Edit tour

Windows Analysis Report
WgnsGjhA3P.exe

Overview

General Information

Sample name:	WgnsGjhA3P.exe renamed because original name is a hash value
Original sample name:	7766c46c93d028e2e11517cfcf797fbb.exe
Analysis ID:	1585664
MD5:	7766c46c93d028e2e11517cfcf797fbb
SHA1:	147b40c5fe1e860d77c7e02a0c986cb1eaac3ceb
SHA256:	52e5833f1dedcc6f05d9585c6b4b52bab86c592061eddf38356492373583f8a0
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Sample is not signed and drops a device driver

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates driver files

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Stores large binary data to the registry

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

WgnsGjhA3P.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\WgnsGjhA3P.exe" MD5: 7766C46C93D028E2E11517CFCF797FBB)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WgnsGjhA3P.exe	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: WgnsGjhA3P.exe PID: 6988	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WgnsGjhA3P.exe.7ff630880000.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.0.WgnsGjhA3P.exe.7ff630880000.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 192.238.134.52, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Users\user\Desktop\WgnsGjhA3P.exe, Initiated: true, ProcessId: 6988, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T00:19:02.944402+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	192.238.134.52	4433	TCP
2025-01-08T00:20:09.519910+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	192.238.134.52	4433	TCP
2025-01-08T00:21:14.723449+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	192.238.134.52	4433	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: WgnsGjhA3P.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: WgnsGjhA3P.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088F410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF63088F410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B3EF0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6308B3EF0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF6308862F0 gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_00007FF6308862F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 192.238.134.52:4433

Source: global traffic

TCP traffic: 192.168.2.4:49185 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US

Source: unknown

DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.52
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF630883B00 select,recv,timeGetTime,

0_2_00007FF630883B00

Source: global traffic

DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: [esc]

0_2_00007FF63088ADB0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF630890E20 _invalid_parameter_noinfo_noreturn,lstrlenW,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF630890E20

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF630890E20

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF630890E20

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF63088FD10 GetVersion,GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,_invalid_parameter_noinfo_noreturn,

0_2_00007FF63088FD10

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF630887250 MultiByteToWideChar,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CreateMutexExW,GetLastError,Sleep,CreateMutexW,GetLastError,lstrlenW,lstrcmpW,SleepEx,GetModuleHandleW,GetConsoleWindow,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_00007FF630887250

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF63089C1B0: CreateFileA,DeviceIoControl,

0_2_00007FF63089C1B0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088E3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF63088E3E9
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088E4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF63088E4EE
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088E46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF63088E46D

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308879E0	0_2_00007FF6308879E0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308862F0	0_2_00007FF6308862F0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630887250	0_2_00007FF630887250
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A8C10	0_2_00007FF6308A8C10
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088F410	0_2_00007FF63088F410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088FD10	0_2_00007FF63088FD10
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089B500	0_2_00007FF63089B500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630881500	0_2_00007FF630881500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089AD80	0_2_00007FF63089AD80
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B1DA8	0_2_00007FF6308B1DA8
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630888040	0_2_00007FF630888040
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A6228	0_2_00007FF6308A6228
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AF21C	0_2_00007FF6308AF21C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B714C	0_2_00007FF6308B714C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A5168	0_2_00007FF6308A5168
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AD320	0_2_00007FF6308AD320
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630889320	0_2_00007FF630889320
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630899250	0_2_00007FF630899250
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088B410	0_2_00007FF63088B410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088D410	0_2_00007FF63088D410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AB350	0_2_00007FF6308AB350
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A7340	0_2_00007FF6308A7340
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A536C	0_2_00007FF6308A536C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AA4F8	0_2_00007FF6308AA4F8
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AFD30	0_2_00007FF6308AFD30
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B5D34	0_2_00007FF6308B5D34
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AC51C	0_2_00007FF6308AC51C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AAC80	0_2_00007FF6308AAC80
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088CD40	0_2_00007FF63088CD40
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A4D58	0_2_00007FF6308A4D58
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B8584	0_2_00007FF6308B8584
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A5578	0_2_00007FF6308A5578
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088ADB0	0_2_00007FF63088ADB0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A65AC	0_2_00007FF6308A65AC
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089A5A0	0_2_00007FF63089A5A0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630892EC0	0_2_00007FF630892EC0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B3EF0	0_2_00007FF6308B3EF0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630882E50	0_2_00007FF630882E50
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308AF6B0	0_2_00007FF6308AF6B0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B2024	0_2_00007FF6308B2024
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B2744	0_2_00007FF6308B2744
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A6F3C	0_2_00007FF6308A6F3C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B3760	0_2_00007FF6308B3760
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A4F5C	0_2_00007FF6308A4F5C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A577C	0_2_00007FF6308A577C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308897A0	0_2_00007FF6308897A0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308978F0	0_2_00007FF6308978F0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630890900	0_2_00007FF630890900

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089B500 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF63089B500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF630889320 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,	0_2_00007FF630889320
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088E3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF63088E3E9
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088E4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF63088E4EE
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088E46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF63088E46D

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308862F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF6308879E0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CoCreateInstance,wsprintfW,RegOpenKeyExW,RegQueryValueExW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW,CloseHandle,lstrcatW,lstrcatW,

0_2_00007FF6308879E0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308879E0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Mutant created: \Sessions\1\BaseNamedObjects\????

Source: WgnsGjhA3P.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WgnsGjhA3P.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: WgnsGjhA3P.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: WgnsGjhA3P.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: WgnsGjhA3P.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308862F0

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF63088E36A OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_00007FF63088E36A

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE VenkernalData_info

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-21502

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-21043

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308862F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Window / User API: threadDelayed 9587

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-21436

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 6372	Thread sleep count: 9587 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe TID: 6372	Thread sleep time: -95870s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63088F410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF63088F410
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308B3EF0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6308B3EF0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308862F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF6308891A0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_00007FF6308891A0

Source: WgnsGjhA3P.exe, 00000000.00000002.3503564877.0000016C3E03C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WgnsGjhA3P.exe, 00000000.00000002.3503564877.0000016C3E03C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF63089B500 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,

0_2_00007FF63089B500

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF63089C70C GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF63089C70C

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308862F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308862F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF630888690 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

0_2_00007FF630888690

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089BCD0 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00007FF63089BCD0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089B500 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF63089B500
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF6308A3A6C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6308A3A6C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089E54C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF63089E54C
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089E6F4 SetUnhandledExceptionFilter,	0_2_00007FF63089E6F4
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: 0_2_00007FF63089E8E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF63089E8E0

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF630889320 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_00007FF630889320

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF630889320

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_00007FF630889320

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF63089B500

Source: WgnsGjhA3P.exe, 00000000.00000003.1728670149.0000016C3E0E5000.00000004.00000020.00020000.00000000.sdmp, WgnsGjhA3P.exe, 00000000.00000002.3503564877.0000016C3E0E5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: 0 minProgram Manager

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF6308BC8C0 cpuid

0_2_00007FF6308BC8C0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,	0_2_00007FF6308862F0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6308B7B08
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6308B7A38
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6308B7BA0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,	0_2_00007FF6308B0D10
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,	0_2_00007FF6308B7DE8
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF6308B76DC
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,	0_2_00007FF6308B7FF0
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6308B7F40
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6308B8124
Source: C:\Users\user\Desktop\WgnsGjhA3P.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6308B0838

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF6308862F0

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

Code function: 0_2_00007FF6308B1DA8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6308B1DA8

Source: C:\Users\user\Desktop\WgnsGjhA3P.exe

0_2_00007FF63088FD10

Source: WgnsGjhA3P.exe, 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmp, WgnsGjhA3P.exe, 00000000.00000000.1656315338.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: KSafeTray.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: WgnsGjhA3P.exe, type: SAMPLE
Source: Yara match	File source: 0.2.WgnsGjhA3P.exe.7ff630880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.WgnsGjhA3P.exe.7ff630880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: WgnsGjhA3P.exe PID: 6988, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: WgnsGjhA3P.exe, type: SAMPLE
Source: Yara match	File source: 0.2.WgnsGjhA3P.exe.7ff630880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.WgnsGjhA3P.exe.7ff630880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: WgnsGjhA3P.exe PID: 6988, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Windows Service	1 Access Token Manipulation	1 Modify Registry	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Windows Service	1 Virtualization/Sandbox Evasion	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	211 Process Injection	1 Access Token Manipulation	NTDS	26 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Process Injection	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Indicator Removal	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WgnsGjhA3P.exe	50%	ReversingLabs	Win64.Backdoor.GhostRAT

Name	IP	Active	Malicious	Antivirus Detection	Reputation
171.39.242.20.in-addr.arpa	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.238.134.52	unknown	United States		395954	LEASEWEB-USA-LAX-11US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585664
Start date and time:	2025-01-08 00:18:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WgnsGjhA3P.exe renamed because original name is a hash value
Original Sample Name:	7766c46c93d028e2e11517cfcf797fbb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 41 Number of non-executed functions: 119
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 20.242.39.171, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: WgnsGjhA3P.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-USA-LAX-11US	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	23.83.76.85
	fuckunix.sh4.elf	Get hash	malicious	Mirai	Browse	23.85.171.227
	armv7l.elf	Get hash	malicious	Unknown	Browse	23.83.17.216
	f3fBEUL66b.exe	Get hash	malicious	GhostRat	Browse	192.238.134.113
	f3fBEUL66b.exe	Get hash	malicious	GhostRat	Browse	192.238.134.113
	nabarm7.elf	Get hash	malicious	Unknown	Browse	23.84.102.105
	52C660192933BE09807FC4895F376764A2BE35AA68567819BB854E83CF5F9E5C.dll	Get hash	malicious	Unknown	Browse	192.238.132.206
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.87.203.7
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	108.187.71.205

Process:	C:\Users\user\Desktop\WgnsGjhA3P.exe
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	2.6616157143988106
Encrypted:	false
SSDEEP:	3:tblM6lEjln:tbhEZn
MD5:	AE50B29A0B8DCC411F24F1863B0EAFDE
SHA1:	D415A55627B1ADED8E4B2CBBA402F816B0461155
SHA-256:	6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68
SHA-512:	D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.060388863278636
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WgnsGjhA3P.exe
File size:	389'632 bytes
MD5:	7766c46c93d028e2e11517cfcf797fbb
SHA1:	147b40c5fe1e860d77c7e02a0c986cb1eaac3ceb
SHA256:	52e5833f1dedcc6f05d9585c6b4b52bab86c592061eddf38356492373583f8a0
SHA512:	18c849a8de6220e2109c24352016d82201184738197acf4b8c37999ba36cd6b27540048095d3903212b52c44a064ab57a4f3f9f0dc48e4c042881c4d166e7a8c
SSDEEP:	6144:4KtL0RSVgMoEao8ItdKwzBFdYmT+xmCiRLBVmLhkM:NtwSqEao8It4wlDCxm/qx
TLSH:	1F848E49F79405F8E5678138C9634916EBB27C6D03A09BDF33A4866A2F237D0AD3E711
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A...A...A.......D...............@.......@...Q(..K...Q(..S...Q(..........U.......X...A...m....)..S....)..@...RichA..........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14001e13c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677168BF [Sun Dec 29 15:20:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d7444b6dc7c8cddb50fba5269ad57bce

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F48CD1396B0h
dec eax
add esp, 28h
jmp 00007F48CD138F07h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F48CD1390A2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F48CD1390A5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F48CD13909Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F48CD1390AAh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00036E59h]
jne 00007F48CD1390A2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F48CD139093h
ret
dec eax
ror ecx, 10h
jmp 00007F48CD1397ABh
int3
int3
dec eax
mov dword ptr [esp+00h], ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x523b0	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x60000	0x3420	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4c7b0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c980	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4c670	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f000	0x918	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3dbf0	0x3dc00	d3f6189e43bbd290b28f7518c02b76a1	False	0.5461593813259109	data	6.462564110280856	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x1519e	0x15200	6edb872335ad42db6aa2ce85a47a3af5	False	0.4149986131656805	data	4.932101759530432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0xaa6c	0x7c00	b1cb403515f9a2e2bde815147bd596cd	False	0.10622479838709678	DOS executable (block device driver \377\3)	1.5580115815014906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x60000	0x3420	0x3600	20b7b9769859dd90801ea597a1d992be	False	0.4626736111111111	data	5.517914471579984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc80	0xe00	316f5780e4a2c74c1946985bacab1ae4	False	0.4916294642857143	data	5.228910762857474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	QueryDosDeviceW, WriteProcessMemory, GetCommandLineW, GetCurrentProcess, WriteFile, OutputDebugStringA, GetModuleFileNameW, GetProcessId, CreateMutexW, GetLocaleInfoW, LocalAlloc, CreateFileW, GetVersionExW, K32GetProcessImageFileNameW, GetSystemDirectoryW, ResumeThread, GetModuleHandleA, OpenProcess, GetVersion, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, MultiByteToWideChar, Process32NextW, GetDiskFreeSpaceExW, GetSystemDirectoryA, LoadLibraryA, lstrcatW, GlobalAlloc, Process32FirstW, GlobalFree, GetSystemInfo, LoadLibraryW, GetLocalTime, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, FreeLibrary, GetConsoleWindow, lstrcpyW, CreateRemoteThread, CreateProcessA, SetThreadContext, GetModuleFileNameA, GetTickCount, lstrcmpW, GetDriveTypeW, GetExitCodeProcess, SetFilePointer, ReleaseMutex, GlobalSize, DeleteFileW, GlobalLock, GetFileSize, GlobalUnlock, FindFirstFileW, ExpandEnvironmentStringsW, FindClose, GetFileAttributesW, TerminateThread, VirtualProtect, IsBadReadPtr, CreateThread, IsDebuggerPresent, SetUnhandledExceptionFilter, WriteConsoleW, GetCurrentThreadId, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetStartupInfoW, CreateWaitableTimerW, SetWaitableTimer, TryEnterCriticalSection, WideCharToMultiByte, ResetEvent, CreateEventW, lstrlenW, CancelIo, GetNativeSystemInfo, SetLastError, lstrcmpiW, CreateEventA, CloseHandle, SetEvent, Sleep, HeapFree, WaitForSingleObject, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, HeapCreate, GetProcessHeap, DeleteCriticalSection, HeapDestroy, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, VirtualAlloc, VirtualFree, FlsGetValue, FlsAlloc, GetFileType, GetCommandLineA, GetStdHandle, VirtualQuery, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlPcToFileHeader, RtlUnwindEx, lstrcpyA, CreateFileA, GetSystemDefaultLangID, DeviceIoControl, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, CompareStringEx, GetStringTypeW, RaiseException, OutputDebugStringW, SwitchToThread
USER32.dll	MsgWaitForMultipleObjects, GetWindowTextW, wsprintfW, GetForegroundWindow, GetLastInputInfo, GetClipboardData, CloseClipboard, OpenClipboard, GetKeyState, ReleaseDC, GetDesktopWindow, SetClipboardData, ExitWindowsEx, EmptyClipboard, GetSystemMetrics, GetDC, GetInputState, PostThreadMessageA, TranslateMessage, DispatchMessageW, PeekMessageW, ShowWindow
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateDIBSection, SetDIBColorTable, CreateCompatibleDC, StretchBlt, GetDIBits, GetDeviceCaps, GetObjectW, SetStretchBltMode, DeleteObject, DeleteDC
ADVAPI32.dll	OpenProcessToken, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ClearEventLogW, CloseEventLog, OpenEventLogW, LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, RegQueryInfoKeyW, GetSidSubAuthorityCount, GetSidSubAuthority, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, LookupAccountSidW, GetTokenInformation
SHELL32.dll	SHGetFolderPathW
ole32.dll	CreateStreamOnHGlobal, GetHGlobalFromStream, CoInitialize, CoUninitialize, CoCreateInstance
OLEAUT32.dll	SysFreeString
WS2_32.dll	WSASetLastError, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, WSAGetLastError, WSACleanup, WSAIoctl, closesocket, WSACreateEvent, select, WSAStartup, send, socket, connect, recv, htons, setsockopt, inet_ntoa, WSACloseEvent, gethostbyname, gethostname, shutdown
WINMM.dll	timeGetTime
gdiplus.dll	GdipCreateBitmapFromStream, GdipBitmapUnlockBits, GdipCloneImage, GdipAlloc, GdiplusShutdown, GdipDrawImageI, GdipCreateBitmapFromScan0, GdipCreateBitmapFromHBITMAP, GdipGetImageWidth, GdipGetImagePalette, GdipDeleteGraphics, GdipGetImageEncodersSize, GdipGetImageGraphicsContext, GdipFree, GdipGetImagePixelFormat, GdipDisposeImage, GdipSaveImageToStream, GdipBitmapLockBits, GdipGetImagePaletteSize, GdiplusStartup, GdipGetImageHeight, GdipGetImageEncoders
dxgi.dll	CreateDXGIFactory
DINPUT8.dll	DirectInput8Create

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T00:19:02.944402+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	192.238.134.52	4433	TCP
2025-01-08T00:20:09.519910+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	192.238.134.52	4433	TCP
2025-01-08T00:21:14.723449+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	192.238.134.52	4433	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 00:19:01.754209042 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:01.760711908 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:01.760890961 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:02.516408920 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:02.521799088 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.521821976 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.521872044 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.521924019 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.839272976 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.894110918 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:02.938110113 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:02.944330931 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.944343090 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.944351912 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.944401979 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:02.946050882 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:02.950473070 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:19.426230907 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:19.432627916 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:19.747056961 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:19.800528049 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:27.589776993 CET	49185	53	192.168.2.4	162.159.36.2
Jan 8, 2025 00:19:27.594640017 CET	53	49185	162.159.36.2	192.168.2.4
Jan 8, 2025 00:19:27.594711065 CET	49185	53	192.168.2.4	162.159.36.2
Jan 8, 2025 00:19:27.599500895 CET	53	49185	162.159.36.2	192.168.2.4
Jan 8, 2025 00:19:28.039550066 CET	49185	53	192.168.2.4	162.159.36.2
Jan 8, 2025 00:19:28.044572115 CET	53	49185	162.159.36.2	192.168.2.4
Jan 8, 2025 00:19:28.044629097 CET	49185	53	192.168.2.4	162.159.36.2
Jan 8, 2025 00:19:36.222687960 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:36.229800940 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:36.544368029 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:36.597546101 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:52.472701073 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:19:52.477730036 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:52.791897058 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:19:52.832012892 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:09.519910097 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:09.525630951 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:09.839143038 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:09.894650936 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:25.488699913 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:25.495203018 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:25.809870958 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:25.863569975 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:41.691937923 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:41.696821928 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:42.011234045 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:42.066787004 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:57.988953114 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:20:57.993860960 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:58.308326006 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:20:58.348289967 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:21:14.723448992 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:21:14.729775906 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:21:15.043353081 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:21:15.098267078 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:21:30.770328999 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:21:30.775257111 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:21:31.121126890 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:21:31.160897017 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:21:46.473824024 CET	49730	4433	192.168.2.4	192.238.134.52
Jan 8, 2025 00:21:46.557847977 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:21:46.872154951 CET	4433	49730	192.238.134.52	192.168.2.4
Jan 8, 2025 00:21:46.926728964 CET	49730	4433	192.168.2.4	192.238.134.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 00:19:27.589283943 CET	53	53995	162.159.36.2	192.168.2.4
Jan 8, 2025 00:19:28.051831007 CET	50221	53	192.168.2.4	1.1.1.1
Jan 8, 2025 00:19:28.058994055 CET	53	50221	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 00:19:28.051831007 CET	192.168.2.4	1.1.1.1	0x2c64	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 00:19:28.058994055 CET	1.1.1.1	192.168.2.4	0x2c64	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	18:18:54
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\WgnsGjhA3P.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WgnsGjhA3P.exe"
Imagebase:	0x7ff630880000
File size:	389'632 bytes
MD5 hash:	7766C46C93D028E2E11517CFCF797FBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.4%
Total number of Nodes:	1032
Total number of Limit Nodes:	40

Executed Functions

Function 00007FF6308862F0 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32 ref: 00007FF630886394
gethostbyname.WS2_32 ref: 00007FF63088639E
inet_ntoa.WS2_32 ref: 00007FF6308863BB
inet_ntoa.WS2_32 ref: 00007FF63088640B
MultiByteToWideChar.KERNEL32 ref: 00007FF630886469
MultiByteToWideChar.KERNEL32 ref: 00007FF63088648D
GetLastInputInfo.USER32 ref: 00007FF6308864A5
GetTickCount.KERNEL32 ref: 00007FF6308864AB
wsprintfW.USER32 ref: 00007FF6308864DE
MultiByteToWideChar.KERNEL32 ref: 00007FF63088651F
LoadLibraryW.KERNEL32 ref: 00007FF63088652C
GetProcAddress.KERNEL32 ref: 00007FF630886548
RegOpenKeyExW.KERNEL32 ref: 00007FF6308865ED
RegQueryValueExW.KERNEL32 ref: 00007FF630886618
RegCloseKey.KERNEL32 ref: 00007FF630886645
FreeLibrary.KERNEL32 ref: 00007FF630886656
GetSystemInfo.KERNEL32 ref: 00007FF63088666F
wsprintfW.USER32 ref: 00007FF630886687
GetDriveTypeW.KERNEL32 ref: 00007FF6308866B6
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF6308866D9
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF63088671D
GetForegroundWindow.USER32 ref: 00007FF630886799
GetWindowTextW.USER32 ref: 00007FF6308867B4
lstrlenW.KERNEL32 ref: 00007FF6308867C4
GetLocalTime.KERNEL32 ref: 00007FF630886803
wsprintfW.USER32 ref: 00007FF63088681D
MultiByteToWideChar.KERNEL32 ref: 00007FF6308864FB

Part of subcall function 00007FF6308A87A0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A87C6

lstrlenW.KERNEL32 ref: 00007FF630886845
GetModuleHandleW.KERNEL32 ref: 00007FF63088688E
GetProcAddress.KERNEL32 ref: 00007FF63088689E
GetNativeSystemInfo.KERNEL32 ref: 00007FF6308868AD
GetSystemInfo.KERNEL32 ref: 00007FF6308868B1
wsprintfW.USER32 ref: 00007FF6308868F8
GetCurrentProcessId.KERNEL32 ref: 00007FF63088690D
OpenProcess.KERNEL32 ref: 00007FF63088692B
K32GetProcessImageFileNameW.KERNEL32 ref: 00007FF63088694D
GetLogicalDriveStringsW.KERNEL32 ref: 00007FF630886967
lstrcmpiW.KERNEL32 ref: 00007FF6308869A8
lstrcmpiW.KERNEL32 ref: 00007FF6308869BC
QueryDosDeviceW.KERNEL32 ref: 00007FF6308869F6

Part of subcall function 00007FF63089DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63089DEC8
Part of subcall function 00007FF63089DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63089DECE

Part of subcall function 00007FF6308891A0: GetModuleHandleW.KERNEL32 ref: 00007FF6308891BD
Part of subcall function 00007FF6308891A0: GetProcAddress.KERNEL32 ref: 00007FF6308891CD
Part of subcall function 00007FF6308891A0: GetNativeSystemInfo.KERNEL32 ref: 00007FF6308891DD

lstrlenW.KERNEL32 ref: 00007FF630886A07
lstrcpyW.KERNEL32 ref: 00007FF630886A48
CloseHandle.KERNEL32 ref: 00007FF630886A51
CoInitializeEx.COMBASE ref: 00007FF630886A62
CoCreateInstance.COMBASE ref: 00007FF630886A87
SysFreeString.OLEAUT32 ref: 00007FF630886B3C
CoUninitialize.OLE32 ref: 00007FF630886B7E
RegOpenKeyExW.KERNEL32 ref: 00007FF630886BE7
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF630886C47
RegEnumKeyExW.ADVAPI32 ref: 00007FF630886CDF
lstrlenW.KERNEL32 ref: 00007FF630886CEC
lstrlenW.KERNEL32 ref: 00007FF630886CFE
RegCloseKey.ADVAPI32 ref: 00007FF630886D4C
lstrlenW.KERNEL32 ref: 00007FF630886D59

Part of subcall function 00007FF6308A9248: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A927B

Part of subcall function 00007FF6308879E0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF630887A6B
Part of subcall function 00007FF6308879E0: Process32FirstW.KERNEL32 ref: 00007FF630887A88
Part of subcall function 00007FF6308879E0: Process32NextW.KERNEL32 ref: 00007FF630887AC3
Part of subcall function 00007FF6308879E0: CloseHandle.KERNEL32 ref: 00007FF630887AD0
Part of subcall function 00007FF6308879E0: CoCreateInstance.COMBASE ref: 00007FF630887B1F

GetTickCount.KERNEL32 ref: 00007FF630886DA1

Part of subcall function 00007FF6308A8B9C: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6308A8BB0

wsprintfW.USER32 ref: 00007FF630886E19
GetLocaleInfoW.KERNEL32 ref: 00007FF630886E36
GetSystemDirectoryW.KERNEL32 ref: 00007FF630886E48
GetCurrentHwProfileW.ADVAPI32 ref: 00007FF630886E5C
lstrlenW.KERNEL32 ref: 00007FF630886EDB
GetLocalTime.KERNEL32 ref: 00007FF630886F17
wsprintfW.USER32 ref: 00007FF630886F31
RegOpenKeyExW.KERNEL32 ref: 00007FF630886F56
RegDeleteValueW.KERNEL32 ref: 00007FF630886F6A
RegCloseKey.ADVAPI32 ref: 00007FF630886F77
RegCreateKeyW.ADVAPI32 ref: 00007FF630886F8E
lstrlenW.KERNEL32 ref: 00007FF630886F9B
RegSetValueExW.KERNEL32 ref: 00007FF630886FC3
RegCloseKey.ADVAPI32 ref: 00007FF630886FD4
RegCloseKey.ADVAPI32 ref: 00007FF630886FE1
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF630886FEE
Process32FirstW.KERNEL32 ref: 00007FF630887029
Process32NextW.KERNEL32 ref: 00007FF63088707E
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF630887098
Process32FirstW.KERNEL32 ref: 00007FF6308870D3
Process32NextW.KERNEL32 ref: 00007FF63088712E
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF630887148
Process32FirstW.KERNEL32 ref: 00007FF630887183
Process32NextW.KERNEL32 ref: 00007FF6308871DA

Strings

kernel32.dll, xrefs: 00007FF63088687B
VenNetwork, xrefs: 00007FF6308867E0
%sFree%d Gb , xrefs: 00007FF63088676E
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF6308865C5
HDD:%d, xrefs: 00007FF630886727
ProductName, xrefs: 00007FF6308865FF
WeChat.exe, xrefs: 00007FF6308870DD
Software, xrefs: 00007FF6308867D1
WxWork.exe, xrefs: 00007FF630887033
%d.%d.%d, xrefs: 00007FF63088657D
7e604a66-3b67-4656-8552-1184595e4a9f, xrefs: 00007FF630886352
VenREMARK, xrefs: 00007FF63088684B
A:\, xrefs: 00007FF63088699A
x86, xrefs: 00007FF6308868DF
X64 %s, xrefs: 00007FF6308868EA
GetNativeSystemInfo, xrefs: 00007FF630886897
%d min, xrefs: 00007FF6308864D7
Telegram.exe, xrefs: 00007FF63088718D
AppEvents, xrefs: 00007FF630886EE1
x64, xrefs: 00007FF6308868D8
B:\, xrefs: 00007FF6308869B2
INSTALLTIME, xrefs: 00007FF630886EF7, 00007FF630886F63, 00007FF630886FA8
RtlGetNtVersionNumbers, xrefs: 00007FF63088653E
%d.%d, xrefs: 00007FF63088680E, 00007FF630886F22
Network, xrefs: 00007FF630886EF0
FriendlyName, xrefs: 00007FF630886B22
VenGROUP, xrefs: 00007FF6308867EB
Software\Tencent\Plugin\VAS, xrefs: 00007FF630886BD9
ntdll.dll, xrefs: 00007FF630886525

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Process32lstrlen$CloseCreateInfo$Systemwsprintf$ByteCharFirstHandleMultiNextOpenSnapshotTimeToolhelp32Wide$AddressFreeProcProcessQueryValue$Concurrency::cancel_current_taskCountCurrentDriveFileInstanceLibraryLocalModuleNativeTickWindow_invalid_parameter_noinfoinet_ntoalstrcmpi$DeleteDeviceDirectoryDiskEnumForegroundGlobalImageInitializeInputLastLoadLocaleLogicalMemoryNameProfileSpaceStatusStringStringsTextTypeUninitializegethostbynamegethostnamelstrcpy
String ID: %d min$%d.%d$%d.%d.%d$%sFree%d Gb $7e604a66-3b67-4656-8552-1184595e4a9f$A:\$AppEvents$B:\$FriendlyName$GetNativeSystemInfo$HDD:%d$INSTALLTIME$Network$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software$Software\Tencent\Plugin\VAS$Telegram.exe$VenGROUP$VenNetwork$VenREMARK$WeChat.exe$WxWork.exe$X64 %s$kernel32.dll$ntdll.dll$x64$x86
API String ID: 4136965836-154773921
Opcode ID: 5fafffc449150de91c54ecd83cfb5b313bf068d550184ca4faa4dac19eea3f34
Instruction ID: 1c7a4f7e8028092f36ee2a2e272c1336a86e767fb940363d921c06421f147809
Opcode Fuzzy Hash: 5fafffc449150de91c54ecd83cfb5b313bf068d550184ca4faa4dac19eea3f34
Instruction Fuzzy Hash: 22925E36A08A96A6EF20DF65D8446E93360FB8475CF804232DA4D87BA5EF3CD64DD700

Function 00007FF63089B500 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 406
registrylibrarysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FF63089B531
CloseHandle.KERNEL32 ref: 00007FF63089B56D
GetCurrentProcess.KERNEL32 ref: 00007FF63089B580
OpenProcessToken.ADVAPI32 ref: 00007FF63089B595
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63089B5B5
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63089B5E1
CloseHandle.KERNEL32 ref: 00007FF63089B5EE
GetModuleHandleA.KERNEL32 ref: 00007FF63089B5FB
GetProcAddress.KERNEL32 ref: 00007FF63089B60B
GetCurrentProcessId.KERNEL32 ref: 00007FF63089B623
OpenProcess.KERNEL32 ref: 00007FF63089B632
GetLocalTime.KERNEL32 ref: 00007FF63089B654
wsprintfW.USER32 ref: 00007FF63089B69A
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63089B6A7
CloseHandle.KERNEL32 ref: 00007FF63089B6CD
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF63089B751
CheckTokenMembership.KERNELBASE ref: 00007FF63089B76B

Part of subcall function 00007FF6308A8940: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A896B

FreeSid.ADVAPI32 ref: 00007FF63089B783
RegOpenKeyExW.KERNEL32 ref: 00007FF63089B7B5
RegDeleteValueW.KERNEL32 ref: 00007FF63089B7C9
RegSetValueExW.KERNEL32 ref: 00007FF63089B7FA
RegCloseKey.ADVAPI32 ref: 00007FF63089B807
SleepEx.KERNEL32 ref: 00007FF63089B923
CreateEventA.KERNEL32 ref: 00007FF63089B99F

Part of subcall function 00007FF6308A87A0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A87C6

Part of subcall function 00007FF6308862F0: gethostname.WS2_32 ref: 00007FF630886394
Part of subcall function 00007FF6308862F0: gethostbyname.WS2_32 ref: 00007FF63088639E
Part of subcall function 00007FF6308862F0: inet_ntoa.WS2_32 ref: 00007FF6308863BB
Part of subcall function 00007FF6308862F0: inet_ntoa.WS2_32 ref: 00007FF63088640B
Part of subcall function 00007FF6308862F0: MultiByteToWideChar.KERNEL32 ref: 00007FF630886469
Part of subcall function 00007FF6308862F0: MultiByteToWideChar.KERNEL32 ref: 00007FF63088648D

Sleep.KERNEL32 ref: 00007FF63089BA41
Sleep.KERNEL32 ref: 00007FF63089BA77
CloseHandle.KERNEL32 ref: 00007FF63089BADE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63089BAE9
IsDebuggerPresent.KERNEL32 ref: 00007FF63089BAFC
LoadLibraryW.KERNEL32 ref: 00007FF63089BB28
GetProcAddress.KERNEL32 ref: 00007FF63089BB52
FreeLibrary.KERNEL32 ref: 00007FF63089BB63

Strings

4433, xrefs: 00007FF63089B84D, 00007FF63089B879, 00007FF63089B8DA, 00007FF63089B933, 00007FF63089B967
SeDebugPrivilege, xrefs: 00007FF63089B5AC
loginconfig, xrefs: 00007FF63089B7D7
192.238.134.52, xrefs: 00007FF63089B835
VenkernalData_info, xrefs: 00007FF63089B7BB, 00007FF63089B7EC
SOFTWARE, xrefs: 00007FF63089B7A7
192.238.134.52, xrefs: 00007FF63089B825, 00007FF63089B8C2, 00007FF63089B942, 00007FF63089B9D1
MiniDumpWriteDump, xrefs: 00007FF63089BB40
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF63089B68C
4433, xrefs: 00007FF63089B841
10443, xrefs: 00007FF63089B86D
%s-%04d%02d%02d-%02d%02d%02d.dmp, xrefs: 00007FF63089BBD2
DbgHelp.dll, xrefs: 00007FF63089BB19
192.238.134.52, xrefs: 00007FF63089B861
NtSetInformationProcess, xrefs: 00007FF63089B604
192.238.134.52, xrefs: 00007FF63089B8B6
!analyze -v, xrefs: 00007FF63089BBDE
NtDll.dll, xrefs: 00007FF63089B5F4

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseHandle$ProcessSleep$OpenTokenValue$AddressByteCharCurrentFreeLibraryMultiProcWide_invalid_parameter_noinfoinet_ntoa$AdjustAllocateCheckCreateDebuggerDeleteEventExceptionFilterInitializeLoadLocalLookupMembershipModulePresentPrivilegePrivilegesTimeUnhandled_invalid_parameter_noinfo_noreturngethostbynamegethostnamewsprintf
String ID: !analyze -v$%4d.%2d.%2d-%2d:%2d:%2d$%s-%04d%02d%02d-%02d%02d%02d.dmp$10443$192.238.134.52$192.238.134.52$192.238.134.52$192.238.134.52$4433$4433$DbgHelp.dll$MiniDumpWriteDump$NtDll.dll$NtSetInformationProcess$SOFTWARE$SeDebugPrivilege$VenkernalData_info$loginconfig
API String ID: 905065789-3740111702
Opcode ID: af5b0ca8d781796932839bb88e6d9c06d7e346fee9f2ebf3790dbac2dd1ba735
Instruction ID: 6abb110508cb56e153c2fe1254333b81e11b9330c7882161e966b9b3bd70bccb
Opcode Fuzzy Hash: af5b0ca8d781796932839bb88e6d9c06d7e346fee9f2ebf3790dbac2dd1ba735
Instruction Fuzzy Hash: 3B226271A08B82A6EF20DF65E8502A973A5FF84758F504236D94D87BA5DF3CE14DE700

Function 00007FF63088F410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastInputInfo.USER32 ref: 00007FF63088F45C
GetTickCount.KERNEL32 ref: 00007FF63088F462
wsprintfW.USER32 ref: 00007FF63088F490
GetForegroundWindow.USER32 ref: 00007FF63088F496
GetWindowTextW.USER32 ref: 00007FF63088F4AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF63088F4C3
Process32FirstW.KERNEL32 ref: 00007FF63088F4F7
Process32NextW.KERNEL32 ref: 00007FF63088F54B
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF63088F565
Process32FirstW.KERNEL32 ref: 00007FF63088F59F
Process32NextW.KERNEL32 ref: 00007FF63088F5EE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF63088F608
Process32FirstW.KERNEL32 ref: 00007FF63088F642
Process32NextW.KERNEL32 ref: 00007FF63088F69E
RegOpenKeyExW.ADVAPI32 ref: 00007FF63088F6EC
RegQueryValueExW.KERNEL32 ref: 00007FF63088F71F
RegQueryValueExW.KERNEL32 ref: 00007FF63088F783
RegCloseKey.ADVAPI32 ref: 00007FF63088F90D
RegOpenKeyExW.ADVAPI32 ref: 00007FF63088F943
RegQueryValueExW.KERNEL32 ref: 00007FF63088F976
RegQueryValueExW.ADVAPI32 ref: 00007FF63088F9D5
RegCloseKey.ADVAPI32 ref: 00007FF63088F9EC
RegOpenKeyExW.ADVAPI32 ref: 00007FF63088FA22
RegQueryValueExW.KERNEL32 ref: 00007FF63088FA55
RegCloseKey.ADVAPI32 ref: 00007FF63088FACB

Part of subcall function 00007FF63089DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63089DEC8
Part of subcall function 00007FF63089DE98: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63089DECE

RegQueryValueExW.ADVAPI32 ref: 00007FF63088FAB4
SHGetFolderPathW.SHELL32 ref: 00007FF63088FAEF
lstrcatW.KERNEL32 ref: 00007FF63088FB03
CreateFileW.KERNEL32 ref: 00007FF63088FB34
lstrlenW.KERNEL32 ref: 00007FF63088FB44
WriteFile.KERNEL32 ref: 00007FF63088FB61
CloseHandle.KERNEL32 ref: 00007FF63088FB6A
FindFirstFileW.KERNEL32 ref: 00007FF63088FB7E
FindClose.KERNEL32 ref: 00007FF63088FB94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63088FCFE

Strings

WXWork.exe, xrefs: 00007FF63088F501
%d min, xrefs: 00007FF63088F489
Startup, xrefs: 00007FF63088F718, 00007FF63088F77C
Telegram.exe, xrefs: 00007FF63088F64C
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF63088F935, 00007FF63088FA14
OpenAi_Service, xrefs: 00007FF63088F96F, 00007FF63088F9CE, 00007FF63088FA4E, 00007FF63088FAAD
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 00007FF63088F6B1
WeChat.exe, xrefs: 00007FF63088F5A9
C:\ProgramData\Mylnk, xrefs: 00007FF63088F896
C:\Users, xrefs: 00007FF63088F812
\kernelquick.sys, xrefs: 00007FF63088FAF5

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Process32QueryValue$Close$CreateFirst$FileNextOpenSnapshotToolhelp32$Concurrency::cancel_current_taskFindWindow$CountFolderForegroundHandleInfoInputLastPathTextTickWrite_invalid_parameter_noinfo_noreturnlstrcatlstrlenwsprintf
String ID: %d min$C:\ProgramData\Mylnk$C:\Users$OpenAi_Service$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Startup$Telegram.exe$WXWork.exe$WeChat.exe$\kernelquick.sys
API String ID: 3029130142-1423135667
Opcode ID: e62539a16d3ca5b5cc7c3476556dc898a7606d9ab66eaf610e565dd4e6f3647a
Instruction ID: 72cef16ee18ae94c3e24443aeffcd88833368cc297989c0f3d483870e5916e61
Opcode Fuzzy Hash: e62539a16d3ca5b5cc7c3476556dc898a7606d9ab66eaf610e565dd4e6f3647a
Instruction Fuzzy Hash: F232A232A08A86A2EF60DF69E4046BD77A0FB95B8CF404135DA4D87796EF7CE548D700

Function 00007FF63089AD80 Relevance: 75.8, APIs: 27, Strings: 16, Instructions: 529stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF63089ADB5
RegQueryValueExW.KERNEL32 ref: 00007FF63089ADE6
RegQueryValueExW.ADVAPI32 ref: 00007FF63089AE45
lstrlenW.KERNEL32 ref: 00007FF63089AE52
lstrlenW.KERNEL32 ref: 00007FF63089AE73
lstrlenW.KERNEL32 ref: 00007FF63089AE86
lstrlenW.KERNEL32 ref: 00007FF63089AF1F
lstrlenW.KERNEL32 ref: 00007FF63089AF40
lstrlenW.KERNEL32 ref: 00007FF63089AF53
lstrlenW.KERNEL32 ref: 00007FF63089AFEB
lstrlenW.KERNEL32 ref: 00007FF63089AFFE
lstrlenW.KERNEL32 ref: 00007FF63089B081
lstrlenW.KERNEL32 ref: 00007FF63089B0A2
lstrlenW.KERNEL32 ref: 00007FF63089B0B5
lstrlenW.KERNEL32 ref: 00007FF63089B14F
lstrlenW.KERNEL32 ref: 00007FF63089B170
lstrlenW.KERNEL32 ref: 00007FF63089B183
lstrlenW.KERNEL32 ref: 00007FF63089B21B
lstrlenW.KERNEL32 ref: 00007FF63089B22E
lstrlenW.KERNEL32 ref: 00007FF63089B2B1
lstrlenW.KERNEL32 ref: 00007FF63089B2D2
lstrlenW.KERNEL32 ref: 00007FF63089B2E5
lstrlenW.KERNEL32 ref: 00007FF63089B37F
lstrlenW.KERNEL32 ref: 00007FF63089B3A0
lstrlenW.KERNEL32 ref: 00007FF63089B3B3
lstrlenW.KERNEL32 ref: 00007FF63089B44B
lstrlenW.KERNEL32 ref: 00007FF63089B45E

Strings

p1:, xrefs: 00007FF63089AE79
p3:, xrefs: 00007FF63089B2D8
o2:, xrefs: 00007FF63089B176
Vendata, xrefs: 00007FF63089ADDF, 00007FF63089AE3E
192.238.134.52, xrefs: 00007FF63089AE4B, 00007FF63089AE5A, 00007FF63089AF09
o1:, xrefs: 00007FF63089AF46
t1:, xrefs: 00007FF63089AFF1
p2:, xrefs: 00007FF63089B0A8
4433, xrefs: 00007FF63089AF18, 00007FF63089AF27, 00007FF63089AFD9
10443, xrefs: 00007FF63089B148, 00007FF63089B157, 00007FF63089B209
Console, xrefs: 00007FF63089ADA7
o3:, xrefs: 00007FF63089B3A6
192.238.134.52, xrefs: 00007FF63089B07A, 00007FF63089B089, 00007FF63089B139
t2:, xrefs: 00007FF63089B221
192.238.134.52, xrefs: 00007FF63089B2AA, 00007FF63089B2B9, 00007FF63089B369
t3:, xrefs: 00007FF63089B451

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrlen$QueryValue$Open
String ID: 10443$192.238.134.52$192.238.134.52$192.238.134.52$4433$Console$Vendata$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1772312705-2005200276
Opcode ID: c599fbb0e57935ebe8c3f9b158b0f14cad8e83e9b9ac755a95a7fb9a9d72626c
Instruction ID: dcde39c8d3a5ce9c92773f3e2e14748e6e5c56f224b1cfe98a43b5a7082da1ff
Opcode Fuzzy Hash: c599fbb0e57935ebe8c3f9b158b0f14cad8e83e9b9ac755a95a7fb9a9d72626c
Instruction Fuzzy Hash: FC22C461F18A6BA1EF24AB18E5606B963A1EF9474CF805131C54EC2B92EF7CF14DA344

Function 00007FF63088FD10 Relevance: 56.3, APIs: 27, Strings: 5, Instructions: 326
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00007FF63088FD2B
GetDesktopWindow.USER32 ref: 00007FF63088FD8C
GetDC.USER32 ref: 00007FF63088FD95
CreateCompatibleDC.GDI32 ref: 00007FF63088FDA1
GetDC.USER32 ref: 00007FF63088FDAC
GetDeviceCaps.GDI32 ref: 00007FF63088FDBD
GetDeviceCaps.GDI32 ref: 00007FF63088FDCD
ReleaseDC.USER32 ref: 00007FF63088FDEA
GetSystemMetrics.USER32 ref: 00007FF63088FE13
GetSystemMetrics.USER32 ref: 00007FF63088FE4E
GetSystemMetrics.USER32 ref: 00007FF63088FE82
GetSystemMetrics.USER32 ref: 00007FF63088FE9C
GetSystemMetrics.USER32 ref: 00007FF63088FEB6
CreateCompatibleBitmap.GDI32 ref: 00007FF63088FED4
SelectObject.GDI32 ref: 00007FF63088FEE8
SetStretchBltMode.GDI32 ref: 00007FF63088FEF6
GetSystemMetrics.USER32 ref: 00007FF63088FF01
GetSystemMetrics.USER32 ref: 00007FF63088FF1B
StretchBlt.GDI32 ref: 00007FF63088FF5C
GetDIBits.GDI32 ref: 00007FF630890022
DeleteObject.GDI32 ref: 00007FF6308900E9
DeleteObject.GDI32 ref: 00007FF6308900F2
ReleaseDC.USER32 ref: 00007FF6308900FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630890290

Strings

gfff, xrefs: 00007FF63088FE58
gfff, xrefs: 00007FF63088FE32
(, xrefs: 00007FF63088FF65
6, xrefs: 00007FF63088FFC2
, xrefs: 00007FF63088FF21

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: MetricsSystem$Object$CapsCompatibleCreateDeleteDeviceReleaseStretch$BitmapBitsDesktopModeSelectVersionWindow_invalid_parameter_noinfo_noreturn
String ID: $($6$gfff$gfff
API String ID: 3905184151-2922166585
Opcode ID: 9eafb342d491789966fcdb852ac60d50250fc806a3a0662fbf213cd29233fd2c
Instruction ID: 76231a0761181f50857f897df3b243097ee193b806dad9a7fe05769b53829ef8
Opcode Fuzzy Hash: 9eafb342d491789966fcdb852ac60d50250fc806a3a0662fbf213cd29233fd2c
Instruction Fuzzy Hash: 93E1D871A187C596EB259F35E40436EB3A1FF99B88F008235DA8D97B55DF3CD4889B00

Function 00007FF630887250 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF63088A300: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63088A4A0
Part of subcall function 00007FF63088A300: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63088A4A6

MultiByteToWideChar.KERNEL32 ref: 00007FF6308875FF
MultiByteToWideChar.KERNEL32 ref: 00007FF630887626

Strings

key, xrefs: 00007FF6308877B2
\DisplaySessionContainers.log, xrefs: 00007FF630887823
<, xrefs: 00007FF63088795D
open, xrefs: 00007FF6308877A6
X64, xrefs: 00007FF630887471, 00007FF63088748E

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: <$X64$\DisplaySessionContainers.log$key$open
API String ID: 143101810-941791203
Opcode ID: 84872136b42da0819a194256f274013d04c1c29aff028023f1cbf7d720f00181
Instruction ID: 79db2b18d0ddbb6593e51703a15d18fea46a21cbd681ee3279e22c3fb7fae35f
Opcode Fuzzy Hash: 84872136b42da0819a194256f274013d04c1c29aff028023f1cbf7d720f00181
Instruction Fuzzy Hash: FF228372A18A86A2EF10DB65E4402AE7371FB84B98F504232EA5D83B99DF3CD549D740

Function 00007FF6308879E0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF630887A6B
Process32FirstW.KERNEL32 ref: 00007FF630887A88
Process32NextW.KERNEL32 ref: 00007FF630887AC3
CloseHandle.KERNEL32 ref: 00007FF630887AD0
CoCreateInstance.COMBASE ref: 00007FF630887B1F
wsprintfW.USER32 ref: 00007FF630887C25
RegOpenKeyExW.ADVAPI32 ref: 00007FF630887C55
RegQueryValueExW.KERNEL32 ref: 00007FF630887CB6
lstrcatW.KERNEL32 ref: 00007FF630887CCA
lstrcatW.KERNEL32 ref: 00007FF630887CDA
RegCloseKey.ADVAPI32 ref: 00007FF630887CE7
lstrlenW.KERNEL32 ref: 00007FF630887D24
lstrcatW.KERNEL32 ref: 00007FF630887D38
CloseHandle.KERNEL32 ref: 00007FF630887D65
lstrcatW.KERNEL32 ref: 00007FF630887D7D
lstrcatW.KERNEL32 ref: 00007FF630887D8D

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 00007FF630887A04
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 00007FF630887C17

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrcat$Close$CreateHandleProcess32$FirstInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 582347850-1583895642
Opcode ID: 134265c9e40a9f760aa4fceb9a534aa5a21de15c77527937ae6ae4b8d1d4e22b
Instruction ID: fbcf12ad277249f147d2e8f7882b871b5d0d0d5dca0a801b18a4ee98a67ecf31
Opcode Fuzzy Hash: 134265c9e40a9f760aa4fceb9a534aa5a21de15c77527937ae6ae4b8d1d4e22b
Instruction Fuzzy Hash: 9AA18132A08A92A6EB24CF75E8406AA77B1FB85B4CF444131DE4D87B69DF3CD648D700

Function 00007FF630888690 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FF63088870B
GetLastError.KERNEL32 ref: 00007FF630888715
GetProcessHeap.KERNEL32 ref: 00007FF63088872B
HeapAlloc.KERNEL32 ref: 00007FF63088873C
GetTokenInformation.KERNELBASE ref: 00007FF63088876E
LookupAccountSidW.ADVAPI32 ref: 00007FF6308887B6
GetLastError.KERNEL32 ref: 00007FF6308887C0
GetProcessHeap.KERNEL32 ref: 00007FF6308888C4
HeapFree.KERNEL32 ref: 00007FF6308888D2

Strings

NONE_MAPPED, xrefs: 00007FF6308887CD

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Heap$ErrorInformationLastProcessToken$AccountAllocFreeLookup
String ID: NONE_MAPPED
API String ID: 162735656-2950899194
Opcode ID: fc7d76223dfa6cbbf8efa4015a3b0f0cb7eb74909b040ee270e83bc7d35c4934
Instruction ID: a3bd24295624e5578fa44c8e7056380109cea744a90344341a5690e844a72401
Opcode Fuzzy Hash: fc7d76223dfa6cbbf8efa4015a3b0f0cb7eb74909b040ee270e83bc7d35c4934
Instruction Fuzzy Hash: 8F51AD62A08B82E6EE609F05E4442AE73A0FF44BC8F844936DA5D83B95EF3CD548D740

Function 00007FF63089BCD0 Relevance: 15.0, APIs: 10, Instructions: 33threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63089BCDB
GetConsoleWindow.KERNEL32 ref: 00007FF63089BCE1
ShowWindow.USER32 ref: 00007FF63089BCEC
GetCurrentThreadId.KERNEL32 ref: 00007FF63089BCF2
PostThreadMessageA.USER32 ref: 00007FF63089BD02
GetInputState.USER32 ref: 00007FF63089BD08
CreateThread.KERNEL32 ref: 00007FF63089BD27
WaitForSingleObject.KERNEL32 ref: 00007FF63089BD3C
CloseHandle.KERNEL32 ref: 00007FF63089BD49
Sleep.KERNEL32 ref: 00007FF63089BD54

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 2277684705-0
Opcode ID: 6f2be5bc360ff60992bf957455bd65437668e6ddaf6ac78ef69b290b53bfb88b
Instruction ID: 3b4bddf47d20fa03af8865390b074553d3f2b874f7f8b1b27798213144fe75cc
Opcode Fuzzy Hash: 6f2be5bc360ff60992bf957455bd65437668e6ddaf6ac78ef69b290b53bfb88b
Instruction Fuzzy Hash: 6F01E835E18A42A2EB14AFB9FC5457A33A1FF88B19F418135D40EC2771DE3CA44DA304

Function 00007FF6308B1DA8 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6308B1DED

Part of subcall function 00007FF6308B1464: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B1478

Part of subcall function 00007FF6308AE6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6D2
Part of subcall function 00007FF6308AE6BC: GetLastError.KERNEL32(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6DC

Part of subcall function 00007FF6308A3D88: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6308A3D37,?,?,?,?,?,00007FF6308A3C22), ref: 00007FF6308A3D91
Part of subcall function 00007FF6308A3D88: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6308A3D37,?,?,?,?,?,00007FF6308A3C22), ref: 00007FF6308A3DB6

Part of subcall function 00007FF6308B9F14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B9E5F

_get_daylight.LIBCMT ref: 00007FF6308B1DDC

Part of subcall function 00007FF6308B14C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B14D8

_get_daylight.LIBCMT ref: 00007FF6308B2052
_get_daylight.LIBCMT ref: 00007FF6308B2063
_get_daylight.LIBCMT ref: 00007FF6308B2074
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6308B22B4), ref: 00007FF6308B209B

Strings

Eastern Summer Time, xrefs: 00007FF6308B2159
Eastern Standard Time, xrefs: 00007FF6308B2141

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: e4d215210ab8a5127c723f465f4324ebd8545cea5875ff9c0ed7522d57f15f04
Instruction ID: 9a720cdef9e05ee07fb2cd5f4550f5225134b0fd2a20ba15762fc9b1d9cc0641
Opcode Fuzzy Hash: e4d215210ab8a5127c723f465f4324ebd8545cea5875ff9c0ed7522d57f15f04
Instruction Fuzzy Hash: 21D1A126A08642A5EF20AF25D4902B97761EF4479CF844136EE4EC7B86DF3CE449E340

Function 00007FF630888040 Relevance: 10.9, APIs: 7, Instructions: 424COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63089C2E0: wsprintfW.USER32 ref: 00007FF63089C30F
Part of subcall function 00007FF63089C2E0: CreateFileW.KERNEL32 ref: 00007FF63089C33A
Part of subcall function 00007FF63089C2E0: DeviceIoControl.KERNEL32 ref: 00007FF63089C38A
Part of subcall function 00007FF63089C2E0: DeviceIoControl.KERNEL32 ref: 00007FF63089C3F1
Part of subcall function 00007FF63089C2E0: DeviceIoControl.KERNEL32 ref: 00007FF63089C451
Part of subcall function 00007FF63089C2E0: DeviceIoControl.KERNEL32 ref: 00007FF63089C4B0

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630888670
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630888676
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63088867C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630888682

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlDevice_invalid_parameter_noinfo_noreturn$CreateFilewsprintf
String ID:
API String ID: 3155671162-0
Opcode ID: ca3a5f53a69bd94d5085424c179d366c67bc8047cf41c0a47e4941c75c49cf7e
Instruction ID: e5170e445827c8e8b2b556f2091f80ae978307f2c6a3a66cf93a1bf17dcb0637
Opcode Fuzzy Hash: ca3a5f53a69bd94d5085424c179d366c67bc8047cf41c0a47e4941c75c49cf7e
Instruction Fuzzy Hash: 60029322F18B82A6EF00DB61E4103BD63A1EB55BACF004635DE5D977DADE3CE449A304

Function 00007FF6308B2024 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6308B2052

Part of subcall function 00007FF6308B14C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B14D8

_get_daylight.LIBCMT ref: 00007FF6308B2063

Part of subcall function 00007FF6308B1464: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B1478

_get_daylight.LIBCMT ref: 00007FF6308B2074

Part of subcall function 00007FF6308B1494: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B14A8

Part of subcall function 00007FF6308AE6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6D2
Part of subcall function 00007FF6308AE6BC: GetLastError.KERNEL32(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6DC

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6308B22B4), ref: 00007FF6308B209B

Strings

Eastern Summer Time, xrefs: 00007FF6308B2159
Eastern Standard Time, xrefs: 00007FF6308B2141

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: d39622db5b0ee5333b178c37cbbab90ca343d8bae9bfc90199294d5daa5d9118
Instruction ID: b6e934933ae28e022208124b64bf0902787656a3bc93d4908067b8ecd1fa705e
Opcode Fuzzy Hash: d39622db5b0ee5333b178c37cbbab90ca343d8bae9bfc90199294d5daa5d9118
Instruction Fuzzy Hash: 77518032A08642A6EF10EF25E8915B97761FF4878CF444236EA4DC7796DF3CE449A780

Function 00007FF6308891A0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6308891BD
GetProcAddress.KERNEL32 ref: 00007FF6308891CD
GetNativeSystemInfo.KERNEL32 ref: 00007FF6308891DD
GetSystemInfo.KERNEL32 ref: 00007FF6308891E1

Strings

kernel32.dll, xrefs: 00007FF6308891A7
GetNativeSystemInfo, xrefs: 00007FF6308891C6

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 882c301155eb64aee104ed8b19a7cf0e71553aaaeea973eafe02328fb5bce8a2
Instruction ID: 5162680a425e45935eb8d0bd218311d7b1fc6ef01c7cfd0bda4a06b2a781176f
Opcode Fuzzy Hash: 882c301155eb64aee104ed8b19a7cf0e71553aaaeea973eafe02328fb5bce8a2
Instruction Fuzzy Hash: 2FF0FC15E1C68293EE51E714D8042797360FF98708F845332D9CE81B55EF3CE2999600

Function 00007FF6308A8C10 Relevance: 9.2, APIs: 6, Instructions: 249COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A8C32
_get_daylight.LIBCMT ref: 00007FF6308A8C92
_get_daylight.LIBCMT ref: 00007FF6308A8CA3
_get_daylight.LIBCMT ref: 00007FF6308A8CB4
_isindst.LIBCMT ref: 00007FF6308A8D05
_isindst.LIBCMT ref: 00007FF6308A8D58

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: bc1b3b9caf7716422d15d8d8075c51535e8cc771750b1ef0c981aa63b125a24c
Instruction ID: 153cdf937fc428c55fd945216e4b87d8b5c654179ef512fd73b8bf0c382525e7
Opcode Fuzzy Hash: bc1b3b9caf7716422d15d8d8075c51535e8cc771750b1ef0c981aa63b125a24c
Instruction Fuzzy Hash: D091E2B2F04386DBEF588F29C9012A863A1EB54B8CF549435DA0D8BBC9EF3CE4559750

Function 00007FF63089C1B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF63089C259
DeviceIoControl.KERNEL32 ref: 00007FF63089C2A1

Strings

L, xrefs: 00007FF63089C289
\\.\, xrefs: 00007FF63089C1FE

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlCreateDeviceFile
String ID: L$\\.\
API String ID: 107608037-1891537229
Opcode ID: 0cbf31d1c7ae4fdc9b9f59bce1c389b46034841fd4249985a256846f0105b842
Instruction ID: f3fd1989c27d0c93e6c72e676649d9671f5f6de3d09c74270e35cc45da5f4fcb
Opcode Fuzzy Hash: 0cbf31d1c7ae4fdc9b9f59bce1c389b46034841fd4249985a256846f0105b842
Instruction Fuzzy Hash: A131D672A0C68091EB009F51B450379BBA0EB86BE8F084335EBA947BC6CF7CC0099B00

Function 00007FF630883B00 Relevance: 4.7, APIs: 3, Instructions: 151timenetworkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF630883BF5
recv.WS2_32 ref: 00007FF630883C1B

Part of subcall function 00007FF630881500: VirtualAlloc.KERNEL32 ref: 00007FF630881575
Part of subcall function 00007FF630881500: VirtualFree.KERNELBASE ref: 00007FF6308815AF

timeGetTime.WINMM ref: 00007FF630883D04

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFreeTimerecvselecttime
String ID:
API String ID: 1996171534-0
Opcode ID: 12d6ea6a5e9638a2a12ebf09b867218817c5d33edb793a075e5ebf3298344bd1
Instruction ID: 62f9347ca33659a12321450a959f7565deb608962871e42c75a8e88356b28af2
Opcode Fuzzy Hash: 12d6ea6a5e9638a2a12ebf09b867218817c5d33edb793a075e5ebf3298344bd1
Instruction Fuzzy Hash: B2716C72A18B8592EB209F29D4042BD3360FB94B8CF549635CF4D87B5AEF38E488D704

Function 00007FF630881500 Relevance: 2.6, APIs: 2, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF630881575
VirtualFree.KERNELBASE ref: 00007FF6308815AF

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7adfbc43d79927e24f2f975998fe396b12a3d4926a19e200812a52629311d3ed
Instruction ID: cb99aee47dfe4e333f229eb36362e01cb8e841fc5c52590e7973f3f252135b83
Opcode Fuzzy Hash: 7adfbc43d79927e24f2f975998fe396b12a3d4926a19e200812a52629311d3ed
Instruction Fuzzy Hash: 6041D472B08A459AEF19CF2AE45066AA759FB84F88B044139EE4EC7744EE38D949C740

Function 00007FF630888900 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 225
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF63088891C
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF63088892C
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF630888954
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF630888961
CloseHandle.KERNEL32 ref: 00007FF6308889F0
CloseHandle.KERNEL32 ref: 00007FF6308889F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630888AB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630888ABB
GetCurrentProcessId.KERNEL32 ref: 00007FF630888AEB
wsprintfW.USER32 ref: 00007FF630888B02
GetVersionExW.KERNEL32 ref: 00007FF630888B31
GetCurrentProcess.KERNEL32 ref: 00007FF630888B5D
OpenProcessToken.ADVAPI32 ref: 00007FF630888B73
GetTokenInformation.KERNELBASE ref: 00007FF630888BA8
GetLastError.KERNEL32 ref: 00007FF630888BB6
LocalAlloc.KERNEL32 ref: 00007FF630888BD5
GetTokenInformation.KERNELBASE ref: 00007FF630888C08
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF630888C15
GetSidSubAuthority.ADVAPI32 ref: 00007FF630888C23
LocalFree.KERNEL32 ref: 00007FF630888C2E
CloseHandle.KERNEL32 ref: 00007FF630888C44
wsprintfW.USER32 ref: 00007FF630888CA3

Strings

VenNetwork, xrefs: 00007FF630888AD0
-N/, xrefs: 00007FF630888C80
NO/, xrefs: 00007FF630888C89
None/%s, xrefs: 00007FF630888C92

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$CloseHandleToken$CurrentOpen$AuthorityInformationLocal_invalid_parameter_noinfo_noreturnwsprintf$AllocCountErrorFreeLastVersion
String ID: -N/$NO/$None/%s$VenNetwork
API String ID: 3589523989-819860926
Opcode ID: d42ba7504cebbf2a51a649e7bef0d695714f0f5e07d95865d6b26a32d06dfaba
Instruction ID: 8c5d75bc3d6e78d1408a0eceb9815f654df8b5bd977a4db7ce20206df7ea49d2
Opcode Fuzzy Hash: d42ba7504cebbf2a51a649e7bef0d695714f0f5e07d95865d6b26a32d06dfaba
Instruction Fuzzy Hash: EAA18261A0CB82E2EF609B65E4443BA6361FF84B98F405635DA8D83B99DF3CD94DD700

Function 00007FF6308902A0 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00007FF6308902D8
GlobalLock.KERNEL32 ref: 00007FF6308902E4
GlobalUnlock.KERNEL32 ref: 00007FF6308902FB
CreateStreamOnHGlobal.OLE32 ref: 00007FF630890311
GlobalFree.KERNEL32 ref: 00007FF630890674

Part of subcall function 00007FF6308861E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF630886231
Part of subcall function 00007FF6308861E0: GetLastError.KERNEL32 ref: 00007FF63088623B

EnterCriticalSection.KERNEL32 ref: 00007FF63089035F
LeaveCriticalSection.KERNEL32 ref: 00007FF63089036C
GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF63089039A
GdipDisposeImage.GDIPLUS ref: 00007FF6308903B0
GdipDisposeImage.GDIPLUS ref: 00007FF6308903CE
CreateStreamOnHGlobal.OLE32 ref: 00007FF6308903EB
GetHGlobalFromStream.OLE32 ref: 00007FF630890412
GlobalLock.KERNEL32 ref: 00007FF63089041C
GlobalFree.KERNEL32 ref: 00007FF63089043B
DeleteObject.GDI32 ref: 00007FF63089046B
EnterCriticalSection.KERNEL32 ref: 00007FF63089047D
EnterCriticalSection.KERNEL32 ref: 00007FF63089048D
GdiplusShutdown.GDIPLUS ref: 00007FF63089049B
LeaveCriticalSection.KERNEL32 ref: 00007FF6308904A8
LeaveCriticalSection.KERNEL32 ref: 00007FF6308904B2
DeleteObject.GDI32 ref: 00007FF630890624
EnterCriticalSection.KERNEL32 ref: 00007FF630890636
EnterCriticalSection.KERNEL32 ref: 00007FF630890646
GdiplusShutdown.GDIPLUS ref: 00007FF630890654
LeaveCriticalSection.KERNEL32 ref: 00007FF630890661
LeaveCriticalSection.KERNEL32 ref: 00007FF63089066B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630890698

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Global$EnterLeave$Stream$CreateGdip$DeleteDisposeFreeFromGdiplusImageLockObjectShutdown$AllocBitmapErrorInitializeLastUnlock_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 953580087-0
Opcode ID: 6a47932f2d824f93bffde5a913d367a737229ea91dfede279ec8d7f768a18219
Instruction ID: 36230507a6f53533fdd0e1d48b34d89c4da439f5d6f6ebcb0175f786afccc95f
Opcode Fuzzy Hash: 6a47932f2d824f93bffde5a913d367a737229ea91dfede279ec8d7f768a18219
Instruction Fuzzy Hash: FEC12A36B08B42AAEB009BA4E4441AD3375FB44B5CB004135DE5D97B99DF38E45DE744

Function 00007FF63088C340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 00007FF63088C377
GdipGetImageHeight.GDIPLUS ref: 00007FF63088C3F4
GdipGetImageWidth.GDIPLUS ref: 00007FF63088C41A
GdipGetImagePaletteSize.GDIPLUS ref: 00007FF63088C470
GdipGetImagePalette.GDIPLUS ref: 00007FF63088C4F1
CreateCompatibleDC.GDI32 ref: 00007FF63088C588
SelectObject.GDI32 ref: 00007FF63088C599
SetDIBColorTable.GDI32 ref: 00007FF63088C5B7
SelectObject.GDI32 ref: 00007FF63088C5CC
DeleteDC.GDI32 ref: 00007FF63088C5F6
GdipBitmapLockBits.GDIPLUS ref: 00007FF63088C646
GdipBitmapUnlockBits.GDIPLUS ref: 00007FF63088C6D3
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF63088C702
GdipGetImageGraphicsContext.GDIPLUS ref: 00007FF63088C71D
GdipDrawImageI.GDIPLUS ref: 00007FF63088C737
GdipDeleteGraphics.GDIPLUS ref: 00007FF63088C740
GdipDisposeImage.GDIPLUS ref: 00007FF63088C74D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63088C79F

Strings

&, xrefs: 00007FF63088C3D4

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Gdip$Image$Bitmap$BitsCreateDeleteGraphicsObjectPaletteSelect$ColorCompatibleContextDisposeDrawFormatFromHeightLockPixelScan0SizeTableUnlockWidth_invalid_parameter_noinfo
String ID: &
API String ID: 4034434136-3042966939
Opcode ID: dd11024c4d0ee26c12cb960423acbe48478663fb147fae3e010d538c7f7c31a7
Instruction ID: 35b90f7a8e0cf64222afee653b58a1cfe9cee5d6882b2188a853cb7630f35dcb
Opcode Fuzzy Hash: dd11024c4d0ee26c12cb960423acbe48478663fb147fae3e010d538c7f7c31a7
Instruction Fuzzy Hash: D2D1BC72A04A82AAEF609F25D8446BD37A4FB44B9CF018035DF1D97B89DF38E949D740

Function 00007FF630883820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 00007FF630883840
timeGetTime.WINMM ref: 00007FF63088384F
socket.WS2_32 ref: 00007FF63088387C
lstrlenW.KERNEL32 ref: 00007FF63088389E
WideCharToMultiByte.KERNEL32 ref: 00007FF6308838C2
lstrlenW.KERNEL32 ref: 00007FF6308838DA
WideCharToMultiByte.KERNEL32 ref: 00007FF6308838FD
gethostbyname.WS2_32 ref: 00007FF63088390A
htons.WS2_32 ref: 00007FF630883938
connect.WS2_32 ref: 00007FF630883962
setsockopt.WS2_32 ref: 00007FF63088399E
setsockopt.WS2_32 ref: 00007FF6308839D1
setsockopt.WS2_32 ref: 00007FF630883A04
setsockopt.WS2_32 ref: 00007FF630883A2D
WSAIoctl.WS2_32 ref: 00007FF630883A80

Strings

0u, xrefs: 00007FF6308839EB

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: setsockopt$ByteCharMultiWidelstrlen$EventIoctlResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 3082052849-3203441087
Opcode ID: ccce55d91f5f2933dea2ad9c04242a37362f75e3f1846cefbce616602e138f50
Instruction ID: 3948f463c5059a2a98efd5e8d49928355141254b7019228e2441b0d041895274
Opcode Fuzzy Hash: ccce55d91f5f2933dea2ad9c04242a37362f75e3f1846cefbce616602e138f50
Instruction Fuzzy Hash: 7A714D72608B8196DB24CF65F44076BB7A5FB84B58F00423AEA9E47B98DF3CD149DB04

Function 00007FF630888AD0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF630888AEB
wsprintfW.USER32 ref: 00007FF630888B02

Part of subcall function 00007FF630888900: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF63088891C
Part of subcall function 00007FF630888900: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF63088892C
Part of subcall function 00007FF630888900: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF630888954
Part of subcall function 00007FF630888900: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF630888B10), ref: 00007FF630888961

GetVersionExW.KERNEL32 ref: 00007FF630888B31
GetCurrentProcess.KERNEL32 ref: 00007FF630888B5D
OpenProcessToken.ADVAPI32 ref: 00007FF630888B73
GetTokenInformation.KERNELBASE ref: 00007FF630888BA8
GetLastError.KERNEL32 ref: 00007FF630888BB6
LocalAlloc.KERNEL32 ref: 00007FF630888BD5
GetTokenInformation.KERNELBASE ref: 00007FF630888C08
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF630888C15
GetSidSubAuthority.ADVAPI32 ref: 00007FF630888C23
LocalFree.KERNEL32 ref: 00007FF630888C2E
CloseHandle.KERNEL32 ref: 00007FF630888C44
wsprintfW.USER32 ref: 00007FF630888CA3

Strings

VenNetwork, xrefs: 00007FF630888AD0

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
String ID: VenNetwork
API String ID: 4155081256-3057682757
Opcode ID: 544014d16ea7105ca2918a4ebfd3314dfb4a8e47be3c755dc7ae7334bb45691a
Instruction ID: 8a3a8352abd1602035a831d568822f5401085618022cfc49a334bfba4d7c75b2
Opcode Fuzzy Hash: 544014d16ea7105ca2918a4ebfd3314dfb4a8e47be3c755dc7ae7334bb45691a
Instruction Fuzzy Hash: 5D416031A0DA82E2EFA19B61E8443BA6361EF85B49F444535CA4E83795DF3CD84DE710

Function 00007FF63089BDD0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeviceIoControl.KERNEL32 ref: 00007FF63089BE74
DeviceIoControl.KERNEL32 ref: 00007FF63089BEE3
GlobalAlloc.KERNEL32 ref: 00007FF63089BF12
DeviceIoControl.KERNEL32 ref: 00007FF63089BF5C
GlobalFree.KERNEL32 ref: 00007FF63089BF7E
DeviceIoControl.KERNEL32 ref: 00007FF63089BFCD
GlobalAlloc.KERNEL32 ref: 00007FF63089BFF5
DeviceIoControl.KERNEL32 ref: 00007FF63089C037
GlobalFree.KERNEL32 ref: 00007FF63089C050
GlobalFree.KERNEL32 ref: 00007FF63089C06F

Strings

- External Hub, xrefs: 00007FF63089C05B
%s-%s|, xrefs: 00007FF63089C0DB

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlDeviceGlobal$Free$Alloc
String ID: - External Hub$%s-%s|
API String ID: 3253977144-729331614
Opcode ID: 03081c74bdac7000a7ddd20b442c3762f1845e4c687d354af1ec42045e17da7d
Instruction ID: 762922593582aef3933151145aeb68c00b75cb3e8237543d800edfac1d666c27
Opcode Fuzzy Hash: 03081c74bdac7000a7ddd20b442c3762f1845e4c687d354af1ec42045e17da7d
Instruction Fuzzy Hash: 32B1E472A08B819AEB20DF21E8403AEB7A0FB85798F544135DB8D97BA5DF3CD548C704

Function 00007FF63088D9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63088DA44
GetLastInputInfo.USER32 ref: 00007FF63088DAAB
GetTickCount.KERNEL32 ref: 00007FF63088DAB1
wsprintfW.USER32 ref: 00007FF63088DAE4
RegOpenKeyExW.KERNEL32 ref: 00007FF63088DB72
RegQueryValueExW.KERNEL32 ref: 00007FF63088DBA3

Strings

Console, xrefs: 00007FF63088DB64
%d min, xrefs: 00007FF63088DADD
IpDatespecial, xrefs: 00007FF63088DB9C

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CountInfoInputLastOpenQueryTickValue_invalid_parameter_noinfo_noreturnwsprintf
String ID: %d min$Console$IpDatespecial
API String ID: 357503962-2712035571
Opcode ID: efa53836958f32f8ab0cb54a8671f626514f8aa22354df529298ed1da135f9ea
Instruction ID: ec7e819f6e315e9131b0e0bb1f8b27f06d47b106913e2755febe1def5c8d07a9
Opcode Fuzzy Hash: efa53836958f32f8ab0cb54a8671f626514f8aa22354df529298ed1da135f9ea
Instruction Fuzzy Hash: 22518C73608E85A9EB608F28EC543A927A4EB84B5DF444131DA4C877AADF3DD589D700

Function 00007FF63089C2E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00007FF63089C30F
CreateFileW.KERNEL32 ref: 00007FF63089C33A
DeviceIoControl.KERNEL32 ref: 00007FF63089C38A
DeviceIoControl.KERNEL32 ref: 00007FF63089C3F1

Part of subcall function 00007FF63089C520: WideCharToMultiByte.KERNEL32 ref: 00007FF63089C555
Part of subcall function 00007FF63089C520: WideCharToMultiByte.KERNEL32 ref: 00007FF63089C590

DeviceIoControl.KERNEL32 ref: 00007FF63089C451
DeviceIoControl.KERNEL32 ref: 00007FF63089C4B0

Part of subcall function 00007FF63089C1B0: CreateFileA.KERNEL32 ref: 00007FF63089C259
Part of subcall function 00007FF63089C1B0: DeviceIoControl.KERNEL32 ref: 00007FF63089C2A1

CloseHandle.KERNEL32 ref: 00007FF63089C4DE
CloseHandle.KERNEL32 ref: 00007FF63089C503

Strings

\\.\HCD%d, xrefs: 00007FF63089C303

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ControlDevice$ByteCharCloseCreateFileHandleMultiWide$wsprintf
String ID: \\.\HCD%d
API String ID: 2324936672-2696249065
Opcode ID: b16b9414ff4f5bba01ca19ea586cfc01d35dadd3bdcc9ae74a2dc0319bdc3a1e
Instruction ID: 7eefc96bf97f70c2bfc920ebc18b293661cad52b8b76fe08385bf5e83ad14f99
Opcode Fuzzy Hash: b16b9414ff4f5bba01ca19ea586cfc01d35dadd3bdcc9ae74a2dc0319bdc3a1e
Instruction Fuzzy Hash: 90517032708781A6EF60EB11B44076AB7A4FB86798F540135EA8E87B95EF3DD009DB00

Function 00007FF63088C7B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 00007FF63088C7E4
GdipGetImageEncoders.GDIPLUS ref: 00007FF63088C871
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF63088C915
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 00007FF63088C92D
GdipSaveImageToStream.GDIPLUS ref: 00007FF63088C944
GdipDisposeImage.GDIPLUS ref: 00007FF63088C951
GdipDisposeImage.GDIPLUS ref: 00007FF63088C95E

Strings

&, xrefs: 00007FF63088C8FD

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Gdip$Image$BitmapCreateDisposeEncodersFrom$SaveScan0SizeStream
String ID: &
API String ID: 370471037-3042966939
Opcode ID: 4526caf998ada3252c84406b8f766584f007c4df05e28e230d859843c7169577
Instruction ID: a8493eaa6e406e62b1298360c2ddb4f922e36b24daa4a478115c8acc66e7ea3d
Opcode Fuzzy Hash: 4526caf998ada3252c84406b8f766584f007c4df05e28e230d859843c7169577
Instruction Fuzzy Hash: E4517432A08B42A6EF109F65A8005B867A1FF44B9CF444275DE1D97B99DF3CE94AE340

Function 00007FF630888CD0 Relevance: 9.1, APIs: 6, Instructions: 67registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF630888D32
RegQueryValueExW.KERNEL32 ref: 00007FF630888D89
lstrcmpW.KERNEL32 ref: 00007FF630888D9F
RegCloseKey.KERNEL32 ref: 00007FF630888DCF
RegCloseKey.ADVAPI32 ref: 00007FF630888DDD

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID:
API String ID: 4288439342-0
Opcode ID: 898e3f92dd09ced9f59f1214a1bb77de0c366a7caab65dc6ea004482ae0e6425
Instruction ID: 2ba5577ab9fe3bf44d1b6b7f786e4d8f50de183173082aa5a54c3deb83e5cc2f
Opcode Fuzzy Hash: 898e3f92dd09ced9f59f1214a1bb77de0c366a7caab65dc6ea004482ae0e6425
Instruction Fuzzy Hash: 7F31863161CB8192EF608F25E8886AA73A4FB94B98F504231DA5D83BE9DF3DD44DD700

Function 00007FF630888E00 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 239COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 00007FF630888E4C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630889191
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630889197

Strings

%s%s %d*%d , xrefs: 00007FF630889094
%s%s %d %d , xrefs: 00007FF630888F3F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFactory
String ID: %s%s %d %d $%s%s %d*%d
API String ID: 2331002265-1924168580
Opcode ID: 8fa00d72778a232c14932e728595a13cc51c5fe8bf1a07966f1b6ffb0567861c
Instruction ID: f6393d09e81775d848955bb4efbe4f22115b9fbe049d8fa18804c7b383eb8bfa
Opcode Fuzzy Hash: 8fa00d72778a232c14932e728595a13cc51c5fe8bf1a07966f1b6ffb0567861c
Instruction Fuzzy Hash: D9A19E36B08B859AEB10CF65D4442EE7761FB88B98F540622EE9D97B98DF3CD485C700

Function 00007FF6308A8940 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A896B
CreateThread.KERNEL32 ref: 00007FF6308A89AC
GetLastError.KERNEL32 ref: 00007FF6308A89BA
CloseHandle.KERNEL32 ref: 00007FF6308A89D0
FreeLibrary.KERNEL32 ref: 00007FF6308A89DF

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: bf8243345e757f2f55ee74e3b164a4444cec9f217b6620c703edaf3e446c73ac
Instruction ID: 217136ae9f1b2e4cec008d2a7140a93512fe7aa834701afeab1cfec6e2aee95b
Opcode Fuzzy Hash: bf8243345e757f2f55ee74e3b164a4444cec9f217b6620c703edaf3e446c73ac
Instruction Fuzzy Hash: 69218335A09741E7EE14DF56A40017AA7A0EF88BD8F184931DE4D83B95DF3CE4089611

Function 00007FF630883E30 Relevance: 6.1, APIs: 4, Instructions: 120threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF630883E51
send.WS2_32 ref: 00007FF630883F43
send.WS2_32 ref: 00007FF630883F90
GetCurrentThreadId.KERNEL32 ref: 00007FF630883FBA

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CurrentThreadsend
String ID:
API String ID: 302076607-0
Opcode ID: 8fc84bb4e0a68a1d65a8e1ac48c208ce2ab72bf0ff2939eb6e9be73f1c549aff
Instruction ID: e152825703a486443d4e4ae489d9dbb65eba95aa67761ef3663b426109e00804
Opcode Fuzzy Hash: 8fc84bb4e0a68a1d65a8e1ac48c208ce2ab72bf0ff2939eb6e9be73f1c549aff
Instruction Fuzzy Hash: 3251C132A08B46A7EB149F29E14436AB7B0FB84B8CF048035DB4D87B55EF38E45A9344

Function 00007FF63089C5C0 Relevance: 4.6, APIs: 3, Instructions: 79stringCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00007FF63089C603
DeviceIoControl.KERNEL32 ref: 00007FF63089C653

Part of subcall function 00007FF63089C520: WideCharToMultiByte.KERNEL32 ref: 00007FF63089C555
Part of subcall function 00007FF63089C520: WideCharToMultiByte.KERNEL32 ref: 00007FF63089C590

lstrcpyA.KERNEL32 ref: 00007FF63089C6D2

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ByteCharMultiWide$ControlDefaultDeviceLangSystemlstrcpy
String ID:
API String ID: 3058672631-0
Opcode ID: 93d17b8bbf808d0062489be832d1c2fe809a10c804b5f1e4639794739b5737c4
Instruction ID: dbe1f435ceb26488b4e5507dddb5daf36e8d500d0b32923537bbe17e80c06b00
Opcode Fuzzy Hash: 93d17b8bbf808d0062489be832d1c2fe809a10c804b5f1e4639794739b5737c4
Instruction Fuzzy Hash: E831C53160CB82A5EF20DB11E4443AAA3A1EB9AB94F544135FA9D87B85DF3DD408DB00

Function 00007FF63088C9B0 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6308861E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF630886231
Part of subcall function 00007FF6308861E0: GetLastError.KERNEL32 ref: 00007FF63088623B

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF63088C7D4), ref: 00007FF63088C9DA
GdiplusStartup.GDIPLUS ref: 00007FF63088CA0F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF63088C7D4), ref: 00007FF63088CA27

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorGdiplusInitializeLastLeaveStartup
String ID:
API String ID: 2723390537-0
Opcode ID: 65629aaaa719a2e99d15e3f5434e13b9281ffa3b8c64cff51ac5a9778f412de6
Instruction ID: 6d383069ea8ce0edc9016b7699fd252dfcb96ae56220bafd52f86be619c53f3f
Opcode Fuzzy Hash: 65629aaaa719a2e99d15e3f5434e13b9281ffa3b8c64cff51ac5a9778f412de6
Instruction Fuzzy Hash: CD019E32A08B84D6EB008F15F44436AB7E1F784B49F481025EA8E83759CF3CD099DB40

Function 00007FF630883DA0 Relevance: 3.0, APIs: 2, Instructions: 41timeCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF630883DCD
timeGetTime.WINMM ref: 00007FF630883DF1

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 2becff6657bc7d5012ec94526cf32972d5272bc21be79492e35a94961d449a59
Instruction ID: fe20e4dc4751cd2037ceaebe25d14413b21824c200685b0b208aa78739e3dac3
Opcode Fuzzy Hash: 2becff6657bc7d5012ec94526cf32972d5272bc21be79492e35a94961d449a59
Instruction Fuzzy Hash: DA018022B1864197EB644B64E18833D27A0F744789F441234C75E87BD4CF3CD4E9C704

Function 00007FF6308A8808 Relevance: 3.0, APIs: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6308A8816
ExitThread.KERNEL32 ref: 00007FF6308A881E

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 86e50ef011b0631a2311c12b12e79fa44030a146f353d628d3291aff0b0405bd
Instruction ID: 1c0c2300ba7279cd180e5233b88025eb7a1233aa6c100c0a1694c2c215578c05
Opcode Fuzzy Hash: 86e50ef011b0631a2311c12b12e79fa44030a146f353d628d3291aff0b0405bd
Instruction Fuzzy Hash: 22F09021F1A642A2FF14ABB4845517D22A0EF58B48F540434D90AD77E2EE3CA8499310

Function 00007FF63089DE98 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63089DEC8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63089DECE

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: a47e5a6ac0625703f2fd5b566550f71a2f7208a7861a0071670bc6a0f9e7358f
Instruction ID: ed53f3c1e910a8ad78f54b72c6a9c4327b2a0bd0b38eabdc502bf9e6243b673a
Opcode Fuzzy Hash: a47e5a6ac0625703f2fd5b566550f71a2f7208a7861a0071670bc6a0f9e7358f
Instruction Fuzzy Hash: D5E0B660E1A20B75FD6971B6281607810400F6977CE281B30E97E887C3AD3CB49DA118

Function 00007FF6308AE6BC Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6D2
GetLastError.KERNEL32(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6DC

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a27750d6ae148c980c7c980f65ba2d3e2e52c6c92a9735542c6e0cceef461146
Instruction ID: 4920f2a9e4ce816044f7e0d169b285c32605866e1899ec69669a8536c23a96b5
Opcode Fuzzy Hash: a27750d6ae148c980c7c980f65ba2d3e2e52c6c92a9735542c6e0cceef461146
Instruction Fuzzy Hash: EAE0C210F18213A3FF186BF658551782250AFA4708F504C34D80DC37E2EE7C784CA724

Function 00007FF630881730 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF630881796
VirtualFree.KERNELBASE ref: 00007FF6308817CA

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 616965ea612f33b462fe03c73724eb49c1abe59c321f00a6c33259c6d796c58f
Instruction ID: bac2148856622795530066515599f49a1a47dbb03f818c6323a96e5977a0ebf0
Opcode Fuzzy Hash: 616965ea612f33b462fe03c73724eb49c1abe59c321f00a6c33259c6d796c58f
Instruction Fuzzy Hash: DF21A731B18A4596DB24DF2EF44012AB7B5FB84B84B144134EB9ED3B18EF3CE4859704

Function 00007FF630881670 Relevance: 2.6, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6308816C4
VirtualFree.KERNEL32 ref: 00007FF6308816FE

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 0d2589c5e0cc1a94e4b3bf8f4f54a9d1287f00ffced7c8db5b8a82110618710c
Instruction ID: 054de24c8a9617eeba69259a9af6b3932c7a951a81366942070e47f392b2b0ac
Opcode Fuzzy Hash: 0d2589c5e0cc1a94e4b3bf8f4f54a9d1287f00ffced7c8db5b8a82110618710c
Instruction Fuzzy Hash: 5E110831B28A4182DF15CF3AA440129A3A5FF98FC8B144135E94ED3748EF3CD885CB40

Function 00007FF63089DFC0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63089DC60: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF63089DC74

__scrt_release_startup_lock.LIBCMT ref: 00007FF63089E057

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 2217363868-0
Opcode ID: cbc0649b0607904615e0344cdc653858b0dfbbed05089a03dbfd93f3e9e99ab1
Instruction ID: cd526f254e890b145609c0a7c76fca2ca66d97ca4400f6daad08317bd336105b
Opcode Fuzzy Hash: cbc0649b0607904615e0344cdc653858b0dfbbed05089a03dbfd93f3e9e99ab1
Instruction Fuzzy Hash: F5316821A0C643A2FE10BB24D4127B92B91AF4178CF944035EA0DC77D7DE7DA80DA200

Function 00007FF630881000 Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF630881022

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 27a40b9f3cf52b959e37d45274ab80e386b8a2eb9336faf4e796e06ae50c97e7
Instruction ID: 33d2b4384ab4cbbc9896b40e8b047fdc53367c1e4c89d89322dcac4a7efca616
Opcode Fuzzy Hash: 27a40b9f3cf52b959e37d45274ab80e386b8a2eb9336faf4e796e06ae50c97e7
Instruction Fuzzy Hash: 21E08636B09A45EAEB11EF24D4550B47364FB5D308F444171E58D83756DE3CD559DF00

Function 00007FF6308AEDD0 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6308B252D,?,?,00000000,00007FF6308AA3FB,?,?,?,00007FF6308AC5D3,?,?,?,00007FF6308AC4C9), ref: 00007FF6308AEE0E

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c5d91307553507d7a0b65c4578cb45837d9ca66b83f15ba5a6112bdae37f71ee
Instruction ID: f63fe5c0f272dd0abd4c00f07233f4f362b71fce356c67b111c604cfa08dd12a
Opcode Fuzzy Hash: c5d91307553507d7a0b65c4578cb45837d9ca66b83f15ba5a6112bdae37f71ee
Instruction Fuzzy Hash: 41F08C00F09247A2FEA467A6584137512805F947A8F280E34DC2EC6BC2EE3CB4A86114

Non-executed Functions

Function 00007FF630889320 Relevance: 68.5, APIs: 29, Strings: 10, Instructions: 221libraryloaderinjectionCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF630889396
CreateProcessA.KERNEL32 ref: 00007FF6308893F9
GetCurrentProcess.KERNEL32 ref: 00007FF630889407
OpenProcessToken.ADVAPI32 ref: 00007FF63088941C
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63088943A
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF630889482
OpenProcess.KERNEL32 ref: 00007FF63088949B
LoadLibraryA.KERNEL32 ref: 00007FF6308894C5
GetProcAddress.KERNEL32 ref: 00007FF6308894D5
LoadLibraryA.KERNEL32 ref: 00007FF6308894E6
GetProcAddress.KERNEL32 ref: 00007FF6308894F6
LoadLibraryA.KERNEL32 ref: 00007FF630889507
GetProcAddress.KERNEL32 ref: 00007FF630889517
LoadLibraryA.KERNEL32 ref: 00007FF630889528
GetProcAddress.KERNEL32 ref: 00007FF630889538
GetCurrentProcess.KERNEL32 ref: 00007FF630889542
GetProcessId.KERNEL32 ref: 00007FF63088954B
GetModuleFileNameA.KERNEL32 ref: 00007FF63088957F
VirtualAllocEx.KERNEL32 ref: 00007FF6308895B5
WriteProcessMemory.KERNEL32 ref: 00007FF6308895DC
VirtualProtectEx.KERNEL32 ref: 00007FF63088960F
VirtualAllocEx.KERNEL32 ref: 00007FF63088962E
WriteProcessMemory.KERNEL32 ref: 00007FF630889658
VirtualProtectEx.KERNEL32 ref: 00007FF630889684
CreateRemoteThread.KERNEL32 ref: 00007FF6308896A7
Sleep.KERNEL32 ref: 00007FF6308896BA
VirtualProtectEx.KERNEL32 ref: 00007FF6308896DE
VirtualProtectEx.KERNEL32 ref: 00007FF630889702
ResumeThread.KERNEL32 ref: 00007FF63088970B

Strings

SeDebugPrivilege, xrefs: 00007FF630889433
OpenProcess, xrefs: 00007FF6308894CE
WaitForSingleObject, xrefs: 00007FF630889531
h, xrefs: 00007FF63088937D
%s%s, xrefs: 00007FF6308893B1
@, xrefs: 00007FF630889617
ExitProcess, xrefs: 00007FF6308894EF
WinExec, xrefs: 00007FF630889510
Kernel32.dll, xrefs: 00007FF6308894BE, 00007FF6308894DB, 00007FF6308894FC, 00007FF63088951D
Windows\System32\svchost.exe, xrefs: 00007FF63088939C

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect$AllocCreateCurrentMemoryOpenThreadTokenWrite$AdjustDirectoryFileLookupModuleNamePrivilegePrivilegesRemoteResumeSleepSystemValue
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$SeDebugPrivilege$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 3040193174-4212407401
Opcode ID: 0c2d203bb3590072b2790da5483ee898493f9f682a060de060c9115ce93124ea
Instruction ID: b154c42c606d0ce0dc27f420a0bf37cb80049f264a175d7766c953e0dbbd2e34
Opcode Fuzzy Hash: 0c2d203bb3590072b2790da5483ee898493f9f682a060de060c9115ce93124ea
Instruction Fuzzy Hash: 3DA17C32B14B82A5EB219F65E8143E973A4FB48B8CF040135DA4D97B65DF3CD24AD700

Function 00007FF63088ADB0 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 286stringclipboardfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00000000,00002514,00000000,00000000,00000000,00007FF6308879D1), ref: 00007FF63088AE08
GetTickCount.KERNEL32 ref: 00007FF63088AE0E
GetTickCount.KERNEL32 ref: 00007FF63088AE25
OpenClipboard.USER32 ref: 00007FF63088AE33
GetClipboardData.USER32 ref: 00007FF63088AE3E
GlobalSize.KERNEL32 ref: 00007FF63088AE53
GlobalLock.KERNEL32 ref: 00007FF63088AE63
wsprintfW.USER32 ref: 00007FF63088AECE
WaitForSingleObject.KERNEL32 ref: 00007FF63088AEE0
CreateFileW.KERNEL32 ref: 00007FF63088AF14
SetFilePointer.KERNEL32 ref: 00007FF63088AF3C
lstrlenW.KERNEL32 ref: 00007FF63088AF47
WriteFile.KERNEL32 ref: 00007FF63088AF6A
CloseHandle.KERNEL32 ref: 00007FF63088AF73
ReleaseMutex.KERNEL32 ref: 00007FF63088AF80
GlobalUnlock.KERNEL32 ref: 00007FF63088AF9B
CloseClipboard.USER32 ref: 00007FF63088AFA1
GetForegroundWindow.USER32 ref: 00007FF63088AFBB
GetWindowTextW.USER32 ref: 00007FF63088AFD8
lstrlenW.KERNEL32 ref: 00007FF63088B00E
GetLocalTime.KERNEL32 ref: 00007FF63088B021
wsprintfW.USER32 ref: 00007FF63088B074
GetKeyState.USER32 ref: 00007FF63088B153
lstrlenW.KERNEL32 ref: 00007FF63088B1A0
lstrlenW.KERNEL32 ref: 00007FF63088B1C1
wsprintfW.USER32 ref: 00007FF63088B211
wsprintfW.USER32 ref: 00007FF63088B22F
lstrlenW.KERNEL32 ref: 00007FF63088B2A7

Strings

[, xrefs: 00007FF63088AEC2
%s%s, xrefs: 00007FF63088B207
[, xrefs: 00007FF63088B05C
%s%s, xrefs: 00007FF63088B21B
%s%s, xrefs: 00007FF63088B24D
[esc], xrefs: 00007FF63088ADFC

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrlen$wsprintf$ClipboardFileGlobal$CloseCountTickWindow$CreateDataForegroundHandleLocalLockMutexObjectOpenPointerReleaseSingleSizeSleepStateTextTimeUnlockWaitWrite
String ID: [$[$%s%s$%s%s$%s%s$[esc]
API String ID: 3669393114-972647286
Opcode ID: e6ab48ff98ca9ddfa9a13a1758a8a9b1ffd3d9cd46131382e05cf3f4eced504b
Instruction ID: dfcd89a7f8056d0808a4ead75e4240b386e66e4c5433872b7bfef44550904fee
Opcode Fuzzy Hash: e6ab48ff98ca9ddfa9a13a1758a8a9b1ffd3d9cd46131382e05cf3f4eced504b
Instruction Fuzzy Hash: 25D19E25A08A42A6FF50DB69E8542BA73A1FF9574CF404236D95EC27A1EF3CE54CE700

Function 00007FF63088D410 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 385stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF63088D437
wsprintfW.USER32 ref: 00007FF63088D47F
lstrlenW.KERNEL32 ref: 00007FF63088D4C5
lstrlenW.KERNEL32 ref: 00007FF63088D4E6
lstrlenW.KERNEL32 ref: 00007FF63088D4F9
lstrlenW.KERNEL32 ref: 00007FF63088D58D
lstrlenW.KERNEL32 ref: 00007FF63088D5AC
lstrlenW.KERNEL32 ref: 00007FF63088D5BF
lstrlenW.KERNEL32 ref: 00007FF63088D649
lstrlenW.KERNEL32 ref: 00007FF63088D65C
CreateEventA.KERNEL32 ref: 00007FF63088D7AD

Strings

p1:, xrefs: 00007FF63088D4EF
o1:, xrefs: 00007FF63088D5B5
t1:, xrefs: 00007FF63088D652
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF63088D471

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrlen$CreateEventLocalTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 2157945651-1225219777
Opcode ID: 4ab38958384f3d8ae6ea9e35e84b41bd479a6b61bb859707b2bd8aeb0401d26c
Instruction ID: ca62b8e31cf93f066e7d41510a827be5d84cfc05091e805bb1b259abfe0b36b8
Opcode Fuzzy Hash: 4ab38958384f3d8ae6ea9e35e84b41bd479a6b61bb859707b2bd8aeb0401d26c
Instruction Fuzzy Hash: 51F1E263B18792A6EF249F25E8407BD23A0FB44B9CF404231DA4E97B95DF3CA589D700

Function 00007FF6308897A0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6308897D5
GetProcAddress.KERNEL32 ref: 00007FF6308897E8
GetProcAddress.KERNEL32 ref: 00007FF630889816
FreeLibrary.KERNEL32 ref: 00007FF630889847
CreateFileW.KERNEL32 ref: 00007FF630889874
GetProcAddress.KERNEL32 ref: 00007FF6308898BC
WriteFile.KERNEL32 ref: 00007FF630889906
CloseHandle.KERNEL32 ref: 00007FF63088991E
Sleep.KERNEL32 ref: 00007FF630889931
GetProcAddress.KERNEL32 ref: 00007FF630889941
FreeLibrary.KERNEL32 ref: 00007FF63088995C

Strings

InternetReadFile, xrefs: 00007FF6308898B2
InternetOpenW, xrefs: 00007FF6308897DE
InternetOpenUrlW, xrefs: 00007FF63088980C
MSIE 6.0, xrefs: 00007FF6308897F9
wininet.dll, xrefs: 00007FF6308897C3
InternetCloseHandle, xrefs: 00007FF630889937

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: b869be42eea26ef83cf2f127258845e1be2102d2018284c86f6782853b1c64bb
Instruction ID: 70eda4d6569f7f40c6c3495367ad5e3fbd38650b25e380625a025f65f0b4f7b2
Opcode Fuzzy Hash: b869be42eea26ef83cf2f127258845e1be2102d2018284c86f6782853b1c64bb
Instruction Fuzzy Hash: 4941D725A09A43A2EF60DB55B9107BA67A0FF89B98F484230DE9E43754EF3CD14DDB00

Function 00007FF630890E20 Relevance: 27.3, APIs: 18, Instructions: 322clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63089D14C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63089D169
Part of subcall function 00007FF63089D14C: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF63089D18C
Part of subcall function 00007FF63089D14C: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63089D221

Part of subcall function 00007FF630891620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF630891639
Part of subcall function 00007FF630891620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63089165E
Part of subcall function 00007FF630891620: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891688
Part of subcall function 00007FF630891620: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891722
Part of subcall function 00007FF630891620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF630891732
Part of subcall function 00007FF630891620: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF630891757
Part of subcall function 00007FF630891620: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891781

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630891062
lstrlenW.KERNEL32 ref: 00007FF630891085
Sleep.KERNEL32 ref: 00007FF6308910E5
OpenClipboard.USER32 ref: 00007FF6308910FB
GetClipboardData.USER32 ref: 00007FF63089110A
GlobalLock.KERNEL32 ref: 00007FF63089111B
GlobalUnlock.KERNEL32 ref: 00007FF630891136
CloseClipboard.USER32 ref: 00007FF63089113C
CloseClipboard.USER32 ref: 00007FF630891158
OpenClipboard.USER32 ref: 00007FF630891180
EmptyClipboard.USER32 ref: 00007FF63089118A
GlobalAlloc.KERNEL32 ref: 00007FF6308911A2
GlobalLock.KERNEL32 ref: 00007FF6308911B3
GlobalUnlock.KERNEL32 ref: 00007FF6308911DD
SetClipboardData.USER32 ref: 00007FF6308911EB
CloseClipboard.USER32 ref: 00007FF6308911F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63089127E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630891284

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Lockitstd::_$Clipboard$GlobalLockit::_$Lockit::~_$Close_invalid_parameter_noinfo_noreturn$DataLockOpenUnlock$AllocEmptySetgloballocaleSleeplstrlenstd::locale::_
String ID:
API String ID: 1851032462-0
Opcode ID: 57475f5eeade9a15ba90b0c6b2e4b195fe2ff05ea7ed50c1724f462bec61f548
Instruction ID: b06e8cc0f9578ad0953b5ad01adda14411276d20a56b87d135e5d39eb85b16cb
Opcode Fuzzy Hash: 57475f5eeade9a15ba90b0c6b2e4b195fe2ff05ea7ed50c1724f462bec61f548
Instruction Fuzzy Hash: AFD1B462B09B82A6EF10AF69E4442BD6361FF84B98F144135EA5D87BD9DF3CE448D700

Function 00007FF63088CD40 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 406threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF63088CF12
CreateProcessA.KERNEL32 ref: 00007FF63088CF6E
VirtualAllocEx.KERNEL32 ref: 00007FF63088CF97
WriteProcessMemory.KERNEL32 ref: 00007FF63088CFBC
GetThreadContext.KERNEL32 ref: 00007FF63088CFE0
SetThreadContext.KERNEL32 ref: 00007FF63088D001
ResumeThread.KERNEL32 ref: 00007FF63088D014

Strings

h, xrefs: 00007FF63088CEE6
7e604a66-3b67-4656-8552-1184595e4a9f, xrefs: 00007FF63088D262
%s %s, xrefs: 00007FF63088D05B, 00007FF63088D1EF, 00007FF63088D2D3, 00007FF63088D369
%s%s, xrefs: 00007FF63088CF27
plugmark, xrefs: 00007FF63088CE43
@, xrefs: 00007FF63088CF8A
nlyloadinmyself, xrefs: 00007FF63088CD94
Windows\System32\svchost.exe, xrefs: 00007FF63088CF18

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s %s$%s%s$7e604a66-3b67-4656-8552-1184595e4a9f$@$Windows\System32\svchost.exe$h$nlyloadinmyself$plugmark
API String ID: 4033188109-2199735986
Opcode ID: 046c22b18b6f5ac0ccc3cac11c7471c69f57d2820ce8935287c8eeb1aafb36af
Instruction ID: 1c4d44e9fe071c6d36bc04233baf66d64cfd53a6600843cb0e51ebe31774ebf4
Opcode Fuzzy Hash: 046c22b18b6f5ac0ccc3cac11c7471c69f57d2820ce8935287c8eeb1aafb36af
Instruction Fuzzy Hash: EF129362B18B82A2EB20CF25D4442BD77A1FB95B48F448136DB4D87B96DF3CE589D700

Function 00007FF63088E3E9 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF63088E3E9
OpenProcessToken.ADVAPI32 ref: 00007FF63088E3FE
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63088E426
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63088E44A
GetLastError.KERNEL32 ref: 00007FF63088E450
CloseHandle.KERNEL32 ref: 00007FF63088E45D
ExitWindowsEx.USER32 ref: 00007FF63088E56F
GetCurrentProcess.KERNEL32 ref: 00007FF63088E575
OpenProcessToken.ADVAPI32 ref: 00007FF63088E58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63088E5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63088E5D6
GetLastError.KERNEL32 ref: 00007FF63088E5DC
CloseHandle.KERNEL32 ref: 00007FF63088E5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF63088E415, 00007FF63088E5A5

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: 207f020c3be7a49f4dae7fd528dd377aaad196edefdcd6a65a6542525f0315a2
Instruction ID: 6abb6223bbaf2ba200e3caa0cbf16b0564778ca23fbe37439f61f6638762189b
Opcode Fuzzy Hash: 207f020c3be7a49f4dae7fd528dd377aaad196edefdcd6a65a6542525f0315a2
Instruction Fuzzy Hash: 45311C35A08E82A5EB209F65E8143AA6370FF84B5AF004035DA4E92B65CF3DD58EE700

Function 00007FF63089A5A0 Relevance: 25.8, APIs: 17, Instructions: 347memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A5E5
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A66A
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A6BF
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A6DE
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A741
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A762
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A776
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A793
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A7AF
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A7CC
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089AAB2

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$Alloc$ErrorLast$FreeHeap$InfoNativeProcessSystem
String ID:
API String ID: 1282860858-0
Opcode ID: 88d7adfe9b312bdb6fdf674f549a5cc549a824bf45d913ac83d4f697423f226a
Instruction ID: 26e40e6f67f14a4688a5f5f0ac909bab97ac81884b25ab15ae78e5b5d44294b3
Opcode Fuzzy Hash: 88d7adfe9b312bdb6fdf674f549a5cc549a824bf45d913ac83d4f697423f226a
Instruction Fuzzy Hash: AFD19232B19652A6EF60AF56E4507B977A4FF48B88F054035CA4E87B80EE3CE449E340

Function 00007FF63088E46D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 62shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF63088E46D
OpenProcessToken.ADVAPI32 ref: 00007FF63088E482
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63088E4AA
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63088E4CE
GetLastError.KERNEL32 ref: 00007FF63088E4D4
CloseHandle.KERNEL32 ref: 00007FF63088E4E1
ExitWindowsEx.USER32 ref: 00007FF63088E56F
GetCurrentProcess.KERNEL32 ref: 00007FF63088E575
OpenProcessToken.ADVAPI32 ref: 00007FF63088E58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63088E5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63088E5D6
GetLastError.KERNEL32 ref: 00007FF63088E5DC
CloseHandle.KERNEL32 ref: 00007FF63088E5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF63088E499, 00007FF63088E5A5

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: eb7aa2d56a82b613c27039d286a92213749df77ba304c44aa2638bc2cb38e150
Instruction ID: 8ce838e329512b71ff1e4cd238a4566fe206f8b117620dde0e890b1291916ff5
Opcode Fuzzy Hash: eb7aa2d56a82b613c27039d286a92213749df77ba304c44aa2638bc2cb38e150
Instruction Fuzzy Hash: CC310C35A08E8295EB209F69EC143AA6371FF84B5AF504035DA4D93B69DF3DD18EDB00

Function 00007FF63088E4EE Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 61shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF63088E4EE
OpenProcessToken.ADVAPI32 ref: 00007FF63088E503
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63088E52B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63088E54F
GetLastError.KERNEL32 ref: 00007FF63088E555
CloseHandle.KERNEL32 ref: 00007FF63088E562
ExitWindowsEx.USER32 ref: 00007FF63088E56F
GetCurrentProcess.KERNEL32 ref: 00007FF63088E575
OpenProcessToken.ADVAPI32 ref: 00007FF63088E58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF63088E5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63088E5D6
GetLastError.KERNEL32 ref: 00007FF63088E5DC
CloseHandle.KERNEL32 ref: 00007FF63088E5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF63088E51A, 00007FF63088E5A5

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: 2905a319caa5e6a93b8be62912fe952188e187deaf7a97c308075b004fe8cd81
Instruction ID: 8bf231630bcc2e64b21cc7c831539b059b624aa1f0ad0fc902ee296126c74af6
Opcode Fuzzy Hash: 2905a319caa5e6a93b8be62912fe952188e187deaf7a97c308075b004fe8cd81
Instruction Fuzzy Hash: 5D310C35A08E8295EB209F69EC143AA6370FF84B5AF004035DA4D93B65DF3DD18EDB00

Function 00007FF6308B8584 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6308B85D2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B8C3E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B8DB4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B9072
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B9292
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B94CF
memcpy_s.LIBCPMT ref: 00007FF6308B95AA
memcpy_s.LIBCPMT ref: 00007FF6308B9655
memcpy_s.LIBCPMT ref: 00007FF6308B9724

Strings

1#QNAN, xrefs: 00007FF6308B86EB
1#IND, xrefs: 00007FF6308B86BF
1#SNAN, xrefs: 00007FF6308B86E2
1#INF, xrefs: 00007FF6308B86FB

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 622423286a591ad007cfa081ef015de5a4a39bf13039204cb660433145fa8b31
Instruction ID: 4c3ec364a9188457ec36eab0ace4959c5c29410b12d3873c5c05b912bffec750
Opcode Fuzzy Hash: 622423286a591ad007cfa081ef015de5a4a39bf13039204cb660433145fa8b31
Instruction Fuzzy Hash: C1B2DE72E182929BEB648E68D4407FD37A1FB5438CF505535DA0E97B88DF38EA09DB40

Function 00007FF63088B410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232memorytimeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF63088B444

Part of subcall function 00007FF630881200: GetProcessHeap.KERNEL32 ref: 00007FF630881236

HeapCreate.KERNEL32 ref: 00007FF63088B50F
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF63088B56F
CreateEventW.KERNEL32 ref: 00007FF63088B5A2
CreateEventW.KERNEL32 ref: 00007FF63088B5C2
CreateEventW.KERNEL32 ref: 00007FF63088B5E2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF63088B6B3
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF63088B6C7
timeGetTime.WINMM ref: 00007FF63088B739
CreateEventW.KERNEL32 ref: 00007FF63088B74F
CreateEventW.KERNEL32 ref: 00007FF63088B763

Strings

<, xrefs: 00007FF63088B47D
<, xrefs: 00007FF63088B484

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Create$Event$CountCriticalInitializeSectionSpin$Heap$ProcessTimetime
String ID: <$<
API String ID: 2446585644-213342407
Opcode ID: b1ad8ba58de1e0846612e2a068909c756507ce6fc06109a86d1a20cc9e8294d7
Instruction ID: ff8ae65c57040db5d22b649a6fd9e3a6063831b334fd6b7c64da6e3c735fa403
Opcode Fuzzy Hash: b1ad8ba58de1e0846612e2a068909c756507ce6fc06109a86d1a20cc9e8294d7
Instruction Fuzzy Hash: 62B15B72605B819AEB44DF79E8843A933A9FB44B0CF58413CCB5C4B799DF38A068D718

Function 00007FF630890900 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF630890970
RegQueryValueExW.ADVAPI32 ref: 00007FF6308909EF
lstrcpyW.KERNEL32 ref: 00007FF630890B72
RegCloseKey.ADVAPI32 ref: 00007FF630890B84
RegCloseKey.ADVAPI32 ref: 00007FF630890B92

Strings

%08X, xrefs: 00007FF630890B0D

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: 5daa38b5fec1510e7cc40f4dc4df9c16a8fb62c5527b438061e7080e78411b39
Instruction ID: 7940b6f3d278f238920e748dbca71f1d94cfdd4305118306d6903157f0e041ca
Opcode Fuzzy Hash: 5daa38b5fec1510e7cc40f4dc4df9c16a8fb62c5527b438061e7080e78411b39
Instruction Fuzzy Hash: 3E515E6260CA81A5EB70DB25E8443ABB3A0FB85758F904135D78DC3BA9DF3CD549DB04

Function 00007FF6308B76DC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6308AEA70: GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
Part of subcall function 00007FF6308AEA70: FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
Part of subcall function 00007FF6308AEA70: SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

TranslateName.LIBCMT ref: 00007FF6308B7746
TranslateName.LIBCMT ref: 00007FF6308B7781
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6308AD4D8), ref: 00007FF6308B77C8
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6308AD4D8), ref: 00007FF6308B7800
GetLocaleInfoW.KERNEL32 ref: 00007FF6308B79BD

Strings

utf8, xrefs: 00007FF6308B78E4

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 8c099eda83a5c1324d953c8da46f7dcfc7382bd5fb40a4303c146f7c8692acb4
Instruction ID: acb99498da6fb3ba8c4ddf7ab1fc83aae817955eb7471faacad16e72d406c6cb
Opcode Fuzzy Hash: 8c099eda83a5c1324d953c8da46f7dcfc7382bd5fb40a4303c146f7c8692acb4
Instruction Fuzzy Hash: 6691BE32A08742A1EF24AF21D4416BA27A4FF44B88F444531DA5DD7BD6DF3CEA59E340

Function 00007FF6308B8124 Relevance: 10.7, APIs: 7, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6308AEA70: GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
Part of subcall function 00007FF6308AEA70: FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
Part of subcall function 00007FF6308AEA70: SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

Part of subcall function 00007FF6308AEA70: FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAB5

GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF6308B8294

Part of subcall function 00007FF6308AEA70: FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAE2
Part of subcall function 00007FF6308AEA70: FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAF3
Part of subcall function 00007FF6308AEA70: FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB04

EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF6308AD4D1), ref: 00007FF6308B827B
ProcessCodePage.LIBCMT ref: 00007FF6308B82BE
IsValidCodePage.KERNEL32 ref: 00007FF6308B82D0
IsValidLocale.KERNEL32 ref: 00007FF6308B82E6
GetLocaleInfoW.KERNEL32 ref: 00007FF6308B8342
GetLocaleInfoW.KERNEL32 ref: 00007FF6308B835E

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: f1a69095846091a71a20ee3ef6c788d879191f60c9ca7d1b933c088628ba7f76
Instruction ID: 7751e56d529aef43da5d53fd1db0c442b4c512e639a7f90ab9a8afbb5c85bf32
Opcode Fuzzy Hash: f1a69095846091a71a20ee3ef6c788d879191f60c9ca7d1b933c088628ba7f76
Instruction Fuzzy Hash: 64714832B19A12AAFF519B64D8506BD33A0FF48B48F484935CA1D93795EF3CE449E350

Function 00007FF63089E54C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF63089E568
RtlCaptureContext.KERNEL32 ref: 00007FF63089E595
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF63089E5AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF63089E5F0
IsDebuggerPresent.KERNEL32 ref: 00007FF63089E644
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63089E661
UnhandledExceptionFilter.KERNEL32 ref: 00007FF63089E66C

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 18c7dfee12948f11b2b1ef149d65aa3e1b9c7e2d1ea7ed06afb51cbb3a88d299
Instruction ID: 4b615b8de047511eb48da11f66674ca7ac3fc19d4c4df39b6e2ae84b55226fce
Opcode Fuzzy Hash: 18c7dfee12948f11b2b1ef149d65aa3e1b9c7e2d1ea7ed06afb51cbb3a88d299
Instruction Fuzzy Hash: 84313E72609B819AEB609FA0E8907ED7364FB84748F44403ADB4E87B95EF38D54CC714

Function 00007FF63088E36A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 00007FF63088E397
ClearEventLogW.ADVAPI32 ref: 00007FF63088E3AA
CloseEventLog.ADVAPI32 ref: 00007FF63088E3B3

Strings

Application, xrefs: 00007FF63088E36A
System, xrefs: 00007FF63088E382
Security, xrefs: 00007FF63088E376

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 2cf3709b3cb76df16a2a92579992847c2f846cbe0948eda6c13293e34c808135
Instruction ID: 8ef0e5c01c98212ea4dbc9edc5f39e0e3d14d64b79f1926b51bd8a15614b7937
Opcode Fuzzy Hash: 2cf3709b3cb76df16a2a92579992847c2f846cbe0948eda6c13293e34c808135
Instruction Fuzzy Hash: 2DF0FF36E4DF4291EE15DB19F84026AA3A4FF897A9F040136C94E83765EE3CD49AA700

Function 00007FF6308A3A6C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6308A3AE5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6308A3AFD
RtlVirtualUnwind.KERNEL32 ref: 00007FF6308A3B38
IsDebuggerPresent.KERNEL32 ref: 00007FF6308A3B71
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6308A3B7B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6308A3B86

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: e6fb25ffa18b66ffda036dc74a26e2becfae59b68bb230e1827b5a608bc93c87
Instruction ID: bebb7fa6f8b9da13d49bbb6f1269a224941c01abad2e6a04c32d053194b3f5e6
Opcode Fuzzy Hash: e6fb25ffa18b66ffda036dc74a26e2becfae59b68bb230e1827b5a608bc93c87
Instruction Fuzzy Hash: 50315032618F81A6DB60CF65E8503AE73A4FB89758F540136EA9D83B95EF3CD549CB00

Function 00007FF6308B3EF0 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B3F3C
FindFirstFileExW.KERNEL32 ref: 00007FF6308B4046

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 116a84698524b3bcd43aaaa4f2cca2c7c536e0f4c45a8280c933762a24cf8a5b
Instruction ID: 1c37c5fc460e03eb4d2bfa47cb6193138502e87eb0eabbe57d8be4242e87f869
Opcode Fuzzy Hash: 116a84698524b3bcd43aaaa4f2cca2c7c536e0f4c45a8280c933762a24cf8a5b
Instruction Fuzzy Hash: CCB1E622F1869261EE609B65E8012B973A0EF54BE8F546131EE5D87FC5DF7CE449E300

Function 00007FF63089C70C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63089C76D
IsDebuggerPresent.KERNEL32 ref: 00007FF63089C785
OutputDebugStringW.KERNEL32 ref: 00007FF63089C796

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF63089C78F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: efbf15865cd5c1087f73e292c5c5f3e8b2dd5a504a7ddbe30f15df4fd023cf7f
Instruction ID: 741ae5996d1a9346f62314b44b7aac59d1e022cea61f24226a5a69c6016cc820
Opcode Fuzzy Hash: efbf15865cd5c1087f73e292c5c5f3e8b2dd5a504a7ddbe30f15df4fd023cf7f
Instruction Fuzzy Hash: 49113A32A14B42B7EB449B66E6543B933A4FF48749F404135CA4D82B51EF7DE0689710

Function 00007FF6308AB350 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6308AB3B6
memcpy_s.LIBCPMT ref: 00007FF6308AB3E1

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction ID: 9053f5398606b4c966a74e7a19961b28a0c268d92fca12426b1b133044a152e9
Opcode Fuzzy Hash: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction Fuzzy Hash: 41C11872B296C597EB24CF19A04467AB791FB98B88F548134DB4E83B85DF3DE805DB00

Function 00007FF6308B7BA0 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6308AEA70: GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
Part of subcall function 00007FF6308AEA70: FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
Part of subcall function 00007FF6308AEA70: SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

Part of subcall function 00007FF6308AEA70: FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAB5

GetLocaleInfoW.KERNEL32 ref: 00007FF6308B7C0C

Part of subcall function 00007FF6308B3D2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B3D49

GetLocaleInfoW.KERNEL32 ref: 00007FF6308B7C55

Part of subcall function 00007FF6308B3D2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B3DA2

GetLocaleInfoW.KERNEL32 ref: 00007FF6308B7D1D

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 605c002cd1232363f8b97f7bb09a672fc6956a026fdc72186da3fd3d1de90a13
Instruction ID: 659694e2180394933971903c3d79464ecff77d9d8eb2528c6c01fa17a74cccac
Opcode Fuzzy Hash: 605c002cd1232363f8b97f7bb09a672fc6956a026fdc72186da3fd3d1de90a13
Instruction Fuzzy Hash: 22618F32A08642AAEF748F21D4902BA77A1FB84788F448139CB9ED7795DE3CE559D700

Function 00007FF6308B0D10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF6308AD6AA), ref: 00007FF6308B0D84

Strings

GetLocaleInfoEx, xrefs: 00007FF6308B0D2C, 00007FF6308B0D3D

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 053289818baea42516c59c341b95a57cf593464f2c81e046735848086310e6c4
Instruction ID: dc12a710892ec8e04ab7c0a7cf2f953df3b6b54e7cf069ce133678b8e4ffe6d7
Opcode Fuzzy Hash: 053289818baea42516c59c341b95a57cf593464f2c81e046735848086310e6c4
Instruction Fuzzy Hash: 4801A720B08B41A6FF049B56B4401A6A760EF84BD4F584135DE4E87BA6CE3CD5499740

Function 00007FF6308B3760 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6308B39AF
RaiseException.KERNEL32 ref: 00007FF6308B39C0

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: d1d57c0b9bdf7be1867346d5e9c7cf9c26021b93baf768b42c1e913034eff148
Instruction ID: afa259f6d433f409528e3c2778d30e147d26b0f5d8a30eb8cc912f23ea866070
Opcode Fuzzy Hash: d1d57c0b9bdf7be1867346d5e9c7cf9c26021b93baf768b42c1e913034eff148
Instruction Fuzzy Hash: D9B16A73A04B898BEB15CF29C8463687BA0F784B4CF188922DBAD837A4CF79D455C704

Function 00007FF6308A7340 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6308A74AE
, xrefs: 00007FF6308A76F0

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: f4d1caadcdf6a988165dfb6027386ea397a00727bebf28c93510380ffb834353
Instruction ID: 9234acbe72efe80a018afb9eabe38dd922140ff06b60be628927c6a927a0c6ac
Opcode Fuzzy Hash: f4d1caadcdf6a988165dfb6027386ea397a00727bebf28c93510380ffb834353
Instruction Fuzzy Hash: EEE18332A0964696EF688E29885013E37A0FF49B4CF345135DA4E87BD4DF39E859F740

Function 00007FF6308AF6B0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF6308AF7BD
gfff, xrefs: 00007FF6308AF83A

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 7a480f9cb63785b231e93cdb4053ba6ead140b4a31814c2e6dd1f53a1ff5a9d1
Instruction ID: 54180a075c59e2852c2103811227ad48b75d8c1c5ce1980a43768424447ea123
Opcode Fuzzy Hash: 7a480f9cb63785b231e93cdb4053ba6ead140b4a31814c2e6dd1f53a1ff5a9d1
Instruction Fuzzy Hash: ED518A22F182C596EB208E759801769BB91EB44B98F58D231CBAC87FC6CF3DD049D700

Function 00007FF6308AA4F8 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6308AA640

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 7f0259b4a75c2d79dd05197e9e3c50a83c61ba8df8d38db5a1941d1f165b01d3
Instruction ID: 6c661084a329f822ac4000826275472af6fce2647be765a7f7c2cb217d64e440
Opcode Fuzzy Hash: 7f0259b4a75c2d79dd05197e9e3c50a83c61ba8df8d38db5a1941d1f165b01d3
Instruction Fuzzy Hash: C4128122A08BD196EB51CF2895443FD73A4FB68748F159235EB9C82B92DF39E189D700

Function 00007FF6308B5D34 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a91221a961958e25f62bfb1168308d288fd5f56a1465658bce0cb830e97a7a
Instruction ID: f62d0dc926d27262c5c694d5fd1769d95e2eae257fff50ddf71c5b4cb9723b13
Opcode Fuzzy Hash: a2a91221a961958e25f62bfb1168308d288fd5f56a1465658bce0cb830e97a7a
Instruction Fuzzy Hash: 67E17132A08B8196EB20DB61E4502EE77A4FB54788F404635DF9D93B96EF3CE249D344

Function 00007FF630882E50 Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 00007FF630883450, 00007FF6308835BB

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 2a2e8e66bac2129e6156a5cab3092c46a0c869edfc0550a0c0319ad8eb13d815
Instruction ID: afccbfe8a67da4a692f168b9ee1de162efe5fb294069e0ea6b504fc4c2cba5ec
Opcode Fuzzy Hash: 2a2e8e66bac2129e6156a5cab3092c46a0c869edfc0550a0c0319ad8eb13d815
Instruction Fuzzy Hash: 9542BF336093C5DFC729CF28E44026E7BA0F765B48F448129DB8A87B46DB38E959CB51

Function 00007FF6308B7DE8 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6308AEA70: GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
Part of subcall function 00007FF6308AEA70: FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
Part of subcall function 00007FF6308AEA70: SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

Part of subcall function 00007FF6308AEA70: FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAB5

GetLocaleInfoW.KERNEL32 ref: 00007FF6308B7E50

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: b88317f099404d3c0d10a5a24cf9ae58312b9b643a33a099b411d16474a7bbc4
Instruction ID: ad222d38061df67771c56a2dbb3a42676028755565eaecba72474cb1bae4b44f
Opcode Fuzzy Hash: b88317f099404d3c0d10a5a24cf9ae58312b9b643a33a099b411d16474a7bbc4
Instruction Fuzzy Hash: 01318E32A0878296EF648B25E4413AA73A1FF48B88F448535EA4DC7796DF3CE8499700

Function 00007FF6308B7A38 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6308AEA70: GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
Part of subcall function 00007FF6308AEA70: FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
Part of subcall function 00007FF6308AEA70: SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6308B8227,00000000,00000092,?,?,00000000,?,?,00007FF6308AD4D1), ref: 00007FF6308B7AD6

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: ddf0bcd54fee30cee3c2fa2f3cf32a3156214357c3b61558b17e74e9ba4e1d34
Instruction ID: c62d519b90819df5fc00b1960611a20b23d5017d43ac61d2a49050ef960bd662
Opcode Fuzzy Hash: ddf0bcd54fee30cee3c2fa2f3cf32a3156214357c3b61558b17e74e9ba4e1d34
Instruction Fuzzy Hash: 5B11E167E087459AEF548F25D0806AD7BA1FB90FE8F549135C62A833C0DE38E6D9D740

Function 00007FF6308B7FF0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6308AEA70: GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
Part of subcall function 00007FF6308AEA70: FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
Part of subcall function 00007FF6308AEA70: SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6308B7D9A), ref: 00007FF6308B8027

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 4756a55a6f6df2e1738916ac1a71c6225747ce609875c26223506d2cfc4742c0
Instruction ID: 104aba5ea4aace31bc385e71a560965f49170c5769f4a7af9f57ce4d6672193e
Opcode Fuzzy Hash: 4756a55a6f6df2e1738916ac1a71c6225747ce609875c26223506d2cfc4742c0
Instruction Fuzzy Hash: 22112732F18952D3EB64A625A04067A62A1EB507E8F144A31D66E837C5DE3AD88EE700

Function 00007FF6308B7B08 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6308AEA70: GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
Part of subcall function 00007FF6308AEA70: FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
Part of subcall function 00007FF6308AEA70: SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6308B81E3,00000000,00000092,?,?,00000000,?,?,00007FF6308AD4D1), ref: 00007FF6308B7B86

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: bc703af400f14b42b20c9fcb5047461b7f50c903457c8d4997ca4285d83e45ea
Instruction ID: 04794323d95053258593ac23d5ef4a31ab8797f502749bb1450adee2e8ebcf6d
Opcode Fuzzy Hash: bc703af400f14b42b20c9fcb5047461b7f50c903457c8d4997ca4285d83e45ea
Instruction Fuzzy Hash: D601B572F0C38556EF104F15E4407BA76A2EF50BB8F559231D629873C4DF789489AB00

Function 00007FF6308B0838 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6308B0CDF,?,?,?,?,?,?,?,?,00000000,00007FF6308B7088), ref: 00007FF6308B0887

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0da49028f00012ccddbac4aa6a8129618cfbebd136c027dc8325545b3ece71c8
Instruction ID: b4303b003cf92a966e9efda9b0cdfbf879eed8ca8ce68d36b12ddf0c155cc73d
Opcode Fuzzy Hash: 0da49028f00012ccddbac4aa6a8129618cfbebd136c027dc8325545b3ece71c8
Instruction Fuzzy Hash: 17F08C72B08B4193EB00DB59E8902A93362EF88B84F548136DA4DC37A5CF3CD899D740

Function 00007FF6308AF21C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6308AF55E

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 172941b2f1d4039ba21c6dc8853c143536a16ca8654b5df5f12dde2487208479
Instruction ID: 95fe053da8953418978a2959e6f815cb4a0fe8691092e5d7091bd2152b859842
Opcode Fuzzy Hash: 172941b2f1d4039ba21c6dc8853c143536a16ca8654b5df5f12dde2487208479
Instruction Fuzzy Hash: F0A14662B0978696EF21CF6AA0407AE7791AF54B88F248131DE8D87BC2DE3DD509D701

Function 00007FF6308A65AC Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6308A678E

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6871d27396c91e0bed272bc22aae0ea20e11987830d478801ef476eeb5b70fb8
Instruction ID: ab7292ee1c23840c9fdeb2d09410166c1c248b5c42f3006608c023b9b0be79ef
Opcode Fuzzy Hash: 6871d27396c91e0bed272bc22aae0ea20e11987830d478801ef476eeb5b70fb8
Instruction Fuzzy Hash: 0FB18C72A0869596EF648F39C05423C3BA4EB49B4CF384235CA4E87BD9CF39D469E744

Function 00007FF6308B2744 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6308B27E9

Part of subcall function 00007FF6308B0788: HeapAlloc.KERNEL32(?,?,00000000,00007FF6308AEC4A,?,?,0000114ED97129F6,00007FF6308A8B05,?,?,?,?,00007FF6308B2546,?,?,00000000), ref: 00007FF6308B07DD

Part of subcall function 00007FF6308AE6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6D2
Part of subcall function 00007FF6308AE6BC: GetLastError.KERNEL32(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6DC

Part of subcall function 00007FF6308B9FAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308B9FDF

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: c069c10827176b9df77e9eacd146a24f3ebe0e1c557e8cf5116eb7accc2f9201
Instruction ID: 54a64324fd153329d456fa458f7ee1177175fbdfdeb14aba40ad9177defcc609
Opcode Fuzzy Hash: c069c10827176b9df77e9eacd146a24f3ebe0e1c557e8cf5116eb7accc2f9201
Instruction Fuzzy Hash: D641F321F0D24361FE705A2668117BAA680FF957C8F544539EE8DCBBC6EE3CE409A740

Function 00007FF630899250 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction ID: 6eaab0d200a2720ef0257cfc42710b5469d2d695536d98b8edda293361fb8c78
Opcode Fuzzy Hash: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction Fuzzy Hash: BC22CEB7B3805047D36DCB1DEC52FA97692B7A5308748A02CFA07C3F45EA3DEA458A44

Function 00007FF6308978F0 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction ID: c6cf87e3b90bd6b20f70d09ddc9ee3f709aa0aa7b75c9d9fe3e6122b2ad5b026
Opcode Fuzzy Hash: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction Fuzzy Hash: 5CC11373B0869197EB49CF26D95057AB792FBC4BE8B55C134DA4A47B88DE3CD805CB00

Function 00007FF6308A6F3C Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8ec01f60584a1ee149ae2a08fff37cdae008ac808ef4f9df4273de0df04db
Instruction ID: dff3723d2c9c53bb029c998ed91dd1c34883df0a161dfda69d8a97ce16c09bed
Opcode Fuzzy Hash: 4fe8ec01f60584a1ee149ae2a08fff37cdae008ac808ef4f9df4273de0df04db
Instruction Fuzzy Hash: 2ED1B322A08A42A5EF688E25985027F37A0EB45B4CF344235DE4D87FD5DF39E859F740

Function 00007FF6308AD320 Relevance: .3, Instructions: 310COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 8a64524f1fb9e6959651956f91e34aa30073aa11383fd560e196b95c26644943
Instruction ID: bc3d4ab0df8c799ce5602ad943280bffd6e99bd63c862b59b496f6c7ee60cf2c
Opcode Fuzzy Hash: 8a64524f1fb9e6959651956f91e34aa30073aa11383fd560e196b95c26644943
Instruction Fuzzy Hash: 65C1C266A08782A5EF649B6198103BA37A0FB9478CF604035DE9EC7BD5EF3CE549D700

Function 00007FF6308B714C Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 40463cb8fd89e5f38144c8e404f20e2a32259e43623898d7ad92a87b920fc9c4
Instruction ID: 749024beedff7869680452ec516f37c0568ed7779f451ca50e9180b85938dd22
Opcode Fuzzy Hash: 40463cb8fd89e5f38144c8e404f20e2a32259e43623898d7ad92a87b920fc9c4
Instruction Fuzzy Hash: 1CB1FF22A08746A2EF649F21D4116BB33A0EB84B8CF544231EE5AC37C9DF7CE549A740

Function 00007FF6308A6228 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe3a20954eaf19cca18b720aca6cea66dcaf64d55a17c7986fbc43ae61592d0
Instruction ID: 715c47326f3b486d080901dfef2a120cced249a9e9c1ad35593b17339f2546f9
Opcode Fuzzy Hash: 4fe3a20954eaf19cca18b720aca6cea66dcaf64d55a17c7986fbc43ae61592d0
Instruction Fuzzy Hash: 9AB16A72909A8596EF648F29C05027C3BA0EB49F4CF385139CA4E87BD9CF39D469E744

Function 00007FF6308AAC80 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7c967eb539ab6c81368948c69a9b6320c10fa2f7b73efbe3c4b6df7895ae468e
Instruction ID: fe6914360543cf15c9c33134cf1469338f59bf548009860e752b7d3ce301ce58
Opcode Fuzzy Hash: 7c967eb539ab6c81368948c69a9b6320c10fa2f7b73efbe3c4b6df7895ae468e
Instruction Fuzzy Hash: 19818C72A04A51A6EF648E29D4813B92360FB84B9CF244A36EE5ED7FC5DF3CD4599300

Function 00007FF6308AFD30 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2f4ae56baf169408e60df2444458542a3c73068db43e6345bf2ec4a63d4b14
Instruction ID: 7de33f9327c5bb1975cef6086251f5966c5089f32ef14f26c0ac6cc70f5fdcf8
Opcode Fuzzy Hash: aa2f4ae56baf169408e60df2444458542a3c73068db43e6345bf2ec4a63d4b14
Instruction Fuzzy Hash: D881D272A087815AEB74CF59944036A7A91FF86798F244235EA8D87FDADF3CD4089B00

Function 00007FF630892EC0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction ID: 8e6e0fb072db24d4a128f1a6e46b10bea0efbec1640e7d4cc35918420ebcf76a
Opcode Fuzzy Hash: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction Fuzzy Hash: E6610662B18B8992DF209F19E4412B9A370FB99784F549231EF9C97B94EF3DE184C340

Function 00007FF6308A536C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: bbd1b7e74ca56173cef511c273a0e9a269394e82a0bd899bc7c376dc1a8a5eb8
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 2D517172A1AA5196EF248B29C05422833B1EB49B6CF345131DE4D97BD4DF3AE8C7D740

Function 00007FF6308A4F5C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: b06606ab5a3d8e579cb8c82dfd006f6a1648dd8506e437ba9c3863aeb9efd128
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 62518436A19A5196EF248B29C04023833B0EB85B5CF345131DA4D97FD4CF7AE897D780

Function 00007FF6308A577C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 589098adb778f59d7aa41d59498d83306ec48a7e93c598a293484eb9a8df76f6
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 38515F76A19A51D6EB248B29D05422937B0EB44B6CF388131CE4D97BD4CF3AE88BD740

Function 00007FF6308A5168 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction ID: cc34c6376fa511846bce752f905e27eba256465774938729da402c572ca4221b
Opcode Fuzzy Hash: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction Fuzzy Hash: 4E519032A1A65196EF248B29D04033837B0EB59B5CF745131CE4D97BD4DF3AE98AE780

Function 00007FF6308A4D58 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction ID: 3c7d7f9e8c6c07034bad70600709acf08cf6ef452f21d78477f509295e9a85b4
Opcode Fuzzy Hash: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction Fuzzy Hash: CA517F36A1865196EF248B29C04023837A0EB95F6CF346131CE4D97FD4DF7AE85AD780

Function 00007FF6308A5578 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction ID: a097721c2c27600ff3287c2ef541f43323d0ec14b8747ff08336d08927fc99ef
Opcode Fuzzy Hash: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction Fuzzy Hash: 9F51B136A1AA5196EB248B29C04023937B1EB54F5CF744131CE4D97BE5CF3AE88AD740

Function 00007FF6308AC51C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4d1d88932efd7b63ecfdde29945dfc17fd218d95b7e0763bafd054a92f058063
Instruction ID: c269363f6d6d23aa8ce68c14ca68443fcab0fc79ee59a6e5dd41526233acd9c5
Opcode Fuzzy Hash: 4d1d88932efd7b63ecfdde29945dfc17fd218d95b7e0763bafd054a92f058063
Instruction Fuzzy Hash: 2C41F172B14A5492EF04CF2AD9242A973A1BB48FD8B59A037EE0DD7B98DE3CD4459340

Function 00007FF6308BC8C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8325bb8896eb9c8ae2d46c5932a003c3c7f8bfc008283704c68a5069cd28ac66
Instruction ID: 769bcd93eab44ae713936e3ce8c70169194a45e83a4663b89c5bfdc87bb2d8bc
Opcode Fuzzy Hash: 8325bb8896eb9c8ae2d46c5932a003c3c7f8bfc008283704c68a5069cd28ac66
Instruction Fuzzy Hash: DFF068717182559ADF94AF28A442A2977D5FB08384F40853AE58DC3B04DF3C94659F04

Function 00007FF63089E6F4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174bfe62ffdb35f0a8b82215b8c446e4258c47945d5cfe3425f7157a53489505
Instruction ID: 67b4ca929ab9bf6f59e711d6bb9db30a6535b929c1541ed6218098df17d16ab4
Opcode Fuzzy Hash: 174bfe62ffdb35f0a8b82215b8c446e4258c47945d5cfe3425f7157a53489505
Instruction Fuzzy Hash: EDA0026190CC06F0EE049B84E9555307770FF54309F410031D11EC1361AF3CB508E302

Function 00007FF630884C50 Relevance: 33.2, APIs: 22, Instructions: 199windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF630884C65
SwitchToThread.KERNEL32 ref: 00007FF630884C9D
SetLastError.KERNEL32 ref: 00007FF630884CDC
SetEvent.KERNEL32 ref: 00007FF630884D17
MsgWaitForMultipleObjects.USER32 ref: 00007FF630884D4B
PeekMessageW.USER32 ref: 00007FF630884D66
TranslateMessage.USER32 ref: 00007FF630884D75
DispatchMessageW.USER32 ref: 00007FF630884D80
PeekMessageW.USER32 ref: 00007FF630884D97
CloseHandle.KERNEL32 ref: 00007FF630884DC4
send.WS2_32 ref: 00007FF630884E01
SetEvent.KERNEL32 ref: 00007FF630884E18
WSACloseEvent.WS2_32 ref: 00007FF630884E2D
shutdown.WS2_32 ref: 00007FF630884E49
closesocket.WS2_32 ref: 00007FF630884E53
EnterCriticalSection.KERNEL32 ref: 00007FF630884E70
ResetEvent.KERNEL32 ref: 00007FF630884E7D
ResetEvent.KERNEL32 ref: 00007FF630884E8A
ResetEvent.KERNEL32 ref: 00007FF630884E97
SetEvent.KERNEL32 ref: 00007FF630884F2C
LeaveCriticalSection.KERNEL32 ref: 00007FF630884F39
SetLastError.KERNEL32 ref: 00007FF630884F79

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Event$Message$Reset$CloseCriticalErrorLastPeekSectionThread$CurrentDispatchEnterHandleLeaveMultipleObjectsSwitchTranslateWaitclosesocketsendshutdown
String ID:
API String ID: 4058177064-0
Opcode ID: 1d5cc57fb7fbf7527f04433d1c2939eb4b1b6e6938b0e21f75a258dbfa576023
Instruction ID: 958f78fff81257451a2f19864cc3081adca657945ada2c332cc046ec19ea7421
Opcode Fuzzy Hash: 1d5cc57fb7fbf7527f04433d1c2939eb4b1b6e6938b0e21f75a258dbfa576023
Instruction Fuzzy Hash: 6F917D73B08A82A7EB689F25D9446A973A5FB44758F005535CB6DC3B91CF3CE4A8E700

Function 00007FF6308906A0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF630890718
lstrlenW.KERNEL32 ref: 00007FF63089073A
wsprintfW.USER32 ref: 00007FF6308907A2
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF630890806
lstrcatW.KERNEL32 ref: 00007FF630890841
lstrcatW.KERNEL32 ref: 00007FF63089084E
lstrcpyW.KERNEL32 ref: 00007FF63089085C
CreateProcessW.KERNEL32 ref: 00007FF6308908DB

Strings

"%1, xrefs: 00007FF63089080C
%s\shell\open\command, xrefs: 00007FF630890794
WinSta0\Default, xrefs: 00007FF630890893
h, xrefs: 00007FF630890865

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-551013563
Opcode ID: 2aa4d3ebf5c45bd74505c1267e1058c2c24ed9b570e41b1434e0a24903c1c98a
Instruction ID: 525060c9ca2fef2889906e0e76538aa42a5a5fb10dc6113e51b6b5eb3cfdd02d
Opcode Fuzzy Hash: 2aa4d3ebf5c45bd74505c1267e1058c2c24ed9b570e41b1434e0a24903c1c98a
Instruction Fuzzy Hash: A8615122E18B42A9FF20EB64D8502FD6361FB8974CF444135DA4D96B99EF3CD548DB40

Function 00007FF630884270 Relevance: 21.1, APIs: 14, Instructions: 119networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF63088429F
WSAIoctl.WS2_32 ref: 00007FF6308842F8
setsockopt.WS2_32 ref: 00007FF63088431D
setsockopt.WS2_32 ref: 00007FF630884342
WSACreateEvent.WS2_32 ref: 00007FF630884348
lstrlenW.KERNEL32 ref: 00007FF630884355
WideCharToMultiByte.KERNEL32 ref: 00007FF630884378
lstrlenW.KERNEL32 ref: 00007FF630884390
WideCharToMultiByte.KERNEL32 ref: 00007FF6308843B3
gethostbyname.WS2_32 ref: 00007FF6308843C0
htons.WS2_32 ref: 00007FF6308843ED
WSAEventSelect.WS2_32 ref: 00007FF630884413
connect.WS2_32 ref: 00007FF63088442D
WSAGetLastError.WS2_32 ref: 00007FF63088443C

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: 6f0a85a34c6bb75636ccf932ec56d1350418621ff62b1755ad958c4a4e8ec29f
Instruction ID: 6cfa6eb2bb3932efbacd58d0b6ffbe8bcad6d1ad5830e64f1ff6ee68cc7e3e4a
Opcode Fuzzy Hash: 6f0a85a34c6bb75636ccf932ec56d1350418621ff62b1755ad958c4a4e8ec29f
Instruction Fuzzy Hash: 45518432608B9196EB20DF65F84026A77A5FB84BA8F100235EE9D87F99CF3CD549D704

Function 00007FF630891620 Relevance: 18.2, APIs: 12, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF630891639
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63089165E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891688
std::_Facet_Register.LIBCPMT ref: 00007FF630891708
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891722
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF630891732
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF630891757
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891781
std::_Facet_Register.LIBCPMT ref: 00007FF6308917F7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891811
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63089182A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF630891830

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 86a4ff4925cbc545ad5961b211c5cb2ede80d6a6447645a52bcc9b3ede11fd42
Instruction ID: 987481f817598c8cfe3706ca044c2a0026f463cf6933540acab0ae3e217cbb5b
Opcode Fuzzy Hash: 86a4ff4925cbc545ad5961b211c5cb2ede80d6a6447645a52bcc9b3ede11fd42
Instruction Fuzzy Hash: A2518436A0CA42A5EE15EB19E44417973A1FF54B98F580232DA5E837A5DF3CE44AE700

Function 00007FF6308846A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171networktimeCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF6308846C7
WSAGetLastError.WS2_32 ref: 00007FF6308846D8
WSAResetEvent.WS2_32 ref: 00007FF630884717
WSAEventSelect.WS2_32 ref: 00007FF63088479C
WSAGetLastError.WS2_32 ref: 00007FF6308847A7
timeGetTime.WINMM ref: 00007FF6308847D2
timeGetTime.WINMM ref: 00007FF63088481D
send.WS2_32 ref: 00007FF630884852
WSAGetLastError.WS2_32 ref: 00007FF63088485D

Strings

, xrefs: 00007FF6308848F8

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$EventTimetime$EnumEventsNetworkResetSelectsend
String ID:
API String ID: 957247320-3916222277
Opcode ID: 70faab5df619376ecbd789658116d1a95d03484d4b81b7d6c2cb32eb3eab3399
Instruction ID: af942291e8e6e5e23817381e9505e30831133ee3139cc9cc789c856380f88a4d
Opcode Fuzzy Hash: 70faab5df619376ecbd789658116d1a95d03484d4b81b7d6c2cb32eb3eab3399
Instruction Fuzzy Hash: DB715B72A08682ABEB608F69D58436977E0FB44B4CF145035CB4DC3B95DF7DE849AB40

Function 00007FF630885A80 Relevance: 16.7, APIs: 11, Instructions: 154networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF630885AC4
WSASetLastError.WS2_32 ref: 00007FF630885C69
LeaveCriticalSection.KERNEL32 ref: 00007FF630885C73

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: ce0fa88aebe3efe6d4cfa5056a018ff2338e1d011f624170396f62e2d62db8ee
Instruction ID: f7a4d3c7cc8822be8ea4ff05e7eb8f64053a8860068fd25f4ce02691d64be6ee
Opcode Fuzzy Hash: ce0fa88aebe3efe6d4cfa5056a018ff2338e1d011f624170396f62e2d62db8ee
Instruction Fuzzy Hash: AE619F32B09A42A2EF689B25D55467E73A6FB84B88F804035CA1EC7791DF3CE559E700

Function 00007FF630885090 Relevance: 16.6, APIs: 11, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6308850F5
LeaveCriticalSection.KERNEL32 ref: 00007FF630885107
SetLastError.KERNEL32 ref: 00007FF6308851DB

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: b12bcef403b9db2977f705d0ecef41abbd2038a6eeb512479f31e0cb207d576e
Instruction ID: 72da00aa1c931fa89d694e431d784a528d4271140d2669bc1d262ca646eb6411
Opcode Fuzzy Hash: b12bcef403b9db2977f705d0ecef41abbd2038a6eeb512479f31e0cb207d576e
Instruction Fuzzy Hash: 36315F25B0DA42A2EF989B59998C27A7365FF44B89F140034DA5EC6792CF3CE84DE704

Function 00007FF630890BC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF630890C11
RegDeleteValueW.ADVAPI32 ref: 00007FF630890C1F
RegCloseKey.ADVAPI32 ref: 00007FF630890C2A
RegCreateKeyW.ADVAPI32 ref: 00007FF630890C4A
lstrlenW.KERNEL32 ref: 00007FF630890C57
RegSetValueExW.ADVAPI32 ref: 00007FF630890C79
RegCloseKey.ADVAPI32 ref: 00007FF630890C84

Strings

VenNetwork, xrefs: 00007FF630890BE9
Software, xrefs: 00007FF630890BF3

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: Software$VenNetwork
API String ID: 3197061591-1820303132
Opcode ID: 977d34d6a8543d540e474d7a41a606a027e4303f67bb5f64f5b8d5885a1a35b1
Instruction ID: cabef6bf9386efb4d6b515bf6bf9b46cd3b1eb866d8e7c61743b48115304253b
Opcode Fuzzy Hash: 977d34d6a8543d540e474d7a41a606a027e4303f67bb5f64f5b8d5885a1a35b1
Instruction Fuzzy Hash: E0215136618A8096EB10DB66F84435AB361FB88BE9F444131DE4D83B6ADF7CD14EDB04

Function 00007FF630885FC0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF630885FE4
EnterCriticalSection.KERNEL32 ref: 00007FF630886004
SetLastError.KERNEL32 ref: 00007FF630886016
LeaveCriticalSection.KERNEL32 ref: 00007FF63088606F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 1e7b01e8061498853063041e14b47fd2e59aeeeabd15da1d9f1fa77a953021b1
Instruction ID: b4d5bab7e98bf831311fdf332d789a9508daab4d494634b43848ee38b0d2e25e
Opcode Fuzzy Hash: 1e7b01e8061498853063041e14b47fd2e59aeeeabd15da1d9f1fa77a953021b1
Instruction Fuzzy Hash: 8D51DD36A08A469BEB649F19E44467D77A5FB48B88F054139DE4EC7392DF3CE809D700

Function 00007FF6308A45E0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A4620
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A49E8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A4C87

Strings

p, xrefs: 00007FF6308A472A
p, xrefs: 00007FF6308A46C5
f, xrefs: 00007FF6308A4722
f, xrefs: 00007FF6308A46B8
f, xrefs: 00007FF6308A486D

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction ID: 07e242f9bb61456ac882ae2e426b0337f068962d4a0f2cbb20d49cf49fac9c4e
Opcode Fuzzy Hash: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction Fuzzy Hash: E312A622A0C193A6FF249E14E0447BA7651FBD0758FB85131E68987FC8DF3CE499AB14

Function 00007FF630884080 Relevance: 13.6, APIs: 9, Instructions: 111timenetworkCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 00007FF6308840C6
setsockopt.WS2_32 ref: 00007FF630884165
setsockopt.WS2_32 ref: 00007FF63088418F
ResetEvent.KERNEL32 ref: 00007FF6308841DE
SetLastError.KERNEL32 ref: 00007FF63088420A
WSAGetLastError.WS2_32 ref: 00007FF630884216
SetLastError.KERNEL32 ref: 00007FF630884228
GetLastError.KERNEL32 ref: 00007FF630884241
SetLastError.KERNEL32 ref: 00007FF630884253

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateEventResetTimerWaitable
String ID:
API String ID: 2911610646-0
Opcode ID: 38ec76155e6582f6451855719efb9cc3d848e3c7da57bc883881785bdfc9cc07
Instruction ID: 0e76bc9b0a93dc69d893b54188bd8992f56fdcbfae27a69428d43c10e3719027
Opcode Fuzzy Hash: 38ec76155e6582f6451855719efb9cc3d848e3c7da57bc883881785bdfc9cc07
Instruction Fuzzy Hash: 1C518D72A09A82A7EB148F69E90436E77A0FB48759F100135DB4DC7B91DF7DE06ADB00

Function 00007FF630885D10 Relevance: 13.6, APIs: 9, Instructions: 93timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,-00000004,00007FF6308849B9), ref: 00007FF630885D5E
timeGetTime.WINMM(?,?,-00000004,00007FF6308849B9), ref: 00007FF630885D95
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF6308849B9), ref: 00007FF630885DB5
timeGetTime.WINMM(?,?,-00000004,00007FF6308849B9), ref: 00007FF630885DFA
SetEvent.KERNEL32 ref: 00007FF630885E27
LeaveCriticalSection.KERNEL32 ref: 00007FF630885E3B
WSASetLastError.WS2_32(?,?,-00000004,00007FF6308849B9), ref: 00007FF630885E52
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF6308849B9), ref: 00007FF630885E61
WSASetLastError.WS2_32(?,?,-00000004,00007FF6308849B9), ref: 00007FF630885E73

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 0f5c7540d6a6d13954bf3b0610fbdb20e4227d3d9c7ae04a05d2493569245aae
Instruction ID: aaca6dd5b41af2b8897e6130bd2f90f583ff068766bdef3825b3acff00d82862
Opcode Fuzzy Hash: 0f5c7540d6a6d13954bf3b0610fbdb20e4227d3d9c7ae04a05d2493569245aae
Instruction Fuzzy Hash: C6411932A09A42A7EF708B15E94423EB7A1FB94748F144135DB8E83B95DF3CF9899740

Function 00007FF630885E90 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF630885EAA
TryEnterCriticalSection.KERNEL32 ref: 00007FF630885ECB
TryEnterCriticalSection.KERNEL32 ref: 00007FF630885EDD
SetLastError.KERNEL32 ref: 00007FF630885EF6
LeaveCriticalSection.KERNEL32 ref: 00007FF630885F00
LeaveCriticalSection.KERNEL32 ref: 00007FF630885F0A

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 67fb679d431cd07a0a75245ad9faae6b58536de87acf8e54a525854fe2ab2b98
Instruction ID: f73b573e8c62788ffb07db77ab2e6925a89dd4af9c2aa6794c8ca851a5879e6d
Opcode Fuzzy Hash: 67fb679d431cd07a0a75245ad9faae6b58536de87acf8e54a525854fe2ab2b98
Instruction Fuzzy Hash: 62313A32A19982AAEB908F68D84827D33A4FF44B4DF441031DA0EC6796DF3CE85DE701

Function 00007FF6308A0C08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6308A0C65

Part of subcall function 00007FF6308A2FC8: __GetUnwindTryBlock.LIBCMT ref: 00007FF6308A300B
Part of subcall function 00007FF6308A2FC8: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6308A3030

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6308A0D3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6308A0F8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6308A1098

Strings

csm, xrefs: 00007FF6308A0CE6
csm, xrefs: 00007FF6308A0D60
csm, xrefs: 00007FF6308A0C7F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2b2ef099c7c498c1f83d83cf8365c45f4a2add1e44776cae4b3bb5ec5925f551
Instruction ID: 6a65eeb3353b55d76dc8c218a8fb77b8685709b8f60fb173dddf5a2baf10d944
Opcode Fuzzy Hash: 2b2ef099c7c498c1f83d83cf8365c45f4a2add1e44776cae4b3bb5ec5925f551
Instruction Fuzzy Hash: F3D18132A08B41AAEF209B65D4403AD77A0FB5579CF200135EE8D97BD6DF38E599DB00

Function 00007FF6308B08B4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF6308B0A30
GetProcAddress.KERNEL32 ref: 00007FF6308B0A3C

Strings

api-ms-, xrefs: 00007FF6308B097A
ext-ms-, xrefs: 00007FF6308B098D

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 7440c042807cac739352953deb803b73dd017de38a4217708bea05fa604c5186
Instruction ID: 30c3aa0b3a261bcbb1a9a1b45f301dceee2c293eedacfb6aa724dbe0b537c0e9
Opcode Fuzzy Hash: 7440c042807cac739352953deb803b73dd017de38a4217708bea05fa604c5186
Instruction Fuzzy Hash: 9B412121B1DB02A5FE66CB16A8102762790FF04BA8F185636DD0DD7785EF3CE44DA700

Function 00007FF63088E01F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF63088E0E9
WriteFile.KERNEL32 ref: 00007FF63088E119
CloseHandle.KERNEL32 ref: 00007FF63088E12A
lstrlenW.KERNEL32 ref: 00007FF63088E135
wsprintfW.USER32 ref: 00007FF63088E159
lstrcpyW.KERNEL32 ref: 00007FF63088E168

Part of subcall function 00007FF6308906A0: lstrlenW.KERNEL32 ref: 00007FF630890718
Part of subcall function 00007FF6308906A0: wsprintfW.USER32 ref: 00007FF6308907A2
Part of subcall function 00007FF6308906A0: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF630890806
Part of subcall function 00007FF6308906A0: lstrcatW.KERNEL32 ref: 00007FF630890841
Part of subcall function 00007FF6308906A0: lstrcatW.KERNEL32 ref: 00007FF63089084E

Strings

%s %s, xrefs: 00007FF63088E152

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Filelstrcatlstrlenwsprintf$CloseCreateEnvironmentExpandHandleStringsWritelstrcpy
String ID: %s %s
API String ID: 958574092-2939940506
Opcode ID: eceb82c3cd3af4ca55499d5fe9bd5fadc0488819e054981a88d383308b1fa06d
Instruction ID: 8a3ad4400b766678df04a288b22fadaa9c3a4a5c5ecb97c7a2e486923b73eb95
Opcode Fuzzy Hash: eceb82c3cd3af4ca55499d5fe9bd5fadc0488819e054981a88d383308b1fa06d
Instruction Fuzzy Hash: CF413F26A18BC691EB118F28D9042FD2320FBA5B4CF55A325DB4C56762EF39E2D9D700

Function 00007FF630884A90 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF630884AD0
LeaveCriticalSection.KERNEL32 ref: 00007FF630884B20
send.WS2_32 ref: 00007FF630884B49
EnterCriticalSection.KERNEL32 ref: 00007FF630884B58
LeaveCriticalSection.KERNEL32 ref: 00007FF630884B6F
WSAGetLastError.WS2_32 ref: 00007FF630884BA9
EnterCriticalSection.KERNEL32 ref: 00007FF630884BB9
LeaveCriticalSection.KERNEL32 ref: 00007FF630884BFB

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastsend
String ID:
API String ID: 3480985631-0
Opcode ID: dcbfb0b2159904ea6d1c624c1834ef820b2325ccb56d393d0a5f1f6bb36a758c
Instruction ID: 565f7b5ae502bf4e59be6483d901b7337e2b7b8aaedfa741849f36bef9491392
Opcode Fuzzy Hash: dcbfb0b2159904ea6d1c624c1834ef820b2325ccb56d393d0a5f1f6bb36a758c
Instruction Fuzzy Hash: 4E417B32608B81A2EB54CF66E5402AC73A4FB08F9CF181135CE1D8BB59DF38E599E704

Function 00007FF6308A9480 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A94C3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A98B0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A9B4C

Strings

f, xrefs: 00007FF6308A95E5
p, xrefs: 00007FF6308A95ED
p, xrefs: 00007FF6308A9575

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction ID: 586a076beb98a548cee642eee75804a05f19a672cef47225950da61957c2c961
Opcode Fuzzy Hash: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction Fuzzy Hash: A312A332E0C153A6FF205A15E0542BA7691FB90758FA84036E6DD86FC4DF3CE58AEB14

Function 00007FF630884470 Relevance: 10.6, APIs: 7, Instructions: 143threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF63088448E
SetWaitableTimer.KERNEL32 ref: 00007FF6308844C3
WSAWaitForMultipleEvents.WS2_32 ref: 00007FF63088456D
GetCurrentThreadId.KERNEL32 ref: 00007FF630884676

Part of subcall function 00007FF630884A90: EnterCriticalSection.KERNEL32 ref: 00007FF630884AD0
Part of subcall function 00007FF630884A90: LeaveCriticalSection.KERNEL32 ref: 00007FF630884B20
Part of subcall function 00007FF630884A90: send.WS2_32 ref: 00007FF630884B49
Part of subcall function 00007FF630884A90: EnterCriticalSection.KERNEL32 ref: 00007FF630884B58
Part of subcall function 00007FF630884A90: LeaveCriticalSection.KERNEL32 ref: 00007FF630884B6F
Part of subcall function 00007FF630884A90: WSAGetLastError.WS2_32 ref: 00007FF630884BA9
Part of subcall function 00007FF630884A90: EnterCriticalSection.KERNEL32 ref: 00007FF630884BB9
Part of subcall function 00007FF630884A90: LeaveCriticalSection.KERNEL32 ref: 00007FF630884BFB

SetLastError.KERNEL32 ref: 00007FF630884616

Part of subcall function 00007FF630885FC0: SetLastError.KERNEL32 ref: 00007FF630885FE4

GetLastError.KERNEL32 ref: 00007FF63088461C
WSAGetLastError.WS2_32 ref: 00007FF630884641

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterLeave$CurrentThread$EventsMultipleTimerWaitWaitablesend
String ID:
API String ID: 2807917265-0
Opcode ID: 495490e7d3477735b75ad2edb0a11b0efccf73ea01b4538bcbeaf1220e2ab4c3
Instruction ID: f98cae654720ddcc97b33eebb81b30a549fad00afc798eda075b9356eb4b8f6d
Opcode Fuzzy Hash: 495490e7d3477735b75ad2edb0a11b0efccf73ea01b4538bcbeaf1220e2ab4c3
Instruction Fuzzy Hash: C2516D72A0864296FF60CF25A84027D23A4FB55B5CF146635DE2EC7B95EF38E448A700

Function 00007FF63088B9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63088BA4B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF63088BA93
_Getctype.LIBCPMT ref: 00007FF63088BAAB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63088BB63
_Getwctype.LIBCPMT ref: 00007FF63088BBB1

Strings

bad locale name, xrefs: 00007FF63088BB86

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: 1e5e98c9536fad76aa215f10c33411828afcd6fe37bfa1046ea3f08e32c02a87
Instruction ID: 84df99b368f95a7dc97753d352fcc0271ade6bacec95b4d990a937f0869b38ec
Opcode Fuzzy Hash: 1e5e98c9536fad76aa215f10c33411828afcd6fe37bfa1046ea3f08e32c02a87
Instruction Fuzzy Hash: 7E517A22B09B41AAFF14DBB4D4502BC2370EF9575CF444138DE8D66B9ADF38E55AA304

Function 00007FF630891D30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF630891DA0
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF630891DE8
_Getcoll.LIBCPMT ref: 00007FF630891E00
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF630891E8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630891EE9

Strings

bad locale name, xrefs: 00007FF630891EEF

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: std::_$Lockit$GetcollLocinfo::_Locinfo_ctorLockit::_Lockit::~__invalid_parameter_noinfo_noreturn
String ID: bad locale name
API String ID: 3908275632-1405518554
Opcode ID: b631740363b0e831fde9baf712990589db3f9d8b5b5567fa3c7a7b01eb85b2e8
Instruction ID: 53b7160f6bcbe1e4cb89b37f692744803803b6120731673aaaf6fc9aeaec9530
Opcode Fuzzy Hash: b631740363b0e831fde9baf712990589db3f9d8b5b5567fa3c7a7b01eb85b2e8
Instruction Fuzzy Hash: E4515832B09B81A9FF10EBB4D4503AC33A5AF4574CF444135EE4DA7B99DF38A44AA304

Function 00007FF6308A352C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6308A37DE,?,?,?,00007FF6308A34D0,?,?,?,00007FF6308A0109), ref: 00007FF6308A35B1
GetLastError.KERNEL32(?,?,?,00007FF6308A37DE,?,?,?,00007FF6308A34D0,?,?,?,00007FF6308A0109), ref: 00007FF6308A35BF
LoadLibraryExW.KERNEL32(?,?,?,00007FF6308A37DE,?,?,?,00007FF6308A34D0,?,?,?,00007FF6308A0109), ref: 00007FF6308A35E9
FreeLibrary.KERNEL32(?,?,?,00007FF6308A37DE,?,?,?,00007FF6308A34D0,?,?,?,00007FF6308A0109), ref: 00007FF6308A3657
GetProcAddress.KERNEL32(?,?,?,00007FF6308A37DE,?,?,?,00007FF6308A34D0,?,?,?,00007FF6308A0109), ref: 00007FF6308A3663

Strings

api-ms-, xrefs: 00007FF6308A35D1

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 79f1708f0d73a3895a2fe6d32fc30880b345232a89ca131bb8ab1f3b75cbd6b1
Instruction ID: 46c6670847ed427a7268d1f96b7e3485fe5dc187813477a5f8bc01e1f0ec38d8
Opcode Fuzzy Hash: 79f1708f0d73a3895a2fe6d32fc30880b345232a89ca131bb8ab1f3b75cbd6b1
Instruction Fuzzy Hash: 0831E321B1AB42B1EE61DB56A8001792394FF58BA8F690536ED1DC7BD0FF3CE449A704

Function 00007FF630890CA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF630890CB0
GetFileAttributesW.KERNEL32 ref: 00007FF630890D3D
GetLastError.KERNEL32 ref: 00007FF630890D4C
CreateProcessW.KERNEL32 ref: 00007FF630890DD9

Strings

h, xrefs: 00007FF630890DB9
WinSta0\Default, xrefs: 00007FF630890D6B

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: 9328811ce07eccb9baa46191bf573199de9204eba7fc0589a085695e6e112cb4
Instruction ID: f0c4c8b6245abf0e85fbe8e6af31598f2897f04e3e635fcc6103f9d418204b97
Opcode Fuzzy Hash: 9328811ce07eccb9baa46191bf573199de9204eba7fc0589a085695e6e112cb4
Instruction Fuzzy Hash: 8B316821E0C7C296DA709B15B90137E6391FB95798F405335E69DC7B95EF3CE0989B00

Function 00007FF6308AEA70 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA7F
FlsGetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEA94
FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAB5
FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAE2
FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEAF3
FlsSetValue.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB04
SetLastError.KERNEL32(?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F,?,?,?,00007FF6308A6443), ref: 00007FF6308AEB1F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 0e252fc1aa08c509f0e93816402eca9f1f65028cc0729f634b753678d4cd798a
Instruction ID: a3816d1378a779e6eade3531306693b1bcce6b5ba9c2cb99472d347ec06556c3
Opcode Fuzzy Hash: 0e252fc1aa08c509f0e93816402eca9f1f65028cc0729f634b753678d4cd798a
Instruction Fuzzy Hash: B4218E20F0D61662FE68677155652396242AF547BCF244B35E83EC7FD6EE3CB809A700

Function 00007FF6308BCC80 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6308BCCB1
GetLastError.KERNEL32 ref: 00007FF6308BCCBD
CloseHandle.KERNEL32 ref: 00007FF6308BCCD5
CreateFileW.KERNEL32 ref: 00007FF6308BCD00
WriteConsoleW.KERNEL32 ref: 00007FF6308BCD1F

Strings

CONOUT$, xrefs: 00007FF6308BCCE1

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: c477bea2d07ef44c7e07df60decfd2619db83e7f0bc9226f08f6201d8069434b
Instruction ID: dae3e1306025555c2bbd5e88875d451ac81552f8fffe179225131ac51855fed7
Opcode Fuzzy Hash: c477bea2d07ef44c7e07df60decfd2619db83e7f0bc9226f08f6201d8069434b
Instruction Fuzzy Hash: 0B115E21A28B4196EB608B56E854329B7A1FF88FE8F444334EA5DC77A5DF3CD8488744

Function 00007FF63088ACF0 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF63088AD09
CreateFileW.KERNEL32 ref: 00007FF63088AD3D
SetFilePointer.KERNEL32 ref: 00007FF63088AD62
lstrlenW.KERNEL32 ref: 00007FF63088AD6B
WriteFile.KERNEL32 ref: 00007FF63088AD89
CloseHandle.KERNEL32 ref: 00007FF63088AD92
ReleaseMutex.KERNEL32 ref: 00007FF63088AD9F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 6d311e261bfe59e5949d3104aa2c883e73ffb96b44e413d4cc9c1204dacd56c9
Instruction ID: 10e1ec7292a5e833ded448ef94ca19e02bc38babb009cf275055e9d8f133ea1f
Opcode Fuzzy Hash: 6d311e261bfe59e5949d3104aa2c883e73ffb96b44e413d4cc9c1204dacd56c9
Instruction Fuzzy Hash: 1C115E71608A4292FB109B55F9087667360EF88BA8F104331DA6E43BE5CF7CD44D9B04

Function 00007FF63088EF25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF63088EF4F
RegDeleteValueW.ADVAPI32 ref: 00007FF63088EF63
RegSetValueExW.ADVAPI32 ref: 00007FF63088EF8D
RegCloseKey.ADVAPI32 ref: 00007FF63088EF9A

Strings

Console, xrefs: 00007FF63088EF41
IpDatespecial, xrefs: 00007FF63088EF5C, 00007FF63088EF70

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: f23957102dd5c337703c86b23f0909451c31f6d4053b1f337106711f9d04a52f
Instruction ID: d00255f65c0234683ae64de90bfdcacb898f3e5ff410a5fdcf323655a899cfc0
Opcode Fuzzy Hash: f23957102dd5c337703c86b23f0909451c31f6d4053b1f337106711f9d04a52f
Instruction Fuzzy Hash: AE015E36608EC196EB219F24EC107697760FB84B69F044122CA4D8376ADF3CD59EDB04

Function 00007FF630889220 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF630889239
GetCommandLineW.KERNEL32 ref: 00007FF63088923F
GetStartupInfoW.KERNEL32 ref: 00007FF63088924D
CreateProcessW.KERNEL32 ref: 00007FF630889290
ExitProcess.KERNEL32 ref: 00007FF63088929B

Strings

, xrefs: 00007FF630889284

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: 190dd20226834de6593c2658ef490eeec5e65b5d977b517c4b94419b13326a92
Instruction ID: 4a1b183193142fa248da66712170958143c79f83fa95a146291d49f531956f94
Opcode Fuzzy Hash: 190dd20226834de6593c2658ef490eeec5e65b5d977b517c4b94419b13326a92
Instruction Fuzzy Hash: 94F03132618A82D6DB608F68F84875FB7A4FB88758F500235E68E87B64DF3CC149CB00

Function 00007FF630884940 Relevance: 9.1, APIs: 6, Instructions: 80networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF630884964
SetLastError.KERNEL32 ref: 00007FF630884977
WSAGetLastError.WS2_32 ref: 00007FF6308849C8
SetLastError.KERNEL32 ref: 00007FF630884A32
WSASetLastError.WS2_32 ref: 00007FF630884A3D
GetLastError.KERNEL32 ref: 00007FF630884A43

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 4d768c99772465553fa61935876ff201d4a32ce5a3f2b2de379ff66690b2a509
Instruction ID: b843a943d9e30b935987fd4b9dbfe5187db3f50264e3352fb10daf83f44b5696
Opcode Fuzzy Hash: 4d768c99772465553fa61935876ff201d4a32ce5a3f2b2de379ff66690b2a509
Instruction Fuzzy Hash: 06318E36A0864292EF648F78E48437D27A1FB84B4CF541536CA0DC77A9EF3DD888A705

Function 00007FF6308A10D8 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6308A1276
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6308A159F

Strings

csm, xrefs: 00007FF6308A11BD
csm, xrefs: 00007FF6308A129D
csm, xrefs: 00007FF6308A121F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 89a7cbb458af1ec799ed0823309e47d85c371afd6e512bd69dcc86c67ccd7e4c
Instruction ID: e4966d85a4d34b158702932af8c41c90b9741cf8863420c6c3e0b60274d300f6
Opcode Fuzzy Hash: 89a7cbb458af1ec799ed0823309e47d85c371afd6e512bd69dcc86c67ccd7e4c
Instruction Fuzzy Hash: 98E19173D086829AEF60DF69D4803AD37A0FB4574CF244135DA8D87B96DE38E589D740

Function 00007FF630885300 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00007FF63088531C
ResetEvent.KERNEL32 ref: 00007FF630885329
timeGetTime.WINMM ref: 00007FF63088532F
WaitForSingleObject.KERNEL32 ref: 00007FF630885379
ResetEvent.KERNEL32 ref: 00007FF630885396

Part of subcall function 00007FF630884C50: GetCurrentThreadId.KERNEL32 ref: 00007FF630884C65
Part of subcall function 00007FF630884C50: SwitchToThread.KERNEL32 ref: 00007FF630884C9D
Part of subcall function 00007FF630884C50: SetLastError.KERNEL32 ref: 00007FF630884CDC

ResetEvent.KERNEL32 ref: 00007FF6308853BD

Part of subcall function 00007FF6308A8940: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A896B

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: EventReset$Thread$CurrentErrorLastObjectSingleSwitchTimeWait_invalid_parameter_noinfotime
String ID:
API String ID: 2235205178-0
Opcode ID: dd32348ce441aaf97619a2f265975deae253349b76a9a1e61c24f21497cea129
Instruction ID: fe3b47a8907ae19e42bcfbe4aeab13f44394fb4a60a631859083c921bb93b1f3
Opcode Fuzzy Hash: dd32348ce441aaf97619a2f265975deae253349b76a9a1e61c24f21497cea129
Instruction Fuzzy Hash: 15218932A08A8292EB50CF25E8402AE73A4FB88F98F184131DE4DC7769CF38D489D754

Function 00007FF6308AEBE8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0000114ED97129F6,00007FF6308A8B05,?,?,?,?,00007FF6308B2546,?,?,00000000,00007FF6308AA3FB,?,?,?), ref: 00007FF6308AEBF7
FlsSetValue.KERNEL32(?,?,0000114ED97129F6,00007FF6308A8B05,?,?,?,?,00007FF6308B2546,?,?,00000000,00007FF6308AA3FB,?,?,?), ref: 00007FF6308AEC2D
FlsSetValue.KERNEL32(?,?,0000114ED97129F6,00007FF6308A8B05,?,?,?,?,00007FF6308B2546,?,?,00000000,00007FF6308AA3FB,?,?,?), ref: 00007FF6308AEC5A
FlsSetValue.KERNEL32(?,?,0000114ED97129F6,00007FF6308A8B05,?,?,?,?,00007FF6308B2546,?,?,00000000,00007FF6308AA3FB,?,?,?), ref: 00007FF6308AEC6B
FlsSetValue.KERNEL32(?,?,0000114ED97129F6,00007FF6308A8B05,?,?,?,?,00007FF6308B2546,?,?,00000000,00007FF6308AA3FB,?,?,?), ref: 00007FF6308AEC7C
SetLastError.KERNEL32(?,?,0000114ED97129F6,00007FF6308A8B05,?,?,?,?,00007FF6308B2546,?,?,00000000,00007FF6308AA3FB,?,?,?), ref: 00007FF6308AEC97

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: c7396dbfbcb47cfb6cfc33ed0fb29296ace80fe16ba5d506c85f3ecfa09c6d8f
Instruction ID: 8436e3e2dd5f870af231c068c9d636a438cf5fbb3966151a9d06dfd84988bdff
Opcode Fuzzy Hash: c7396dbfbcb47cfb6cfc33ed0fb29296ace80fe16ba5d506c85f3ecfa09c6d8f
Instruction Fuzzy Hash: 00116D20F1D64262FE546B75566123966429F447B8F240B34D83EC6BD6EE3CB409B600

Function 00007FF6308ABC90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6308ABCB5
GetProcAddress.KERNEL32 ref: 00007FF6308ABCCB
FreeLibrary.KERNEL32 ref: 00007FF6308ABCF2

Strings

mscoree.dll, xrefs: 00007FF6308ABCAC
CorExitProcess, xrefs: 00007FF6308ABCC4

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4e200ac4912f663bf200d97a0492af6b570e41165da9f834e6f0b0fe5145a0ad
Instruction ID: 34c75cf3e1cedd87cedebba6ce3c65c9cebd077d777b06262c42c3fbc28e5154
Opcode Fuzzy Hash: 4e200ac4912f663bf200d97a0492af6b570e41165da9f834e6f0b0fe5145a0ad
Instruction Fuzzy Hash: 0EF06D61A29B02A1EE248B68E4847796320EF89779F540335CA6E857F5DF3CD08DE300

Function 00007FF63088EFA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF63088EFC9
RegDeleteValueW.ADVAPI32 ref: 00007FF63088EFDD
RegCloseKey.ADVAPI32 ref: 00007FF63088EFEA

Strings

Console, xrefs: 00007FF63088EFBB
IpDatespecial, xrefs: 00007FF63088EFD6

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: 6e7d2c7a670a32b5de56c4a84771261a6cdbf4bc2880aa7204407435697e958c
Instruction ID: edf2c12495504d17a5066bdf6c39f70a5cc504aa12ac7121d9175709a3fff953
Opcode Fuzzy Hash: 6e7d2c7a670a32b5de56c4a84771261a6cdbf4bc2880aa7204407435697e958c
Instruction Fuzzy Hash: ABF0F936A08DC195EB208B28EC107A96360EB8476AF000231C90D97769DE39E59E9B04

Function 00007FF6308A04D8 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF6308A05FB
__AdjustPointer.LIBCMT ref: 00007FF6308A0646

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f957c6767cf5b81622e8ff6fae34e0b794288dc4cc0809d74a0a7b197e878a35
Instruction ID: 6fbbe7dc39f09e21f43da29ffc73606cad57808ec0e7a36154dcb6e441c26987
Opcode Fuzzy Hash: f957c6767cf5b81622e8ff6fae34e0b794288dc4cc0809d74a0a7b197e878a35
Instruction Fuzzy Hash: 2CB1E322E0AB42A1FEA59F1194402396790EF94BCCF288435DE4D87FD6DE3CE459AF40

Function 00007FF6308BC6BC Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6308BC6E4
_set_statfp.LIBCMT ref: 00007FF6308BC6FF
_set_statfp.LIBCMT ref: 00007FF6308BC71B
_set_statfp.LIBCMT ref: 00007FF6308BC757

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction ID: e9eaf26cd002d3d1fa495b156891cacaaf462f2c0889d7d878214d5ebf3c225f
Opcode Fuzzy Hash: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction Fuzzy Hash: B2119E22E98A5321FFE8116CE4423791141EF55378E090635EA7EC67DAAF7CAC49660C

Function 00007FF6308AECB0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6308A39FB,?,?,00000000,00007FF6308A3C96,?,?,?,?,?,00007FF6308A3C22), ref: 00007FF6308AECCF
FlsSetValue.KERNEL32(?,?,?,00007FF6308A39FB,?,?,00000000,00007FF6308A3C96,?,?,?,?,?,00007FF6308A3C22), ref: 00007FF6308AECEE
FlsSetValue.KERNEL32(?,?,?,00007FF6308A39FB,?,?,00000000,00007FF6308A3C96,?,?,?,?,?,00007FF6308A3C22), ref: 00007FF6308AED16
FlsSetValue.KERNEL32(?,?,?,00007FF6308A39FB,?,?,00000000,00007FF6308A3C96,?,?,?,?,?,00007FF6308A3C22), ref: 00007FF6308AED27
FlsSetValue.KERNEL32(?,?,?,00007FF6308A39FB,?,?,00000000,00007FF6308A3C96,?,?,?,?,?,00007FF6308A3C22), ref: 00007FF6308AED38

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8e80255def71e26e38969c6b9ad95fb919b46607e2d80395ee43e046c775e245
Instruction ID: efc2c28b658555c8847354ba5ff74fc198688cb803811b06c2cc3f95867a99a0
Opcode Fuzzy Hash: 8e80255def71e26e38969c6b9ad95fb919b46607e2d80395ee43e046c775e245
Instruction Fuzzy Hash: 96119820F0D60661FE98672595612796241AF447BCF385B35E87DC6BE6EE3CF409B600

Function 00007FF6308AEB44 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F), ref: 00007FF6308AEB55
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F), ref: 00007FF6308AEB74
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F), ref: 00007FF6308AEB9C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F), ref: 00007FF6308AEBAD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6308B6E73,?,?,?,00007FF6308AF1A4,?,?,?,00007FF6308A819F), ref: 00007FF6308AEBBE

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: be4a96ff5b18d49a05f4adbf766956ae433ebef540c65d26a29db4b7139a2023
Instruction ID: 63230e1dcbe7bb57363e2fec072b9502794e6175575868ee1fd1e681da42d57b
Opcode Fuzzy Hash: be4a96ff5b18d49a05f4adbf766956ae433ebef540c65d26a29db4b7139a2023
Instruction Fuzzy Hash: 8F11FA50E0D20771FEA86661547527922418F5537CF280F39E93EDABD2ED3CB40AB610

Function 00007FF6308856C0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6308856E5
EnterCriticalSection.KERNEL32 ref: 00007FF6308856EF
LeaveCriticalSection.KERNEL32 ref: 00007FF6308856FF
LeaveCriticalSection.KERNEL32 ref: 00007FF630885709

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ec8515e0b6118a22be018e0c36bf8043355ac570717b599eb6440d7a0495df03
Instruction ID: e1eae79562a1f60a1700ceaac44f24df45eb6d3fb33453cf5449bcceeb837393
Opcode Fuzzy Hash: ec8515e0b6118a22be018e0c36bf8043355ac570717b599eb6440d7a0495df03
Instruction Fuzzy Hash: 5011FE32A2898193EF909B69F4943AA73A0FB44749F445031DB8F82B56DF3CE48AD704

Function 00007FF63088C0C0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF63088C103
EnterCriticalSection.KERNEL32(?,?,?,00007FF63088C094), ref: 00007FF63088C115
EnterCriticalSection.KERNEL32 ref: 00007FF63088C125
GdiplusShutdown.GDIPLUS ref: 00007FF63088C133
LeaveCriticalSection.KERNEL32 ref: 00007FF63088C140

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: cdd56314798a8dc9bb9b375cd871b4762f9b413abb23fcd634828e7dcd198d12
Instruction ID: a75f794400437fcb576d7479556e5a28b831e651048c178096683c3fee6902a4
Opcode Fuzzy Hash: cdd56314798a8dc9bb9b375cd871b4762f9b413abb23fcd634828e7dcd198d12
Instruction Fuzzy Hash: 9A113632905B52D1EF108F69E88406973B4FB48FACB284236D69D827A6DF3CD95BD344

Function 00007FF630885640 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF630885652
WaitForSingleObject.KERNEL32 ref: 00007FF630885664
Sleep.KERNEL32 ref: 00007FF63088566F
CloseHandle.KERNEL32 ref: 00007FF63088568C
CloseHandle.KERNEL32 ref: 00007FF630885699

Part of subcall function 00007FF630884C50: GetCurrentThreadId.KERNEL32 ref: 00007FF630884C65
Part of subcall function 00007FF630884C50: SwitchToThread.KERNEL32 ref: 00007FF630884C9D
Part of subcall function 00007FF630884C50: SetLastError.KERNEL32 ref: 00007FF630884CDC

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseHandleObjectSingleThreadWait$CurrentErrorLastSleepSwitch
String ID:
API String ID: 1535946027-0
Opcode ID: 6bee8a0a4dea1eafbbaf25a2cc800b23e58b43f259c7b6e2f946ecae76c8c5a2
Instruction ID: 6c946a265d20cc547e359826c794b465da67b1802724e5dddc1420872811ccc1
Opcode Fuzzy Hash: 6bee8a0a4dea1eafbbaf25a2cc800b23e58b43f259c7b6e2f946ecae76c8c5a2
Instruction Fuzzy Hash: 4DF01D36A04A4596EF049F65EC541793321EB89F69F184230DE2EC73A5DF3CD889D364

Function 00007FF6308A184C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6308A18BC
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6308A1907

Strings

RCC, xrefs: 00007FF6308A18D8
MOC, xrefs: 00007FF6308A18D0

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: a53d2363c14758023286afc4a6ab41b9c25c1dd74b553e4400a7d45858c9584b
Instruction ID: 34d5e0b583d89f3f9e0b23fc9d12c9acef9a9fc9076be3653c1122b2d186d3cc
Opcode Fuzzy Hash: a53d2363c14758023286afc4a6ab41b9c25c1dd74b553e4400a7d45858c9584b
Instruction Fuzzy Hash: 1A91B273A087919AEF50DF68D4402AD7BA0FB4478CF24413AEA4D97B95DF38D199DB00

Function 00007FF63089FA80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF63089FAAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF63089FB42
RtlUnwindEx.KERNEL32 ref: 00007FF63089FB9C

Strings

csm, xrefs: 00007FF63089FB29

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 97e6136df740a7f50eb7a5892aa497e90dc07242db7e08e9cb4e882c62b2f360
Instruction ID: 27588f2a15217e2220f34598f39e1e7dc0dee626e193939832ce8f67aa0141d4
Opcode Fuzzy Hash: 97e6136df740a7f50eb7a5892aa497e90dc07242db7e08e9cb4e882c62b2f360
Instruction Fuzzy Hash: 7C51C132B19612AADF18EF15E454A787391EB44B9CF108131EE4E8778ADF7CE849E700

Function 00007FF6308A1DCC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6308A1DF4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6308A1EDC

Strings

csm, xrefs: 00007FF6308A1E16
csm, xrefs: 00007FF6308A1F2E

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1c7f32590a0a5e31803e0cd6c6efa8edac5466215bfbb7b2d07330e269dc0479
Instruction ID: 501911b20d0730c1d3850b3af0a8e71d7fa43283d8644c4c41b46654f61a9e53
Opcode Fuzzy Hash: 1c7f32590a0a5e31803e0cd6c6efa8edac5466215bfbb7b2d07330e269dc0479
Instruction Fuzzy Hash: EF515E32A08282AAEF748F1A954437877A0EB54B9CF244135DA9D87FD5CF3CE469DB01

Function 00007FF6308A15DC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6308A163B
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6308A1687

Strings

RCC, xrefs: 00007FF6308A1657
MOC, xrefs: 00007FF6308A164F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: b953805b3f16366bb71475c1063139944ec3feeea47b818f87e78a0e56bad00b
Instruction ID: c923c687a9dc3651e666e6cba108359e98c68b5411e19f146cf3c3eae068389b
Opcode Fuzzy Hash: b953805b3f16366bb71475c1063139944ec3feeea47b818f87e78a0e56bad00b
Instruction Fuzzy Hash: 4F61C532908BC591DF619F19E4407AAB7A0FB95B88F144235EB9C83B95DF7CE198CB00

Function 00007FF6308BA7BC Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6308BA83B
WriteFile.KERNEL32 ref: 00007FF6308BAB03
WriteFile.KERNEL32 ref: 00007FF6308BAB49
GetLastError.KERNEL32 ref: 00007FF6308BABFF

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 77dd5d4aa20de0d79966c3f830593b01910af74af4cc21fda2ecf357b99f0be0
Instruction ID: de85300666a8aa48888ff13f462303d469bf93f7e58b4776db70e8e05412b18c
Opcode Fuzzy Hash: 77dd5d4aa20de0d79966c3f830593b01910af74af4cc21fda2ecf357b99f0be0
Instruction Fuzzy Hash: B6D1D432B08A819AEB21CF69D4502EC3BB6FB447DCB544236DE5D97B99DE38D44AD300

Function 00007FF630897530 Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6308978D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6308978DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6308978E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6308978E8

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 7d7153dc9ae7d5b3424c28ff14d58aef55a80775f13d9447e24f61463487f32c
Instruction ID: f2cbf695a10e48451fb5cd2c5cbe92cfee048d9d9a8561606aaa36fecbcfb05e
Opcode Fuzzy Hash: 7d7153dc9ae7d5b3424c28ff14d58aef55a80775f13d9447e24f61463487f32c
Instruction Fuzzy Hash: 15B1AC62F14B55A5FF009BA4C4487AD2372FB04BACF409225DE6C67B99DF78A885D304

Function 00007FF6308BB0E4 Relevance: 6.2, APIs: 4, Instructions: 219COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6308BB0CF), ref: 00007FF6308BB200
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6308BB0CF), ref: 00007FF6308BB28B

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 8d852cd364b953300601feb318994bc5f66eb9b85f3205e0d4ed1d6cdd918134
Instruction ID: db210b7d34bcfb6be06f97003ea568a68658aff14e5e3b367bfc42f3d2d0849c
Opcode Fuzzy Hash: 8d852cd364b953300601feb318994bc5f66eb9b85f3205e0d4ed1d6cdd918134
Instruction Fuzzy Hash: D991A122E08652A5FF608F6994502BD2BE0FF04B9CF544139DE4E97B95DEB8E44AE700

Function 00007FF630898750 Relevance: 6.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630898994
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6308989A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6308989A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630898A07

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: aa83a4776d611bfa6910a88996202f0a13839e5925797b86addcbd2790bd8b35
Instruction ID: 041271d0f4e6a0da6c02464b88e0deeaa64617f57292777a9f8238ee1dfd918a
Opcode Fuzzy Hash: aa83a4776d611bfa6910a88996202f0a13839e5925797b86addcbd2790bd8b35
Instruction Fuzzy Hash: F571B062B18B86A6EE04EB25D40437C6760EB84FE8F548A31EE6C57BD5DF38E485D300

Function 00007FF63088F160 Relevance: 6.2, APIs: 4, Instructions: 190processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF63088F1AD
Process32FirstW.KERNEL32 ref: 00007FF63088F23F
Process32NextW.KERNEL32 ref: 00007FF63088F333

Part of subcall function 00007FF6308A87A0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A87C6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63088F3FB

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4260596558-0
Opcode ID: 7762ce93aa6985307a259bfb251e473b870e7df6f058cf487220d00444a178a1
Instruction ID: eee484e8a6165859d2b0bcb61f9adff828a3c44e774f435ff611f2701390da48
Opcode Fuzzy Hash: 7762ce93aa6985307a259bfb251e473b870e7df6f058cf487220d00444a178a1
Instruction Fuzzy Hash: 6871D462A08B86A1EE209B25D44427E6361FB85BA8F508331EA6E837D5DF7CE548D700

Function 00007FF6308A9344 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF6308A939B
GetSystemInfo.KERNEL32 ref: 00007FF6308A93B4
VirtualAlloc.KERNEL32 ref: 00007FF6308A9422
VirtualProtect.KERNEL32 ref: 00007FF6308A943D

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 8276b17d3f0086b027f55cc71dd443fed715192864dd3a3d0b6a65bee2902499
Instruction ID: 5842a0adacd3f5d57b7ca4dd54457e3163164f6df5a4d9b316b2276785423c16
Opcode Fuzzy Hash: 8276b17d3f0086b027f55cc71dd443fed715192864dd3a3d0b6a65bee2902499
Instruction Fuzzy Hash: AF313932718A81AEDB20CF35D8547E933A5FB48788F944036EA4D87B59DF38E64AD700

Function 00007FF630884F90 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF630884FAC
LeaveCriticalSection.KERNEL32 ref: 00007FF630884FC3
LeaveCriticalSection.KERNEL32 ref: 00007FF63088504B
SetEvent.KERNEL32 ref: 00007FF63088506B

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: ee59a16ddcb61b2f30476306e2c70f7e991c931b41d410101ed0a7d795a74e2b
Instruction ID: 4d5cc1566f898b755ddab28cd5840deb70ae8d16cb1a0b54b6ca80be111c5252
Opcode Fuzzy Hash: ee59a16ddcb61b2f30476306e2c70f7e991c931b41d410101ed0a7d795a74e2b
Instruction Fuzzy Hash: 4D21F836704B81A7DB48CF2AE5802ADB3A4FB48B88F544135DB6D83766DF38E4A5C740

Function 00007FF63089E760 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF63089E78C
GetCurrentThreadId.KERNEL32 ref: 00007FF63089E79A
GetCurrentProcessId.KERNEL32 ref: 00007FF63089E7A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF63089E7B6

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: cc56691cd60568e6146a7dde9c83608ec099c6c6a56f3e0ff612a8b3836fe06a
Instruction ID: fc42bcea54b87e160da34f52148d97ecf848ea39426c6978c0502f6fec7c4a2f
Opcode Fuzzy Hash: cc56691cd60568e6146a7dde9c83608ec099c6c6a56f3e0ff612a8b3836fe06a
Instruction Fuzzy Hash: 16117C26B15F019AEF00DFA0E8542B833A4FB1975CF440E32EA2D867A4DF3CD1588380

Function 00007FF6308837A0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF6308837DD
CancelIo.KERNEL32 ref: 00007FF6308837EA
closesocket.WS2_32 ref: 00007FF6308837FA
SetEvent.KERNEL32 ref: 00007FF630883804

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 2fb1975f05564cd4b635324778d61c2216334fb941b2a99bb5b0bfd9df8af0fc
Instruction ID: dc13bdb3d72bf3596dff18b8ef12196c9c817c7464727a5384305936e9eaa633
Opcode Fuzzy Hash: 2fb1975f05564cd4b635324778d61c2216334fb941b2a99bb5b0bfd9df8af0fc
Instruction Fuzzy Hash: 7BF06932604A8197DB108F69E45432AB330FB84BA8F504335CBAC87BA4CF39D0698B04

Function 00007FF630883FF0 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF630884002
Sleep.KERNEL32 ref: 00007FF63088400D
WaitForSingleObject.KERNEL32 ref: 00007FF630884024
WaitForSingleObject.KERNEL32 ref: 00007FF630884036

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ObjectSingleWait$Sleep
String ID:
API String ID: 2961732021-0
Opcode ID: 4ede45267323656183b3c0ec57ef8ecec2c46d3b5a24cc8965c2015fc5653a59
Instruction ID: 3300d5a6944f4848a1cabc5ddfa6b68199a49cdbeb463b93aa2dbf3482609e76
Opcode Fuzzy Hash: 4ede45267323656183b3c0ec57ef8ecec2c46d3b5a24cc8965c2015fc5653a59
Instruction Fuzzy Hash: D0F0FE72704A459ADB409F79D8542293361EF89B39F154330CA2D873E5CF38C489D358

Function 00007FF630891840 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630891A68
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF630891AD7

Strings

^(T[A-Za-z0-9]*|0x[A-Za-z0-9]*)$, xrefs: 00007FF630891868

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ^(T[A-Za-z0-9]*|0x[A-Za-z0-9]*)$
API String ID: 3668304517-660079095
Opcode ID: 1a7bd3f9ad1e2be3bb215426da79a080b2b48fcb5330e2929561e3c4d22847e3
Instruction ID: 4f7ee0126317ed945ba19c5f8b99484c76f7de038483dc534d3b33b46c6d3117
Opcode Fuzzy Hash: 1a7bd3f9ad1e2be3bb215426da79a080b2b48fcb5330e2929561e3c4d22847e3
Instruction Fuzzy Hash: A281BE72B19B41AAEF50EF68D0503AC33A5EB48B9CF444235EA5D83B88DF38D954D304

Function 00007FF6308A2004 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6308A202E

Strings

csm, xrefs: 00007FF6308A2053
csm, xrefs: 00007FF6308A21C2

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 2e13650262a6f61ea207b4025eb27adbf5cb157b43e28d55221f4b040b54e9a1
Instruction ID: 3c6882e1922a57a0dc5cf125014524984baf6a003db1d46296121028351eb53a
Opcode Fuzzy Hash: 2e13650262a6f61ea207b4025eb27adbf5cb157b43e28d55221f4b040b54e9a1
Instruction Fuzzy Hash: 6A717F72508681A6DF708F6994407B9BBA1FB05B89F248135DA8C87FC9CE3CD569D740

Function 00007FF63088DC4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF63088DCA0
CloseHandle.KERNEL32 ref: 00007FF63088DE27

Strings

%s_bin, xrefs: 00007FF63088DC95

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CloseHandlewsprintf
String ID: %s_bin
API String ID: 3088109604-2665034546
Opcode ID: bf08d8ccf84c14e0f8f08288333c875e1effe39fc0f5fec286a8512f3a06db3b
Instruction ID: 3e53c0f8d7a74ccc164837d5cc450f890f9711c7f8eee6efcd7f013ddd68d662
Opcode Fuzzy Hash: bf08d8ccf84c14e0f8f08288333c875e1effe39fc0f5fec286a8512f3a06db3b
Instruction Fuzzy Hash: 8D51D162B19BA6A2EF60DB21C414BBD2365EF84B4CF568136DA0D877C5EE3CD809D301

Function 00007FF6308B1CC4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6308A9248: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6308A927B

_get_daylight.LIBCMT ref: 00007FF6308B1DDC
_get_daylight.LIBCMT ref: 00007FF6308B1DED

Strings

?, xrefs: 00007FF6308B1D6D

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 0b7c1d742c13ddddedbe4d6e2c5e7ad1023c035335ca7369220edd5dde904ae5
Instruction ID: 5aa95c94bd839bc1d82c005518f297c502630fc0a17e7bf5262c1d00914f7445
Opcode Fuzzy Hash: 0b7c1d742c13ddddedbe4d6e2c5e7ad1023c035335ca7369220edd5dde904ae5
Instruction Fuzzy Hash: 66415B22A0878262FF609B29D45137A6661EF80BACF544235EF5E8BBD5DF3CE449D700

Function 00007FF6308A269C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6308A2746
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6308A276F

Strings

csm, xrefs: 00007FF6308A286F

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 503767daf86984436527780b72ab736630531d0d6d2b9058069c45c3b2766ca2
Instruction ID: afe1bac7182e1984a2f99ff9884c006b4722e9fc99ac81fe43270458af97e992
Opcode Fuzzy Hash: 503767daf86984436527780b72ab736630531d0d6d2b9058069c45c3b2766ca2
Instruction Fuzzy Hash: BF517033A19741A6EA20EF15E44026D77A4FB89B94F240134EF8D87B96CF3CE469DB00

Function 00007FF6308ABF84 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6308ABFB6

Part of subcall function 00007FF6308AE6BC: RtlFreeHeap.NTDLL(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6D2
Part of subcall function 00007FF6308AE6BC: GetLastError.KERNEL32(?,?,?,00007FF6308B65C2,?,?,?,00007FF6308B693F,?,?,00000000,00007FF6308B6D85,?,?,?,00007FF6308B6CB7), ref: 00007FF6308AE6DC

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF63089DF31), ref: 00007FF6308ABFD4

Strings

C:\Users\user\Desktop\WgnsGjhA3P.exe, xrefs: 00007FF6308ABFC2

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\WgnsGjhA3P.exe
API String ID: 3580290477-2952926942
Opcode ID: 3a5b6248115956fb8c5867fcb2c099a73d6e8c573ad95eb16c3a51b61da9d299
Instruction ID: 95aa9ec4cbc65c3cc93ad01db274e1727c658bc37d728c6740acd9cdbbab1bac
Opcode Fuzzy Hash: 3a5b6248115956fb8c5867fcb2c099a73d6e8c573ad95eb16c3a51b61da9d299
Instruction Fuzzy Hash: E9417F36A08B12E6EF14EF2998401B93794EF4479CB644436EA4E87FC5DF3CE4499340

Function 00007FF6308BAE54 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6308BAF6B
GetLastError.KERNEL32 ref: 00007FF6308BAF8D

Strings

U, xrefs: 00007FF6308BAF17

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 54112263acd02f42df0a8cef6501b04abbfb211da2f70ad802a6942ee1910395
Instruction ID: 58a288da4eb0d4c52c6e563c215f2fe3da4b83d56bb7be2468eb6a0f5848f77a
Opcode Fuzzy Hash: 54112263acd02f42df0a8cef6501b04abbfb211da2f70ad802a6942ee1910395
Instruction Fuzzy Hash: 7541B072A18A81A1DB209F65E4443FA7BA0FB88798F414032EE4DC7798EF3CD449D740

Function 00007FF6308A0050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF630881111), ref: 00007FF6308A00A0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF630881111), ref: 00007FF6308A00E1

Strings

csm, xrefs: 00007FF6308A00CE

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 3c98ac448948905eff4ad47a47963f754950c65019d46630b15deedf807f34ab
Instruction ID: d220f718ebd9bdcca12dc0ef82c137b8a6d0a48c148dc89725252d75b967cf47
Opcode Fuzzy Hash: 3c98ac448948905eff4ad47a47963f754950c65019d46630b15deedf807f34ab
Instruction Fuzzy Hash: C4113D32618B8192EB218F15F440369B7E5FB88B98F684231DF8C87B99DF3DD5559B00

Function 00007FF63089A3D0 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00007FF63089A40E
IsBadReadPtr.KERNEL32 ref: 00007FF63089A4E3
SetLastError.KERNEL32(?,00000000,00007FF63089A9E9,?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A505
SetLastError.KERNEL32(?,00000000,00007FF63089A9E9,?,?,?,?,?,?,?,?,?,00007FF63088D242), ref: 00007FF63089A523

Memory Dump Source

Source File: 00000000.00000002.3503940103.00007FF630881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630880000, based on PE: true

Associated: 00000000.00000002.3503926231.00007FF630880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3503989197.00007FF6308BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504027915.00007FF6308D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504046773.00007FF6308D8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504067876.00007FF6308DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3504114261.00007FF6308E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630880000_WgnsGjhA3P.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: e0e517c51036cec7b570afbeb596ed896a79d3929b09d4426d0e27ecdcf8b3b8
Instruction ID: b046c7bc32349a6cb00c8215fc358f09fb8b14352a848db540c004954b15635c
Opcode Fuzzy Hash: e0e517c51036cec7b570afbeb596ed896a79d3929b09d4426d0e27ecdcf8b3b8
Instruction Fuzzy Hash: 00413862B09B42A6EF109B66E4442A933A0FB48B98F054435CF4E87B94DF7CE4A9D740

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WgnsGjhA3P.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\kernelquick.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
WgnsGjhA3P.exe

Function 00007FF6308862F0 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Function 00007FF63089B500 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 406
registrylibrarysleepCOMMON

Function 00007FF63088F410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Function 00007FF63088FD10 Relevance: 56.3, APIs: 27, Strings: 5, Instructions: 326
windowCOMMON

Function 00007FF630887250 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Function 00007FF6308879E0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Function 00007FF630888690 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149
memoryCOMMON

Function 00007FF630888900 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 225
memoryCOMMON

Function 00007FF6308902A0 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Function 00007FF63088C340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Function 00007FF630883820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Function 00007FF630888AD0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Function 00007FF63089BDD0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Function 00007FF63088D9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON

Function 00007FF63089C2E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128
fileCOMMON