61B753C22), ref: 00007FF61B753DB6

Part of subcall function 00007FF61B769F14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B769E5F

_get_daylight.LIBCMT ref: 00007FF61B761DDC

Part of subcall function 00007FF61B7614C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7614D8

_get_daylight.LIBCMT ref: 00007FF61B762052
_get_daylight.LIBCMT ref: 00007FF61B762063
_get_daylight.LIBCMT ref: 00007FF61B762074
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF61B7622B4), ref: 00007FF61B76209B

Strings

Eastern Summer Time, xrefs: 00007FF61B762159
Eastern Standard Time, xrefs: 00007FF61B762141

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: e4d215210ab8a5127c723f465f4324ebd8545cea5875ff9c0ed7522d57f15f04
Instruction ID: 14f4bf91aa04ae7209ff0194e1cb54372c90d7788a5f5f6a15de24b735a434d3
Opcode Fuzzy Hash: e4d215210ab8a5127c723f465f4324ebd8545cea5875ff9c0ed7522d57f15f04
Instruction Fuzzy Hash: E4D1B076E08A8245FB249F22E8541B96761EF4CFA4F44A435EA0D87AB5DF3CE849C740

Function 00007FF61B738040 Relevance: 10.9, APIs: 7, Instructions: 424COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B74C2E0: wsprintfW.USER32 ref: 00007FF61B74C30F
Part of subcall function 00007FF61B74C2E0: CreateFileW.KERNEL32 ref: 00007FF61B74C33A
Part of subcall function 00007FF61B74C2E0: DeviceIoControl.KERNEL32 ref: 00007FF61B74C38A
Part of subcall function 00007FF61B74C2E0: DeviceIoControl.KERNEL32 ref: 00007FF61B74C3F1
Part of subcall function 00007FF61B74C2E0: DeviceIoControl.KERNEL32 ref: 00007FF61B74C451
Part of subcall function 00007FF61B74C2E0: DeviceIoControl.KERNEL32 ref: 00007FF61B74C4B0

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B738670
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B738676
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B73867C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B738682

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlDevice_invalid_parameter_noinfo_noreturn$CreateFilewsprintf
String ID:
API String ID: 3155671162-0
Opcode ID: ca3a5f53a69bd94d5085424c179d366c67bc8047cf41c0a47e4941c75c49cf7e
Instruction ID: 7ee88a46c81e00bf9b2858b0d8644332796e7bc93e3c0b985e72612359d01c11
Opcode Fuzzy Hash: ca3a5f53a69bd94d5085424c179d366c67bc8047cf41c0a47e4941c75c49cf7e
Instruction Fuzzy Hash: 96028222F18F8185FB00DB61E4502AD23A1AB59FB8F006635DE5D97BFADE3CD4899340

Function 00007FF61B762024 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF61B762052

Part of subcall function 00007FF61B7614C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7614D8

_get_daylight.LIBCMT ref: 00007FF61B762063

Part of subcall function 00007FF61B761464: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B761478

_get_daylight.LIBCMT ref: 00007FF61B762074

Part of subcall function 00007FF61B761494: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7614A8

Part of subcall function 00007FF61B75E6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6D2
Part of subcall function 00007FF61B75E6BC: GetLastError.KERNEL32(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6DC

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF61B7622B4), ref: 00007FF61B76209B

Strings

Eastern Summer Time, xrefs: 00007FF61B762159
Eastern Standard Time, xrefs: 00007FF61B762141

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: d39622db5b0ee5333b178c37cbbab90ca343d8bae9bfc90199294d5daa5d9118
Instruction ID: 9b63d44b30b5a3cf38d426b3a99319d6add82339144e1a00868dd5f2704092d1
Opcode Fuzzy Hash: d39622db5b0ee5333b178c37cbbab90ca343d8bae9bfc90199294d5daa5d9118
Instruction Fuzzy Hash: 7A517F32E18A8286F750DF22E8905A96760FF4CFA4F446535EA4DC7AB6DF3CE5488740

Function 00007FF61B758C10 Relevance: 9.2, APIs: 6, Instructions: 249COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B758C32
_get_daylight.LIBCMT ref: 00007FF61B758C92
_get_daylight.LIBCMT ref: 00007FF61B758CA3
_get_daylight.LIBCMT ref: 00007FF61B758CB4
_isindst.LIBCMT ref: 00007FF61B758D05
_isindst.LIBCMT ref: 00007FF61B758D58

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: bc1b3b9caf7716422d15d8d8075c51535e8cc771750b1ef0c981aa63b125a24c
Instruction ID: 6b363f7f29b492569820197f9f6f613eb3397542c66ba31bded5d6e7121fb10a
Opcode Fuzzy Hash: bc1b3b9caf7716422d15d8d8075c51535e8cc771750b1ef0c981aa63b125a24c
Instruction Fuzzy Hash: C791E8B2B057864BEB588F25C9412B863A1EB5CF98F44A035DA0DCBBB5EF3CE4458744

Function 00007FF61B733B00 Relevance: 4.7, APIs: 3, Instructions: 151timenetworkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF61B733BF5
recv.WS2_32 ref: 00007FF61B733C1B

Part of subcall function 00007FF61B731500: VirtualAlloc.KERNEL32 ref: 00007FF61B731575
Part of subcall function 00007FF61B731500: VirtualFree.KERNELBASE ref: 00007FF61B7315AF

timeGetTime.WINMM ref: 00007FF61B733D04

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFreeTimerecvselecttime
String ID:
API String ID: 1996171534-0
Opcode ID: 12d6ea6a5e9638a2a12ebf09b867218817c5d33edb793a075e5ebf3298344bd1
Instruction ID: 482ffc9d1affd1d360f410f68f9dfbbcf10a231f63cacf6b1fa1e283805c6f7b
Opcode Fuzzy Hash: 12d6ea6a5e9638a2a12ebf09b867218817c5d33edb793a075e5ebf3298344bd1
Instruction Fuzzy Hash: 01713D62A18E8581EB20DF29D4446BD3360FB99F98F55A235DB8D477B5EF38E488C700

Function 00007FF61B731500 Relevance: 2.6, APIs: 2, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF61B731575
VirtualFree.KERNELBASE ref: 00007FF61B7315AF

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7adfbc43d79927e24f2f975998fe396b12a3d4926a19e200812a52629311d3ed
Instruction ID: 0fb6920b1ce9af8cea85769e8e8cd46d4d206215380fe22e4358f1917dce0753
Opcode Fuzzy Hash: 7adfbc43d79927e24f2f975998fe396b12a3d4926a19e200812a52629311d3ed
Instruction Fuzzy Hash: 3D410472708A818AE709CF2BF4506696765FB88F94F045139EE0EC7B74EE38D885C740

Function 00007FF61B738900 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 225
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B73891C
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B73892C
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B738954
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B738961
CloseHandle.KERNEL32 ref: 00007FF61B7389F0
CloseHandle.KERNEL32 ref: 00007FF61B7389F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B738AB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B738ABB
GetCurrentProcessId.KERNEL32 ref: 00007FF61B738AEB
wsprintfW.USER32 ref: 00007FF61B738B02
GetVersionExW.KERNEL32 ref: 00007FF61B738B31
GetCurrentProcess.KERNEL32 ref: 00007FF61B738B5D
OpenProcessToken.ADVAPI32 ref: 00007FF61B738B73
GetTokenInformation.KERNELBASE ref: 00007FF61B738BA8
GetLastError.KERNEL32 ref: 00007FF61B738BB6
LocalAlloc.KERNEL32 ref: 00007FF61B738BD5
GetTokenInformation.KERNELBASE ref: 00007FF61B738C08
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF61B738C15
GetSidSubAuthority.ADVAPI32 ref: 00007FF61B738C23
LocalFree.KERNEL32 ref: 00007FF61B738C2E
CloseHandle.KERNEL32 ref: 00007FF61B738C44
wsprintfW.USER32 ref: 00007FF61B738CA3

Strings

VenNetwork, xrefs: 00007FF61B738AD0
NO/, xrefs: 00007FF61B738C89
-N/, xrefs: 00007FF61B738C80
None/%s, xrefs: 00007FF61B738C92

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$CloseHandleToken$CurrentOpen$AuthorityInformationLocal_invalid_parameter_noinfo_noreturnwsprintf$AllocCountErrorFreeLastVersion
String ID: -N/$NO/$None/%s$VenNetwork
API String ID: 3589523989-819860926
Opcode ID: d42ba7504cebbf2a51a649e7bef0d695714f0f5e07d95865d6b26a32d06dfaba
Instruction ID: 064951337e74231c72e3c84b62f20494f2438690ffbd95e325a488b6469f2d64
Opcode Fuzzy Hash: d42ba7504cebbf2a51a649e7bef0d695714f0f5e07d95865d6b26a32d06dfaba
Instruction Fuzzy Hash: CFA14F61A0DFC282FA60DB25E4443B96361FB89FA0F946235DA9D87AB4DF3CD549C700

Function 00007FF61B7402A0 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00007FF61B7402D8
GlobalLock.KERNEL32 ref: 00007FF61B7402E4
GlobalUnlock.KERNEL32 ref: 00007FF61B7402FB
CreateStreamOnHGlobal.OLE32 ref: 00007FF61B740311
GlobalFree.KERNEL32 ref: 00007FF61B740674

Part of subcall function 00007FF61B7361E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF61B736231
Part of subcall function 00007FF61B7361E0: GetLastError.KERNEL32 ref: 00007FF61B73623B

EnterCriticalSection.KERNEL32 ref: 00007FF61B74035F
LeaveCriticalSection.KERNEL32 ref: 00007FF61B74036C
GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF61B74039A
GdipDisposeImage.GDIPLUS ref: 00007FF61B7403B0
GdipDisposeImage.GDIPLUS ref: 00007FF61B7403CE
CreateStreamOnHGlobal.OLE32 ref: 00007FF61B7403EB
GetHGlobalFromStream.OLE32 ref: 00007FF61B740412
GlobalLock.KERNEL32 ref: 00007FF61B74041C
GlobalFree.KERNEL32 ref: 00007FF61B74043B
DeleteObject.GDI32 ref: 00007FF61B74046B
EnterCriticalSection.KERNEL32 ref: 00007FF61B74047D
EnterCriticalSection.KERNEL32 ref: 00007FF61B74048D
GdiplusShutdown.GDIPLUS ref: 00007FF61B74049B
LeaveCriticalSection.KERNEL32 ref: 00007FF61B7404A8
LeaveCriticalSection.KERNEL32 ref: 00007FF61B7404B2
DeleteObject.GDI32 ref: 00007FF61B740624
EnterCriticalSection.KERNEL32 ref: 00007FF61B740636
EnterCriticalSection.KERNEL32 ref: 00007FF61B740646
GdiplusShutdown.GDIPLUS ref: 00007FF61B740654
LeaveCriticalSection.KERNEL32 ref: 00007FF61B740661
LeaveCriticalSection.KERNEL32 ref: 00007FF61B74066B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B740698

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Global$EnterLeave$Stream$CreateGdip$DeleteDisposeFreeFromGdiplusImageLockObjectShutdown$AllocBitmapErrorInitializeLastUnlock_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 953580087-0
Opcode ID: 6a47932f2d824f93bffde5a913d367a737229ea91dfede279ec8d7f768a18219
Instruction ID: 3d36060a00767317fe259446624c0992369d760f3a4974ffbb5d6f9aeb19bd51
Opcode Fuzzy Hash: 6a47932f2d824f93bffde5a913d367a737229ea91dfede279ec8d7f768a18219
Instruction Fuzzy Hash: 36C11A36B08F428AEB00EB65E8442AD2375EB48F69F406135CE5E97AB9DF38D45DD340

Function 00007FF61B73C340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 00007FF61B73C377
GdipGetImageHeight.GDIPLUS ref: 00007FF61B73C3F4
GdipGetImageWidth.GDIPLUS ref: 00007FF61B73C41A
GdipGetImagePaletteSize.GDIPLUS ref: 00007FF61B73C470
GdipGetImagePalette.GDIPLUS ref: 00007FF61B73C4F1
CreateCompatibleDC.GDI32 ref: 00007FF61B73C588
SelectObject.GDI32 ref: 00007FF61B73C599
SetDIBColorTable.GDI32 ref: 00007FF61B73C5B7
SelectObject.GDI32 ref: 00007FF61B73C5CC
DeleteDC.GDI32 ref: 00007FF61B73C5F6
GdipBitmapLockBits.GDIPLUS ref: 00007FF61B73C646
GdipBitmapUnlockBits.GDIPLUS ref: 00007FF61B73C6D3
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF61B73C702
GdipGetImageGraphicsContext.GDIPLUS ref: 00007FF61B73C71D
GdipDrawImageI.GDIPLUS ref: 00007FF61B73C737
GdipDeleteGraphics.GDIPLUS ref: 00007FF61B73C740
GdipDisposeImage.GDIPLUS ref: 00007FF61B73C74D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B73C79F

Strings

&, xrefs: 00007FF61B73C3D4

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Gdip$Image$Bitmap$BitsCreateDeleteGraphicsObjectPaletteSelect$ColorCompatibleContextDisposeDrawFormatFromHeightLockPixelScan0SizeTableUnlockWidth_invalid_parameter_noinfo
String ID: &
API String ID: 4034434136-3042966939
Opcode ID: dd11024c4d0ee26c12cb960423acbe48478663fb147fae3e010d538c7f7c31a7
Instruction ID: 430ba43baeaf7b44365f9427b0ee1ce43f5c42060a90dcac5a3f1db5a8dbbefe
Opcode Fuzzy Hash: dd11024c4d0ee26c12cb960423acbe48478663fb147fae3e010d538c7f7c31a7
Instruction Fuzzy Hash: CCD1A072608B828AE760DF26D9446A937A4FB08FA8F416035DF1D9BB74DF38E548C740

Function 00007FF61B733820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 00007FF61B733840
timeGetTime.WINMM ref: 00007FF61B73384F
socket.WS2_32 ref: 00007FF61B73387C
lstrlenW.KERNEL32 ref: 00007FF61B73389E
WideCharToMultiByte.KERNEL32 ref: 00007FF61B7338C2
lstrlenW.KERNEL32 ref: 00007FF61B7338DA
WideCharToMultiByte.KERNEL32 ref: 00007FF61B7338FD
gethostbyname.WS2_32 ref: 00007FF61B73390A
htons.WS2_32 ref: 00007FF61B733938
connect.WS2_32 ref: 00007FF61B733962
setsockopt.WS2_32 ref: 00007FF61B73399E
setsockopt.WS2_32 ref: 00007FF61B7339D1
setsockopt.WS2_32 ref: 00007FF61B733A04
setsockopt.WS2_32 ref: 00007FF61B733A2D
WSAIoctl.WS2_32 ref: 00007FF61B733A80

Strings

0u, xrefs: 00007FF61B7339EB

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: setsockopt$ByteCharMultiWidelstrlen$EventIoctlResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 3082052849-3203441087
Opcode ID: d7dedfdc74d27028bc8071cb557e224e85a0c6efb35fccbc3b8993d6d1d3f93e
Instruction ID: 9bce246c59077145d61380d68f67cd855a00375c878cf1e26807effec9d0398c
Opcode Fuzzy Hash: d7dedfdc74d27028bc8071cb557e224e85a0c6efb35fccbc3b8993d6d1d3f93e
Instruction Fuzzy Hash: 03713172608B8186E724DF21F44076AB7A5FB88B64F405239EA9E47B78DF3DD149CB04

Function 00007FF61B738AD0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF61B738AEB
wsprintfW.USER32 ref: 00007FF61B738B02

Part of subcall function 00007FF61B738900: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B73891C
Part of subcall function 00007FF61B738900: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B73892C
Part of subcall function 00007FF61B738900: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B738954
Part of subcall function 00007FF61B738900: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF61B738B10), ref: 00007FF61B738961

GetVersionExW.KERNEL32 ref: 00007FF61B738B31
GetCurrentProcess.KERNEL32 ref: 00007FF61B738B5D
OpenProcessToken.ADVAPI32 ref: 00007FF61B738B73
GetTokenInformation.KERNELBASE ref: 00007FF61B738BA8
GetLastError.KERNEL32 ref: 00007FF61B738BB6
LocalAlloc.KERNEL32 ref: 00007FF61B738BD5
GetTokenInformation.KERNELBASE ref: 00007FF61B738C08
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF61B738C15
GetSidSubAuthority.ADVAPI32 ref: 00007FF61B738C23
LocalFree.KERNEL32 ref: 00007FF61B738C2E
CloseHandle.KERNEL32 ref: 00007FF61B738C44
wsprintfW.USER32 ref: 00007FF61B738CA3

Strings

VenNetwork, xrefs: 00007FF61B738AD0

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
String ID: VenNetwork
API String ID: 4155081256-3057682757
Opcode ID: 544014d16ea7105ca2918a4ebfd3314dfb4a8e47be3c755dc7ae7334bb45691a
Instruction ID: f5ff45bb9c49f031090c7c5e4ec820267cf6317efb7314f965432ad04fb37a0f
Opcode Fuzzy Hash: 544014d16ea7105ca2918a4ebfd3314dfb4a8e47be3c755dc7ae7334bb45691a
Instruction Fuzzy Hash: C1413D31A0DE8286FB61DB61E4547B96360EB89FA1F846135CA4E866F4DE3CD94DC700

Function 00007FF61B74BDD0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeviceIoControl.KERNEL32 ref: 00007FF61B74BE74
DeviceIoControl.KERNEL32 ref: 00007FF61B74BEE3
GlobalAlloc.KERNEL32 ref: 00007FF61B74BF12
DeviceIoControl.KERNEL32 ref: 00007FF61B74BF5C
GlobalFree.KERNEL32 ref: 00007FF61B74BF7E
DeviceIoControl.KERNEL32 ref: 00007FF61B74BFCD
GlobalAlloc.KERNEL32 ref: 00007FF61B74BFF5
DeviceIoControl.KERNEL32 ref: 00007FF61B74C037
GlobalFree.KERNEL32 ref: 00007FF61B74C050
GlobalFree.KERNEL32 ref: 00007FF61B74C06F

Strings

%s-%s|, xrefs: 00007FF61B74C0DB
- External Hub, xrefs: 00007FF61B74C05B

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlDeviceGlobal$Free$Alloc
String ID: - External Hub$%s-%s|
API String ID: 3253977144-729331614
Opcode ID: 6b626a0ebb27f4899b856dfdbd77a6afa44de305ba64ec9147ca6ca1ee3b1713
Instruction ID: 51c750c204f0f1b29fa28b74ed5fef9d30a5f91f51ffe96883c7e95e64eb2ff5
Opcode Fuzzy Hash: 6b626a0ebb27f4899b856dfdbd77a6afa44de305ba64ec9147ca6ca1ee3b1713
Instruction Fuzzy Hash: 8AB17072A18B8185E760CF21A8403AEB7A0FB89BA4F545135DB8D977B5DF3CD549CB00

Function 00007FF61B73D9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B73DA44
GetLastInputInfo.USER32 ref: 00007FF61B73DAAB
GetTickCount.KERNEL32 ref: 00007FF61B73DAB1
wsprintfW.USER32 ref: 00007FF61B73DAE4
RegOpenKeyExW.KERNEL32 ref: 00007FF61B73DB72
RegQueryValueExW.KERNEL32 ref: 00007FF61B73DBA3

Strings

IpDatespecial, xrefs: 00007FF61B73DB9C
%d min, xrefs: 00007FF61B73DADD
Console, xrefs: 00007FF61B73DB64

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CountInfoInputLastOpenQueryTickValue_invalid_parameter_noinfo_noreturnwsprintf
String ID: %d min$Console$IpDatespecial
API String ID: 357503962-2712035571
Opcode ID: efa53836958f32f8ab0cb54a8671f626514f8aa22354df529298ed1da135f9ea
Instruction ID: 433dad3063e0dad06cfdcc02497ff4c725e298c78c69eca71017e8fbee46f5a3
Opcode Fuzzy Hash: efa53836958f32f8ab0cb54a8671f626514f8aa22354df529298ed1da135f9ea
Instruction Fuzzy Hash: 05519C72608EC585EB60DF28EC543B927A4EB48FA9F845131DA4C8B6B9DF3DC589C700

Function 00007FF61B73C7B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 00007FF61B73C7E4
GdipGetImageEncoders.GDIPLUS ref: 00007FF61B73C871
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF61B73C915
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 00007FF61B73C92D
GdipSaveImageToStream.GDIPLUS ref: 00007FF61B73C944
GdipDisposeImage.GDIPLUS ref: 00007FF61B73C951
GdipDisposeImage.GDIPLUS ref: 00007FF61B73C95E

Strings

&, xrefs: 00007FF61B73C8FD

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Gdip$Image$BitmapCreateDisposeEncodersFrom$SaveScan0SizeStream
String ID: &
API String ID: 370471037-3042966939
Opcode ID: 4526caf998ada3252c84406b8f766584f007c4df05e28e230d859843c7169577
Instruction ID: b0b2cc2ef8b911e03347536829480078da2f6d1def044593646ed5f89be336d9
Opcode Fuzzy Hash: 4526caf998ada3252c84406b8f766584f007c4df05e28e230d859843c7169577
Instruction Fuzzy Hash: 0C516132A08F8296EB11DB2698005B863A1FB4CFB8F456131DE5D97BB4DF3CE54A8340

Function 00007FF61B7391A0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF61B7391BD
GetProcAddress.KERNEL32 ref: 00007FF61B7391CD
GetNativeSystemInfo.KERNEL32 ref: 00007FF61B7391DD
GetSystemInfo.KERNEL32 ref: 00007FF61B7391E1

Strings

kernel32.dll, xrefs: 00007FF61B7391A7
GetNativeSystemInfo, xrefs: 00007FF61B7391C6

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 882c301155eb64aee104ed8b19a7cf0e71553aaaeea973eafe02328fb5bce8a2
Instruction ID: b4a956b5e8ec5caba5aee5769cb91fa3dc90b0e42333fd5a444c058b4147f4a5
Opcode Fuzzy Hash: 882c301155eb64aee104ed8b19a7cf0e71553aaaeea973eafe02328fb5bce8a2
Instruction Fuzzy Hash: E4F04F15E29E8682FA61E710A8142792251FB9CB15F907236E98E81674EE5CE7998B00

Function 00007FF61B738CD0 Relevance: 9.1, APIs: 6, Instructions: 67registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF61B738D32
RegQueryValueExW.KERNEL32 ref: 00007FF61B738D89
lstrcmpW.KERNEL32 ref: 00007FF61B738D9F
RegCloseKey.KERNEL32 ref: 00007FF61B738DCF
RegCloseKey.ADVAPI32 ref: 00007FF61B738DDD

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID:
API String ID: 4288439342-0
Opcode ID: 898e3f92dd09ced9f59f1214a1bb77de0c366a7caab65dc6ea004482ae0e6425
Instruction ID: 45bd8028779c45516c1f29b957f6d1e70732e476d923d365aa3bc0da0dcc9157
Opcode Fuzzy Hash: 898e3f92dd09ced9f59f1214a1bb77de0c366a7caab65dc6ea004482ae0e6425
Instruction Fuzzy Hash: 6C31643161CE8182E760CB25E88866A7364FB9CFA0F905231DA9D837B8DF3DD548DB40

Function 00007FF61B738E00 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 239COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 00007FF61B738E4C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B739191
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B739197

Strings

%s%s %d*%d , xrefs: 00007FF61B739094
%s%s %d %d , xrefs: 00007FF61B738F3F

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFactory
String ID: %s%s %d %d $%s%s %d*%d
API String ID: 2331002265-1924168580
Opcode ID: 8fa00d72778a232c14932e728595a13cc51c5fe8bf1a07966f1b6ffb0567861c
Instruction ID: 4aa91e66aeff47dc3e87449a961e378b1de1a10b56a09787b77a4d61ca0ba003
Opcode Fuzzy Hash: 8fa00d72778a232c14932e728595a13cc51c5fe8bf1a07966f1b6ffb0567861c
Instruction Fuzzy Hash: F3A19032B08F8589EB10CF65D4442AE7761FB88BA8F541622DE9D97BB8DF38D485C700

Function 00007FF61B758940 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B75896B
CreateThread.KERNEL32 ref: 00007FF61B7589AC
GetLastError.KERNEL32 ref: 00007FF61B7589BA
CloseHandle.KERNEL32 ref: 00007FF61B7589D0
FreeLibrary.KERNEL32 ref: 00007FF61B7589DF

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: bf8243345e757f2f55ee74e3b164a4444cec9f217b6620c703edaf3e446c73ac
Instruction ID: cb7365a1f40b7a51b235dd9420032500bdc171b078482ea7a2d2415d8f43ab04
Opcode Fuzzy Hash: bf8243345e757f2f55ee74e3b164a4444cec9f217b6620c703edaf3e446c73ac
Instruction Fuzzy Hash: A8216A25A0DF8286EA15AF66A40017AB3A0EF8CFA0F445535EE4D87775EF3CE4088708

Function 00007FF61B74C1B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF61B74C259
DeviceIoControl.KERNEL32 ref: 00007FF61B74C2A1

Strings

\\.\, xrefs: 00007FF61B74C1FE
L, xrefs: 00007FF61B74C289

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlCreateDeviceFile
String ID: L$\\.\
API String ID: 107608037-1891537229
Opcode ID: 0cbf31d1c7ae4fdc9b9f59bce1c389b46034841fd4249985a256846f0105b842
Instruction ID: 97df11e47fb2289cea21121a518b34500f02eb61cee528d03db99f62a074f791
Opcode Fuzzy Hash: 0cbf31d1c7ae4fdc9b9f59bce1c389b46034841fd4249985a256846f0105b842
Instruction Fuzzy Hash: CD31C472608B8481E7408F61B0503797BA0EB89FF4F085235EAAA477E5CF7CC5098B00

Function 00007FF61B733E30 Relevance: 6.1, APIs: 4, Instructions: 120threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF61B733E51
send.WS2_32 ref: 00007FF61B733F43
send.WS2_32 ref: 00007FF61B733F90
GetCurrentThreadId.KERNEL32 ref: 00007FF61B733FBA

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CurrentThreadsend
String ID:
API String ID: 302076607-0
Opcode ID: 8fc84bb4e0a68a1d65a8e1ac48c208ce2ab72bf0ff2939eb6e9be73f1c549aff
Instruction ID: be980203ad7fa4122fa66c5caefbedb174125c91f5513eb833e4e82ffb7099a7
Opcode Fuzzy Hash: 8fc84bb4e0a68a1d65a8e1ac48c208ce2ab72bf0ff2939eb6e9be73f1c549aff
Instruction Fuzzy Hash: 17518F22A04B4687E724DF26E08436A77B0FB48F94F45A035DB5987B75DF39E45A8340

Function 00007FF61B7337A0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF61B7337DD
CancelIo.KERNEL32 ref: 00007FF61B7337EA
closesocket.WS2_32 ref: 00007FF61B7337FA
SetEvent.KERNEL32 ref: 00007FF61B733804

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 2fb1975f05564cd4b635324778d61c2216334fb941b2a99bb5b0bfd9df8af0fc
Instruction ID: cc278f388b608fb4700a04d240fc2c6d81ef268dd76b082f3da1fe5084b94e43
Opcode Fuzzy Hash: 2fb1975f05564cd4b635324778d61c2216334fb941b2a99bb5b0bfd9df8af0fc
Instruction Fuzzy Hash: B8F01D36604A8187E7149F25E55436AB371FB88B64F905335CBAD4BAB4CF39D4698700

Function 00007FF61B74C5C0 Relevance: 4.6, APIs: 3, Instructions: 79stringCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00007FF61B74C603
DeviceIoControl.KERNEL32 ref: 00007FF61B74C653

Part of subcall function 00007FF61B74C520: WideCharToMultiByte.KERNEL32 ref: 00007FF61B74C555
Part of subcall function 00007FF61B74C520: WideCharToMultiByte.KERNEL32 ref: 00007FF61B74C590

lstrcpyA.KERNEL32 ref: 00007FF61B74C6D2

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ByteCharMultiWide$ControlDefaultDeviceLangSystemlstrcpy
String ID:
API String ID: 3058672631-0
Opcode ID: f9daac3b4797e4e4ed63acccb6d7f5589fa86b82bdaf3d0711c722ad5586c17b
Instruction ID: e38f6a6df8768cb1670b948921a86002f220e4b57fb84c55a16fae3c2779716b
Opcode Fuzzy Hash: f9daac3b4797e4e4ed63acccb6d7f5589fa86b82bdaf3d0711c722ad5586c17b
Instruction Fuzzy Hash: EE31C73160CA8285EB10DB11E4443AAA7A5EB8DFA1F54A135FA9DC7BB5DF3DD444CB00

Function 00007FF61B73C9B0 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B7361E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF61B736231
Part of subcall function 00007FF61B7361E0: GetLastError.KERNEL32 ref: 00007FF61B73623B

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF61B73C7D4), ref: 00007FF61B73C9DA
GdiplusStartup.GDIPLUS ref: 00007FF61B73CA0F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF61B73C7D4), ref: 00007FF61B73CA27

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorGdiplusInitializeLastLeaveStartup
String ID:
API String ID: 2723390537-0
Opcode ID: 65629aaaa719a2e99d15e3f5434e13b9281ffa3b8c64cff51ac5a9778f412de6
Instruction ID: 6ced40fde7c0670967b0b0bb020227e065c5ccbec97acf9070c9f0513969a1b0
Opcode Fuzzy Hash: 65629aaaa719a2e99d15e3f5434e13b9281ffa3b8c64cff51ac5a9778f412de6
Instruction Fuzzy Hash: 18014032508B8586E750DF25E44436A77E5F789F55F882025EA8997674CF3CD059CB40

Function 00007FF61B758878 Relevance: 4.5, APIs: 3, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EBE8: GetLastError.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EBF7
Part of subcall function 00007FF61B75EBE8: SetLastError.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EC97

CloseHandle.KERNEL32(?,?,?,00007FF61B758A25,?,?,?,?,00007FF61B758869), ref: 00007FF61B7588B3
FreeLibraryAndExitThread.KERNEL32(?,?,?,00007FF61B758A25,?,?,?,?,00007FF61B758869), ref: 00007FF61B7588C9
ExitThread.KERNEL32 ref: 00007FF61B7588D2

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 9d899525cbf94069d0aecb2dad8b7ed7b52f5d6c34f84ba4291cfdf2ce1d2a7a
Instruction ID: d6f0719dc975e4af600b0257cdfe840cb72cd261e5a6f93ada963e100d55031f
Opcode Fuzzy Hash: 9d899525cbf94069d0aecb2dad8b7ed7b52f5d6c34f84ba4291cfdf2ce1d2a7a
Instruction Fuzzy Hash: DCF06221A29EC692FE546B2094442BD2264EF48F35F5C6735D63C962F5DF3CE84D8344

Function 00007FF61B74C520 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF61B74C555
WideCharToMultiByte.KERNEL32 ref: 00007FF61B74C590

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: bb8afed493b508f7922d7b4954a12e94e0c77452b6319c2f16ef211ca1375834
Instruction ID: db963061250dc2416aa08d3bcf058fdd93c8e33ac71cfb2b6f68cbd49480648b
Opcode Fuzzy Hash: bb8afed493b508f7922d7b4954a12e94e0c77452b6319c2f16ef211ca1375834
Instruction Fuzzy Hash: F3117332708F8186E7509F27784002D76E5FB88FA0B585238EA5E877B5DF38E4158704

Function 00007FF61B733DA0 Relevance: 3.0, APIs: 2, Instructions: 41timeCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF61B733DCD
timeGetTime.WINMM ref: 00007FF61B733DF1

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 2becff6657bc7d5012ec94526cf32972d5272bc21be79492e35a94961d449a59
Instruction ID: 436d0d24840463e2ba976a6d417f6154572c29c031939e3f1e1dbeec47b34553
Opcode Fuzzy Hash: 2becff6657bc7d5012ec94526cf32972d5272bc21be79492e35a94961d449a59
Instruction Fuzzy Hash: A8011B22A18A458AE7648B65E1C836D26A0F749BA4F452234C65A8A7B4CF7CD4A9C701

Function 00007FF61B758808 Relevance: 3.0, APIs: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF61B758816
ExitThread.KERNEL32 ref: 00007FF61B75881E

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 86e50ef011b0631a2311c12b12e79fa44030a146f353d628d3291aff0b0405bd
Instruction ID: 5d97d6407040338c8b3ce25958d4ba59ef3742200c9fca866a0366e0377a0b24
Opcode Fuzzy Hash: 86e50ef011b0631a2311c12b12e79fa44030a146f353d628d3291aff0b0405bd
Instruction Fuzzy Hash: CCF09022E1AE8286FF04BB7194191BC1260AF5DF60F043534D90AD73B2DF2CA84D8304

Function 00007FF61B74DE98 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B74DEC8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B74DECE

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: a47e5a6ac0625703f2fd5b566550f71a2f7208a7861a0071670bc6a0f9e7358f
Instruction ID: 93b523c6a7a98f8dc5fb0d58b4917a24858a39c0888e983c076117a0fad4e964
Opcode Fuzzy Hash: a47e5a6ac0625703f2fd5b566550f71a2f7208a7861a0071670bc6a0f9e7358f
Instruction Fuzzy Hash: FDE0B651E1EE1749FD696172265517401500F6DF72E283B30D9BE842F3AE1CA89D8314

Function 00007FF61B75E6BC Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6D2
GetLastError.KERNEL32(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6DC

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a27750d6ae148c980c7c980f65ba2d3e2e52c6c92a9735542c6e0cceef461146
Instruction ID: 35835f01622c6ebd4a32428a1b30e86f2cd708b465d5ec6cb6ee5bc3e3f17d05
Opcode Fuzzy Hash: a27750d6ae148c980c7c980f65ba2d3e2e52c6c92a9735542c6e0cceef461146
Instruction Fuzzy Hash: B2E0E651F19D5343FB146BB2985507421519F8CF71F447834D91ED6275EE2C684D4718

Function 00007FF61B731730 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF61B731796
VirtualFree.KERNELBASE ref: 00007FF61B7317CA

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 616965ea612f33b462fe03c73724eb49c1abe59c321f00a6c33259c6d796c58f
Instruction ID: 80bc0de63225a9ed9b3a7b56f1c5488336c6aac400ace687f567fe44a0001f32
Opcode Fuzzy Hash: 616965ea612f33b462fe03c73724eb49c1abe59c321f00a6c33259c6d796c58f
Instruction Fuzzy Hash: 27216531B18E4586D724DB2AF44012AB7B1FB88B90B149135EB9ED3B38DF3CE5858B44

Function 00007FF61B731670 Relevance: 2.6, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF61B7316C4
VirtualFree.KERNEL32 ref: 00007FF61B7316FE

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 0d2589c5e0cc1a94e4b3bf8f4f54a9d1287f00ffced7c8db5b8a82110618710c
Instruction ID: a8a211fd62645928d7350b256d5f79e61f5cb02218b549174aac4adbf63cee54
Opcode Fuzzy Hash: 0d2589c5e0cc1a94e4b3bf8f4f54a9d1287f00ffced7c8db5b8a82110618710c
Instruction Fuzzy Hash: 8C119671B28E8182E705CF26A440129A3A5EF9CFD4B146131E94ED7B78DF3CD9958B40

Function 00007FF61B74DFC0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B74DC60: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF61B74DC74

__scrt_release_startup_lock.LIBCMT ref: 00007FF61B74E057

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 2217363868-0
Opcode ID: cbc0649b0607904615e0344cdc653858b0dfbbed05089a03dbfd93f3e9e99ab1
Instruction ID: 7b558f7b40ecc40c8cb8633078977d7cb8fa1c0fcae280ee9a1363521ffe9ae0
Opcode Fuzzy Hash: cbc0649b0607904615e0344cdc653858b0dfbbed05089a03dbfd93f3e9e99ab1
Instruction Fuzzy Hash: 64316B21E0CE4781FA18AB20D4513B92291AF4DFB5F947835D94DCB2F3DE2DA84D8700

Function 00007FF61B731000 Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF61B731022

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 27a40b9f3cf52b959e37d45274ab80e386b8a2eb9336faf4e796e06ae50c97e7
Instruction ID: 516bc6c84f71f9d355bd6b05c5b0a9361ddcb8858b3b62a91bd03dfe551be502
Opcode Fuzzy Hash: 27a40b9f3cf52b959e37d45274ab80e386b8a2eb9336faf4e796e06ae50c97e7
Instruction Fuzzy Hash: 66E04F36B09945CAE611AF24D4490687364F76D710F805131E58CC7774DE2CD5598F00

Function 00007FF61B75EDD0 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF61B76252D,?,?,00000000,00007FF61B75A3FB,?,?,?,00007FF61B75C5D3,?,?,?,00007FF61B75C4C9), ref: 00007FF61B75EE0E

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c5d91307553507d7a0b65c4578cb45837d9ca66b83f15ba5a6112bdae37f71ee
Instruction ID: f3c235a5399bada882d2f271c3c1f8f5c4fd5e43ae8f1144c36a01d635980733
Opcode Fuzzy Hash: c5d91307553507d7a0b65c4578cb45837d9ca66b83f15ba5a6112bdae37f71ee
Instruction Fuzzy Hash: 56F05810A2DE4689FA686A62584127821815F8CFB0F08AE34D82EC66F2DE2CA4894318

Non-executed Functions

Function 00007FF61B739320 Relevance: 68.5, APIs: 29, Strings: 10, Instructions: 221libraryloaderinjectionCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF61B739396
CreateProcessA.KERNEL32 ref: 00007FF61B7393F9
GetCurrentProcess.KERNEL32 ref: 00007FF61B739407
OpenProcessToken.ADVAPI32 ref: 00007FF61B73941C
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B73943A
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B739482
OpenProcess.KERNEL32 ref: 00007FF61B73949B
LoadLibraryA.KERNEL32 ref: 00007FF61B7394C5
GetProcAddress.KERNEL32 ref: 00007FF61B7394D5
LoadLibraryA.KERNEL32 ref: 00007FF61B7394E6
GetProcAddress.KERNEL32 ref: 00007FF61B7394F6
LoadLibraryA.KERNEL32 ref: 00007FF61B739507
GetProcAddress.KERNEL32 ref: 00007FF61B739517
LoadLibraryA.KERNEL32 ref: 00007FF61B739528
GetProcAddress.KERNEL32 ref: 00007FF61B739538
GetCurrentProcess.KERNEL32 ref: 00007FF61B739542
GetProcessId.KERNEL32 ref: 00007FF61B73954B
GetModuleFileNameA.KERNEL32 ref: 00007FF61B73957F
VirtualAllocEx.KERNEL32 ref: 00007FF61B7395B5
WriteProcessMemory.KERNEL32 ref: 00007FF61B7395DC
VirtualProtectEx.KERNEL32 ref: 00007FF61B73960F
VirtualAllocEx.KERNEL32 ref: 00007FF61B73962E
WriteProcessMemory.KERNEL32 ref: 00007FF61B739658
VirtualProtectEx.KERNEL32 ref: 00007FF61B739684
CreateRemoteThread.KERNEL32 ref: 00007FF61B7396A7
Sleep.KERNEL32 ref: 00007FF61B7396BA
VirtualProtectEx.KERNEL32 ref: 00007FF61B7396DE
VirtualProtectEx.KERNEL32 ref: 00007FF61B739702
ResumeThread.KERNEL32 ref: 00007FF61B73970B

Strings

Kernel32.dll, xrefs: 00007FF61B7394BE, 00007FF61B7394DB, 00007FF61B7394FC, 00007FF61B73951D
h, xrefs: 00007FF61B73937D
OpenProcess, xrefs: 00007FF61B7394CE
%s%s, xrefs: 00007FF61B7393B1
@, xrefs: 00007FF61B739617
ExitProcess, xrefs: 00007FF61B7394EF
WaitForSingleObject, xrefs: 00007FF61B739531
SeDebugPrivilege, xrefs: 00007FF61B739433
Windows\System32\svchost.exe, xrefs: 00007FF61B73939C
WinExec, xrefs: 00007FF61B739510

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect$AllocCreateCurrentMemoryOpenThreadTokenWrite$AdjustDirectoryFileLookupModuleNamePrivilegePrivilegesRemoteResumeSleepSystemValue
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$SeDebugPrivilege$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 3040193174-4212407401
Opcode ID: 0c2d203bb3590072b2790da5483ee898493f9f682a060de060c9115ce93124ea
Instruction ID: e1649dc2dd3d3645c05bc87587aef297983cee55a160037f82ccb8a5b03546a5
Opcode Fuzzy Hash: 0c2d203bb3590072b2790da5483ee898493f9f682a060de060c9115ce93124ea
Instruction Fuzzy Hash: CBA13E32A18F8286F7219F61E8147E923A4FB4CBA8F446135DA4D9AB74DF7CD249C740

Function 00007FF61B73ADB0 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 286stringclipboardfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00000000,00002514,00000000,00000000,00000000,00007FF61B7379D1), ref: 00007FF61B73AE08
GetTickCount.KERNEL32 ref: 00007FF61B73AE0E
GetTickCount.KERNEL32 ref: 00007FF61B73AE25
OpenClipboard.USER32 ref: 00007FF61B73AE33
GetClipboardData.USER32 ref: 00007FF61B73AE3E
GlobalSize.KERNEL32 ref: 00007FF61B73AE53
GlobalLock.KERNEL32 ref: 00007FF61B73AE63
wsprintfW.USER32 ref: 00007FF61B73AECE
WaitForSingleObject.KERNEL32 ref: 00007FF61B73AEE0
CreateFileW.KERNEL32 ref: 00007FF61B73AF14
SetFilePointer.KERNEL32 ref: 00007FF61B73AF3C
lstrlenW.KERNEL32 ref: 00007FF61B73AF47
WriteFile.KERNEL32 ref: 00007FF61B73AF6A
CloseHandle.KERNEL32 ref: 00007FF61B73AF73
ReleaseMutex.KERNEL32 ref: 00007FF61B73AF80
GlobalUnlock.KERNEL32 ref: 00007FF61B73AF9B
CloseClipboard.USER32 ref: 00007FF61B73AFA1
GetForegroundWindow.USER32 ref: 00007FF61B73AFBB
GetWindowTextW.USER32 ref: 00007FF61B73AFD8
lstrlenW.KERNEL32 ref: 00007FF61B73B00E
GetLocalTime.KERNEL32 ref: 00007FF61B73B021
wsprintfW.USER32 ref: 00007FF61B73B074
GetKeyState.USER32 ref: 00007FF61B73B153
lstrlenW.KERNEL32 ref: 00007FF61B73B1A0
lstrlenW.KERNEL32 ref: 00007FF61B73B1C1
wsprintfW.USER32 ref: 00007FF61B73B211
wsprintfW.USER32 ref: 00007FF61B73B22F
lstrlenW.KERNEL32 ref: 00007FF61B73B2A7

Strings

%s%s, xrefs: 00007FF61B73B24D
[, xrefs: 00007FF61B73B05C
[esc], xrefs: 00007FF61B73ADFC
%s%s, xrefs: 00007FF61B73B207
%s%s, xrefs: 00007FF61B73B21B
[, xrefs: 00007FF61B73AEC2

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrlen$wsprintf$ClipboardFileGlobal$CloseCountTickWindow$CreateDataForegroundHandleLocalLockMutexObjectOpenPointerReleaseSingleSizeSleepStateTextTimeUnlockWaitWrite
String ID: [$[$%s%s$%s%s$%s%s$[esc]
API String ID: 3669393114-972647286
Opcode ID: e6ab48ff98ca9ddfa9a13a1758a8a9b1ffd3d9cd46131382e05cf3f4eced504b
Instruction ID: 5fe4035328ad3c736a05e6bf52d94e091d5b1429ca69fb6aa9e8052447c45ca2
Opcode Fuzzy Hash: e6ab48ff98ca9ddfa9a13a1758a8a9b1ffd3d9cd46131382e05cf3f4eced504b
Instruction Fuzzy Hash: 02D13A21A0CE8686F714EB55E8842B963A0FF9DB60F806536D94EC66B4DF3CE64DC700

Function 00007FF61B73D410 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 385stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF61B73D437
wsprintfW.USER32 ref: 00007FF61B73D47F
lstrlenW.KERNEL32 ref: 00007FF61B73D4C5
lstrlenW.KERNEL32 ref: 00007FF61B73D4E6
lstrlenW.KERNEL32 ref: 00007FF61B73D4F9
lstrlenW.KERNEL32 ref: 00007FF61B73D58D
lstrlenW.KERNEL32 ref: 00007FF61B73D5AC
lstrlenW.KERNEL32 ref: 00007FF61B73D5BF
lstrlenW.KERNEL32 ref: 00007FF61B73D649
lstrlenW.KERNEL32 ref: 00007FF61B73D65C
CreateEventA.KERNEL32 ref: 00007FF61B73D7AD

Strings

t1:, xrefs: 00007FF61B73D652
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF61B73D471
o1:, xrefs: 00007FF61B73D5B5
p1:, xrefs: 00007FF61B73D4EF

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrlen$CreateEventLocalTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 2157945651-1225219777
Opcode ID: 4ab38958384f3d8ae6ea9e35e84b41bd479a6b61bb859707b2bd8aeb0401d26c
Instruction ID: 22f2c51064e9c90ab5bf628be6127dae6c26eb0d5a54af25bd34eb1605d4a004
Opcode Fuzzy Hash: 4ab38958384f3d8ae6ea9e35e84b41bd479a6b61bb859707b2bd8aeb0401d26c
Instruction Fuzzy Hash: CDF1F962F18A9286EB24DF25D4403BD2361FB48FA4F406231DA5E97AB5DF7CE589C700

Function 00007FF61B7397A0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF61B7397D5
GetProcAddress.KERNEL32 ref: 00007FF61B7397E8
GetProcAddress.KERNEL32 ref: 00007FF61B739816
FreeLibrary.KERNEL32 ref: 00007FF61B739847
CreateFileW.KERNEL32 ref: 00007FF61B739874
GetProcAddress.KERNEL32 ref: 00007FF61B7398BC
WriteFile.KERNEL32 ref: 00007FF61B739906
CloseHandle.KERNEL32 ref: 00007FF61B73991E
Sleep.KERNEL32 ref: 00007FF61B739931
GetProcAddress.KERNEL32 ref: 00007FF61B739941
FreeLibrary.KERNEL32 ref: 00007FF61B73995C

Strings

MSIE 6.0, xrefs: 00007FF61B7397F9
InternetOpenW, xrefs: 00007FF61B7397DE
InternetReadFile, xrefs: 00007FF61B7398B2
wininet.dll, xrefs: 00007FF61B7397C3
InternetOpenUrlW, xrefs: 00007FF61B73980C
InternetCloseHandle, xrefs: 00007FF61B739937

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: b869be42eea26ef83cf2f127258845e1be2102d2018284c86f6782853b1c64bb
Instruction ID: cffcd07eed820329d9087052b1fb5e1360280775368eb4be56f61105836b460c
Opcode Fuzzy Hash: b869be42eea26ef83cf2f127258845e1be2102d2018284c86f6782853b1c64bb
Instruction Fuzzy Hash: CD41A325609A8286FA60EB11A9147BA67A0FB8DFB4F446130CD9E87774DF3CD54CCB40

Function 00007FF61B740E20 Relevance: 27.3, APIs: 18, Instructions: 322clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B74D14C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B74D169
Part of subcall function 00007FF61B74D14C: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF61B74D18C
Part of subcall function 00007FF61B74D14C: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B74D221

Part of subcall function 00007FF61B741620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B741639
Part of subcall function 00007FF61B741620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B74165E
Part of subcall function 00007FF61B741620: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741688
Part of subcall function 00007FF61B741620: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741722
Part of subcall function 00007FF61B741620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B741732
Part of subcall function 00007FF61B741620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B741757
Part of subcall function 00007FF61B741620: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741781

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B741062
lstrlenW.KERNEL32 ref: 00007FF61B741085
Sleep.KERNEL32 ref: 00007FF61B7410E5
OpenClipboard.USER32 ref: 00007FF61B7410FB
GetClipboardData.USER32 ref: 00007FF61B74110A
GlobalLock.KERNEL32 ref: 00007FF61B74111B
GlobalUnlock.KERNEL32 ref: 00007FF61B741136
CloseClipboard.USER32 ref: 00007FF61B74113C
CloseClipboard.USER32 ref: 00007FF61B741158
OpenClipboard.USER32 ref: 00007FF61B741180
EmptyClipboard.USER32 ref: 00007FF61B74118A
GlobalAlloc.KERNEL32 ref: 00007FF61B7411A2
GlobalLock.KERNEL32 ref: 00007FF61B7411B3
GlobalUnlock.KERNEL32 ref: 00007FF61B7411DD
SetClipboardData.USER32 ref: 00007FF61B7411EB
CloseClipboard.USER32 ref: 00007FF61B7411F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B74127E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B741284

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Lockitstd::_$Clipboard$GlobalLockit::_$Lockit::~_$Close_invalid_parameter_noinfo_noreturn$DataLockOpenUnlock$AllocEmptySetgloballocaleSleeplstrlenstd::locale::_
String ID:
API String ID: 1851032462-0
Opcode ID: 57475f5eeade9a15ba90b0c6b2e4b195fe2ff05ea7ed50c1724f462bec61f548
Instruction ID: fb2f2980a5cec065c818c72f0cd903d544b892519a5cffae962bad4956102fe1
Opcode Fuzzy Hash: 57475f5eeade9a15ba90b0c6b2e4b195fe2ff05ea7ed50c1724f462bec61f548
Instruction Fuzzy Hash: 49D1B262B08F8282EB10AF65E4442AD6361FF89FA5F446135EA5D87BB9DF3CD448C700

Function 00007FF61B73CD40 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 406threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF61B73CF12
CreateProcessA.KERNEL32 ref: 00007FF61B73CF6E
VirtualAllocEx.KERNEL32 ref: 00007FF61B73CF97
WriteProcessMemory.KERNEL32 ref: 00007FF61B73CFBC
GetThreadContext.KERNEL32 ref: 00007FF61B73CFE0
SetThreadContext.KERNEL32 ref: 00007FF61B73D001
ResumeThread.KERNEL32 ref: 00007FF61B73D014

Strings

plugmark, xrefs: 00007FF61B73CE43
h, xrefs: 00007FF61B73CEE6
d91774dd-ee7f-4c3d-8560-05242810d920, xrefs: 00007FF61B73D262
nlyloadinmyself, xrefs: 00007FF61B73CD94
%s%s, xrefs: 00007FF61B73CF27
@, xrefs: 00007FF61B73CF8A
Windows\System32\svchost.exe, xrefs: 00007FF61B73CF18
%s %s, xrefs: 00007FF61B73D05B, 00007FF61B73D1EF, 00007FF61B73D2D3, 00007FF61B73D369

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s %s$%s%s$@$Windows\System32\svchost.exe$d91774dd-ee7f-4c3d-8560-05242810d920$h$nlyloadinmyself$plugmark
API String ID: 4033188109-3660303421
Opcode ID: 046c22b18b6f5ac0ccc3cac11c7471c69f57d2820ce8935287c8eeb1aafb36af
Instruction ID: fe306dcbf4d5673d87923f8089fcc53a841e7bb8844e7ffeb4dbfb6de2113851
Opcode Fuzzy Hash: 046c22b18b6f5ac0ccc3cac11c7471c69f57d2820ce8935287c8eeb1aafb36af
Instruction Fuzzy Hash: AC129D62B18E8282E720CF26D4442BD67A1FB99B94F449136DB4D87BB6DF3CD589C700

Function 00007FF61B73E3E9 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF61B73E3E9
OpenProcessToken.ADVAPI32 ref: 00007FF61B73E3FE
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B73E426
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B73E44A
GetLastError.KERNEL32 ref: 00007FF61B73E450
CloseHandle.KERNEL32 ref: 00007FF61B73E45D
ExitWindowsEx.USER32 ref: 00007FF61B73E56F
GetCurrentProcess.KERNEL32 ref: 00007FF61B73E575
OpenProcessToken.ADVAPI32 ref: 00007FF61B73E58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B73E5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B73E5D6
GetLastError.KERNEL32 ref: 00007FF61B73E5DC
CloseHandle.KERNEL32 ref: 00007FF61B73E5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF61B73E415, 00007FF61B73E5A5

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: 207f020c3be7a49f4dae7fd528dd377aaad196edefdcd6a65a6542525f0315a2
Instruction ID: e13d6b8f71bca6a09f3ab91b32baccc296f4e54ee2543668324d977a89e65d26
Opcode Fuzzy Hash: 207f020c3be7a49f4dae7fd528dd377aaad196edefdcd6a65a6542525f0315a2
Instruction Fuzzy Hash: E8314C35A0CEC281F720AF25E8543AA6360FB88F66F406035DA4E96A74DF3DD58EC700

Function 00007FF61B74A5A0 Relevance: 25.8, APIs: 17, Instructions: 347memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A5E5
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A66A
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A6BF
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A6DE
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A741
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A762
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A776
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A793
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A7AF
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A7CC
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74AAB2

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$Alloc$ErrorLast$FreeHeap$InfoNativeProcessSystem
String ID:
API String ID: 1282860858-0
Opcode ID: 88d7adfe9b312bdb6fdf674f549a5cc549a824bf45d913ac83d4f697423f226a
Instruction ID: dc3f825638a1ea23076682fd21a7a6aba27e98fa1c5b903e8180c37ca7a99551
Opcode Fuzzy Hash: 88d7adfe9b312bdb6fdf674f549a5cc549a824bf45d913ac83d4f697423f226a
Instruction Fuzzy Hash: 7AD18E32B19E4286FB61AB16E45077973A4EF4CFA5F456035CA4E87BB0EE3CE4498300

Function 00007FF61B73E46D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 62shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF61B73E46D
OpenProcessToken.ADVAPI32 ref: 00007FF61B73E482
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B73E4AA
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B73E4CE
GetLastError.KERNEL32 ref: 00007FF61B73E4D4
CloseHandle.KERNEL32 ref: 00007FF61B73E4E1
ExitWindowsEx.USER32 ref: 00007FF61B73E56F
GetCurrentProcess.KERNEL32 ref: 00007FF61B73E575
OpenProcessToken.ADVAPI32 ref: 00007FF61B73E58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B73E5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B73E5D6
GetLastError.KERNEL32 ref: 00007FF61B73E5DC
CloseHandle.KERNEL32 ref: 00007FF61B73E5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF61B73E499, 00007FF61B73E5A5

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: eb7aa2d56a82b613c27039d286a92213749df77ba304c44aa2638bc2cb38e150
Instruction ID: bbdb13ce30b56d2fdda25bc07881d197b0dd76bf34a5f3d7c4bcc7ad365b839a
Opcode Fuzzy Hash: eb7aa2d56a82b613c27039d286a92213749df77ba304c44aa2638bc2cb38e150
Instruction Fuzzy Hash: 39312D35A0CE8281F720AF25E8143AA6360FB88F66F406035DA4D96A74DF3DD18EC700

Function 00007FF61B73E4EE Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 61shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF61B73E4EE
OpenProcessToken.ADVAPI32 ref: 00007FF61B73E503
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B73E52B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B73E54F
GetLastError.KERNEL32 ref: 00007FF61B73E555
CloseHandle.KERNEL32 ref: 00007FF61B73E562
ExitWindowsEx.USER32 ref: 00007FF61B73E56F
GetCurrentProcess.KERNEL32 ref: 00007FF61B73E575
OpenProcessToken.ADVAPI32 ref: 00007FF61B73E58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF61B73E5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF61B73E5D6
GetLastError.KERNEL32 ref: 00007FF61B73E5DC
CloseHandle.KERNEL32 ref: 00007FF61B73E5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF61B73E51A, 00007FF61B73E5A5

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: 2905a319caa5e6a93b8be62912fe952188e187deaf7a97c308075b004fe8cd81
Instruction ID: 7b45f7c75a3f359d9419bf77faae0275cde779c3a08c33e74f230644719c64a5
Opcode Fuzzy Hash: 2905a319caa5e6a93b8be62912fe952188e187deaf7a97c308075b004fe8cd81
Instruction Fuzzy Hash: 13310B35A08E8281F720AF25E8143AA6760FB88F66F406035DA4D96A74DF7DD58EC700

Function 00007FF61B768584 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF61B7685D2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B768C3E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B768DB4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B769072
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B769292
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7694CF
memcpy_s.LIBCPMT ref: 00007FF61B7695AA
memcpy_s.LIBCPMT ref: 00007FF61B769655
memcpy_s.LIBCPMT ref: 00007FF61B769724

Strings

1#INF, xrefs: 00007FF61B7686FB
1#QNAN, xrefs: 00007FF61B7686EB
1#SNAN, xrefs: 00007FF61B7686E2
1#IND, xrefs: 00007FF61B7686BF

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 622423286a591ad007cfa081ef015de5a4a39bf13039204cb660433145fa8b31
Instruction ID: bb4764ce74d0e8dcb3ea7205db22bc4e903921cc3d371dd12f1ec3efc0ce0a90
Opcode Fuzzy Hash: 622423286a591ad007cfa081ef015de5a4a39bf13039204cb660433145fa8b31
Instruction Fuzzy Hash: D3B2D4B2A186C28BF7658E64D4407FD37A1FB5CB94F406136DA0D97AB4DF38A908CB40

Function 00007FF61B73B410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232memorytimeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF61B73B444

Part of subcall function 00007FF61B731200: GetProcessHeap.KERNEL32 ref: 00007FF61B731236

HeapCreate.KERNEL32 ref: 00007FF61B73B50F
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF61B73B56F
CreateEventW.KERNEL32 ref: 00007FF61B73B5A2
CreateEventW.KERNEL32 ref: 00007FF61B73B5C2
CreateEventW.KERNEL32 ref: 00007FF61B73B5E2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF61B73B6B3
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF61B73B6C7
timeGetTime.WINMM ref: 00007FF61B73B739
CreateEventW.KERNEL32 ref: 00007FF61B73B74F
CreateEventW.KERNEL32 ref: 00007FF61B73B763

Strings

<, xrefs: 00007FF61B73B47D
<, xrefs: 00007FF61B73B484

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Create$Event$CountCriticalInitializeSectionSpin$Heap$ProcessTimetime
String ID: <$<
API String ID: 2446585644-213342407
Opcode ID: b1ad8ba58de1e0846612e2a068909c756507ce6fc06109a86d1a20cc9e8294d7
Instruction ID: e2e36ccdb18254aab61216ce4b800d702bd31a1e28a7c113bbf3159a3f13fd8e
Opcode Fuzzy Hash: b1ad8ba58de1e0846612e2a068909c756507ce6fc06109a86d1a20cc9e8294d7
Instruction Fuzzy Hash: F2B13A72605B828AE744DF35E5853A937A5FB48F18F985138CB4C8BBB5DF38A068C714

Function 00007FF61B740900 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF61B740970
RegQueryValueExW.ADVAPI32 ref: 00007FF61B7409EF
lstrcpyW.KERNEL32 ref: 00007FF61B740B72
RegCloseKey.ADVAPI32 ref: 00007FF61B740B84
RegCloseKey.ADVAPI32 ref: 00007FF61B740B92

Strings

%08X, xrefs: 00007FF61B740B0D

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: 5daa38b5fec1510e7cc40f4dc4df9c16a8fb62c5527b438061e7080e78411b39
Instruction ID: b4b15bdecbbb0d1d09458c8d137a8cf2ee8d1207a9206da6fb68d3940d0a9d65
Opcode Fuzzy Hash: 5daa38b5fec1510e7cc40f4dc4df9c16a8fb62c5527b438061e7080e78411b39
Instruction Fuzzy Hash: 86513B6260CEC185E7709B25E8443AAB3A1FB89B65F805135D79D83AB8DF3CD548CB08

Function 00007FF61B7676DC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EA70: GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
Part of subcall function 00007FF61B75EA70: FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
Part of subcall function 00007FF61B75EA70: SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

TranslateName.LIBCMT ref: 00007FF61B767746
TranslateName.LIBCMT ref: 00007FF61B767781
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF61B75D4D8), ref: 00007FF61B7677C8
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF61B75D4D8), ref: 00007FF61B767800
GetLocaleInfoW.KERNEL32 ref: 00007FF61B7679BD

Strings

utf8, xrefs: 00007FF61B7678E4

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 8c099eda83a5c1324d953c8da46f7dcfc7382bd5fb40a4303c146f7c8692acb4
Instruction ID: 8b32030deef56045539bd4c6d8e378cb8c81ee44aededc1ddb08a2724aec319e
Opcode Fuzzy Hash: 8c099eda83a5c1324d953c8da46f7dcfc7382bd5fb40a4303c146f7c8692acb4
Instruction Fuzzy Hash: 79918B32A08B8285FB259F21D5416B9A3A4EB48FE0F44A531DE4C877B5EF3CE959C340

Function 00007FF61B768124 Relevance: 10.7, APIs: 7, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EA70: GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
Part of subcall function 00007FF61B75EA70: FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
Part of subcall function 00007FF61B75EA70: SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

Part of subcall function 00007FF61B75EA70: FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAB5

GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF61B768294

Part of subcall function 00007FF61B75EA70: FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAE2
Part of subcall function 00007FF61B75EA70: FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAF3
Part of subcall function 00007FF61B75EA70: FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB04

EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF61B75D4D1), ref: 00007FF61B76827B
ProcessCodePage.LIBCMT ref: 00007FF61B7682BE
IsValidCodePage.KERNEL32 ref: 00007FF61B7682D0
IsValidLocale.KERNEL32 ref: 00007FF61B7682E6
GetLocaleInfoW.KERNEL32 ref: 00007FF61B768342
GetLocaleInfoW.KERNEL32 ref: 00007FF61B76835E

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: f1a69095846091a71a20ee3ef6c788d879191f60c9ca7d1b933c088628ba7f76
Instruction ID: f6efc4335fbe0825ca0b3b59cd51469d28558c2dd13fe51585c7c1a07b7e094c
Opcode Fuzzy Hash: f1a69095846091a71a20ee3ef6c788d879191f60c9ca7d1b933c088628ba7f76
Instruction Fuzzy Hash: CB717FA2B18E828AFB119F61D8506BD23A0BF4CF64F446436CE0D876B5EF3CA549C350

Function 00007FF61B74E54C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF61B74E568
RtlCaptureContext.KERNEL32 ref: 00007FF61B74E595
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61B74E5AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF61B74E5F0
IsDebuggerPresent.KERNEL32 ref: 00007FF61B74E644
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61B74E661
UnhandledExceptionFilter.KERNEL32 ref: 00007FF61B74E66C

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 18c7dfee12948f11b2b1ef149d65aa3e1b9c7e2d1ea7ed06afb51cbb3a88d299
Instruction ID: 7a81d65ce28bd1bf827b1465f55d35594274b24820cddf8222fbee1ce72695fa
Opcode Fuzzy Hash: 18c7dfee12948f11b2b1ef149d65aa3e1b9c7e2d1ea7ed06afb51cbb3a88d299
Instruction Fuzzy Hash: DE315E72609F8186EB649F61E8403ED7364FB88B64F44543ADA4E87BB9EF38D548C710

Function 00007FF61B73E36A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 00007FF61B73E397
ClearEventLogW.ADVAPI32 ref: 00007FF61B73E3AA
CloseEventLog.ADVAPI32 ref: 00007FF61B73E3B3

Strings

Security, xrefs: 00007FF61B73E376
Application, xrefs: 00007FF61B73E36A
System, xrefs: 00007FF61B73E382

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 2cf3709b3cb76df16a2a92579992847c2f846cbe0948eda6c13293e34c808135
Instruction ID: 0bf1511d3921343cb2713f6b0e31046f2999a6e68702cf7067a43663e9b3f932
Opcode Fuzzy Hash: 2cf3709b3cb76df16a2a92579992847c2f846cbe0948eda6c13293e34c808135
Instruction Fuzzy Hash: B4F03136E0DF4281EA15DB15F914265A3A4FB8CB74F446435C94D83774EE7CD09A8710

Function 00007FF61B753A6C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF61B753AE5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61B753AFD
RtlVirtualUnwind.KERNEL32 ref: 00007FF61B753B38
IsDebuggerPresent.KERNEL32 ref: 00007FF61B753B71
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61B753B7B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF61B753B86

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: e6fb25ffa18b66ffda036dc74a26e2becfae59b68bb230e1827b5a608bc93c87
Instruction ID: 03af49e0e59d7377cee025c0b04b36e42dbd6627f815e1072e477990c7a49258
Opcode Fuzzy Hash: e6fb25ffa18b66ffda036dc74a26e2becfae59b68bb230e1827b5a608bc93c87
Instruction Fuzzy Hash: 58314132618F8186EB64DF25E8402AE73A4FB88B64F541135EA9D87B79DF3CD549CB00

Function 00007FF61B763EF0 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B763F3C
FindFirstFileExW.KERNEL32 ref: 00007FF61B764046

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 116a84698524b3bcd43aaaa4f2cca2c7c536e0f4c45a8280c933762a24cf8a5b
Instruction ID: b7b714819cd076c10b55764a1dd48cde90d52aaac94571416d6b9720145734d9
Opcode Fuzzy Hash: 116a84698524b3bcd43aaaa4f2cca2c7c536e0f4c45a8280c933762a24cf8a5b
Instruction Fuzzy Hash: 2BB1D322B18ED241FA649B2598002B963A2EB58FF0F446131EA5E87BF5DE3CE549C300

Function 00007FF61B74C70C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF61B74C76D
IsDebuggerPresent.KERNEL32 ref: 00007FF61B74C785
OutputDebugStringW.KERNEL32 ref: 00007FF61B74C796

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF61B74C78F

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: efbf15865cd5c1087f73e292c5c5f3e8b2dd5a504a7ddbe30f15df4fd023cf7f
Instruction ID: e7294939c5042319fc395aafc31ed485c55f8eaf124f9d9cf6c582c0946369de
Opcode Fuzzy Hash: efbf15865cd5c1087f73e292c5c5f3e8b2dd5a504a7ddbe30f15df4fd023cf7f
Instruction Fuzzy Hash: 65116A32A18F8297F7059B22E6403B932A4FB48B61F446135C64DC6A70EF3CE0688700

Function 00007FF61B75B350 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF61B75B3B6
memcpy_s.LIBCPMT ref: 00007FF61B75B3E1

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction ID: b75a60ef1554bc0012cde2504d4f903d23c9e5cc78512841a12ac7ddb24a7b9b
Opcode Fuzzy Hash: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction Fuzzy Hash: 67C1E372B18A8A87E7248F15A04467AB795FB88B94F44A135DB4AC3B64DF3DE805CF04

Function 00007FF61B767BA0 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EA70: GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
Part of subcall function 00007FF61B75EA70: FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
Part of subcall function 00007FF61B75EA70: SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

Part of subcall function 00007FF61B75EA70: FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAB5

GetLocaleInfoW.KERNEL32 ref: 00007FF61B767C0C

Part of subcall function 00007FF61B763D2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B763D49

GetLocaleInfoW.KERNEL32 ref: 00007FF61B767C55

Part of subcall function 00007FF61B763D2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B763DA2

GetLocaleInfoW.KERNEL32 ref: 00007FF61B767D1D

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 605c002cd1232363f8b97f7bb09a672fc6956a026fdc72186da3fd3d1de90a13
Instruction ID: fa94a70fe648b304bf968e5938f55043cbd403f8697353f83ff929fe4df4f231
Opcode Fuzzy Hash: 605c002cd1232363f8b97f7bb09a672fc6956a026fdc72186da3fd3d1de90a13
Instruction Fuzzy Hash: F5616F32A0998286FB748F15D440279B3A5FB88BA4F446135CB5EC76F5EF3CE8599700

Function 00007FF61B760D10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF61B75D6AA), ref: 00007FF61B760D84

Strings

GetLocaleInfoEx, xrefs: 00007FF61B760D2C, 00007FF61B760D3D

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 053289818baea42516c59c341b95a57cf593464f2c81e046735848086310e6c4
Instruction ID: e3a076898520adb35bdee117f28612e8f842347129d91c4a922d38ea3dfc90d6
Opcode Fuzzy Hash: 053289818baea42516c59c341b95a57cf593464f2c81e046735848086310e6c4
Instruction Fuzzy Hash: CC018421B0CE8285F7049B57B4440A6A6A0EB8CFE0F555036DE4D97B75CF7CD9498340

Function 00007FF61B763760 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF61B7639AF
RaiseException.KERNEL32 ref: 00007FF61B7639C0

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: d1d57c0b9bdf7be1867346d5e9c7cf9c26021b93baf768b42c1e913034eff148
Instruction ID: 79e20da81089155f3c74fb6b422934d202cab6d91dc687234face20e8dbada07
Opcode Fuzzy Hash: d1d57c0b9bdf7be1867346d5e9c7cf9c26021b93baf768b42c1e913034eff148
Instruction Fuzzy Hash: ECB15B73A14B898AE715CF2DC8863683BA0F788F58F198925DA5D877B4CF39D455C700

Function 00007FF61B757340 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF61B7576F0
, xrefs: 00007FF61B7574AE

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: f4d1caadcdf6a988165dfb6027386ea397a00727bebf28c93510380ffb834353
Instruction ID: 4e210b9b335ece5598be1a67450de7fc829843640a30cf9ee974a09b4de49ac7
Opcode Fuzzy Hash: f4d1caadcdf6a988165dfb6027386ea397a00727bebf28c93510380ffb834353
Instruction Fuzzy Hash: 24E1B472A08E4686EB688E29C05013DB7A0FF4DF68F146135DE5E877B4CF29E849C748

Function 00007FF61B75F6B0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF61B75F83A
e+000, xrefs: 00007FF61B75F7BD

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 7a480f9cb63785b231e93cdb4053ba6ead140b4a31814c2e6dd1f53a1ff5a9d1
Instruction ID: c3121195af7de7610d6d7bd01c96290bc6436f20b679c12e142d60f49f5d5b16
Opcode Fuzzy Hash: 7a480f9cb63785b231e93cdb4053ba6ead140b4a31814c2e6dd1f53a1ff5a9d1
Instruction Fuzzy Hash: E3517962B18AC546E7248E35980076D6B91E748FA4F48A631CBA88BAF5CE7DE0498700

Function 00007FF61B75A4F8 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF61B75A640

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 7f0259b4a75c2d79dd05197e9e3c50a83c61ba8df8d38db5a1941d1f165b01d3
Instruction ID: 11cfab25e5f325f9a3e7f1df8beb93e0bb6ad9a107719b9799fec761e1f5ddbd
Opcode Fuzzy Hash: 7f0259b4a75c2d79dd05197e9e3c50a83c61ba8df8d38db5a1941d1f165b01d3
Instruction Fuzzy Hash: DA12A022A08BC186E751DF3895542FD73A4FB5CB58F05A235EB9D826A2DF38E589C700

Function 00007FF61B765D34 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a91221a961958e25f62bfb1168308d288fd5f56a1465658bce0cb830e97a7a
Instruction ID: 9f5c44eaadad13e565dcd28a17d4082e83e42a62bc2218006375d5c3415f399e
Opcode Fuzzy Hash: a2a91221a961958e25f62bfb1168308d288fd5f56a1465658bce0cb830e97a7a
Instruction Fuzzy Hash: 56E16E22A04F8186E724DB61E4506EA77A4FB58B98F405635DF8D93BA6EF38D249D300

Function 00007FF61B732E50 Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 00007FF61B733450, 00007FF61B7335BB

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 2a2e8e66bac2129e6156a5cab3092c46a0c869edfc0550a0c0319ad8eb13d815
Instruction ID: 385709170744917da1be94b38832c2518d11572e0c4f6b1d842f736f7e353df2
Opcode Fuzzy Hash: 2a2e8e66bac2129e6156a5cab3092c46a0c869edfc0550a0c0319ad8eb13d815
Instruction Fuzzy Hash: 8342C1336097C5CFC328CF28D48026E7BA1F759B44F448129DB8A87B66DB38E859CB51

Function 00007FF61B767DE8 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EA70: GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
Part of subcall function 00007FF61B75EA70: FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
Part of subcall function 00007FF61B75EA70: SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

Part of subcall function 00007FF61B75EA70: FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAB5

GetLocaleInfoW.KERNEL32 ref: 00007FF61B767E50

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: b88317f099404d3c0d10a5a24cf9ae58312b9b643a33a099b411d16474a7bbc4
Instruction ID: c9d162888cd5c2a2bc64fb6a9a8d6d59f5e7e76578776ffc7d36fb1bb66270d5
Opcode Fuzzy Hash: b88317f099404d3c0d10a5a24cf9ae58312b9b643a33a099b411d16474a7bbc4
Instruction Fuzzy Hash: 9F317331A08AC286FB648B25D4417AAB3A1FB4CB94F44A535DA5DC36B5EF3CE8498701

Function 00007FF61B767A38 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EA70: GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
Part of subcall function 00007FF61B75EA70: FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
Part of subcall function 00007FF61B75EA70: SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF61B768227,00000000,00000092,?,?,00000000,?,?,00007FF61B75D4D1), ref: 00007FF61B767AD6

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: ddf0bcd54fee30cee3c2fa2f3cf32a3156214357c3b61558b17e74e9ba4e1d34
Instruction ID: 5ab3470ccc11e879b6d42dbd82bdf2f2b16cb6ec8c9436c2101a2d805357caeb
Opcode Fuzzy Hash: ddf0bcd54fee30cee3c2fa2f3cf32a3156214357c3b61558b17e74e9ba4e1d34
Instruction Fuzzy Hash: BC11C667A1CA858AFB148F29D0806B877A1EB44FE0F545135CA19833E0EE28D6D5C740

Function 00007FF61B767FF0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EA70: GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
Part of subcall function 00007FF61B75EA70: FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
Part of subcall function 00007FF61B75EA70: SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

GetLocaleInfoW.KERNEL32(?,?,?,00007FF61B767D9A), ref: 00007FF61B768027

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 4756a55a6f6df2e1738916ac1a71c6225747ce609875c26223506d2cfc4742c0
Instruction ID: 7280f0f79a0b78d76d1220012b8e9d484803faea7f5d3202bfe66623a64e0b5e
Opcode Fuzzy Hash: 4756a55a6f6df2e1738916ac1a71c6225747ce609875c26223506d2cfc4742c0
Instruction Fuzzy Hash: 75113D71F1899283FB748725A04067E6251EB4CBB0F546A32D76D876F4DE2ED8858700

Function 00007FF61B767B08 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF61B75EA70: GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
Part of subcall function 00007FF61B75EA70: FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
Part of subcall function 00007FF61B75EA70: SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF61B7681E3,00000000,00000092,?,?,00000000,?,?,00007FF61B75D4D1), ref: 00007FF61B767B86

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: bc703af400f14b42b20c9fcb5047461b7f50c903457c8d4997ca4285d83e45ea
Instruction ID: 1126e8241a9301342310c248007c982ca19425be2b2d5e62c9bf12ff0bcccc32
Opcode Fuzzy Hash: bc703af400f14b42b20c9fcb5047461b7f50c903457c8d4997ca4285d83e45ea
Instruction Fuzzy Hash: 5201B972E0C6C586F7144F25E4407B9B6B1EB48FF4F55A231DA2D872F4EF6894898700

Function 00007FF61B760838 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF61B760CDF,?,?,?,?,?,?,?,?,00000000,00007FF61B767088), ref: 00007FF61B760887

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0da49028f00012ccddbac4aa6a8129618cfbebd136c027dc8325545b3ece71c8
Instruction ID: dc0f42e06eb7eebbac30345e2af7295b0e439e5931b7306ce3dd3a0461674b08
Opcode Fuzzy Hash: 0da49028f00012ccddbac4aa6a8129618cfbebd136c027dc8325545b3ece71c8
Instruction Fuzzy Hash: 05F01972A08F4183E704DB29E8902A92362EB9CBA0F54A035DA4DD7375CE3CD4998740

Function 00007FF61B75F21C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF61B75F55E

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 172941b2f1d4039ba21c6dc8853c143536a16ca8654b5df5f12dde2487208479
Instruction ID: 6d3781d56f6a1b93ff618b624aaecbe6a77217ca6b19a95fb6a0817c2b820954
Opcode Fuzzy Hash: 172941b2f1d4039ba21c6dc8853c143536a16ca8654b5df5f12dde2487208479
Instruction Fuzzy Hash: 38A15863B08BC546EB21DF29A4407AD7791AB58FA4F04A031DE8D8B7B1DE3DE509C701

Function 00007FF61B7565AC Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF61B75678E

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6871d27396c91e0bed272bc22aae0ea20e11987830d478801ef476eeb5b70fb8
Instruction ID: 8b98bc849f797cee98fc7221720a96c61550d34602d4e0c9b69cc0248aa634c6
Opcode Fuzzy Hash: 6871d27396c91e0bed272bc22aae0ea20e11987830d478801ef476eeb5b70fb8
Instruction Fuzzy Hash: 0FB1A172908B8586E7648F39E05017C3BA4E74DF68F242135EA4E973B9CF39E449C748

Function 00007FF61B762744 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF61B7627E9

Part of subcall function 00007FF61B760788: HeapAlloc.KERNEL32(?,?,00000000,00007FF61B75EC4A,?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000), ref: 00007FF61B7607DD

Part of subcall function 00007FF61B75E6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6D2
Part of subcall function 00007FF61B75E6BC: GetLastError.KERNEL32(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6DC

Part of subcall function 00007FF61B769FAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B769FDF

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: c069c10827176b9df77e9eacd146a24f3ebe0e1c557e8cf5116eb7accc2f9201
Instruction ID: cef330402f651af9fb9094b60467e3db2ca1c4b63510dff73b9dd0bf998a7ef9
Opcode Fuzzy Hash: c069c10827176b9df77e9eacd146a24f3ebe0e1c557e8cf5116eb7accc2f9201
Instruction Fuzzy Hash: 7141F721F09AC341FAB15A22685177A62907F9DFE0F446535EE8DD7BB6DE3CE4094700

Function 00007FF61B749250 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction ID: ea8057b0bb0761df68a05da1259849286377d17061389988ab1509f21aaec746
Opcode Fuzzy Hash: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction Fuzzy Hash: F622CEB7B3805047D36DCB1DEC52FA97692B7A5308748A02CBA07C3F45EA3DEA458A44

Function 00007FF61B7478F0 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction ID: 2a8fb52169cce43ecb3bb912cc23239560564c9264b6f310f4e3099c7fd1f3fe
Opcode Fuzzy Hash: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction Fuzzy Hash: 77C13373B19A9187DB09CF26D950579B792FBC8BE0B41D134CA4A47BA8DE3CD805CB00

Function 00007FF61B756F3C Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8ec01f60584a1ee149ae2a08fff37cdae008ac808ef4f9df4273de0df04db
Instruction ID: 40d7ac394b627c87d8476ef9c3f8bf02d9c25f8550ff61e3085041b596709926
Opcode Fuzzy Hash: 4fe8ec01f60584a1ee149ae2a08fff37cdae008ac808ef4f9df4273de0df04db
Instruction Fuzzy Hash: D3D1E522A08E4686FB688E25D45027DA7A0EF4DF68F146235DE0D876F5DF3DE849C348

Function 00007FF61B75D320 Relevance: .3, Instructions: 310COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 8a64524f1fb9e6959651956f91e34aa30073aa11383fd560e196b95c26644943
Instruction ID: a442f4a8602534f4ff2f74f2505bbb5c7d9657dddac589e3c16c7f44f7318962
Opcode Fuzzy Hash: 8a64524f1fb9e6959651956f91e34aa30073aa11383fd560e196b95c26644943
Instruction Fuzzy Hash: 09C1EA65A08A8185FB609B619410BBA37A4FB98FE8F406035DE5EC77B4DF3CE54AC704

Function 00007FF61B76714C Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 40463cb8fd89e5f38144c8e404f20e2a32259e43623898d7ad92a87b920fc9c4
Instruction ID: e4fb83bcccc2bf873c64a7d5d24e0bc6c59259131ee7c9e3ab3c5a33dde1bd28
Opcode Fuzzy Hash: 40463cb8fd89e5f38144c8e404f20e2a32259e43623898d7ad92a87b920fc9c4
Instruction Fuzzy Hash: 57B1E532A18AC686FB649F21D4116B973A0EB48FE8F506131DE59C36F5EF3CE5498740

Function 00007FF61B756228 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe3a20954eaf19cca18b720aca6cea66dcaf64d55a17c7986fbc43ae61592d0
Instruction ID: ae2c39cbce8c3b1462b0ec9b6c697ae4c5c68c462068563ef8576ad7ddcb1399
Opcode Fuzzy Hash: 4fe3a20954eaf19cca18b720aca6cea66dcaf64d55a17c7986fbc43ae61592d0
Instruction Fuzzy Hash: 8AB17172908A8585EB648F29E05027C3BA0F74DF68F246135EB4E873B5DF39E549C748

Function 00007FF61B75AC80 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7c967eb539ab6c81368948c69a9b6320c10fa2f7b73efbe3c4b6df7895ae468e
Instruction ID: 9b1ec306a0da6dd7dc71fa3cdd18b68a520f0a1a284d2bee9347475d34c0449a
Opcode Fuzzy Hash: 7c967eb539ab6c81368948c69a9b6320c10fa2f7b73efbe3c4b6df7895ae468e
Instruction Fuzzy Hash: E6818F72A04F5186EB64EE29D49137D23A0FB48FA8F149636EE1E877B5DF38D4498304

Function 00007FF61B75FD30 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2f4ae56baf169408e60df2444458542a3c73068db43e6345bf2ec4a63d4b14
Instruction ID: 2f873fd5bc8bc95e2ab4f8fcce94e7ae986022dace88ddda1add518f68bba40d
Opcode Fuzzy Hash: aa2f4ae56baf169408e60df2444458542a3c73068db43e6345bf2ec4a63d4b14
Instruction Fuzzy Hash: 4381E672A08B8146E774EF19944037A7691FB4EBA4F145239DA8D8BBF9DF3CD4488B04

Function 00007FF61B742EC0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction ID: 3de1a197cd164e89ff893ee23c5bc5b1b9bb470655d851dcd34a861fc3546d05
Opcode Fuzzy Hash: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction Fuzzy Hash: 1261E762B14F8982DF208B19E4416A9A360F75DB90F546331EB9C87BA4EF3DE194C340

Function 00007FF61B75536C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: c14727ac153fce8a78e5a7ea2a7abbecafac96647c9cd6213d94deb0b41138cf
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: FD516D72A18E5186E7248B29C05432C33A1EB48F78F24A135DA4DD77B4CF3AE84BC744

Function 00007FF61B754F5C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: d820d8d33a070291e9adb1d3b3b2608a7e9d2295a0b056dfef4c025565f9a4dd
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 96518136A18E5582E7648B29C45032827A0EB49F78F286131CA4D977F8CF3AE857C784

Function 00007FF61B75577C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: d46e004ac597c53d633e3815e487d8a071c81c9b649741ac1d7ed7efbcfe2e28
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 01515F76A28E5186E7248B29C05436837A1EB48F78F24A131CE4DD77B4CF3AE857C784

Function 00007FF61B755168 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction ID: 38769905863c73c216d170e8cbd0d0630717b3bd19fe8af95ac6b365e4a6dff1
Opcode Fuzzy Hash: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction Fuzzy Hash: 39518072A18A5586E7248B29D0543383BA0EB4CF68F246131CE4DD77B4CF3AE947C784

Function 00007FF61B754D58 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction ID: 98f2f714b0bda6e59d634b3f73b242f96ab1b09e7aec8c4041df9759c96db1bd
Opcode Fuzzy Hash: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction Fuzzy Hash: 16519376B18E5586E7648B29C04423837A0EB4DF68F286131CE4C877B8CF3AED56D784

Function 00007FF61B755578 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction ID: 7c55191eae1b6d4cff4e1b23cc42c3822d7e635323bf153891a7d93b931b77f5
Opcode Fuzzy Hash: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction Fuzzy Hash: 54517276A28A9186E7248B29C04032D27A1EB48F68F246131CE4DD77B5CF3AE84BC744

Function 00007FF61B75C51C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4d1d88932efd7b63ecfdde29945dfc17fd218d95b7e0763bafd054a92f058063
Instruction ID: 7fbd7c615cce6ab12a884dcdf26d9a5ae99cf6f44af8886663f5701cfd6ffbc2
Opcode Fuzzy Hash: 4d1d88932efd7b63ecfdde29945dfc17fd218d95b7e0763bafd054a92f058063
Instruction Fuzzy Hash: 9441FF62714E5482EF04CF2AD92426963A1FB4CFE4B58A032EE0DD7B78DE3CC4458304

Function 00007FF61B76C8C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8325bb8896eb9c8ae2d46c5932a003c3c7f8bfc008283704c68a5069cd28ac66
Instruction ID: 3d2f642a9756c2fb89c4aee7cbe336a56936900946f949743817b0472747964f
Opcode Fuzzy Hash: 8325bb8896eb9c8ae2d46c5932a003c3c7f8bfc008283704c68a5069cd28ac66
Instruction Fuzzy Hash: 45F06871B18A958ADB948F78A802A2977D0F70C790F409539D58DC7B24DF3C95659F04

Function 00007FF61B74E6F4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174bfe62ffdb35f0a8b82215b8c446e4258c47945d5cfe3425f7157a53489505
Instruction ID: 9037f75cd14a16e157148409741755e203331779727234652dd07dead20c1728
Opcode Fuzzy Hash: 174bfe62ffdb35f0a8b82215b8c446e4258c47945d5cfe3425f7157a53489505
Instruction Fuzzy Hash: 3CA0026194CC46D0F6099B01ED550702330FB58B31B823431D11DD5071AF3CB508C301

Function 00007FF61B734C50 Relevance: 33.2, APIs: 22, Instructions: 199windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF61B734C65
SwitchToThread.KERNEL32 ref: 00007FF61B734C9D
SetLastError.KERNEL32 ref: 00007FF61B734CDC
SetEvent.KERNEL32 ref: 00007FF61B734D17
MsgWaitForMultipleObjects.USER32 ref: 00007FF61B734D4B
PeekMessageW.USER32 ref: 00007FF61B734D66
TranslateMessage.USER32 ref: 00007FF61B734D75
DispatchMessageW.USER32 ref: 00007FF61B734D80
PeekMessageW.USER32 ref: 00007FF61B734D97
CloseHandle.KERNEL32 ref: 00007FF61B734DC4
send.WS2_32 ref: 00007FF61B734E01
SetEvent.KERNEL32 ref: 00007FF61B734E18
WSACloseEvent.WS2_32 ref: 00007FF61B734E2D
shutdown.WS2_32 ref: 00007FF61B734E49
closesocket.WS2_32 ref: 00007FF61B734E53
EnterCriticalSection.KERNEL32 ref: 00007FF61B734E70
ResetEvent.KERNEL32 ref: 00007FF61B734E7D
ResetEvent.KERNEL32 ref: 00007FF61B734E8A
ResetEvent.KERNEL32 ref: 00007FF61B734E97
SetEvent.KERNEL32 ref: 00007FF61B734F2C
LeaveCriticalSection.KERNEL32 ref: 00007FF61B734F39
SetLastError.KERNEL32 ref: 00007FF61B734F79

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Event$Message$Reset$CloseCriticalErrorLastPeekSectionThread$CurrentDispatchEnterHandleLeaveMultipleObjectsSwitchTranslateWaitclosesocketsendshutdown
String ID:
API String ID: 4058177064-0
Opcode ID: 1d5cc57fb7fbf7527f04433d1c2939eb4b1b6e6938b0e21f75a258dbfa576023
Instruction ID: 53776cf3df4a58062cdef40fef400a6478325d1645913e133d3a817698ea0ebc
Opcode Fuzzy Hash: 1d5cc57fb7fbf7527f04433d1c2939eb4b1b6e6938b0e21f75a258dbfa576023
Instruction Fuzzy Hash: 82914D76A08E8297E758DB25E5846A973A0FB48F60F446535CB5DC7AB0CF3CE4A8D700

Function 00007FF61B7406A0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF61B740718
lstrlenW.KERNEL32 ref: 00007FF61B74073A
wsprintfW.USER32 ref: 00007FF61B7407A2
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF61B740806
lstrcatW.KERNEL32 ref: 00007FF61B740841
lstrcatW.KERNEL32 ref: 00007FF61B74084E
lstrcpyW.KERNEL32 ref: 00007FF61B74085C
CreateProcessW.KERNEL32 ref: 00007FF61B7408DB

Strings

%s\shell\open\command, xrefs: 00007FF61B740794
"%1, xrefs: 00007FF61B74080C
h, xrefs: 00007FF61B740865
WinSta0\Default, xrefs: 00007FF61B740893

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-551013563
Opcode ID: 2aa4d3ebf5c45bd74505c1267e1058c2c24ed9b570e41b1434e0a24903c1c98a
Instruction ID: 84e26623351823f9a5117c91a704100f3b53845b377d3d37ca59917b3e44976d
Opcode Fuzzy Hash: 2aa4d3ebf5c45bd74505c1267e1058c2c24ed9b570e41b1434e0a24903c1c98a
Instruction Fuzzy Hash: 67618022A18F8285FB21DF61D8442FD2360FB9DB58F446135DA4D96AB9EF3CD248CB40

Function 00007FF61B734270 Relevance: 21.1, APIs: 14, Instructions: 119networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF61B73429F
WSAIoctl.WS2_32 ref: 00007FF61B7342F8
setsockopt.WS2_32 ref: 00007FF61B73431D
setsockopt.WS2_32 ref: 00007FF61B734342
WSACreateEvent.WS2_32 ref: 00007FF61B734348
lstrlenW.KERNEL32 ref: 00007FF61B734355
WideCharToMultiByte.KERNEL32 ref: 00007FF61B734378
lstrlenW.KERNEL32 ref: 00007FF61B734390
WideCharToMultiByte.KERNEL32 ref: 00007FF61B7343B3
gethostbyname.WS2_32 ref: 00007FF61B7343C0
htons.WS2_32 ref: 00007FF61B7343ED
WSAEventSelect.WS2_32 ref: 00007FF61B734413
connect.WS2_32 ref: 00007FF61B73442D
WSAGetLastError.WS2_32 ref: 00007FF61B73443C

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: 6f0a85a34c6bb75636ccf932ec56d1350418621ff62b1755ad958c4a4e8ec29f
Instruction ID: 129d55d35b5e63480a70e28a9a7e077ca1c06657ffb2dde95d725c3613c6b682
Opcode Fuzzy Hash: 6f0a85a34c6bb75636ccf932ec56d1350418621ff62b1755ad958c4a4e8ec29f
Instruction Fuzzy Hash: 1E514E36608E9186E724DF21E84026A77A5FB88FA4F501235EE9D87BB8CF3CD549C700

Function 00007FF61B741620 Relevance: 18.2, APIs: 12, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B741639
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B74165E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741688
std::_Facet_Register.LIBCPMT ref: 00007FF61B741708
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741722
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B741732
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B741757
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741781
std::_Facet_Register.LIBCPMT ref: 00007FF61B7417F7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741811
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B74182A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B741830

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 86a4ff4925cbc545ad5961b211c5cb2ede80d6a6447645a52bcc9b3ede11fd42
Instruction ID: 449279cb35e3dd939f6df50235ed0337c125a67b9e27d94eabcd5d01c2cc7d82
Opcode Fuzzy Hash: 86a4ff4925cbc545ad5961b211c5cb2ede80d6a6447645a52bcc9b3ede11fd42
Instruction Fuzzy Hash: D6515D22A09E4285EB15EB26E44417937A1FB5CFB1F186132DA5E87BB5DF3CE44AC700

Function 00007FF61B7346A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171networktimeCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF61B7346C7
WSAGetLastError.WS2_32 ref: 00007FF61B7346D8
WSAResetEvent.WS2_32 ref: 00007FF61B734717
WSAEventSelect.WS2_32 ref: 00007FF61B73479C
WSAGetLastError.WS2_32 ref: 00007FF61B7347A7
timeGetTime.WINMM ref: 00007FF61B7347D2
timeGetTime.WINMM ref: 00007FF61B73481D
send.WS2_32 ref: 00007FF61B734852
WSAGetLastError.WS2_32 ref: 00007FF61B73485D

Strings

, xrefs: 00007FF61B7348F8

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$EventTimetime$EnumEventsNetworkResetSelectsend
String ID:
API String ID: 957247320-3916222277
Opcode ID: 70faab5df619376ecbd789658116d1a95d03484d4b81b7d6c2cb32eb3eab3399
Instruction ID: e189242e0d3a87ffa664fd20ab181df25565518148e04d014053bf6b6bff8983
Opcode Fuzzy Hash: 70faab5df619376ecbd789658116d1a95d03484d4b81b7d6c2cb32eb3eab3399
Instruction Fuzzy Hash: BA715E76A08A828BE368CF29D58436977E0FB48B68F545035CB4DC76B5CF7DE4498B40

Function 00007FF61B735A80 Relevance: 16.7, APIs: 11, Instructions: 154networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF61B735AC4
WSASetLastError.WS2_32 ref: 00007FF61B735C69
LeaveCriticalSection.KERNEL32 ref: 00007FF61B735C73

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: ce0fa88aebe3efe6d4cfa5056a018ff2338e1d011f624170396f62e2d62db8ee
Instruction ID: e67a76a305731ccb5fb78f58bbfac0d40cef697cb8f2d0501149ba5ec2eb043c
Opcode Fuzzy Hash: ce0fa88aebe3efe6d4cfa5056a018ff2338e1d011f624170396f62e2d62db8ee
Instruction Fuzzy Hash: FB61AF32B08E8282E758DB22E55467D6365FB88FA5F856031CA1EC76B0DF3CE459C700

Function 00007FF61B735090 Relevance: 16.6, APIs: 11, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF61B7350F5
LeaveCriticalSection.KERNEL32 ref: 00007FF61B735107
SetLastError.KERNEL32 ref: 00007FF61B7351DB

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: b12bcef403b9db2977f705d0ecef41abbd2038a6eeb512479f31e0cb207d576e
Instruction ID: 5ea37a068f7dc016c3429ec0396be9b776d9fad876e3410851a13f6ec50f9092
Opcode Fuzzy Hash: b12bcef403b9db2977f705d0ecef41abbd2038a6eeb512479f31e0cb207d576e
Instruction Fuzzy Hash: 4A314E22B0CE8282F758EB2599981796765FF4DFA5F542034DA5ECAAB1CF2CE449C700

Function 00007FF61B740BC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF61B740C11
RegDeleteValueW.ADVAPI32 ref: 00007FF61B740C1F
RegCloseKey.ADVAPI32 ref: 00007FF61B740C2A
RegCreateKeyW.ADVAPI32 ref: 00007FF61B740C4A
lstrlenW.KERNEL32 ref: 00007FF61B740C57
RegSetValueExW.ADVAPI32 ref: 00007FF61B740C79
RegCloseKey.ADVAPI32 ref: 00007FF61B740C84

Strings

Software, xrefs: 00007FF61B740BF3
VenNetwork, xrefs: 00007FF61B740BE9

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: Software$VenNetwork
API String ID: 3197061591-1820303132
Opcode ID: 977d34d6a8543d540e474d7a41a606a027e4303f67bb5f64f5b8d5885a1a35b1
Instruction ID: 72e755b35a5fe8fb5c9e62f61ed4c08bc49a5d38e3455a3deb25d379acef4106
Opcode Fuzzy Hash: 977d34d6a8543d540e474d7a41a606a027e4303f67bb5f64f5b8d5885a1a35b1
Instruction Fuzzy Hash: A1213E26618E8086EB109B22E84465AB761FB88FB1F845131DE5D87B78DFBCD14DCB04

Function 00007FF61B735FC0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF61B735FE4
EnterCriticalSection.KERNEL32 ref: 00007FF61B736004
SetLastError.KERNEL32 ref: 00007FF61B736016
LeaveCriticalSection.KERNEL32 ref: 00007FF61B73606F

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 1e7b01e8061498853063041e14b47fd2e59aeeeabd15da1d9f1fa77a953021b1
Instruction ID: 26750c8fc86f534185ca7a293ce92d3c9460d2dd981cafd8bb3a959a061106d0
Opcode Fuzzy Hash: 1e7b01e8061498853063041e14b47fd2e59aeeeabd15da1d9f1fa77a953021b1
Instruction Fuzzy Hash: 78519B32A0CA428BE764EB15E54067C77A5FB4CFA4F456139EA4E877B1DF28E8098740

Function 00007FF61B7545E0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B754620
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7549E8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B754C87

Strings

f, xrefs: 00007FF61B754722
f, xrefs: 00007FF61B75486D
p, xrefs: 00007FF61B75472A
p, xrefs: 00007FF61B7546C5
f, xrefs: 00007FF61B7546B8

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction ID: 24a076bcaad609fbf2344039e9ef7e4694700c14a03368b2e6024f3eacca1513
Opcode Fuzzy Hash: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction Fuzzy Hash: DE12A472B0C98386FB649F15D0447B97261FB84F64F946135E68A866FCDF3CE4898B08

Function 00007FF61B734080 Relevance: 13.6, APIs: 9, Instructions: 111timenetworkCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 00007FF61B7340C6
setsockopt.WS2_32 ref: 00007FF61B734165
setsockopt.WS2_32 ref: 00007FF61B73418F
ResetEvent.KERNEL32 ref: 00007FF61B7341DE
SetLastError.KERNEL32 ref: 00007FF61B73420A
WSAGetLastError.WS2_32 ref: 00007FF61B734216
SetLastError.KERNEL32 ref: 00007FF61B734228
GetLastError.KERNEL32 ref: 00007FF61B734241
SetLastError.KERNEL32 ref: 00007FF61B734253

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateEventResetTimerWaitable
String ID:
API String ID: 2911610646-0
Opcode ID: 29f4db180f811eed727e115f3e9634c508b58a893b040440cf1ba2de9885e7b9
Instruction ID: 48f04ffd86299624d9af11e722ef2a81c23d038302f9ac40f3eed4481a85ce8a
Opcode Fuzzy Hash: 29f4db180f811eed727e115f3e9634c508b58a893b040440cf1ba2de9885e7b9
Instruction Fuzzy Hash: 34515576A09A8287E718DF25E94436977A0FB48B64F401135DB4C9BBB0DF7DE46A8B00

Function 00007FF61B735D10 Relevance: 13.6, APIs: 9, Instructions: 93timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,-00000004,00007FF61B7349B9), ref: 00007FF61B735D5E
timeGetTime.WINMM(?,?,-00000004,00007FF61B7349B9), ref: 00007FF61B735D95
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF61B7349B9), ref: 00007FF61B735DB5
timeGetTime.WINMM(?,?,-00000004,00007FF61B7349B9), ref: 00007FF61B735DFA
SetEvent.KERNEL32 ref: 00007FF61B735E27
LeaveCriticalSection.KERNEL32 ref: 00007FF61B735E3B
WSASetLastError.WS2_32(?,?,-00000004,00007FF61B7349B9), ref: 00007FF61B735E52
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF61B7349B9), ref: 00007FF61B735E61
WSASetLastError.WS2_32(?,?,-00000004,00007FF61B7349B9), ref: 00007FF61B735E73

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 0f5c7540d6a6d13954bf3b0610fbdb20e4227d3d9c7ae04a05d2493569245aae
Instruction ID: e6c97d53857360956f73bac908912a06c79a4cb32c9ca3e78ba9ac8760922d21
Opcode Fuzzy Hash: 0f5c7540d6a6d13954bf3b0610fbdb20e4227d3d9c7ae04a05d2493569245aae
Instruction Fuzzy Hash: 65414E72918A828BE770DB15D54423E7761FB88F64F542135DA8E87AB4DF3CF8898740

Function 00007FF61B735E90 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF61B735EAA
TryEnterCriticalSection.KERNEL32 ref: 00007FF61B735ECB
TryEnterCriticalSection.KERNEL32 ref: 00007FF61B735EDD
SetLastError.KERNEL32 ref: 00007FF61B735EF6
LeaveCriticalSection.KERNEL32 ref: 00007FF61B735F00
LeaveCriticalSection.KERNEL32 ref: 00007FF61B735F0A

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 67fb679d431cd07a0a75245ad9faae6b58536de87acf8e54a525854fe2ab2b98
Instruction ID: ffbf9d13891e8126c94defdbbe6571eb9692a39be24615dfd96eaa2e46d6c634
Opcode Fuzzy Hash: 67fb679d431cd07a0a75245ad9faae6b58536de87acf8e54a525854fe2ab2b98
Instruction Fuzzy Hash: A8310832A18D928AE790DF25D58827D37A4FB48F59F842031DA0ECA6B5DF3DE859C701

Function 00007FF61B750C08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF61B750C65

Part of subcall function 00007FF61B752FC8: __GetUnwindTryBlock.LIBCMT ref: 00007FF61B75300B
Part of subcall function 00007FF61B752FC8: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF61B753030

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF61B750D3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF61B750F8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B751098

Strings

csm, xrefs: 00007FF61B750C7F
csm, xrefs: 00007FF61B750CE6
csm, xrefs: 00007FF61B750D60

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2b2ef099c7c498c1f83d83cf8365c45f4a2add1e44776cae4b3bb5ec5925f551
Instruction ID: 3d6bdd4b82ad3c682e58e209cb4c3687b439df35bfc6d79a1243febddeeecab1
Opcode Fuzzy Hash: 2b2ef099c7c498c1f83d83cf8365c45f4a2add1e44776cae4b3bb5ec5925f551
Instruction Fuzzy Hash: 39D19372A08B418AEB219F25D4413AD77A0FB4DBA8F102135EE4D97BB5DF38E588C705

Function 00007FF61B7608B4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF61B760A30
GetProcAddress.KERNEL32 ref: 00007FF61B760A3C

Strings

api-ms-, xrefs: 00007FF61B76097A
ext-ms-, xrefs: 00007FF61B76098D

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 7440c042807cac739352953deb803b73dd017de38a4217708bea05fa604c5186
Instruction ID: dd48f24345670fee81869d5452789afbebe9777fa5655f6fd2916dc6b08beada
Opcode Fuzzy Hash: 7440c042807cac739352953deb803b73dd017de38a4217708bea05fa604c5186
Instruction Fuzzy Hash: C141D121B19F4245FA16DB16A85027623A1BF4DFB0F486536DD0DDB7B4EE3CE4498300

Function 00007FF61B73E01F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF61B73E0E9
WriteFile.KERNEL32 ref: 00007FF61B73E119
CloseHandle.KERNEL32 ref: 00007FF61B73E12A
lstrlenW.KERNEL32 ref: 00007FF61B73E135
wsprintfW.USER32 ref: 00007FF61B73E159
lstrcpyW.KERNEL32 ref: 00007FF61B73E168

Part of subcall function 00007FF61B7406A0: lstrlenW.KERNEL32 ref: 00007FF61B740718
Part of subcall function 00007FF61B7406A0: wsprintfW.USER32 ref: 00007FF61B7407A2
Part of subcall function 00007FF61B7406A0: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF61B740806
Part of subcall function 00007FF61B7406A0: lstrcatW.KERNEL32 ref: 00007FF61B740841
Part of subcall function 00007FF61B7406A0: lstrcatW.KERNEL32 ref: 00007FF61B74084E

Strings

%s %s, xrefs: 00007FF61B73E152

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Filelstrcatlstrlenwsprintf$CloseCreateEnvironmentExpandHandleStringsWritelstrcpy
String ID: %s %s
API String ID: 958574092-2939940506
Opcode ID: eceb82c3cd3af4ca55499d5fe9bd5fadc0488819e054981a88d383308b1fa06d
Instruction ID: f83be216e75f9304c29c468c23122f9c9cc5206648376d97103a6919ab4c3326
Opcode Fuzzy Hash: eceb82c3cd3af4ca55499d5fe9bd5fadc0488819e054981a88d383308b1fa06d
Instruction Fuzzy Hash: 7D413222A18FC681E711CF28D9042FD2720F799B58F55A325DB4D56672EF39E2D9C700

Function 00007FF61B734A90 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF61B734AD0
LeaveCriticalSection.KERNEL32 ref: 00007FF61B734B20
send.WS2_32 ref: 00007FF61B734B49
EnterCriticalSection.KERNEL32 ref: 00007FF61B734B58
LeaveCriticalSection.KERNEL32 ref: 00007FF61B734B6F
WSAGetLastError.WS2_32 ref: 00007FF61B734BA9
EnterCriticalSection.KERNEL32 ref: 00007FF61B734BB9
LeaveCriticalSection.KERNEL32 ref: 00007FF61B734BFB

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastsend
String ID:
API String ID: 3480985631-0
Opcode ID: dcbfb0b2159904ea6d1c624c1834ef820b2325ccb56d393d0a5f1f6bb36a758c
Instruction ID: bc22343b1e8792f6a37aacb44944d98bd4eeda95db72ff45e1a5391c6b0688be
Opcode Fuzzy Hash: dcbfb0b2159904ea6d1c624c1834ef820b2325ccb56d393d0a5f1f6bb36a758c
Instruction Fuzzy Hash: D6410536608A8182E758DF26E5442AC73A4FB48FA8F582135CE5D8BB78CF38E559C750

Function 00007FF61B759480 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7594C3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7598B0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B759B4C

Strings

p, xrefs: 00007FF61B7595ED
p, xrefs: 00007FF61B759575
f, xrefs: 00007FF61B7595E5

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction ID: 720b72a87b25a9a0cf118c5a3a050c51407a3b5d24baeb8b93a80cf7296719fb
Opcode Fuzzy Hash: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction Fuzzy Hash: DF12B571E0C94786FB205A15D0542BA72A2FB89F70F885135D6DA876F4DF3CE588CB18

Function 00007FF61B734470 Relevance: 10.6, APIs: 7, Instructions: 143threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF61B73448E
SetWaitableTimer.KERNEL32 ref: 00007FF61B7344C3
WSAWaitForMultipleEvents.WS2_32 ref: 00007FF61B73456D
GetCurrentThreadId.KERNEL32 ref: 00007FF61B734676

Part of subcall function 00007FF61B734A90: EnterCriticalSection.KERNEL32 ref: 00007FF61B734AD0
Part of subcall function 00007FF61B734A90: LeaveCriticalSection.KERNEL32 ref: 00007FF61B734B20
Part of subcall function 00007FF61B734A90: send.WS2_32 ref: 00007FF61B734B49
Part of subcall function 00007FF61B734A90: EnterCriticalSection.KERNEL32 ref: 00007FF61B734B58
Part of subcall function 00007FF61B734A90: LeaveCriticalSection.KERNEL32 ref: 00007FF61B734B6F
Part of subcall function 00007FF61B734A90: WSAGetLastError.WS2_32 ref: 00007FF61B734BA9
Part of subcall function 00007FF61B734A90: EnterCriticalSection.KERNEL32 ref: 00007FF61B734BB9
Part of subcall function 00007FF61B734A90: LeaveCriticalSection.KERNEL32 ref: 00007FF61B734BFB

SetLastError.KERNEL32 ref: 00007FF61B734616

Part of subcall function 00007FF61B735FC0: SetLastError.KERNEL32 ref: 00007FF61B735FE4

GetLastError.KERNEL32 ref: 00007FF61B73461C
WSAGetLastError.WS2_32 ref: 00007FF61B734641

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterLeave$CurrentThread$EventsMultipleTimerWaitWaitablesend
String ID:
API String ID: 2807917265-0
Opcode ID: 495490e7d3477735b75ad2edb0a11b0efccf73ea01b4538bcbeaf1220e2ab4c3
Instruction ID: 120baafd099740344646c24f1cfcd04316b9f116ed5eac5ba23e58c8e7794edf
Opcode Fuzzy Hash: 495490e7d3477735b75ad2edb0a11b0efccf73ea01b4538bcbeaf1220e2ab4c3
Instruction Fuzzy Hash: 20513376A08E4286EB68DF25984427D23A4FB48F78F546635DE5EC77B4DF38E4488700

Function 00007FF61B73B9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B73BA4B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF61B73BA93
_Getctype.LIBCPMT ref: 00007FF61B73BAAB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B73BB63
_Getwctype.LIBCPMT ref: 00007FF61B73BBB1

Strings

bad locale name, xrefs: 00007FF61B73BB86

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: 1e5e98c9536fad76aa215f10c33411828afcd6fe37bfa1046ea3f08e32c02a87
Instruction ID: 3d9cf6c04496632deceb84de4457cf836151dc1569b461a491542d96b48be7a7
Opcode Fuzzy Hash: 1e5e98c9536fad76aa215f10c33411828afcd6fe37bfa1046ea3f08e32c02a87
Instruction Fuzzy Hash: 24515D22B09B418AFB15DBB0D4902BC3370EF58B68F445135DE8DA6A76DF38E55AC304

Function 00007FF61B741D30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61B741DA0
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF61B741DE8
_Getcoll.LIBCPMT ref: 00007FF61B741E00
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF61B741E8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B741EE9

Strings

bad locale name, xrefs: 00007FF61B741EEF

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: std::_$Lockit$GetcollLocinfo::_Locinfo_ctorLockit::_Lockit::~__invalid_parameter_noinfo_noreturn
String ID: bad locale name
API String ID: 3908275632-1405518554
Opcode ID: b631740363b0e831fde9baf712990589db3f9d8b5b5567fa3c7a7b01eb85b2e8
Instruction ID: f6bc459557081ddc07fa929aba6455ad41c2a1a9e2880feb7c60f41d30fc0d95
Opcode Fuzzy Hash: b631740363b0e831fde9baf712990589db3f9d8b5b5567fa3c7a7b01eb85b2e8
Instruction Fuzzy Hash: 9F517A22B09B4189FB10EBB1E4503AC33A1EF48B69F445135DE4DA7AB9DF38D40AC304

Function 00007FF61B75352C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF61B7537DE,?,?,?,00007FF61B7534D0,?,?,?,00007FF61B750109), ref: 00007FF61B7535B1
GetLastError.KERNEL32(?,?,?,00007FF61B7537DE,?,?,?,00007FF61B7534D0,?,?,?,00007FF61B750109), ref: 00007FF61B7535BF
LoadLibraryExW.KERNEL32(?,?,?,00007FF61B7537DE,?,?,?,00007FF61B7534D0,?,?,?,00007FF61B750109), ref: 00007FF61B7535E9
FreeLibrary.KERNEL32(?,?,?,00007FF61B7537DE,?,?,?,00007FF61B7534D0,?,?,?,00007FF61B750109), ref: 00007FF61B753657
GetProcAddress.KERNEL32(?,?,?,00007FF61B7537DE,?,?,?,00007FF61B7534D0,?,?,?,00007FF61B750109), ref: 00007FF61B753663

Strings

api-ms-, xrefs: 00007FF61B7535D1

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 79f1708f0d73a3895a2fe6d32fc30880b345232a89ca131bb8ab1f3b75cbd6b1
Instruction ID: 2cbf76ba3475765508fa118ab683cd29f0ca335050df0efc18d2dce1ba0bce52
Opcode Fuzzy Hash: 79f1708f0d73a3895a2fe6d32fc30880b345232a89ca131bb8ab1f3b75cbd6b1
Instruction Fuzzy Hash: 00316121A1AE4191EE21AB1698405796394FF4CFB4F5A253ADD1FCB3B0EF3CE5498704

Function 00007FF61B740CA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF61B740CB0
GetFileAttributesW.KERNEL32 ref: 00007FF61B740D3D
GetLastError.KERNEL32 ref: 00007FF61B740D4C
CreateProcessW.KERNEL32 ref: 00007FF61B740DD9

Strings

h, xrefs: 00007FF61B740DB9
WinSta0\Default, xrefs: 00007FF61B740D6B

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: 9328811ce07eccb9baa46191bf573199de9204eba7fc0589a085695e6e112cb4
Instruction ID: a47f0b8ace24ca28e063f3d6c7ead3063c188417ac14b2c56d57e3782f8d6c34
Opcode Fuzzy Hash: 9328811ce07eccb9baa46191bf573199de9204eba7fc0589a085695e6e112cb4
Instruction Fuzzy Hash: EF316821E0CBC246E6609B15B5043BA6391FB9DBA0F406335E99DC7BB5EF7CD4988B00

Function 00007FF61B75EA70 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA7F
FlsGetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EA94
FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAB5
FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAE2
FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EAF3
FlsSetValue.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB04
SetLastError.KERNEL32(?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F,?,?,?,00007FF61B756443), ref: 00007FF61B75EB1F

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 0e252fc1aa08c509f0e93816402eca9f1f65028cc0729f634b753678d4cd798a
Instruction ID: 927fda394f0d7a1ae0885b35ac148f63ee7396ff554b7657c890c126fc8cc098
Opcode Fuzzy Hash: 0e252fc1aa08c509f0e93816402eca9f1f65028cc0729f634b753678d4cd798a
Instruction Fuzzy Hash: 65219D60B0DE4281FA596B3155850396162AF4CFB0F04AB38E87FC7AF6DE6CF8095344

Function 00007FF61B76CC80 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF61B76CCB1
GetLastError.KERNEL32 ref: 00007FF61B76CCBD
CloseHandle.KERNEL32 ref: 00007FF61B76CCD5
CreateFileW.KERNEL32 ref: 00007FF61B76CD00
WriteConsoleW.KERNEL32 ref: 00007FF61B76CD1F

Strings

CONOUT$, xrefs: 00007FF61B76CCE1

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: c477bea2d07ef44c7e07df60decfd2619db83e7f0bc9226f08f6201d8069434b
Instruction ID: afadf9a6079624e9d62a2170173f1c73d93f9ea73e716d253bb0b68ccf8e2506
Opcode Fuzzy Hash: c477bea2d07ef44c7e07df60decfd2619db83e7f0bc9226f08f6201d8069434b
Instruction Fuzzy Hash: 5B113721A18E8186F7509B52E854729B6A0BB8CFF4F445234EA6EC77B4DF7CD8588740

Function 00007FF61B73ACF0 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF61B73AD09
CreateFileW.KERNEL32 ref: 00007FF61B73AD3D
SetFilePointer.KERNEL32 ref: 00007FF61B73AD62
lstrlenW.KERNEL32 ref: 00007FF61B73AD6B
WriteFile.KERNEL32 ref: 00007FF61B73AD89
CloseHandle.KERNEL32 ref: 00007FF61B73AD92
ReleaseMutex.KERNEL32 ref: 00007FF61B73AD9F

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 6d311e261bfe59e5949d3104aa2c883e73ffb96b44e413d4cc9c1204dacd56c9
Instruction ID: 4d6ba4cdd66f570ef4d910ac4be5edc74046e1c1403bda2e7026b0a262e45fb5
Opcode Fuzzy Hash: 6d311e261bfe59e5949d3104aa2c883e73ffb96b44e413d4cc9c1204dacd56c9
Instruction Fuzzy Hash: 80114861A08E8282F710AB11F8487297760EB8CFB4F506231DA6A4BBB4CF7CD54D8B00

Function 00007FF61B73EF25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF61B73EF4F
RegDeleteValueW.ADVAPI32 ref: 00007FF61B73EF63
RegSetValueExW.ADVAPI32 ref: 00007FF61B73EF8D
RegCloseKey.ADVAPI32 ref: 00007FF61B73EF9A

Strings

IpDatespecial, xrefs: 00007FF61B73EF5C, 00007FF61B73EF70
Console, xrefs: 00007FF61B73EF41

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: f23957102dd5c337703c86b23f0909451c31f6d4053b1f337106711f9d04a52f
Instruction ID: 01e65d6a62866dd7b4def7727823b84205f5e89b545a98a5549f05e6f492347b
Opcode Fuzzy Hash: f23957102dd5c337703c86b23f0909451c31f6d4053b1f337106711f9d04a52f
Instruction Fuzzy Hash: 20013936A08EC186E7219F24EC247A93720EB88B65F446122CE4D877B8DE7CD19DCB04

Function 00007FF61B739220 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF61B739239
GetCommandLineW.KERNEL32 ref: 00007FF61B73923F
GetStartupInfoW.KERNEL32 ref: 00007FF61B73924D
CreateProcessW.KERNEL32 ref: 00007FF61B739290
ExitProcess.KERNEL32 ref: 00007FF61B73929B

Strings

, xrefs: 00007FF61B739284

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: 190dd20226834de6593c2658ef490eeec5e65b5d977b517c4b94419b13326a92
Instruction ID: d7bb7edc2672a5f13770ff6ce0acc85b0d8c0e9b4a257351e88c98292d497ea6
Opcode Fuzzy Hash: 190dd20226834de6593c2658ef490eeec5e65b5d977b517c4b94419b13326a92
Instruction Fuzzy Hash: 94F01232618EC186EB609F24F85875EB7A0FB8C794F902135D68E86A74DF3CC149CB00

Function 00007FF61B734940 Relevance: 9.1, APIs: 6, Instructions: 80networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF61B734964
SetLastError.KERNEL32 ref: 00007FF61B734977
WSAGetLastError.WS2_32 ref: 00007FF61B7349C8
SetLastError.KERNEL32 ref: 00007FF61B734A32
WSASetLastError.WS2_32 ref: 00007FF61B734A3D
GetLastError.KERNEL32 ref: 00007FF61B734A43

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 4d768c99772465553fa61935876ff201d4a32ce5a3f2b2de379ff66690b2a509
Instruction ID: f48adce9b97e5756e97911663fcd85710bc713b94c4a30bc03c7e974a6bfd605
Opcode Fuzzy Hash: 4d768c99772465553fa61935876ff201d4a32ce5a3f2b2de379ff66690b2a509
Instruction Fuzzy Hash: 36316176A1CE4281FB64DF29E48437D27A1EB48F68F942536CA4DC62B4DF3DD8489701

Function 00007FF61B7510D8 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF61B751276
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B75159F

Strings

csm, xrefs: 00007FF61B7511BD
csm, xrefs: 00007FF61B75121F
csm, xrefs: 00007FF61B75129D

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 89a7cbb458af1ec799ed0823309e47d85c371afd6e512bd69dcc86c67ccd7e4c
Instruction ID: dd029e7f72056a9d1989d4d71ab870ec7477c8b9981bbd6bb06ce3dca05ba15c
Opcode Fuzzy Hash: 89a7cbb458af1ec799ed0823309e47d85c371afd6e512bd69dcc86c67ccd7e4c
Instruction Fuzzy Hash: 2CE1B373908B828AE750DF65D4803AD37A0FB49B69F102135DA8D87A75DF38E589C705

Function 00007FF61B735300 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00007FF61B73531C
ResetEvent.KERNEL32 ref: 00007FF61B735329
timeGetTime.WINMM ref: 00007FF61B73532F
WaitForSingleObject.KERNEL32 ref: 00007FF61B735379
ResetEvent.KERNEL32 ref: 00007FF61B735396

Part of subcall function 00007FF61B734C50: GetCurrentThreadId.KERNEL32 ref: 00007FF61B734C65
Part of subcall function 00007FF61B734C50: SwitchToThread.KERNEL32 ref: 00007FF61B734C9D
Part of subcall function 00007FF61B734C50: SetLastError.KERNEL32 ref: 00007FF61B734CDC

ResetEvent.KERNEL32 ref: 00007FF61B7353BD

Part of subcall function 00007FF61B758940: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B75896B

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: EventReset$Thread$CurrentErrorLastObjectSingleSwitchTimeWait_invalid_parameter_noinfotime
String ID:
API String ID: 2235205178-0
Opcode ID: 6797ce520ad4e8d809bfec53c9e8342f43c56bbc6854028e75bb9cf567634471
Instruction ID: cd1604332782cde7b79fd4cb231e2873d98632cac364ccc6e5adad2f40df7b8a
Opcode Fuzzy Hash: 6797ce520ad4e8d809bfec53c9e8342f43c56bbc6854028e75bb9cf567634471
Instruction Fuzzy Hash: 6B215A36A08E8186EB40DF25E84026D73A4FB88FA8F585531DE4DDB778CF38D5898750

Function 00007FF61B75EBE8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EBF7
FlsSetValue.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EC2D
FlsSetValue.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EC5A
FlsSetValue.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EC6B
FlsSetValue.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EC7C
SetLastError.KERNEL32(?,?,000054315B38B81F,00007FF61B758B05,?,?,?,?,00007FF61B762546,?,?,00000000,00007FF61B75A3FB,?,?,?), ref: 00007FF61B75EC97

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: c7396dbfbcb47cfb6cfc33ed0fb29296ace80fe16ba5d506c85f3ecfa09c6d8f
Instruction ID: 8ef8ff5d393dcabb5a3da102212b4dd4ae4bd0424f1d6fccc3a5473d3e91861e
Opcode Fuzzy Hash: c7396dbfbcb47cfb6cfc33ed0fb29296ace80fe16ba5d506c85f3ecfa09c6d8f
Instruction Fuzzy Hash: 00116060A0DE8242FA556B2555910395152AF4CFB0F54AB38E86FC67F6DE6CF8095304

Function 00007FF61B75BC90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF61B75BCB5
GetProcAddress.KERNEL32 ref: 00007FF61B75BCCB
FreeLibrary.KERNEL32 ref: 00007FF61B75BCF2

Strings

CorExitProcess, xrefs: 00007FF61B75BCC4
mscoree.dll, xrefs: 00007FF61B75BCAC

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4e200ac4912f663bf200d97a0492af6b570e41165da9f834e6f0b0fe5145a0ad
Instruction ID: 7a604ef087283540402c43a096de879f976f1e74259940e327082464fe9880d5
Opcode Fuzzy Hash: 4e200ac4912f663bf200d97a0492af6b570e41165da9f834e6f0b0fe5145a0ad
Instruction Fuzzy Hash: E7F04F61A19E4281FA109B24E4553796320EF4DB71F942239D96EC96F4CF6CD54DC704

Function 00007FF61B73EFA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF61B73EFC9
RegDeleteValueW.ADVAPI32 ref: 00007FF61B73EFDD
RegCloseKey.ADVAPI32 ref: 00007FF61B73EFEA

Strings

IpDatespecial, xrefs: 00007FF61B73EFD6
Console, xrefs: 00007FF61B73EFBB

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: 6e7d2c7a670a32b5de56c4a84771261a6cdbf4bc2880aa7204407435697e958c
Instruction ID: 3d6b6eac819d9c9f2dfdcc2680aaf4cc6eec53c993d8eb9730cf5ce2cdb13ac8
Opcode Fuzzy Hash: 6e7d2c7a670a32b5de56c4a84771261a6cdbf4bc2880aa7204407435697e958c
Instruction Fuzzy Hash: 10F0F936A08DC285EB208B14EC147A96320EB88B7AF402131CE1D97778DE79D59E8B04

Function 00007FF61B7504D8 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF61B7505FB
__AdjustPointer.LIBCMT ref: 00007FF61B750646

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f957c6767cf5b81622e8ff6fae34e0b794288dc4cc0809d74a0a7b197e878a35
Instruction ID: 9e5108ad65ffd54e4b4cdc501e88b33517f294ac58fde9509fb11f405f271e74
Opcode Fuzzy Hash: f957c6767cf5b81622e8ff6fae34e0b794288dc4cc0809d74a0a7b197e878a35
Instruction Fuzzy Hash: 01B1F422A0AF4681FE66DF1190406796394EF4CFA4F09A835DE4E8B7B5DF3CE4498748

Function 00007FF61B76C6BC Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF61B76C6E4
_set_statfp.LIBCMT ref: 00007FF61B76C6FF
_set_statfp.LIBCMT ref: 00007FF61B76C71B
_set_statfp.LIBCMT ref: 00007FF61B76C757

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction ID: a4a806bf52651bfae020776d75f05997109426fdfb3e7748bffa360bb8ef859d
Opcode Fuzzy Hash: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction Fuzzy Hash: 2B115126E1CED301F6E8113CE44637530516F5CB70E596635EA7ECA6FA9F1CAC498304

Function 00007FF61B75ECB0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF61B7539FB,?,?,00000000,00007FF61B753C96,?,?,?,?,?,00007FF61B753C22), ref: 00007FF61B75ECCF
FlsSetValue.KERNEL32(?,?,?,00007FF61B7539FB,?,?,00000000,00007FF61B753C96,?,?,?,?,?,00007FF61B753C22), ref: 00007FF61B75ECEE
FlsSetValue.KERNEL32(?,?,?,00007FF61B7539FB,?,?,00000000,00007FF61B753C96,?,?,?,?,?,00007FF61B753C22), ref: 00007FF61B75ED16
FlsSetValue.KERNEL32(?,?,?,00007FF61B7539FB,?,?,00000000,00007FF61B753C96,?,?,?,?,?,00007FF61B753C22), ref: 00007FF61B75ED27
FlsSetValue.KERNEL32(?,?,?,00007FF61B7539FB,?,?,00000000,00007FF61B753C96,?,?,?,?,?,00007FF61B753C22), ref: 00007FF61B75ED38

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8e80255def71e26e38969c6b9ad95fb919b46607e2d80395ee43e046c775e245
Instruction ID: 6c32f9f00a5bb247c3da2d31497c5a5f3cb4d823d2fb11e696c79287800aace5
Opcode Fuzzy Hash: 8e80255def71e26e38969c6b9ad95fb919b46607e2d80395ee43e046c775e245
Instruction Fuzzy Hash: 12118EA0E09E4241FA995721A5911796152AF4CFB0F04BB39E87EC66F6DE2CF8096704

Function 00007FF61B75EB44 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F), ref: 00007FF61B75EB55
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F), ref: 00007FF61B75EB74
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F), ref: 00007FF61B75EB9C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F), ref: 00007FF61B75EBAD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF61B766E73,?,?,?,00007FF61B75F1A4,?,?,?,00007FF61B75819F), ref: 00007FF61B75EBBE

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: be4a96ff5b18d49a05f4adbf766956ae433ebef540c65d26a29db4b7139a2023
Instruction ID: 4b8759cb1ea12e4386bb012a1005557498e95cf69bda0f753e374d259ffa086e
Opcode Fuzzy Hash: be4a96ff5b18d49a05f4adbf766956ae433ebef540c65d26a29db4b7139a2023
Instruction Fuzzy Hash: F1113C50E0DE4702F9996B21546197921619F4CF71F14BF38E8BFCA2F2DE6CB8095344

Function 00007FF61B7356C0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF61B7356E5
EnterCriticalSection.KERNEL32 ref: 00007FF61B7356EF
LeaveCriticalSection.KERNEL32 ref: 00007FF61B7356FF
LeaveCriticalSection.KERNEL32 ref: 00007FF61B735709

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ec8515e0b6118a22be018e0c36bf8043355ac570717b599eb6440d7a0495df03
Instruction ID: d04a5bebb050ca0dd5e6d2350172fff035a4c1e0930a1ebe55e79a1abc0e2eb4
Opcode Fuzzy Hash: ec8515e0b6118a22be018e0c36bf8043355ac570717b599eb6440d7a0495df03
Instruction Fuzzy Hash: B111C132624985C3EB50EB65F4943A96760FB48B59F847031DB8F86A75DF3CE48AC700

Function 00007FF61B73C0C0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF61B73C103
EnterCriticalSection.KERNEL32(?,?,?,00007FF61B73C094), ref: 00007FF61B73C115
EnterCriticalSection.KERNEL32 ref: 00007FF61B73C125
GdiplusShutdown.GDIPLUS ref: 00007FF61B73C133
LeaveCriticalSection.KERNEL32 ref: 00007FF61B73C140

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: cdd56314798a8dc9bb9b375cd871b4762f9b413abb23fcd634828e7dcd198d12
Instruction ID: d81448276348b05061678af280febef9e7d15147068e172d9f3a305eb2298e8c
Opcode Fuzzy Hash: cdd56314798a8dc9bb9b375cd871b4762f9b413abb23fcd634828e7dcd198d12
Instruction Fuzzy Hash: 85113A32519F9281EB10DF29E88406873B4FB48FA8B686236D65D866B4DF38D95AC340

Function 00007FF61B735640 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF61B735652
WaitForSingleObject.KERNEL32 ref: 00007FF61B735664
Sleep.KERNEL32 ref: 00007FF61B73566F
CloseHandle.KERNEL32 ref: 00007FF61B73568C
CloseHandle.KERNEL32 ref: 00007FF61B735699

Part of subcall function 00007FF61B734C50: GetCurrentThreadId.KERNEL32 ref: 00007FF61B734C65
Part of subcall function 00007FF61B734C50: SwitchToThread.KERNEL32 ref: 00007FF61B734C9D
Part of subcall function 00007FF61B734C50: SetLastError.KERNEL32 ref: 00007FF61B734CDC

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseHandleObjectSingleThreadWait$CurrentErrorLastSleepSwitch
String ID:
API String ID: 1535946027-0
Opcode ID: 6bee8a0a4dea1eafbbaf25a2cc800b23e58b43f259c7b6e2f946ecae76c8c5a2
Instruction ID: 3ec48f3d14920ebd109e339aba0bdbe8cf9616dfcbf431b9dbdae75e56cc126b
Opcode Fuzzy Hash: 6bee8a0a4dea1eafbbaf25a2cc800b23e58b43f259c7b6e2f946ecae76c8c5a2
Instruction Fuzzy Hash: 1AF0AF75608E8586F704AF25DC941783721EB8DF75F586230DA2E8B7B4CF38D8898360

Function 00007FF61B75184C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF61B7518BC
_CallSETranslator.LIBVCRUNTIME ref: 00007FF61B751907

Strings

MOC, xrefs: 00007FF61B7518D0
RCC, xrefs: 00007FF61B7518D8

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: a53d2363c14758023286afc4a6ab41b9c25c1dd74b553e4400a7d45858c9584b
Instruction ID: f9f7dc0148a6662ae97785c38d54a4a7fdd9f861c670cc97e671c1e089648122
Opcode Fuzzy Hash: a53d2363c14758023286afc4a6ab41b9c25c1dd74b553e4400a7d45858c9584b
Instruction Fuzzy Hash: CC91B073A08B818AE711DF65E8402EC77A0FB49B98F10512AEA8D97B75DF38D199C704

Function 00007FF61B74FA80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61B74FAAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF61B74FB42
RtlUnwindEx.KERNEL32 ref: 00007FF61B74FB9C

Strings

csm, xrefs: 00007FF61B74FB29

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 97e6136df740a7f50eb7a5892aa497e90dc07242db7e08e9cb4e882c62b2f360
Instruction ID: cd21e3c7ebec2168a4f5626f02128fa9b9226660e6a13defccc69c2c018b50a8
Opcode Fuzzy Hash: 97e6136df740a7f50eb7a5892aa497e90dc07242db7e08e9cb4e882c62b2f360
Instruction Fuzzy Hash: 7F51E631B19A028AEB14EF25E44863933A1EB58FA9F115135DE4E8B7B8DF7CE845C700

Function 00007FF61B751DCC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61B751DF4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF61B751EDC

Strings

csm, xrefs: 00007FF61B751E16
csm, xrefs: 00007FF61B751F2E

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1c7f32590a0a5e31803e0cd6c6efa8edac5466215bfbb7b2d07330e269dc0479
Instruction ID: 95312e4cfe59e63a86b9e74f6e9b7db3b79c843d58e85b32e4b6f1da6e21fde4
Opcode Fuzzy Hash: 1c7f32590a0a5e31803e0cd6c6efa8edac5466215bfbb7b2d07330e269dc0479
Instruction Fuzzy Hash: 1751A332A08A428AEB748F12A8442787790FB58FA6F146135DA5D87FF5CF3CE895C705

Function 00007FF61B7515DC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF61B75163B
_CallSETranslator.LIBVCRUNTIME ref: 00007FF61B751687

Strings

RCC, xrefs: 00007FF61B751657
MOC, xrefs: 00007FF61B75164F

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: b953805b3f16366bb71475c1063139944ec3feeea47b818f87e78a0e56bad00b
Instruction ID: 6bed7bd56034911a52ad498ad2e44f98593e8e1d23f39ee656a51f270ccbfd33
Opcode Fuzzy Hash: b953805b3f16366bb71475c1063139944ec3feeea47b818f87e78a0e56bad00b
Instruction Fuzzy Hash: 0A61D132908FC581E7309B15E0407AAB7A0FB89BA9F045225EB8D53B75CF3CE188CB04

Function 00007FF61B76A7BC Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF61B76A83B
WriteFile.KERNEL32 ref: 00007FF61B76AB03
WriteFile.KERNEL32 ref: 00007FF61B76AB49
GetLastError.KERNEL32 ref: 00007FF61B76ABFF

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 77dd5d4aa20de0d79966c3f830593b01910af74af4cc21fda2ecf357b99f0be0
Instruction ID: 5bbd7e8f9016eeb9b31fcbc010266972de752b4117b370e24d790690b22bbbe7
Opcode Fuzzy Hash: 77dd5d4aa20de0d79966c3f830593b01910af74af4cc21fda2ecf357b99f0be0
Instruction Fuzzy Hash: 24D1B232B18E818AF711DF66D4402AC37B5FB48BA8B145236DE5D97BB9DE38D54AC300

Function 00007FF61B747530 Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B7478D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B7478DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B7478E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B7478E8

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 7d7153dc9ae7d5b3424c28ff14d58aef55a80775f13d9447e24f61463487f32c
Instruction ID: 5c19f1e7f11137ab39eba84e227754c2a63907b36617bda56106226293be58f6
Opcode Fuzzy Hash: 7d7153dc9ae7d5b3424c28ff14d58aef55a80775f13d9447e24f61463487f32c
Instruction Fuzzy Hash: CDB19172F14B5585FB00CBA5D4447AC6372FB08BA9F40A225DE6D67BB9DF78A885C300

Function 00007FF61B76B0E4 Relevance: 6.2, APIs: 4, Instructions: 219COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF61B76B0CF), ref: 00007FF61B76B200
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF61B76B0CF), ref: 00007FF61B76B28B

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 8d852cd364b953300601feb318994bc5f66eb9b85f3205e0d4ed1d6cdd918134
Instruction ID: e46c2e154f7313a335b3db93554cf9d7ecbc775c3db63f7d507d9389840cd92a
Opcode Fuzzy Hash: 8d852cd364b953300601feb318994bc5f66eb9b85f3205e0d4ed1d6cdd918134
Instruction Fuzzy Hash: 6D91B422F08E9189F7549F6694412BD2BA0FB0AFA8F546139DE0ED67B4DF38D44AC700

Function 00007FF61B748750 Relevance: 6.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B748994
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61B7489A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B7489A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B748A07

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: aa83a4776d611bfa6910a88996202f0a13839e5925797b86addcbd2790bd8b35
Instruction ID: 279cc7d6a1db30adca6e4c78118b48cfb05cf264a399d3963ef4c6ec1117ea23
Opcode Fuzzy Hash: aa83a4776d611bfa6910a88996202f0a13839e5925797b86addcbd2790bd8b35
Instruction Fuzzy Hash: A271C162B18F8985EA04DB25D40436C6364EB89FE0F55A631DEAC57BF5DF78E884C300

Function 00007FF61B73F160 Relevance: 6.2, APIs: 4, Instructions: 190processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61B73F1AD
Process32FirstW.KERNEL32 ref: 00007FF61B73F23F
Process32NextW.KERNEL32 ref: 00007FF61B73F333

Part of subcall function 00007FF61B7587A0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B7587C6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B73F3FB

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4260596558-0
Opcode ID: 7762ce93aa6985307a259bfb251e473b870e7df6f058cf487220d00444a178a1
Instruction ID: 6fa1b744eff458649220567604ab151d8557915eced523c6b8efc89f87622d4b
Opcode Fuzzy Hash: 7762ce93aa6985307a259bfb251e473b870e7df6f058cf487220d00444a178a1
Instruction Fuzzy Hash: 0271A362A19E8681EA20EB25D4442AD6361FB89FF4F446331EAAD877F4DF7CD548C700

Function 00007FF61B759344 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF61B75939B
GetSystemInfo.KERNEL32 ref: 00007FF61B7593B4
VirtualAlloc.KERNEL32 ref: 00007FF61B759422
VirtualProtect.KERNEL32 ref: 00007FF61B75943D

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 8276b17d3f0086b027f55cc71dd443fed715192864dd3a3d0b6a65bee2902499
Instruction ID: 4e3e6e7edc5fe6f543055f4ca6cc4e643d8d94978187ada34385a8f1b6764dfd
Opcode Fuzzy Hash: 8276b17d3f0086b027f55cc71dd443fed715192864dd3a3d0b6a65bee2902499
Instruction Fuzzy Hash: 8D314A32714A819EEB20DF35D8547E923A5FB4DB98F845025EA4D8BB68DF38E649C700

Function 00007FF61B734F90 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF61B734FAC
LeaveCriticalSection.KERNEL32 ref: 00007FF61B734FC3
LeaveCriticalSection.KERNEL32 ref: 00007FF61B73504B
SetEvent.KERNEL32 ref: 00007FF61B73506B

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: ee59a16ddcb61b2f30476306e2c70f7e991c931b41d410101ed0a7d795a74e2b
Instruction ID: 9ea8814df7a2da8920ea86db1457cd152cfc9373ba2274778c0f81632f344aac
Opcode Fuzzy Hash: ee59a16ddcb61b2f30476306e2c70f7e991c931b41d410101ed0a7d795a74e2b
Instruction Fuzzy Hash: 2B212432704B8193E788CB2AE5802A9B3A4FB48B94F545035DB6E83775DF38E8A5C740

Function 00007FF61B74E760 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF61B74E78C
GetCurrentThreadId.KERNEL32 ref: 00007FF61B74E79A
GetCurrentProcessId.KERNEL32 ref: 00007FF61B74E7A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF61B74E7B6

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: cc56691cd60568e6146a7dde9c83608ec099c6c6a56f3e0ff612a8b3836fe06a
Instruction ID: b6844c9e765eb688292c2c8e723f806db0de5e722a66a78cbebbdac070795402
Opcode Fuzzy Hash: cc56691cd60568e6146a7dde9c83608ec099c6c6a56f3e0ff612a8b3836fe06a
Instruction Fuzzy Hash: 7A111C26B18F018AEB009F60E8542A833A4FB1DB68F842E31DA6D867B4DF78D1588340

Function 00007FF61B733FF0 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF61B734002
Sleep.KERNEL32 ref: 00007FF61B73400D
WaitForSingleObject.KERNEL32 ref: 00007FF61B734024
WaitForSingleObject.KERNEL32 ref: 00007FF61B734036

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ObjectSingleWait$Sleep
String ID:
API String ID: 2961732021-0
Opcode ID: 4ede45267323656183b3c0ec57ef8ecec2c46d3b5a24cc8965c2015fc5653a59
Instruction ID: e76cd71b412ccf9525e3d7785bd9a055e8a51a79e5802d8e4a5f17d7011c4eac
Opcode Fuzzy Hash: 4ede45267323656183b3c0ec57ef8ecec2c46d3b5a24cc8965c2015fc5653a59
Instruction Fuzzy Hash: 6AF0DA72609E8586E740AB39D8942283761EF8DF35F551330CA2D8B7F4CF38C8898350

Function 00007FF61B741840 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B741A68
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF61B741AD7

Strings

^(T[A-Za-z0-9]*|0x[A-Za-z0-9]*)$, xrefs: 00007FF61B741868

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ^(T[A-Za-z0-9]*|0x[A-Za-z0-9]*)$
API String ID: 3668304517-660079095
Opcode ID: 1a7bd3f9ad1e2be3bb215426da79a080b2b48fcb5330e2929561e3c4d22847e3
Instruction ID: 2f630d003557d6a2d2b7b43d293f86103366c01cde778ac7197ec546c481e840
Opcode Fuzzy Hash: 1a7bd3f9ad1e2be3bb215426da79a080b2b48fcb5330e2929561e3c4d22847e3
Instruction Fuzzy Hash: 7C817A72B19B8189EB50DF65E4403AC37A5EB4CBA9F046235EA5D83BB8DF38D558C340

Function 00007FF61B752004 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61B75202E

Strings

csm, xrefs: 00007FF61B752053
csm, xrefs: 00007FF61B7521C2

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 2e13650262a6f61ea207b4025eb27adbf5cb157b43e28d55221f4b040b54e9a1
Instruction ID: 30a64344b3152b832b6b6d5e8041db6f30e6589e60d78c26557d1ee725744641
Opcode Fuzzy Hash: 2e13650262a6f61ea207b4025eb27adbf5cb157b43e28d55221f4b040b54e9a1
Instruction Fuzzy Hash: 6171E372508A8186DB609F21D04037D7BA0FB09FA5F08A135EE8C87AB9CF3CD699C745

Function 00007FF61B73DC4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF61B73DCA0
CloseHandle.KERNEL32 ref: 00007FF61B73DE27

Strings

%s_bin, xrefs: 00007FF61B73DC95

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseHandlewsprintf
String ID: %s_bin
API String ID: 3088109604-2665034546
Opcode ID: 38539e2762eca19275933df481f064c263753660025e23b79f8a6f04b4997217
Instruction ID: dee9650d37daecd41cf9dd1141d36a67a601f0dd1cfe3929755d1adcbb61db37
Opcode Fuzzy Hash: 38539e2762eca19275933df481f064c263753660025e23b79f8a6f04b4997217
Instruction Fuzzy Hash: C251DE62B29EA685EB60DB21C414AB92365EF88F64F469136DA0D877F1DF3CD809C301

Function 00007FF61B761CC4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B759248: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61B75927B

_get_daylight.LIBCMT ref: 00007FF61B761DDC
_get_daylight.LIBCMT ref: 00007FF61B761DED

Strings

?, xrefs: 00007FF61B761D6D

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 0b7c1d742c13ddddedbe4d6e2c5e7ad1023c035335ca7369220edd5dde904ae5
Instruction ID: 645158cacaa5eaf3ff32efde33e4ddd43af031c44272d836642c28812d33b5e9
Opcode Fuzzy Hash: 0b7c1d742c13ddddedbe4d6e2c5e7ad1023c035335ca7369220edd5dde904ae5
Instruction Fuzzy Hash: F0412822A08BC246FB609B26E45537A6660EB88FB4F146235EE5C87EF5DF3CD449C700

Function 00007FF61B75269C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61B752746
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF61B75276F

Strings

csm, xrefs: 00007FF61B75286F

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 503767daf86984436527780b72ab736630531d0d6d2b9058069c45c3b2766ca2
Instruction ID: ff4e52510171df3ee15c68973c19b3f879e1b707bf0888d4962bcd9771ad8954
Opcode Fuzzy Hash: 503767daf86984436527780b72ab736630531d0d6d2b9058069c45c3b2766ca2
Instruction Fuzzy Hash: CC515E32A18B4196E660EB25E44026D77A4FB8DFA0F142134EB8D87B75CF3CE464CB05

Function 00007FF61B75BF84 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61B75BFB6

Part of subcall function 00007FF61B75E6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6D2
Part of subcall function 00007FF61B75E6BC: GetLastError.KERNEL32(?,?,?,00007FF61B7665C2,?,?,?,00007FF61B76693F,?,?,00000000,00007FF61B766D85,?,?,?,00007FF61B766CB7), ref: 00007FF61B75E6DC

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF61B74DF31), ref: 00007FF61B75BFD4

Strings

C:\Users\user\Desktop\WgnsGjhA3P.exe, xrefs: 00007FF61B75BFC2

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\WgnsGjhA3P.exe
API String ID: 3580290477-2952926942
Opcode ID: 3a5b6248115956fb8c5867fcb2c099a73d6e8c573ad95eb16c3a51b61da9d299
Instruction ID: d1b6aa92d66041a44daa8bf55f6ba2151e31611d0693cfe90f0ecad59e659766
Opcode Fuzzy Hash: 3a5b6248115956fb8c5867fcb2c099a73d6e8c573ad95eb16c3a51b61da9d299
Instruction Fuzzy Hash: 5D418F76A08F1285E714EF25D8501B867A4FF48FA0B546039E94EC3BB5DE3CE8498744

Function 00007FF61B76AE54 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF61B76AF6B
GetLastError.KERNEL32 ref: 00007FF61B76AF8D

Strings

U, xrefs: 00007FF61B76AF17

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 54112263acd02f42df0a8cef6501b04abbfb211da2f70ad802a6942ee1910395
Instruction ID: 8a19306f1512b542d37c58ab687e404548b9a05627088a7523c0d39ee3c2dd7f
Opcode Fuzzy Hash: 54112263acd02f42df0a8cef6501b04abbfb211da2f70ad802a6942ee1910395
Instruction Fuzzy Hash: 0B419172A18E8185EB209F25E4443A967A0FB98BA4F815035EE4EC77B8EF3CD449C740

Function 00007FF61B750050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B731111), ref: 00007FF61B7500A0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF61B731111), ref: 00007FF61B7500E1

Strings

csm, xrefs: 00007FF61B7500CE

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 3c98ac448948905eff4ad47a47963f754950c65019d46630b15deedf807f34ab
Instruction ID: 969f06deea9cbb7b8421cf4261f9f17051d98fc79d25de3bd6121cc2b404670c
Opcode Fuzzy Hash: 3c98ac448948905eff4ad47a47963f754950c65019d46630b15deedf807f34ab
Instruction Fuzzy Hash: 24114632618F8082EB218B25E410269B7E1FB8CBA4F585231EA8C47B78DF3CC9558B00

Function 00007FF61B74A3D0 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00007FF61B74A40E
IsBadReadPtr.KERNEL32 ref: 00007FF61B74A4E3
SetLastError.KERNEL32(?,00000000,00007FF61B74A9E9,?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A505
SetLastError.KERNEL32(?,00000000,00007FF61B74A9E9,?,?,?,?,?,?,?,?,?,00007FF61B73D242), ref: 00007FF61B74A523

Memory Dump Source

Source File: 00000000.00000002.4113693106.00007FF61B731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61B730000, based on PE: true

Associated: 00000000.00000002.4113676280.00007FF61B730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113721372.00007FF61B76F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113741510.00007FF61B785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113758728.00007FF61B788000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113776992.00007FF61B78C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4113795240.00007FF61B790000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b730000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: e0e517c51036cec7b570afbeb596ed896a79d3929b09d4426d0e27ecdcf8b3b8
Instruction ID: 7b282fc94866a2dac40d2a72bcf26e54216224b5b46c4d1e3d29202d17fdffce
Opcode Fuzzy Hash: e0e517c51036cec7b570afbeb596ed896a79d3929b09d4426d0e27ecdcf8b3b8
Instruction Fuzzy Hash: 5B413A62B09B4287EB109B2AE54427973A0FB48FA5F046435CF4E87B64DF3CE4A9C700

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WgnsGjhA3P.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\kernelquick.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
WgnsGjhA3P.exe

Function 00007FF61B7362F0 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Function 00007FF61B74B500 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 406
registrylibrarysleepCOMMON

Function 00007FF61B73F410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Function 00007FF61B73FD10 Relevance: 56.3, APIs: 27, Strings: 5, Instructions: 326
windowCOMMON

Function 00007FF61B737250 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Function 00007FF61B7379E0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Function 00007FF61B738690 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149
memoryCOMMON

Function 00007FF61B74C2E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128
fileCOMMON

Function 00007FF61B738900 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 225
memoryCOMMON

Function 00007FF61B7402A0 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Function 00007FF61B73C340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Function 00007FF61B733820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Function 00007FF61B738AD0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Function 00007FF61B74BDD0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Function 00007FF61B73D9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON