Play interactive tour

Edit tour

Analysis Report anchorDNS_x64.exe

Overview

General Information

Sample Name:	anchorDNS_x64.exe
Analysis ID:	381811
MD5:	7160ac4abb26f0ca4c1b6dfba44f8d36
SHA1:	3820ff0d04a233745c79932b77eccfe743a81d34
SHA256:	9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to inject threads in other processes

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

anchorDNS_x64.exe (PID: 6344 cmdline: 'C:\Users\user\Desktop\anchorDNS_x64.exe' MD5: 7160AC4ABB26F0CA4C1B6DFBA44F8D36)

cmd.exe (PID: 6368 cmdline: cmd.exe /c timeout 3 && del C:\Users\user\Desktop\anchorDNS_x64.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6424 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)

cmd.exe (PID: 6376 cmdline: cmd.exe /C PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6456 cmdline: PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe' MD5: 95000560239032BC68B4C2FDFCDEF913)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: anchorDNS_x64.exe	Virustotal: Detection: 10%			Perma Link
Source: anchorDNS_x64.exe	ReversingLabs: Detection: 25%

Machine Learning detection for sample

Show sources

Source: anchorDNS_x64.exe

Joe Sandbox ML: detected

Source: anchorDNS_x64.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdbt source: anchorDNS_x64.exe
Source:	Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdb source: anchorDNS_x64.exe

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC3D404 FindFirstFileExW,

0_2_00007FF63EC3D404

Source: powershell.exe, 00000006.00000003.217179808.0000012B7D198000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.217765028.0000012B00001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.224611933.0000012B01C61000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC2048A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,CreateDesktopA,Sleep,CloseDesktop,GetLastError,GetLastError,GetLastError,CloseHandle,

0_2_00007FF63EC2048A

Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0F1C7	0_2_00007FF63EC0F1C7
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC352C0	0_2_00007FF63EC352C0
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC042E4	0_2_00007FF63EC042E4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2D00C	0_2_00007FF63EC2D00C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0F80E	0_2_00007FF63EC0F80E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1D004	0_2_00007FF63EC1D004
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0777A	0_2_00007FF63EC0777A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1AFAE	0_2_00007FF63EC1AFAE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC32754	0_2_00007FF63EC32754
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2FF60	0_2_00007FF63EC2FF60
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0176B	0_2_00007FF63EC0176B
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1890E	0_2_00007FF63EC1890E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0C0FC	0_2_00007FF63EC0C0FC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC28926	0_2_00007FF63EC28926
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0E8EC	0_2_00007FF63EC0E8EC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC020D8	0_2_00007FF63EC020D8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2908C	0_2_00007FF63EC2908C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2E894	0_2_00007FF63EC2E894
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC01094	0_2_00007FF63EC01094
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0C8B2	0_2_00007FF63EC0C8B2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC23609	0_2_00007FF63EC23609
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0A5F6	0_2_00007FF63EC0A5F6
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC3EE18	0_2_00007FF63EC3EE18
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC08E1C	0_2_00007FF63EC08E1C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0C5BE	0_2_00007FF63EC0C5BE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC195A8	0_2_00007FF63EC195A8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2F5B0	0_2_00007FF63EC2F5B0
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1CD36	0_2_00007FF63EC1CD36
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC03575	0_2_00007FF63EC03575
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC09F0A	0_2_00007FF63EC09F0A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC08716	0_2_00007FF63EC08716
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1BF22	0_2_00007FF63EC1BF22
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC066C4	0_2_00007FF63EC066C4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC216CE	0_2_00007FF63EC216CE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0AED2	0_2_00007FF63EC0AED2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC3B6E8	0_2_00007FF63EC3B6E8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC3CEEC	0_2_00007FF63EC3CEEC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC06EEC	0_2_00007FF63EC06EEC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0B68A	0_2_00007FF63EC0B68A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0BE8E	0_2_00007FF63EC0BE8E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC07E98	0_2_00007FF63EC07E98
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC42E48	0_2_00007FF63EC42E48
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0CE64	0_2_00007FF63EC0CE64
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC25414	0_2_00007FF63EC25414
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC103FD	0_2_00007FF63EC103FD
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC3D404	0_2_00007FF63EC3D404
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC17C28	0_2_00007FF63EC17C28
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC22C2F	0_2_00007FF63EC22C2F
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC06BCC	0_2_00007FF63EC06BCC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1C3C2	0_2_00007FF63EC1C3C2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC073F4	0_2_00007FF63EC073F4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1EBAA	0_2_00007FF63EC1EBAA
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1A3AE	0_2_00007FF63EC1A3AE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1FBB4	0_2_00007FF63EC1FBB4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0AB96	0_2_00007FF63EC0AB96
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC3FB64	0_2_00007FF63EC3FB64
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC27CCD	0_2_00007FF63EC27CCD
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC27CCC	0_2_00007FF63EC27CCC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC144C3	0_2_00007FF63EC144C3
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC174C4	0_2_00007FF63EC174C4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1B4E4	0_2_00007FF63EC1B4E4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2048A	0_2_00007FF63EC2048A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC08476	0_2_00007FF63EC08476
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC3BC9C	0_2_00007FF63EC3BC9C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC09CA4	0_2_00007FF63EC09CA4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0B45A	0_2_00007FF63EC0B45A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0BC62	0_2_00007FF63EC0BC62
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC15209	0_2_00007FF63EC15209
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC039FB	0_2_00007FF63EC039FB
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC071F6	0_2_00007FF63EC071F6
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC279D8	0_2_00007FF63EC279D8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0E192	0_2_00007FF63EC0E192
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC08992	0_2_00007FF63EC08992
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2217C	0_2_00007FF63EC2217C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1F148	0_2_00007FF63EC1F148
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1614C	0_2_00007FF63EC1614C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0693C	0_2_00007FF63EC0693C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0A16E	0_2_00007FF63EC0A16E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1DB2C	0_2_00007FF63EC1DB2C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC07B16	0_2_00007FF63EC07B16
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC1F31E	0_2_00007FF63EC1F31E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC012B6	0_2_00007FF63EC012B6
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0C2F2	0_2_00007FF63EC0C2F2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC08248	0_2_00007FF63EC08248
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC28250	0_2_00007FF63EC28250
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2FA54	0_2_00007FF63EC2FA54
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC0BA3A	0_2_00007FF63EC0BA3A

Source: anchorDNS_x64.exe

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal56.evad.winEXE@11/4@0/0

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

0_2_00007FF63EC2048A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210405

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nn5oih2.opl.ps1

Jump to behavior

Source: anchorDNS_x64.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: anchorDNS_x64.exe	Virustotal: Detection: 10%
Source: anchorDNS_x64.exe	ReversingLabs: Detection: 25%

Source: unknown	Process created: C:\Users\user\Desktop\anchorDNS_x64.exe 'C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout 3 && del C:\Users\user\Desktop\anchorDNS_x64.exe
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout 3 && del C:\Users\user\Desktop\anchorDNS_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: anchorDNS_x64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: anchorDNS_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: anchorDNS_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: anchorDNS_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: anchorDNS_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: anchorDNS_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: anchorDNS_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: anchorDNS_x64.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: anchorDNS_x64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdbt source: anchorDNS_x64.exe
Source:	Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdb source: anchorDNS_x64.exe

Source: anchorDNS_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: anchorDNS_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: anchorDNS_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: anchorDNS_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: anchorDNS_x64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: anchorDNS_x64.exe	Static PE information: section name: .00cfg
Source: anchorDNS_x64.exe	Static PE information: section name: .addr
Source: anchorDNS_x64.exe	Static PE information: section name: .rand
Source: anchorDNS_x64.exe	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 6_2_00007FFAEEE23767 push esp; retf

6_2_00007FFAEEE23768

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3590			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5441			Jump to behavior

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-19873

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

API coverage: 6.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588	Thread sleep count: 3590 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592	Thread sleep count: 5441 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6664	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC3D404 FindFirstFileExW,

0_2_00007FF63EC3D404

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC359E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF63EC359E4

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC39600 GetProcessHeap,

0_2_00007FF63EC39600

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2A698 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF63EC2A698
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC359E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF63EC359E4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2A284 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF63EC2A284
Source: C:\Users\user\Desktop\anchorDNS_x64.exe	Code function: 0_2_00007FF63EC2A274 SetUnhandledExceptionFilter,	0_2_00007FF63EC2A274

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes

Show sources

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC216CE VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,GetLastError,GetLastError,GetLastError,GetLastError,CloseHandle,

0_2_00007FF63EC216CE

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'			Jump to behavior

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC42C60 cpuid

0_2_00007FF63EC42C60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\anchorDNS_x64.exe

Code function: 0_2_00007FF63EC03912 GetLocalTime,SystemTimeToFileTime,

0_2_00007FF63EC03912

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Create Account1	Access Token Manipulation1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection111	Virtualization/Sandbox Evasion21	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Access Token Manipulation1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery22	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
anchorDNS_x64.exe	10%	Virustotal		Browse
anchorDNS_x64.exe	5%	Metadefender		Browse
anchorDNS_x64.exe	25%	ReversingLabs	Win64.Trojan.Bingoml
anchorDNS_x64.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.217765028.0000012B00001000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000006.00000002.224611933.0000012B01C61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	381811
Start date:	05.04.2021
Start time:	07:12:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	anchorDNS_x64.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.evad.winEXE@11/4@0/0
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 100% (good quality ratio 88.2%) Quality average: 66.5% Quality standard deviation: 33.4%
HCA Information:	Successful, ratio: 53% Number of executed functions: 22 Number of non-executed functions: 112
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Execution Graph export aborted for target powershell.exe, PID 6456 because it is empty

Simulations

Behavior and APIs

Time	Type	Description
07:13:02	API Interceptor	45x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nn5oih2.opl.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmyrl5t1.x3u.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\Documents\20210405\PowerShell_transcript.980108.ial1LKzt.20210405071301.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3372
Entropy (8bit):	5.398935195102093
Encrypted:	false
SSDEEP:	96:BZ9uh8NvqDo1ZHrZ9Ph8NvqDo1ZHqq8NF8NF2LqZrr:hBToHiiamr
MD5:	62E57036AEB9786FD3F177050567D62F
SHA1:	988AD6610E949A985DC2598B4CAFECCCC573E812
SHA-256:	65B1BDE81C296B43C79EADB7F6E8ADEC632C4FF2DE6273CE8BF43AB36DCED0E8
SHA-512:	1750544293022954D6B80789AF398AD241460118D0168E9C323BE05A747AE05A16D57F61225D23FA4EDC27648B00AD42D04DCD1C11A1AF2409FEED0983DADDA3
Malicious:	false
Reputation:	low
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210405071301..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: PowerShell Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe..Process ID: 6456..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210405071301..******************..PS>Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe..********************..Windows PowerShell transcript start..Start time: 20210405071739..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.560316865693318
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	anchorDNS_x64.exe
File size:	347648
MD5:	7160ac4abb26f0ca4c1b6dfba44f8d36
SHA1:	3820ff0d04a233745c79932b77eccfe743a81d34
SHA256:	9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513
SHA512:	d52fd1c50865aae16d63a1a7d00d29a2642ddece12b004cfa85e2abcfa25e178d1570aecdafaffefe4889906b81c92f2a2a7ca9032faabe73309f4ba33b70d93
SSDEEP:	6144:eC1p/6YfIQrMRU+YqwQR/off22+IJdxKgpCzl2Ac:vb3oK+r/oX22Tb6zl
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......_.........."......(...".................@..........................................`........................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x14002ad04
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5FCA06FB [Fri Dec 4 09:52:59 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e2450fb3cc5b1b7305e3193fe03f3369

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F61C4D4A5E0h
dec eax
add esp, 28h
jmp 00007F61C4D4A44Fh
int3
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [000273BCh]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F61C4D4A646h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [00022906h]
dec eax
mov eax, dword ptr [ebp+18h]
dec eax
mov dword ptr [ebp+10h], eax
call dword ptr [00022878h]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [00022864h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+20h]
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [0002296Ch]
mov eax, dword ptr [ebp+20h]
dec eax
lea ecx, dword ptr [ebp+10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+20h]
dec eax
xor eax, dword ptr [ebp+10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d030	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x260	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x56000	0x25e0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f000	0x6d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4cefe	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a170	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x445b0	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4d458	0x398	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x42676	0x42800	False	0.550010279605	data	6.70629418853	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x44000	0xd804	0xda00	False	0.422717173165	data	5.15584786179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x52000	0x3a28	0xc00	False	0.167317708333	data	2.31158956423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x56000	0x25e0	0x2600	False	0.481907894737	data	5.68387884943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x59000	0x28	0x200	False	0.05859375	data	0.42098230856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.addr	0x5a000	0x84	0x200	False	0.0390625	ASCII text, with no line terminators	0.881747790692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rand	0x5b000	0x10	0x200	False	0.03125	ASCII text, with no line terminators	0.200622324313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x5c000	0x9	0x200	False	0.033203125	data	0.0203931352361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
_RDATA	0x5d000	0x94	0x200	False	0.208984375	data	1.42653530093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5e000	0x260	0x400	False	0.33203125	data	3.65313012836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5f000	0x6d0	0x800	False	0.55078125	data	5.07768877682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x5e060	0x1fb	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	CloseDesktop, CreateDesktopA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear, VariantInit
ADVAPI32.dll	AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken
WS2_32.dll	WSAGetLastError, freeaddrinfo, getaddrinfo, htonl
RPCRT4.dll	UuidCreate
KERNEL32.dll	CloseHandle, CreateEventW, CreateFileA, CreateFileW, CreateRemoteThread, CreateThread, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleCP, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileType, GetLastError, GetLocalTime, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetTickCount, GetTickCount64, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ResetEvent, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetEndOfFile, SetEvent, SetFilePointer, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualAllocEx, VirtualFree, WTSGetActiveConsoleSessionId, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteProcessMemory, lstrcmpA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: anchorDNS_x64.exe PID: 6344 Parent PID: 5660

General

Start time:	07:12:59
Start date:	05/04/2021
Path:	C:\Users\user\Desktop\anchorDNS_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\anchorDNS_x64.exe'
Imagebase:	0x7ff63ec00000
File size:	347648 bytes
MD5 hash:	7160AC4ABB26F0CA4C1B6DFBA44F8D36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6368 Parent PID: 6344

General

Start time:	07:12:59
Start date:	05/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c timeout 3 && del C:\Users\user\Desktop\anchorDNS_x64.exe
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6376 Parent PID: 6344

General

Start time:	07:12:59
Start date:	05/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6384 Parent PID: 6368

General

Start time:	07:12:59
Start date:	05/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6396 Parent PID: 6376

General

Start time:	07:13:00
Start date:	05/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 6424 Parent PID: 6368

General

Start time:	07:13:00
Start date:	05/04/2021
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff6c1c10000
File size:	30720 bytes
MD5 hash:	EB9A65078396FB5D4E3813BB9198CB18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 6456 Parent PID: 6376

General

Start time:	07:13:00
Start date:	05/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: anchorDNS_x64.exe PID: 6344 Parent PID: 5660 anchorDNS_x64.exeCOMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	14

Executed Functions

Function 00007FF63EC042E4, Relevance: 39.9, APIs: 6, Strings: 16, Instructions: 1360
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FF63EC043E5
CreateFileMappingA.KERNEL32 ref: 00007FF63EC045D7
MapViewOfFile.KERNELBASE ref: 00007FF63EC04600
GetLastError.KERNEL32 ref: 00007FF63EC04F65
GetLastError.KERNEL32 ref: 00007FF63EC050C4
FindCloseChangeNotification.KERNELBASE ref: 00007FF63EC05672

Strings

Z, xrefs: 00007FF63EC0503C
a, xrefs: 00007FF63EC04CF3
=, xrefs: 00007FF63EC04FD0
=, xrefs: 00007FF63EC04D18
w, xrefs: 00007FF63EC04BBC
3:<KU, xrefs: 00007FF63EC04EBD
z, xrefs: 00007FF63EC04BE9
&, xrefs: 00007FF63EC04EA8
q, xrefs: 00007FF63EC04BA5
p, xrefs: 00007FF63EC04EA0
:, xrefs: 00007FF63EC04C39
K, xrefs: 00007FF63EC04C2F
;, xrefs: 00007FF63EC05008
|, xrefs: 00007FF63EC054DA
<, xrefs: 00007FF63EC04C34
!, xrefs: 00007FF63EC046F9

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: File$CreateErrorLast$ChangeCloseFindMappingNotificationView
String ID: !$&$3:<KU$:$;$<$=$=$K$Z$a$p$q$w$z$|
API String ID: 22809042-863818155
Opcode ID: 7c483ff31ffa63e407df1a0290c0d0c56f73aff22cc9704d1455be2e97b2d163
Instruction ID: cc14da68fc9292169e81220f97bad3c1b0a77d7c7212c4dcf5c4dae144ec9294
Opcode Fuzzy Hash: 7c483ff31ffa63e407df1a0290c0d0c56f73aff22cc9704d1455be2e97b2d163
Instruction Fuzzy Hash: 5EB2706361D2C08BF7218638A0A13DBAF92D7A2364F249518D7D447BEBCA6EC50DDF11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0F1C7, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 307
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF63EC0F37E
CreateProcessW.KERNELBASE ref: 00007FF63EC0F5C4

Strings

%s%s, xrefs: 00007FF63EC0F325
%s%s", xrefs: 00007FF63EC0F579

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CreateProcess
String ID: %s%s$%s%s"
API String ID: 963392458-3970236042
Opcode ID: 2c53f94690d710ff52d975b19985bc04d770dff98ea3af100831d4714eaa257a
Instruction ID: 1da70af0ae0dc801132f466a62d33affa99b52dff9f7dbfac9c5d06a06553bff
Opcode Fuzzy Hash: 2c53f94690d710ff52d975b19985bc04d770dff98ea3af100831d4714eaa257a
Instruction Fuzzy Hash: 9CE1D461A086D281FB718B68A8057FD23B0FFA4348F040235FE5D96B95DF7DE6899320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC352C0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 392c3d8147f14a5988bd6e81e08928f6685ac7a6814d1fd57e6d66c548fd3368
Instruction ID: b4012be708b82a0df2024893c8d457b9050d4e9dac4c249e4aabbde9a27d7336
Opcode Fuzzy Hash: 392c3d8147f14a5988bd6e81e08928f6685ac7a6814d1fd57e6d66c548fd3368
Instruction Fuzzy Hash: B241B032714A5486EF48CF2ADD6416DA3B1AB58FD4B099037EE2DC7B69DE3CD4499300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC298CC, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 52
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF63EC298E2
GetModuleHandleW.KERNELBASE ref: 00007FF63EC298EF
GetModuleHandleW.KERNEL32 ref: 00007FF63EC29904
GetProcAddress.KERNEL32 ref: 00007FF63EC2991C
GetProcAddress.KERNEL32 ref: 00007FF63EC2992F
CreateEventW.KERNEL32 ref: 00007FF63EC2995B

Strings

kernel32.dll, xrefs: 00007FF63EC298FD
SleepConditionVariableCS, xrefs: 00007FF63EC29912
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF63EC298E8
WakeAllConditionVariable, xrefs: 00007FF63EC29922

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: AddressHandleModuleProc$CountCreateCriticalEventInitializeSectionSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 4003212759-3242537097
Opcode ID: c90e6321c21e8170757152ffd5828284882e8311bafeae04178b06d48b048fe3
Instruction ID: 09bd757905d4462c4cfb43c2fd8a90fdbb461089674fdfa0c4c118903e938d40
Opcode Fuzzy Hash: c90e6321c21e8170757152ffd5828284882e8311bafeae04178b06d48b048fe3
Instruction Fuzzy Hash: F8212120A09B0381FE16AB11F8555BC63B0AF78750F456436F97EC27A0EE2CE44CAA30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2AB90, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF63EC2AB9F

Part of subcall function 00007FF63EC29D60: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF63EC29D82

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF63EC2ABB4
__scrt_release_startup_lock.LIBCMT ref: 00007FF63EC2AC22
__scrt_get_show_window_mode.LIBCMT ref: 00007FF63EC2AC75
__scrt_is_managed_app.LIBCMT ref: 00007FF63EC2AC98

Strings

MZx, xrefs: 00007FF63EC2AC8A

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
String ID: MZx
API String ID: 4144305933-2575928145
Opcode ID: 30e58f7d77d9314959c3941e1e81b958be870a7e3f97932d04362d4405c0f434
Instruction ID: e4af738eca6ee62e831547151c66241ded43aff0c512f9caf352dd2238a8281b
Opcode Fuzzy Hash: 30e58f7d77d9314959c3941e1e81b958be870a7e3f97932d04362d4405c0f434
Instruction Fuzzy Hash: 76311721A0C64246FE25AB6598513FD62B1AF75384F446435F96ECB3D3CE2EA84CB270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC34AC4, Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00000003,00007FF63EC34BD7), ref: 00007FF63EC34AED
TerminateProcess.KERNEL32(?,?,00000003,00007FF63EC34BD7), ref: 00007FF63EC34AF8
ExitProcess.KERNEL32 ref: 00007FF63EC34B07

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3dd67f1416581bf9e0c8d03f5868528173d187c597f887881cfbb1e3b75360a8
Instruction ID: 5a59e3e5eeeaffa72236acc4a69168fa09c66c7f6c5c1eb262bfa412ad3e9bdc
Opcode Fuzzy Hash: 3dd67f1416581bf9e0c8d03f5868528173d187c597f887881cfbb1e3b75360a8
Instruction Fuzzy Hash: FDE04F20B0431582EB147B349C952BD2672AFA4B01F015439E82EC2396DE3DE85CA730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC392D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF63EC392F3

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 00007FF63EC392EC

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: try_get_function
String ID: AppPolicyGetProcessTerminationMethod
API String ID: 2742660187-2031265017
Opcode ID: 0ee33bcf2f392076532c211148755c603bfa5807e7bb45c1ddf4ce0e1e4b9a82
Instruction ID: 6a654cf69ed04ce21a6cb4ff32874f05a1ba05695526336b65ac832d11363814
Opcode Fuzzy Hash: 0ee33bcf2f392076532c211148755c603bfa5807e7bb45c1ddf4ce0e1e4b9a82
Instruction Fuzzy Hash: 8BE04FD1E0850691FE154795A8015B8A2319F6C370E484732F93E863E19E3C999CEA60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2AAAC, Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_fmode.LIBCMT ref: 00007FF63EC2AAC3
_RTC_Initialize.LIBCMT ref: 00007FF63EC2AAE4

Part of subcall function 00007FF63EC34E58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC34E8A

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: 6e591508efc2d5365d5a76a1ad96f94e93c6647110e43ba5251986789219c34b
Instruction ID: bf6db059be7117e703cfc6711fcb31de78a6a2774a4fdba31e80610f91eec0f2
Opcode Fuzzy Hash: 6e591508efc2d5365d5a76a1ad96f94e93c6647110e43ba5251986789219c34b
Instruction Fuzzy Hash: B2115810E0920346FE1873B049562FC02B24FB0781F442834F92DDA7D3AD2EA899A632

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC349F8, Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EC37771,?,?,?,?,00007FF63EC3975B), ref: 00007FF63EC34B3B

Part of subcall function 00007FF63EC34A68: GetModuleHandleExW.KERNEL32 ref: 00007FF63EC34A84
Part of subcall function 00007FF63EC34A68: GetProcAddress.KERNEL32 ref: 00007FF63EC34A9A
Part of subcall function 00007FF63EC34A68: FreeLibrary.KERNEL32 ref: 00007FF63EC34AB7

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ad0b6c8c18660d1b11e8c5c70b0d1bbfb5c01e0827e39ccbe49000612891cb51
Instruction ID: 431cb37934efb7d0fb4ad756568d7f773b24ee5c129ac23b4a896dcfd2bb718d
Opcode Fuzzy Hash: ad0b6c8c18660d1b11e8c5c70b0d1bbfb5c01e0827e39ccbe49000612891cb51
Instruction Fuzzy Hash: 7E216932E04A418AEB119F64C8403EC33B4FB5471CF04553AE62D82B89DF7DD589DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3DFD0, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC3DFFB

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5f4a2476c7093d8de22d6614e3f9c9decae07cef510fc887f15bdf7dd5a96ddb
Instruction ID: e0882d90c6df31e39c410639cb2193b2daa5271b864eb93fb8620bad68f83180
Opcode Fuzzy Hash: 5f4a2476c7093d8de22d6614e3f9c9decae07cef510fc887f15bdf7dd5a96ddb
Instruction Fuzzy Hash: 7C115532A187428AE6109B15A88017DA3B4EBA0740F850535F6BDC77A2DE3CF919AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3C4D8, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF63EC39861,?,?,000000F8,00007FF63EC3B195,?,?,?,?,00007FF63EC3A971), ref: 00007FF63EC3C52D

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 50ee23321bb0392af5e36db0a14a67e004919aab705170532cb16fd1e2da9a79
Instruction ID: e5d63115faa7ce1ce6dd32859cddbbe281d13826e2be46feb9a7a7b1436d3f9e
Opcode Fuzzy Hash: 50ee23321bb0392af5e36db0a14a67e004919aab705170532cb16fd1e2da9a79
Instruction Fuzzy Hash: FAF06D44B0920681FE5556A66C21BFC12A05FA8B80F4C4530FD2EC63C2DE2CE889B230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3B264, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,0000000100000002,00007FF63EC41B15,?,?,00000000,00007FF63EC3DBCF,?,?,0000000100000002,00007FF63EC35377,00000000,00000000,?,00007FF63EC355AD), ref: 00007FF63EC3B2A2

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6da3bee6b59dccd8d17a81d4324de9a97876941589f4a15ec500e38210a561e7
Instruction ID: a193c86a76286cac55b3e034540cc2417d0f2cf74e18e0bdac58e6eb0dc0515f
Opcode Fuzzy Hash: 6da3bee6b59dccd8d17a81d4324de9a97876941589f4a15ec500e38210a561e7
Instruction Fuzzy Hash: F3F0F200F1D20381FE656AA25D416BD22A15FB97A0F090730F93EC63C2DE2DE898A630

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC41AF8, Relevance: 1.3, APIs: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF63EC3B264: RtlAllocateHeap.NTDLL(?,?,0000000100000002,00007FF63EC41B15,?,?,00000000,00007FF63EC3DBCF,?,?,0000000100000002,00007FF63EC35377,00000000,00000000,?,00007FF63EC355AD), ref: 00007FF63EC3B2A2

HeapReAlloc.KERNEL32(?,?,00000000,00007FF63EC3DBCF,?,?,0000000100000002,00007FF63EC35377,00000000,00000000,?,00007FF63EC355AD,?,?,000000F8,00007FF63EC3526E), ref: 00007FF63EC41B65

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: 185bad2c8ce41f127a627d581bddb9ac587d1fb32a341f829627fe44d33ae8b4
Instruction ID: 6238e92397e89958f5286757435308570bd0f73b60c2be3c8514a60f847a4b71
Opcode Fuzzy Hash: 185bad2c8ce41f127a627d581bddb9ac587d1fb32a341f829627fe44d33ae8b4
Instruction Fuzzy Hash: 1E014F90E0C24384FD666763A9412BD11701F757A0F084232F9BDC73D2ED2CE8586A20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF63EC103FD, Relevance: 87.7, APIs: 45, Strings: 3, Instructions: 3731memorytimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF63EC10AE3
VariantInit.OLEAUT32 ref: 00007FF63EC115E8
VariantInit.OLEAUT32 ref: 00007FF63EC1160A
VariantInit.OLEAUT32 ref: 00007FF63EC1162C
VariantInit.OLEAUT32 ref: 00007FF63EC1164D
VariantClear.OLEAUT32 ref: 00007FF63EC1168C
VariantClear.OLEAUT32 ref: 00007FF63EC11695
VariantClear.OLEAUT32 ref: 00007FF63EC1169E
VariantClear.OLEAUT32 ref: 00007FF63EC116A7
SysAllocString.OLEAUT32 ref: 00007FF63EC116E2
SysFreeString.OLEAUT32 ref: 00007FF63EC11725

Part of subcall function 00007FF63EC15E0C: LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF63EC11999), ref: 00007FF63EC15E72

VariantClear.OLEAUT32 ref: 00007FF63EC11833
SysFreeString.OLEAUT32 ref: 00007FF63EC11916
VariantClear.OLEAUT32 ref: 00007FF63EC139EA
VariantClear.OLEAUT32 ref: 00007FF63EC139F3
VariantClear.OLEAUT32 ref: 00007FF63EC139FC
VariantClear.OLEAUT32 ref: 00007FF63EC13A05

Strings

@, xrefs: 00007FF63EC134AC
AnchorDNS.cpp, xrefs: 00007FF63EC11903, 00007FF63EC1194E, 00007FF63EC119A8, 00007FF63EC119ED, 00007FF63EC11A21, 00007FF63EC11A49, 00007FF63EC11AFD, 00007FF63EC11C1B, 00007FF63EC11CD0, 00007FF63EC11DFF, 00007FF63EC11E51, 00007FF63EC11F27, 00007FF63EC11F66, 00007FF63EC11FB0, 00007FF63EC11FEE, 00007FF63EC12236, 00007FF63EC1274D, 00007FF63EC12809, 00007FF63EC12E85, 00007FF63EC12EE6, 00007FF63EC132F6, 00007FF63EC133D2, 00007FF63EC13857
%iM, xrefs: 00007FF63EC1237D

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Variant$Clear$Init$FreeString$Local$AllocTime
String ID: %iM$@$AnchorDNS.cpp
API String ID: 2740604783-121187856
Opcode ID: 21d90337bb69b6b6baac76ed175b79abc14d48f35b04f2e97a9a73dbcba91590
Instruction ID: 7d0759be24ee10c66a08fa4cd50cc09819cf5f37c449a2e9a482128f57d74937
Opcode Fuzzy Hash: 21d90337bb69b6b6baac76ed175b79abc14d48f35b04f2e97a9a73dbcba91590
Instruction Fuzzy Hash: 2363E2236096C18FEB21CF38D4903EE3BB2EB66758F059125DA5987392DE39D60ED710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC012B6, Relevance: 78.9, Strings: 63, Instructions: 199COMMON

Download Yara Rule

Strings

), xrefs: 00007FF63EC013F2
t, xrefs: 00007FF63EC0137A
,, xrefs: 00007FF63EC013D9
r, xrefs: 00007FF63EC01398
Y, xrefs: 00007FF63EC012E9
J, xrefs: 00007FF63EC0133E
[, xrefs: 00007FF63EC012F3
x, xrefs: 00007FF63EC01366
Q, xrefs: 00007FF63EC01311
z, xrefs: 00007FF63EC01370
^, xrefs: 00007FF63EC012DA
q, xrefs: 00007FF63EC01393
s, xrefs: 00007FF63EC0139D
D, xrefs: 00007FF63EC01348
d, xrefs: 00007FF63EC013CA
k, xrefs: 00007FF63EC013C5
e, xrefs: 00007FF63EC013CF
(, xrefs: 00007FF63EC013ED
/, xrefs: 00007FF63EC013E8
], xrefs: 00007FF63EC012D5
m, xrefs: 00007FF63EC013A7
W, xrefs: 00007FF63EC01307
U, xrefs: 00007FF63EC012FD
u, xrefs: 00007FF63EC0137F
{, xrefs: 00007FF63EC01375
P, xrefs: 00007FF63EC0130C
V, xrefs: 00007FF63EC01302
~, xrefs: 00007FF63EC0135C
7, xrefs: 00007FF63EC0140B
N, xrefs: 00007FF63EC0132A
K, xrefs: 00007FF63EC01343
f, xrefs: 00007FF63EC013D4
j, xrefs: 00007FF63EC013C0
-, xrefs: 00007FF63EC013DE
E, xrefs: 00007FF63EC0134D
Z, xrefs: 00007FF63EC012EE
n, xrefs: 00007FF63EC013AC
S, xrefs: 00007FF63EC0131B
_, xrefs: 00007FF63EC012DF
%, xrefs: 00007FF63EC01406
}, xrefs: 00007FF63EC01357
*, xrefs: 00007FF63EC013F7
v, xrefs: 00007FF63EC01384
$, xrefs: 00007FF63EC01401
T, xrefs: 00007FF63EC012F8
i, xrefs: 00007FF63EC013BB
M, xrefs: 00007FF63EC01325
R, xrefs: 00007FF63EC01316
L, xrefs: 00007FF63EC01320
o, xrefs: 00007FF63EC013B1
I, xrefs: 00007FF63EC01339
O, xrefs: 00007FF63EC0132F
l, xrefs: 00007FF63EC013A2
X, xrefs: 00007FF63EC012E4
y, xrefs: 00007FF63EC0136B
w, xrefs: 00007FF63EC01389
3, xrefs: 00007FF63EC01410
., xrefs: 00007FF63EC013E3
p, xrefs: 00007FF63EC0138E
F, xrefs: 00007FF63EC01352
H, xrefs: 00007FF63EC01334
+, xrefs: 00007FF63EC013FC
h, xrefs: 00007FF63EC013B6

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: $$%$($)$*$+$,$-$.$/$3$7$D$E$F$H$I$J$K$L$M$N$O$P$Q$R$S$T$U$V$W$X$Y$Z$[$]$^$_$d$e$f$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z${$}$~
API String ID: 0-1365822169
Opcode ID: 590e0402bee17ec44ebb9210a0617c2d0f30fdc08742d61b04fab8db75b1eb80
Instruction ID: 824f1778e576c6e5b4679570805aa310ed7af6184b336593c26a1d90cadfba2d
Opcode Fuzzy Hash: 590e0402bee17ec44ebb9210a0617c2d0f30fdc08742d61b04fab8db75b1eb80
Instruction Fuzzy Hash: 96915C5350D2C089E3128639A44839FFFA183B3358F0C5199E7D90BB9BC2AED449DF22

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC020D8, Relevance: 69.8, APIs: 3, Strings: 36, Instructions: 1515COMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 00007FF63EC023AD
_Init_thread_header.LIBCMT ref: 00007FF63EC023F8
_Init_thread_header.LIBCMT ref: 00007FF63EC03320

Part of subcall function 00007FF63EC2999C: EnterCriticalSection.KERNEL32(?,?,00000007,00007FF63EC063F7,?,?,?,?,00007FF63EC064A6), ref: 00007FF63EC299AC

Strings

j, xrefs: 00007FF63EC0314A
[, xrefs: 00007FF63EC02E20
v, xrefs: 00007FF63EC02D11
X, xrefs: 00007FF63EC0240A
^, xrefs: 00007FF63EC02CFD
x, xrefs: 00007FF63EC0315E
e, xrefs: 00007FF63EC03154
6, xrefs: 00007FF63EC02E6B
<, xrefs: 00007FF63EC02E7A
h, xrefs: 00007FF63EC02E2F
u, xrefs: 00007FF63EC02D07
r, xrefs: 00007FF63EC0241E
n, xrefs: 00007FF63EC02415
}, xrefs: 00007FF63EC02D37
r, xrefs: 00007FF63EC02E2A
z, xrefs: 00007FF63EC02423
W, xrefs: 00007FF63EC02E49
t, xrefs: 00007FF63EC03163
s, xrefs: 00007FF63EC02E34
Y, xrefs: 00007FF63EC02D61
o, xrefs: 00007FF63EC0314F
w, xrefs: 00007FF63EC02E3E
Z, xrefs: 00007FF63EC02D26
m, xrefs: 00007FF63EC02E25
p, xrefs: 00007FF63EC03159
{, xrefs: 00007FF63EC02E39
p, xrefs: 00007FF63EC02D02
k, xrefs: 00007FF63EC02D0C
?, xrefs: 00007FF63EC02D58
!, xrefs: 00007FF63EC03168
z, xrefs: 00007FF63EC02E5A
Y, xrefs: 00007FF63EC0316D
~, xrefs: 00007FF63EC02D16
Q, xrefs: 00007FF63EC03172
z, xrefs: 00007FF63EC02D1B
X, xrefs: 00007FF63EC03145

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Init_thread_header$CriticalEnterSection
String ID: !$6$<$?$Q$W$X$X$Y$Y$Z$[$^$e$h$j$k$m$n$o$p$p$r$r$s$t$u$v$w$x$z$z$z${$}$~
API String ID: 640747144-3305837859
Opcode ID: d289debaf4cabb33d861810eae78fdffde80523ce52a8c9c752a87a1d7701e8c
Instruction ID: a2ae06ab7dade61076e8fe8643392d4832ddf3930bec9a9d79bd4ccc98e1de81
Opcode Fuzzy Hash: d289debaf4cabb33d861810eae78fdffde80523ce52a8c9c752a87a1d7701e8c
Instruction Fuzzy Hash: DAC2CF63A092C18EE715CA3891843CE7FA2E373314F05A425D39487797DB6AEA2FD711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2FF60, Relevance: 40.4, APIs: 20, Strings: 2, Instructions: 1864COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF63EC30C7C
memcpy_s.LIBCPMT ref: 00007FF63EC30D11
memcpy_s.LIBCPMT ref: 00007FF63EC31409
memcpy_s.LIBCPMT ref: 00007FF63EC31450
memcpy_s.LIBCPMT ref: 00007FF63EC31684
memcpy_s.LIBCPMT ref: 00007FF63EC316ED
memcpy_s.LIBCPMT ref: 00007FF63EC31728
memcpy_s.LIBCPMT ref: 00007FF63EC317D0
memcpy_s.LIBCPMT ref: 00007FF63EC319E4
memcpy_s.LIBCPMT ref: 00007FF63EC30EC3

Part of subcall function 00007FF63EC2F400: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC2F432

memcpy_s.LIBCPMT ref: 00007FF63EC31099
memcpy_s.LIBCPMT ref: 00007FF63EC31187
memcpy_s.LIBCPMT ref: 00007FF63EC311BD
memcpy_s.LIBCPMT ref: 00007FF63EC31252
memcpy_s.LIBCPMT ref: 00007FF63EC31363
memcpy_s.LIBCPMT ref: 00007FF63EC31BB3

Strings

MZx, xrefs: 00007FF63EC2FF93, 00007FF63EC30191, 00007FF63EC30506, 00007FF63EC305C9, 00007FF63EC3067E, 00007FF63EC306CC, 00007FF63EC30A62, 00007FF63EC30D7A, 00007FF63EC30DAF, 00007FF63EC310D7, 00007FF63EC312BF, 00007FF63EC312F4, 00007FF63EC316BF
, xrefs: 00007FF63EC319F6

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $MZx
API String ID: 2880407647-1316729395
Opcode ID: bc193ee7fd2add63f8d1ef46771125166fe55af57fce5cc31dc074751e44201c
Instruction ID: 5ff72ee239c39e325cbb4beebc3d241739d752719f86193d54a377a9088e31d1
Opcode Fuzzy Hash: bc193ee7fd2add63f8d1ef46771125166fe55af57fce5cc31dc074751e44201c
Instruction Fuzzy Hash: E503E6B2A181928FD7758E24D8407FD37B5F7A878CF001135EA5A97B49DF3CAA089B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC216CE, Relevance: 38.8, APIs: 9, Strings: 13, Instructions: 347injectionmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 00007FF63EC21747
WriteProcessMemory.KERNEL32 ref: 00007FF63EC21776
CreateRemoteThread.KERNEL32 ref: 00007FF63EC217A3
CloseHandle.KERNEL32 ref: 00007FF63EC217B5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF63EC1D634,?,00000000,000000F5,0000006B,00000021,000000F4,00007FF63EC2160C), ref: 00007FF63EC217C0
GetLastError.KERNEL32 ref: 00007FF63EC218C0
GetLastError.KERNEL32 ref: 00007FF63EC219EF
GetLastError.KERNEL32 ref: 00007FF63EC21ADC
CloseHandle.KERNEL32 ref: 00007FF63EC21BD7

Strings

W, xrefs: 00007FF63EC21B24
y, xrefs: 00007FF63EC21A5F
n, xrefs: 00007FF63EC21B9F
*, xrefs: 00007FF63EC21B9A
Y, xrefs: 00007FF63EC21B42
1, xrefs: 00007FF63EC21B5F
@, xrefs: 00007FF63EC21731
p, xrefs: 00007FF63EC21AA0
\, xrefs: 00007FF63EC21A32
r, xrefs: 00007FF63EC21B2D
m, xrefs: 00007FF63EC219FD
H, xrefs: 00007FF63EC21B04
m, xrefs: 00007FF63EC21B47

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorLast$CloseHandle$AllocCreateMemoryProcessRemoteThreadVirtualWrite
String ID: *$1$@$H$W$Y$\$m$m$n$p$r$y
API String ID: 2672033360-2450132792
Opcode ID: 509527a9178011772fbb75b66973a6ae0779f64e2d2f48fec426633055b94f00
Instruction ID: 524ca1265d28a81b101889b1ef312625816160408e1b5e076d870be14a1e2b7c
Opcode Fuzzy Hash: 509527a9178011772fbb75b66973a6ae0779f64e2d2f48fec426633055b94f00
Instruction Fuzzy Hash: FFF14B1350E3C0C9D712877C645028EAFE197B3A48F2C8099E7D5077A6CAAFC51ADB76

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC25414, Relevance: 35.8, APIs: 1, Strings: 21, Instructions: 2813sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF63EC254DC

Strings

k, xrefs: 00007FF63EC261E2
v, xrefs: 00007FF63EC26409
u, xrefs: 00007FF63EC26281
c, xrefs: 00007FF63EC2741B
~, xrefs: 00007FF63EC263CB
z, xrefs: 00007FF63EC274DA
Z, xrefs: 00007FF63EC2740A
@, xrefs: 00007FF63EC264E3
Y, xrefs: 00007FF63EC27480
Z, xrefs: 00007FF63EC263E3
o, xrefs: 00007FF63EC273D9
t, xrefs: 00007FF63EC26397
{, xrefs: 00007FF63EC27497
1, xrefs: 00007FF63EC27520
w, xrefs: 00007FF63EC263A7
V, xrefs: 00007FF63EC263D3
y, xrefs: 00007FF63EC2748F
t, xrefs: 00007FF63EC26236
,, xrefs: 00007FF63EC262C7
b, xrefs: 00007FF63EC27447
m, xrefs: 00007FF63EC263DB

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Sleep
String ID: ,$1$@$V$Y$Z$Z$b$c$k$m$o$t$t$u$v$w$y$z${$~
API String ID: 3472027048-1889956645
Opcode ID: b883412409f385da3dccdaedf41a5f72889cee189f3be9252496c239270b3145
Instruction ID: becf506b2f34c5a60e59b016b3b3a0e3b1b9732f32f3d588a8556f25fa39b074
Opcode Fuzzy Hash: b883412409f385da3dccdaedf41a5f72889cee189f3be9252496c239270b3145
Instruction Fuzzy Hash: AF23082365E2C18FE721CB3C90947CF7FA1D376318F29A558C791073A3C66A860ADB65

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0176B, Relevance: 33.2, Strings: 26, Instructions: 707COMMON

Download Yara Rule

Strings

K, xrefs: 00007FF63EC01C1D
\, xrefs: 00007FF63EC01BE1
a, xrefs: 00007FF63EC01C0E
R, xrefs: 00007FF63EC01BCD
P, xrefs: 00007FF63EC01BF0
^, xrefs: 00007FF63EC01BC8
c, xrefs: 00007FF63EC01C09
M, xrefs: 00007FF63EC01BE6
[, xrefs: 00007FF63EC01BB9
_, xrefs: 00007FF63EC01C18
T, xrefs: 00007FF63EC01BFF
U, xrefs: 00007FF63EC01C04
X, xrefs: 00007FF63EC01BD2
W, xrefs: 00007FF63EC01C22
N, xrefs: 00007FF63EC01BB4
Z, xrefs: 00007FF63EC01BAA
J, xrefs: 00007FF63EC01BDC
S, xrefs: 00007FF63EC01BFA
Q, xrefs: 00007FF63EC01BF5
b, xrefs: 00007FF63EC01BC3
`, xrefs: 00007FF63EC01BAF
], xrefs: 00007FF63EC01BBE
V, xrefs: 00007FF63EC01C27
Y, xrefs: 00007FF63EC01BD7
L, xrefs: 00007FF63EC01C13
O, xrefs: 00007FF63EC01BEB

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: J$K$L$M$N$O$P$Q$R$S$T$U$V$W$X$Y$Z$[$\$]$^$_$`$a$b$c
API String ID: 0-709081789
Opcode ID: 95e4a524beecc5d3375392c90eb3e29f890008fe832452cbeb287093093b9316
Instruction ID: 5befff55eabf4d1d3c59964fb2b1b1ddab650d3d35693bc504f4217be43962dd
Opcode Fuzzy Hash: 95e4a524beecc5d3375392c90eb3e29f890008fe832452cbeb287093093b9316
Instruction Fuzzy Hash: 8F42F523B5E6914FFB01CA3494A53DF6B92C372328F19A529DB65077C7CA2D8A0DDB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC27CCC, Relevance: 26.6, APIs: 2, Strings: 13, Instructions: 341sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63EC28250: GetTickCount.KERNEL32 ref: 00007FF63EC282AE
Part of subcall function 00007FF63EC28250: UuidCreate.RPCRT4 ref: 00007FF63EC282DB

Sleep.KERNEL32 ref: 00007FF63EC27ECC
htonl.WS2_32 ref: 00007FF63EC2806F

Strings

v, xrefs: 00007FF63EC27F49
w, xrefs: 00007FF63EC27F16
q, xrefs: 00007FF63EC27DB1
~, xrefs: 00007FF63EC27F33
i, xrefs: 00007FF63EC27F44
n, xrefs: 00007FF63EC27F1B
o, xrefs: 00007FF63EC27DF4
d, xrefs: 00007FF63EC27DE2
x, xrefs: 00007FF63EC27DEB
u, xrefs: 00007FF63EC27DB6
-, xrefs: 00007FF63EC27F8D
v, xrefs: 00007FF63EC27E16
y, xrefs: 00007FF63EC27DC9

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CountCreateSleepTickUuidhtonl
String ID: -$d$i$n$o$q$u$v$v$w$x$y$~
API String ID: 3289394829-175494460
Opcode ID: 128d2acbc99dae409a441b2b5b9585aaca3754f24f26254c70192992c32f7fd9
Instruction ID: 746228a32930e15b4d5f09e8237f9a2050edf96cfe808915af51cf0adb975cc1
Opcode Fuzzy Hash: 128d2acbc99dae409a441b2b5b9585aaca3754f24f26254c70192992c32f7fd9
Instruction Fuzzy Hash: 57E1A82350C6C08AD721CA29A44039FBBA1F7B6794F185164EBD887BD9CE7CD409DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3FB64, Relevance: 25.7, APIs: 9, Strings: 5, Instructions: 1207COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF63EC3FBAD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC401B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC4037B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC40582
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC40846
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC40A41
memcpy_s.LIBCPMT ref: 00007FF63EC40B2F
memcpy_s.LIBCPMT ref: 00007FF63EC40BDA
memcpy_s.LIBCPMT ref: 00007FF63EC40CA3

Strings

1#QNAN, xrefs: 00007FF63EC40D5B
MZx, xrefs: 00007FF63EC401D7, 00007FF63EC4023E, 00007FF63EC405A5, 00007FF63EC406CA, 00007FF63EC4072D, 00007FF63EC40A5E
1#IND, xrefs: 00007FF63EC40D49
1#INF, xrefs: 00007FF63EC40D77
1#SNAN, xrefs: 00007FF63EC40D52

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$MZx
API String ID: 808467561-2638907429
Opcode ID: d012cead53beefa769b0082b3f3d7855ca9d1f1ad9093c85bdf3b4fc5cd47282
Instruction ID: bad7f8aa8d68efe488ae8383e9c333679dbd8fa86b69c59ffc2127ccf49548ea
Opcode Fuzzy Hash: d012cead53beefa769b0082b3f3d7855ca9d1f1ad9093c85bdf3b4fc5cd47282
Instruction Fuzzy Hash: 74B20972A581828AE7768E24D4417FD37B1FB64388F501136EA2A97B85DF3CE908DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0F80E, Relevance: 25.3, APIs: 1, Strings: 13, Instructions: 838COMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 00007FF63EC103B7

Strings

C, xrefs: 00007FF63EC10243
t, xrefs: 00007FF63EC1022C
W, xrefs: 00007FF63EC10231
m, xrefs: 00007FF63EC0FE4F
m, xrefs: 00007FF63EC1032F
-, xrefs: 00007FF63EC0FE9C
t, xrefs: 00007FF63EC0FE6A
u, xrefs: 00007FF63EC1029D
u, xrefs: 00007FF63EC0FE32
], xrefs: 00007FF63EC10219
v, xrefs: 00007FF63EC1023A
5, xrefs: 00007FF63EC102EE
p, xrefs: 00007FF63EC10206

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Init_thread_header
String ID: -$5$C$W$]$m$m$p$t$t$u$u$v
API String ID: 3738618077-576874599
Opcode ID: bcbf8ffac54b1773aa721f673119574997edb21e1206f49bdf9cb5a6c40c426a
Instruction ID: 11f6da7a9bc0730765301125a582d25b96c1edb7b8fe1a22bace4be094e1e7bc
Opcode Fuzzy Hash: bcbf8ffac54b1773aa721f673119574997edb21e1206f49bdf9cb5a6c40c426a
Instruction Fuzzy Hash: E872062360E3C08AE711C738A4403DEAFA1D772758F188669E7A4477D7CA6ED50EDB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1FBB4, Relevance: 24.2, Strings: 19, Instructions: 477COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF63EC1FC08
g, xrefs: 00007FF63EC1FFEC
g, xrefs: 00007FF63EC1FF10
u, xrefs: 00007FF63EC1FBF8
1, xrefs: 00007FF63EC1FF15
m, xrefs: 00007FF63EC1FBE8
r, xrefs: 00007FF63EC1FFF1
p, xrefs: 00007FF63EC1FF0B
4, xrefs: 00007FF63EC1FFFA
s, xrefs: 00007FF63EC1FBE0
{, xrefs: 00007FF63EC1FF20
8, xrefs: 00007FF63EC1FC00
|, xrefs: 00007FF63EC1FBD0
3, xrefs: 00007FF63EC1FC10
n, xrefs: 00007FF63EC1FBD8
f, xrefs: 00007FF63EC1FF06
}, xrefs: 00007FF63EC1FC21
~, xrefs: 00007FF63EC20005
q, xrefs: 00007FF63EC1FBF0

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 1$3$4$7$8$f$g$g$m$n$p$q$r$s$u${$|$}$~
API String ID: 3215553584-3385196127
Opcode ID: a4fb933015b4370a8789d106c28e4a7b97fb32e8a639dea17fde7982e115794c
Instruction ID: 194d2b66e141250e58479cf1d80d614a8832be2716659c3da2b55badea8ed161
Opcode Fuzzy Hash: a4fb933015b4370a8789d106c28e4a7b97fb32e8a639dea17fde7982e115794c
Instruction Fuzzy Hash: A602AB2364E3C08EE722CA7890557CA7FA1D373304F0A945AD2C44B797D6BE950EDB22

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2048A, Relevance: 24.2, APIs: 12, Strings: 1, Instructions: 1475sleepCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF63EC2084C
OpenProcessToken.ADVAPI32 ref: 00007FF63EC2085D
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF63EC20888
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF63EC208AB
CloseHandle.KERNEL32 ref: 00007FF63EC208C9
CreateDesktopA.USER32 ref: 00007FF63EC2093C
Sleep.KERNEL32 ref: 00007FF63EC209A8
CloseDesktop.USER32 ref: 00007FF63EC20F5C
GetLastError.KERNEL32 ref: 00007FF63EC20F83
GetLastError.KERNEL32 ref: 00007FF63EC21406
GetLastError.KERNEL32 ref: 00007FF63EC214D8
CloseHandle.KERNEL32 ref: 00007FF63EC215B9

Strings

SeDebugPrivilege, xrefs: 00007FF63EC2087F

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CloseErrorLast$DesktopHandleProcessToken$AdjustCreateCurrentLookupOpenPrivilegePrivilegesSleepValue
String ID: SeDebugPrivilege
API String ID: 424851636-2896544425
Opcode ID: 70dd4c4aaec2ce1fd2c9a64400d0de6192bb0fecf6f34e628cd92d7b906293ec
Instruction ID: eedad4c2ae2c1fa7dc507c0cdfe088e3f1d163f1dd63e9894e0ba31ac93479a2
Opcode Fuzzy Hash: 70dd4c4aaec2ce1fd2c9a64400d0de6192bb0fecf6f34e628cd92d7b906293ec
Instruction Fuzzy Hash: D5C213236092C08FEB15CE3884A57DE3FE2D332368F296919E754477DBCA2A850ED715

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC22C2F, Relevance: 23.2, APIs: 2, Strings: 13, Instructions: 679COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63EC23199
GetLastError.KERNEL32 ref: 00007FF63EC234B3

Strings

|, xrefs: 00007FF63EC22DE4
B, xrefs: 00007FF63EC22D7C
[, xrefs: 00007FF63EC22DCD
m, xrefs: 00007FF63EC22DEC
;, xrefs: 00007FF63EC22DFC
w, xrefs: 00007FF63EC22DAD
_, xrefs: 00007FF63EC22D8D
u, xrefs: 00007FF63EC22DF4
v, xrefs: 00007FF63EC22D9D
:, xrefs: 00007FF63EC22E04
K, xrefs: 00007FF63EC22D74
q, xrefs: 00007FF63EC22D95
l, xrefs: 00007FF63EC22DA5

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorLast
String ID: :$;$B$K$[$_$l$m$q$u$v$w$|
API String ID: 1452528299-116905044
Opcode ID: 0513b9e020c650c038df537f902685702b3668b7bf956292b96d5c65e824962a
Instruction ID: d6cab10637043864c9104e9e3fcfe329b673a8d6aa4020a6a5ba38ba2cd04a30
Opcode Fuzzy Hash: 0513b9e020c650c038df537f902685702b3668b7bf956292b96d5c65e824962a
Instruction Fuzzy Hash: EF52F41364E7C189EB22873C94403DE7FA0D736B48F2D9169D789073A3DA6AC60BD725

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1DB2C, Relevance: 20.6, APIs: 1, Strings: 12, Instructions: 1136COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63EC1DF2B

Strings

u, xrefs: 00007FF63EC1E813
s, xrefs: 00007FF63EC1E9B9
, xrefs: 00007FF63EC1DD6C
h, xrefs: 00007FF63EC1DBEA
y, xrefs: 00007FF63EC1DE19
S, xrefs: 00007FF63EC1DEBC
], xrefs: 00007FF63EC1E940
r, xrefs: 00007FF63EC1E7D2
O, xrefs: 00007FF63EC1DEC4
a, xrefs: 00007FF63EC1E7F9
i, xrefs: 00007FF63EC1DDF0
6, xrefs: 00007FF63EC1E94F

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorLast
String ID: $6$O$S$]$a$h$i$r$s$u$y
API String ID: 1452528299-3945959020
Opcode ID: 15539a1ea54178624e94140e6e54b061f5b9f23d1ee489a3d026fef316606662
Instruction ID: d4163f75736f1eabc0fc01d74bc90aad077f6e73b13912a8e7ea2f8e0d5ada16
Opcode Fuzzy Hash: 15539a1ea54178624e94140e6e54b061f5b9f23d1ee489a3d026fef316606662
Instruction Fuzzy Hash: 3192AF2374F2C09ED722CA7C90902CE7FA1D777708F19A519D6C4477A3C66A860BEB25

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC174C4, Relevance: 20.5, Strings: 16, Instructions: 479COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF63EC17A06
a, xrefs: 00007FF63EC179AE
E, xrefs: 00007FF63EC179F3
g, xrefs: 00007FF63EC17A3E
m, xrefs: 00007FF63EC17A5E
thExecute, xrefs: 00007FF63EC1791C
s, xrefs: 00007FF63EC17A48
i, xrefs: 00007FF63EC17A43
d, xrefs: 00007FF63EC179B9
x, xrefs: 00007FF63EC179F8
k, xrefs: 00007FF63EC179CF
hardWorker.cpp, xrefs: 00007FF63EC17923
c, xrefs: 00007FF63EC17A01
W, xrefs: 00007FF63EC179BE
y, xrefs: 00007FF63EC17A55
C, xrefs: 00007FF63EC179A1

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: C$E$W$a$c$d$g$hardWorker.cpp$i$k$m$s$thExecute$u$x$y
API String ID: 0-4044612007
Opcode ID: 528565641a5fa59965e7094b39c86091d7e099151dbf63dc0e9e00202449089f
Instruction ID: da231b36a499258c9a06879ba382431ccc6390a4e37ed66917aa034631f76d40
Opcode Fuzzy Hash: 528565641a5fa59965e7094b39c86091d7e099151dbf63dc0e9e00202449089f
Instruction Fuzzy Hash: 9002F22761D1C08FF715CA35A0E96DF7FA2C3B6364F156458E69103393CA2AC60EDB25

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0AED2, Relevance: 18.9, Strings: 15, Instructions: 161COMMON

Download Yara Rule

Strings

q, xrefs: 00007FF63EC0AF27
I, xrefs: 00007FF63EC0AF49
i, xrefs: 00007FF63EC0AEFC
[, xrefs: 00007FF63EC0AF0F
w, xrefs: 00007FF63EC0AF44
Q, xrefs: 00007FF63EC0AF35
l, xrefs: 00007FF63EC0AF0A
n, xrefs: 00007FF63EC0AF3F
V, xrefs: 00007FF63EC0AEF7
}, xrefs: 00007FF63EC0AF1D
z, xrefs: 00007FF63EC0AF22
v, xrefs: 00007FF63EC0AF3A
u, xrefs: 00007FF63EC0AF01
O, xrefs: 00007FF63EC0AEE6
k, xrefs: 00007FF63EC0AF18

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: I$O$Q$V$[$i$k$l$n$q$u$v$w$z$}
API String ID: 0-1532506219
Opcode ID: 25f010a9121cdf5fe0438b17a91793d7a998d18be7759f3303dbe55dca6b5570
Instruction ID: 9576c908703423f6dbc276edefb3693aa1a46aba4fabdaf5ed96143dc1d4f8d3
Opcode Fuzzy Hash: 25f010a9121cdf5fe0438b17a91793d7a998d18be7759f3303dbe55dca6b5570
Instruction Fuzzy Hash: C8516F2361E2C08AE711C63D9584B8EAF62C3B3768F28D255D794177E7C26FD90B8B11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1614C, Relevance: 18.3, APIs: 12, Instructions: 260memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF63EC16217
VariantInit.OLEAUT32 ref: 00007FF63EC16233
VariantInit.OLEAUT32 ref: 00007FF63EC16252
VariantInit.OLEAUT32 ref: 00007FF63EC16270
VariantClear.OLEAUT32 ref: 00007FF63EC162AC
VariantClear.OLEAUT32 ref: 00007FF63EC162B5
VariantClear.OLEAUT32 ref: 00007FF63EC162BB
VariantClear.OLEAUT32 ref: 00007FF63EC162C1
SysAllocString.OLEAUT32 ref: 00007FF63EC162F5
SysFreeString.OLEAUT32 ref: 00007FF63EC16338
SysAllocString.OLEAUT32 ref: 00007FF63EC163A6
SysFreeString.OLEAUT32 ref: 00007FF63EC163F3

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Variant$ClearInitString$AllocFree
String ID:
API String ID: 1107635823-0
Opcode ID: 5dbce6b5678e906daa497a8fe069cedab797123d3a809188e671a20ac9afd09d
Instruction ID: afa1af70c2c23eec38c1295cb83bce0ad0f8aae8613324c07a70226d495e4c1e
Opcode Fuzzy Hash: 5dbce6b5678e906daa497a8fe069cedab797123d3a809188e671a20ac9afd09d
Instruction Fuzzy Hash: 51B1BF32A05B4686EB24DB65E9103AC23B0FF64B98F044132EE6D87785DF38E589D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC27CCD, Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 262sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63EC28250: GetTickCount.KERNEL32 ref: 00007FF63EC282AE
Part of subcall function 00007FF63EC28250: UuidCreate.RPCRT4 ref: 00007FF63EC282DB

Sleep.KERNEL32 ref: 00007FF63EC27ECC
htonl.WS2_32 ref: 00007FF63EC2806F

Strings

o, xrefs: 00007FF63EC27DF4
d, xrefs: 00007FF63EC27DE2
x, xrefs: 00007FF63EC27DEB
u, xrefs: 00007FF63EC27DB6
q, xrefs: 00007FF63EC27DB1
%, xrefs: 00007FF63EC27E4A
v, xrefs: 00007FF63EC27E16
y, xrefs: 00007FF63EC27DC9

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CountCreateSleepTickUuidhtonl
String ID: %$d$o$q$u$v$x$y
API String ID: 3289394829-2334579308
Opcode ID: d322d65621f5a739180624087787dc2bb8428771ec4983662acf44e31363ed38
Instruction ID: 7b5293c18597e7fbdd68a79c577eb30a6885406828b8104bbcb42508ab5236a4
Opcode Fuzzy Hash: d322d65621f5a739180624087787dc2bb8428771ec4983662acf44e31363ed38
Instruction Fuzzy Hash: 0DB1C52360C6C08AD721CB29A4403AEABA1F7B5794F585134FBED87B99CE7CD409DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0E8EC, Relevance: 14.4, Strings: 11, Instructions: 646COMMON

Download Yara Rule

Strings

j, xrefs: 00007FF63EC0F03A
/, xrefs: 00007FF63EC0F09F
v, xrefs: 00007FF63EC0EF83
n, xrefs: 00007FF63EC0F024
q, xrefs: 00007FF63EC0F059
., xrefs: 00007FF63EC0F097
R, xrefs: 00007FF63EC0EFB0
t, xrefs: 00007FF63EC0F08F
I, xrefs: 00007FF63EC0F01C
], xrefs: 00007FF63EC0F042
{, xrefs: 00007FF63EC0F087

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: .$/$I$R$]$j$n$q$t$v${
API String ID: 0-3027042243
Opcode ID: e3f05266b6695d7b907c3ace667c789df552f0161a1971962b81a190934c847e
Instruction ID: 7963f061bc8bc52b730e17d7392fcc2a3e1ae0103382330df9ee8087e37c4289
Opcode Fuzzy Hash: e3f05266b6695d7b907c3ace667c789df552f0161a1971962b81a190934c847e
Instruction Fuzzy Hash: 80322C2375E2C14BEB21863891513CE6F92D7B2318F289424D795077E7C96ED60EDB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0E192, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 206timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63EC2C784: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC2C8A6

Part of subcall function 00007FF63EC2C78C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC2C7E1

GetLocalTime.KERNEL32 ref: 00007FF63EC0E26C
GetCurrentProcessId.KERNEL32 ref: 00007FF63EC0E3CF

Strings

:H, xrefs: 00007FF63EC0E4A8
=, xrefs: 00007FF63EC0E36A
>, xrefs: 00007FF63EC0E284
8, xrefs: 00007FF63EC0E354
n, xrefs: 00007FF63EC0E390
z, xrefs: 00007FF63EC0E381

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CurrentLocalProcessTime
String ID: 8$:H$=$>$n$z
API String ID: 479778610-3277947295
Opcode ID: 24e28aaa322a5534530b53c80a3b68297e011b316e398c9091511e55271d6754
Instruction ID: d03341d1501b3e841ac2ba4e42bc9060e63a50eb627209c39dac0483ddb9eb5b
Opcode Fuzzy Hash: 24e28aaa322a5534530b53c80a3b68297e011b316e398c9091511e55271d6754
Instruction Fuzzy Hash: 8191716360D3C189E7318B29B4517DFBFA0E7A6794F044129EAD847B8ACE2CD149DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC144C3, Relevance: 13.2, APIs: 1, Strings: 6, Instructions: 990COMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 00007FF63EC151C5

Strings

t, xrefs: 00007FF63EC150F9
b, xrefs: 00007FF63EC150B9
-, xrefs: 00007FF63EC1512F
x, xrefs: 00007FF63EC15118
m, xrefs: 00007FF63EC150DE
e, xrefs: 00007FF63EC1515B

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Init_thread_header
String ID: -$b$e$m$t$x
API String ID: 3738618077-2552193739
Opcode ID: 3ce5c1e8c2cf2fa098fabf7009a70737c3dc51f77ee7f6e113e094b2a62fa685
Instruction ID: d1f7cae6531a234c2413429e0bb9663bbc5094e550fd5e4aa0d7ba5247de5e5c
Opcode Fuzzy Hash: 3ce5c1e8c2cf2fa098fabf7009a70737c3dc51f77ee7f6e113e094b2a62fa685
Instruction Fuzzy Hash: D382F323A0E6C18AEB11873C90903CEAFA1D772758F289565D794073A3DA6BD60FD721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC08248, Relevance: 12.7, Strings: 10, Instructions: 171COMMON

Download Yara Rule

Strings

U, xrefs: 00007FF63EC08282
w, xrefs: 00007FF63EC082B7
}, xrefs: 00007FF63EC08298
y, xrefs: 00007FF63EC08287
[, xrefs: 00007FF63EC0825E
r, xrefs: 00007FF63EC08268
e, xrefs: 00007FF63EC082A5
h, xrefs: 00007FF63EC082AA
m, xrefs: 00007FF63EC08263
t, xrefs: 00007FF63EC0827D

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: U$[$e$h$m$r$t$w$y$}
API String ID: 0-542650763
Opcode ID: 0c01565e325dbcbe6223db191ed4471ad8d579e6a0b63a32935b981ac56cb1b2
Instruction ID: 1cd8e95ecdd73986b445ffd04ec529339f365f5b50b28579aab8cd78212a503c
Opcode Fuzzy Hash: 0c01565e325dbcbe6223db191ed4471ad8d579e6a0b63a32935b981ac56cb1b2
Instruction Fuzzy Hash: 3151F11365E2C08AE711C73D95C47CEAF62D3B2728F28E204E695077E6D26BC60ECB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3EE18, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 321fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00007FF63EC3EE87
WriteFile.KERNEL32 ref: 00007FF63EC3F131
WriteFile.KERNEL32 ref: 00007FF63EC3F183
GetLastError.KERNEL32 ref: 00007FF63EC3F2C5
GetLastError.KERNEL32 ref: 00007FF63EC3F2D7

Strings

MZx, xrefs: 00007FF63EC3EE55, 00007FF63EC3EEEC, 00007FF63EC3EFA1, 00007FF63EC3F06A, 00007FF63EC3F1C6, 00007FF63EC3F296

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorFileLastWrite$Console
String ID: MZx
API String ID: 786612050-2575928145
Opcode ID: 0e3544457a81fbf93e5bb65d93716f6e1bedc45cc0cd8151d53bc768b8010a5f
Instruction ID: b77531c3aba7b7fb8d1c45529ab6affd2ce4faf642241c2e562997e412d95840
Opcode Fuzzy Hash: 0e3544457a81fbf93e5bb65d93716f6e1bedc45cc0cd8151d53bc768b8010a5f
Instruction Fuzzy Hash: 25D11372B08B818AE710CB64D8502ED7BB1FB54788F540536EEAE97B99DE3CD11AD310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2A284, Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF63EC2A2A0
RtlCaptureContext.KERNEL32 ref: 00007FF63EC2A2CC
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF63EC2A2E6
RtlVirtualUnwind.KERNEL32 ref: 00007FF63EC2A327
IsDebuggerPresent.KERNEL32 ref: 00007FF63EC2A37B
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63EC2A39C
UnhandledExceptionFilter.KERNEL32 ref: 00007FF63EC2A3A7

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: f983b5067b0f2b30bdd97aa1616adc2b1c5e79f94750c729e5f29479b3610a46
Instruction ID: 80bf7010f1a153e5a4a4b5bbffac8ab04cd4bc61f326c5b3c32e3e5e183d03fe
Opcode Fuzzy Hash: f983b5067b0f2b30bdd97aa1616adc2b1c5e79f94750c729e5f29479b3610a46
Instruction Fuzzy Hash: 4C315E72609B8185EB609F60E8503ED7370FBA4348F44443AEA5E87B99DF38D648DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC279D8, Relevance: 10.2, Strings: 8, Instructions: 181COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF63EC27A1C
L, xrefs: 00007FF63EC27AC0
3333, xrefs: 00007FF63EC27C6D
G, xrefs: 00007FF63EC27A7E
A, xrefs: 00007FF63EC27AB1
F, xrefs: 00007FF63EC27A83
@, xrefs: 00007FF63EC27AB6
C, xrefs: 00007FF63EC27ABB

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: 3333$@$A$C$F$G$L$u
API String ID: 0-4267255643
Opcode ID: 73dff7867b47ab10b650259e415461b6b4d32505e36f3260bad87e8669f254a6
Instruction ID: d5e6b81a8d909cdc264dadbee57e4c1d0b556a2effa49b88abf24bc46b1e3411
Opcode Fuzzy Hash: 73dff7867b47ab10b650259e415461b6b4d32505e36f3260bad87e8669f254a6
Instruction Fuzzy Hash: 9F71F82360C2C085E7228729B44439FBFA0A7A6758F185065FFC947B86CBBDC548EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0BC62, Relevance: 10.2, Strings: 8, Instructions: 162COMMON

Download Yara Rule

Strings

J, xrefs: 00007FF63EC0BCFC
W, xrefs: 00007FF63EC0BC77
h, xrefs: 00007FF63EC0BCBC
q, xrefs: 00007FF63EC0BC84
}, xrefs: 00007FF63EC0BD01
H, xrefs: 00007FF63EC0BC89
t, xrefs: 00007FF63EC0BCB7
r, xrefs: 00007FF63EC0BCE2

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: H$J$W$h$q$r$t$}
API String ID: 0-3791407899
Opcode ID: 9aed2382e2ba0e7ad63a2a422e1ebe0d9933e41efbd1733e4be22e9b2d0fc6df
Instruction ID: 9a0e701536716165bfad6a09f9f2e8826104aeddf2d7f959ebf563da61d346c0
Opcode Fuzzy Hash: 9aed2382e2ba0e7ad63a2a422e1ebe0d9933e41efbd1733e4be22e9b2d0fc6df
Instruction Fuzzy Hash: 3151911362E2C08AE751C739948478EBF62D3B3768F28A644E794077A7C56FC50ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC071F6, Relevance: 10.2, Strings: 8, Instructions: 156COMMON

Download Yara Rule

Strings

t, xrefs: 00007FF63EC0722B
L, xrefs: 00007FF63EC0721C
s, xrefs: 00007FF63EC07235
g, xrefs: 00007FF63EC07247
G, xrefs: 00007FF63EC07230
[, xrefs: 00007FF63EC0720C
m, xrefs: 00007FF63EC07211
i, xrefs: 00007FF63EC07242

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: G$L$[$g$i$m$s$t
API String ID: 0-169899670
Opcode ID: 11ac5371ffa870e4faca0248cf03131fc468df5d6cd52eb90d4d4d9e5d353d9f
Instruction ID: 6b52192647d6c6e5823eeb03869918d01190181771edcc4ba4ea33a395894646
Opcode Fuzzy Hash: 11ac5371ffa870e4faca0248cf03131fc468df5d6cd52eb90d4d4d9e5d353d9f
Instruction Fuzzy Hash: 2251A01772A2C09AFB10863994C478EAF52C3A3728F28A204DB94177E6D62B850F9B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC359E4, Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF63EC35A5D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF63EC35A75
RtlVirtualUnwind.KERNEL32 ref: 00007FF63EC35AB0
IsDebuggerPresent.KERNEL32 ref: 00007FF63EC35AE9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63EC35AF3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF63EC35AFE

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 50b34b393fb9b7757b0067613f9e722e960c043d972149cb9b14dd6ea40172bd
Instruction ID: 47c0fabf46de4b6acbc43ca8e052d7821c7af8ed4b438416ac1f84b60f5a7431
Opcode Fuzzy Hash: 50b34b393fb9b7757b0067613f9e722e960c043d972149cb9b14dd6ea40172bd
Instruction Fuzzy Hash: 17317E36618F8186DB608F25E8502AE73B0FBA8754F500136FAAD83B99DF3CC159DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC073F4, Relevance: 9.0, Strings: 7, Instructions: 220COMMON

Download Yara Rule

Strings

s, xrefs: 00007FF63EC07622
o, xrefs: 00007FF63EC0763B
t, xrefs: 00007FF63EC07618
b, xrefs: 00007FF63EC07613
y, xrefs: 00007FF63EC0761D
9, xrefs: 00007FF63EC07636
{, xrefs: 00007FF63EC07631

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: 9$b$o$s$t$y${
API String ID: 0-736560757
Opcode ID: 251a74e53f23efd72aa603942f4eb7effd551e4eadd4d008cea0898187d3afe5
Instruction ID: 62bd9ef6089bdfa57c5e5c4f05c6729f88dcdb22a71ecd2f0bb20a12fcc40e71
Opcode Fuzzy Hash: 251a74e53f23efd72aa603942f4eb7effd551e4eadd4d008cea0898187d3afe5
Instruction Fuzzy Hash: 4971F1A379A6908FFB14863AD4B13DBBF91D326724F1AAB19C395033C3C6598658CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC06EEC, Relevance: 7.7, Strings: 6, Instructions: 161COMMON

Download Yara Rule

Strings

S, xrefs: 00007FF63EC06F02
b, xrefs: 00007FF63EC06F0D
j, xrefs: 00007FF63EC06F1C
G, xrefs: 00007FF63EC06F17
m, xrefs: 00007FF63EC06F21
e, xrefs: 00007FF63EC06F12

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: G$S$b$e$j$m
API String ID: 0-2644272952
Opcode ID: 18027a6baadce9866acccfa7dfa98b205afd85bbf6caf8568a6b751ef114e9c8
Instruction ID: b36c9bcd7d62fed9568d8dce570a5ab6dff2f4434dc3bfe709d0bfebb840c4d6
Opcode Fuzzy Hash: 18027a6baadce9866acccfa7dfa98b205afd85bbf6caf8568a6b751ef114e9c8
Instruction Fuzzy Hash: 2951E42365A2C05AE711CB3885C43CEAF63D7A272CF29E214D695077E6D26BC60FCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0C0FC, Relevance: 7.6, Strings: 6, Instructions: 149COMMON

Download Yara Rule

Strings

r, xrefs: 00007FF63EC0C159
L, xrefs: 00007FF63EC0C110
l, xrefs: 00007FF63EC0C14F
|, xrefs: 00007FF63EC0C146
x, xrefs: 00007FF63EC0C15E
], xrefs: 00007FF63EC0C133

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: L$]$l$r$x$|
API String ID: 0-2173852877
Opcode ID: b77aac4abaf3f98204d1b7f95a3a66f6a1c35ce1022cc6839706aae507d9a818
Instruction ID: 0a129a25f4771b7935de1a461b9fcfe6ffe770646a1acd698aa33119cf4cac2a
Opcode Fuzzy Hash: b77aac4abaf3f98204d1b7f95a3a66f6a1c35ce1022cc6839706aae507d9a818
Instruction Fuzzy Hash: 9F519E2362E2C09AE751C73994C4B8EBF52C7A3758F24E244EB94177A7C66BC50A8B11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0777A, Relevance: 6.4, Strings: 5, Instructions: 174COMMON

Download Yara Rule

Strings

i, xrefs: 00007FF63EC077C5
], xrefs: 00007FF63EC0778F
N, xrefs: 00007FF63EC077A4
|, xrefs: 00007FF63EC077D3
u, xrefs: 00007FF63EC077EE

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: N$]$i$u$|
API String ID: 0-306787487
Opcode ID: c75ba58e39de87408c9b2f7577236e2cf3a0bc3655436b331ba9798e8fd9d3a5
Instruction ID: 421e5eaaa581c06fb0e47dc8a28bffb8de974451f7d89358b98fe44d23a4f188
Opcode Fuzzy Hash: c75ba58e39de87408c9b2f7577236e2cf3a0bc3655436b331ba9798e8fd9d3a5
Instruction Fuzzy Hash: 95516F1322E2C09AE711C6399484A8EAF62C7B3768F28E654DB94177A7C16BC50ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC195A8, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 887COMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 00007FF63EC1A2DA

Strings

@, xrefs: 00007FF63EC1A119
0.0.0.0, xrefs: 00007FF63EC19607, 00007FF63EC1A308

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Init_thread_header
String ID: 0.0.0.0$@
API String ID: 3738618077-4086448161
Opcode ID: 10443c0507e290efbba5fb0e161bc6cfcda90558624135c68c1676f3c4c44b19
Instruction ID: 94caeab5adafd8bfba54a6def90d6faec51e7f0128dcce0224b4b708ca9e8cac
Opcode Fuzzy Hash: 10443c0507e290efbba5fb0e161bc6cfcda90558624135c68c1676f3c4c44b19
Instruction Fuzzy Hash: 4D8216235092C18FE721CB78C8943DE3FA1D772368F159626D7695B7D7CA29920EC321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC28250, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 357COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF63EC282AE
UuidCreate.RPCRT4 ref: 00007FF63EC282DB

Part of subcall function 00007FF63EC28926: getaddrinfo.WS2_32 ref: 00007FF63EC28963
Part of subcall function 00007FF63EC28926: WSAGetLastError.WS2_32 ref: 00007FF63EC28A54

Strings

., xrefs: 00007FF63EC286C4

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CountCreateErrorLastTickUuidgetaddrinfo
String ID: .
API String ID: 649965334-248832578
Opcode ID: 51d7d7a1b873e9233772d54583de9425c2a44a9220ee525fc56a18a4e1e50fac
Instruction ID: 49a58692d6102391030d5805e030c6774df9bb5f3e0547e0653aa9fbe58f78f9
Opcode Fuzzy Hash: 51d7d7a1b873e9233772d54583de9425c2a44a9220ee525fc56a18a4e1e50fac
Instruction Fuzzy Hash: DEE1F8336086814AEA21CB25A4503FFB761FBA9784F445235FA9A93789DF3CD449DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3CEEC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC3D228

Part of subcall function 00007FF63EC3599C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF63EC35BF5), ref: 00007FF63EC359A5
Part of subcall function 00007FF63EC3599C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF63EC35BF5), ref: 00007FF63EC359CA

Strings

C:\Users\user\Desktop\anchorDNS_x64.exe, xrefs: 00007FF63EC3D203
*?, xrefs: 00007FF63EC3D24F

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *?$C:\Users\user\Desktop\anchorDNS_x64.exe
API String ID: 4036615347-4254306234
Opcode ID: c9df3f397fa8304feafd434982a4bc6d76a1b4192cfd87788eb276fbb3299915
Instruction ID: 6e11e0fd3e9a90358c3bf6a95e8baf4b7d1d013e675af28e43fb4a997f071b4a
Opcode Fuzzy Hash: c9df3f397fa8304feafd434982a4bc6d76a1b4192cfd87788eb276fbb3299915
Instruction Fuzzy Hash: 74511362B04B5685EF20CFA29C104BD6BB1FB68BD8B454531FE2D87B85EE3CD4499320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC28926, Relevance: 5.1, APIs: 3, Instructions: 593networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FF63EC28963
WSAGetLastError.WS2_32 ref: 00007FF63EC28A54
freeaddrinfo.WS2_32 ref: 00007FF63EC28FB2

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorLastfreeaddrinfogetaddrinfo
String ID:
API String ID: 1817844550-0
Opcode ID: 44f7346984cd6515759428d1e639b69ff0e5dfb8f6e93bb076f1a20633db3deb
Instruction ID: 474c601deef8591572c6fd1d34443abd381eee697a00f52b18ab55ff9d1c7da1
Opcode Fuzzy Hash: 44f7346984cd6515759428d1e639b69ff0e5dfb8f6e93bb076f1a20633db3deb
Instruction Fuzzy Hash: 092236A3B5E6D18FE7118A38C4903CBBF60E332724F1EA659D7A107393D669C598DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2F5B0, Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF63EC2F616
memcpy_s.LIBCPMT ref: 00007FF63EC2F641

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 89efa1099f50e7829e98c86f8bf3cc02ee95f86496c297bcc613a316ecd5c7a4
Instruction ID: deab54f74e08c39f956b956474dfb5d1035f74b1ba1e95c571e7709dc41beb9c
Opcode Fuzzy Hash: 89efa1099f50e7829e98c86f8bf3cc02ee95f86496c297bcc613a316ecd5c7a4
Instruction Fuzzy Hash: 86C1D672B182CA87EF24CF19E04466EB7A1F7A4B84F449135EB5AA3744DE3CE845DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2217C, Relevance: 4.1, Strings: 3, Instructions: 318COMMON

Download Yara Rule

Strings

GET, xrefs: 00007FF63EC22248
200, xrefs: 00007FF63EC2236B
WinHTTP loader/1.0, xrefs: 00007FF63EC221D5

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: 200$GET$WinHTTP loader/1.0
API String ID: 0-1079223383
Opcode ID: 4e184deaab9a70519047993a2d940f8846fc76a40cf1d86d5a6f7e43759051b7
Instruction ID: f3316b25620d7a9e214038191af2793cecae3b1cea961a1c07737af8ba95e122
Opcode Fuzzy Hash: 4e184deaab9a70519047993a2d940f8846fc76a40cf1d86d5a6f7e43759051b7
Instruction Fuzzy Hash: 8AC1B222F0961686FF18DBB5A4507BD22B0AF74748F145135FE2D97B85EE3CE509A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0CE64, Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF63EC0D062
o, xrefs: 00007FF63EC0D05D
/, xrefs: 00007FF63EC0D077

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: /$o$u
API String ID: 0-955228073
Opcode ID: 10e4b9ce34a57c28bc8cbe426a657756e6018d26716f850741d3e10a9b08a4b7
Instruction ID: 109b91929ffd1ff20e67925c31d8076226cd84704e24b8e0b1efd01bcae38d36
Opcode Fuzzy Hash: 10e4b9ce34a57c28bc8cbe426a657756e6018d26716f850741d3e10a9b08a4b7
Instruction Fuzzy Hash: CD6137A37296E19BFB118B3A94A13DFAF90D332724F19A708DB65073C3C61A8595CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0B45A, Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

z, xrefs: 00007FF63EC0B629
4, xrefs: 00007FF63EC0B63E
t, xrefs: 00007FF63EC0B624

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: 4$t$z
API String ID: 0-2937284666
Opcode ID: 0c93368524399d751ecca10392dd4542f800fd49e21a11fd472218aeb3d1732c
Instruction ID: 580c563ad991bd5418280bee502720a6feb4cb02fee76fbfb585c7dfba37a41f
Opcode Fuzzy Hash: 0c93368524399d751ecca10392dd4542f800fd49e21a11fd472218aeb3d1732c
Instruction Fuzzy Hash: 9A61EFA379A6D08FF7068639A4B13CFAF91D372724F09AB09DB95033D3C6198659CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3BC9C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC3BD00

Strings

gfffffff, xrefs: 00007FF63EC3BF9D

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 39d8d324a5ed8ccc1c6ea7aacc02ab180607cb5763201971971ac6820e19807c
Instruction ID: 8bf5e3669f370c8ac197322816a5112b00dc50097661deb9764460053b4944f2
Opcode Fuzzy Hash: 39d8d324a5ed8ccc1c6ea7aacc02ab180607cb5763201971971ac6820e19807c
Instruction Fuzzy Hash: D3917967B097C686EF11CB29D8003BD77A4AB64B80F059032EA6D87395DE3DE90AD711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3B6E8, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC3B719

Part of subcall function 00007FF63EC3599C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF63EC35BF5), ref: 00007FF63EC359A5
Part of subcall function 00007FF63EC3599C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF63EC35BF5), ref: 00007FF63EC359CA

Strings

-, xrefs: 00007FF63EC3B8F4

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: -
API String ID: 4036615347-2547889144
Opcode ID: 7f26510c5e6554bce16751d4058f303b2fede24bf5a348830ea5ec309e2d6b03
Instruction ID: 8cee87257b46b26c857cb40c2036defdd53c59db159a6175a61246896ec26879
Opcode Fuzzy Hash: 7f26510c5e6554bce16751d4058f303b2fede24bf5a348830ea5ec309e2d6b03
Instruction Fuzzy Hash: 7E81E532A0878585EA649B25990077EB7B1FB657D0F044235FAAD87BD9DF3CEC089720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3D404, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\anchorDNS_x64.exe, xrefs: 00007FF63EC3D416

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\anchorDNS_x64.exe
API String ID: 0-4132411585
Opcode ID: 1652115602dfb63e67c9851bbdaec33a69702db4e1f3cc669f16178081a43772
Instruction ID: edc7cb47c8d8377ef6d6b64878f7b63ee2604e87617976d912eb8b71b0b9f153
Opcode Fuzzy Hash: 1652115602dfb63e67c9851bbdaec33a69702db4e1f3cc669f16178081a43772
Instruction Fuzzy Hash: 0951E122B0869184F7209B76AC105AE7BB0BB65BD8F144234FEAC87B89CF3CD509D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC23609, Relevance: 3.3, APIs: 1, Instructions: 2086sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF63EC24370

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 75bb56789affa75da9325a087a0ddfb37c55b33460be0a2db31353ed10f0cc08
Instruction ID: 4c6fcbda49f3782d6066be4b36d6e7720c0ee9dd235b058729df2120575e3f5d
Opcode Fuzzy Hash: 75bb56789affa75da9325a087a0ddfb37c55b33460be0a2db31353ed10f0cc08
Instruction Fuzzy Hash: CD03C02379B2C08EEB31CF7888847CE3FA0E337708F19A559D6940B757C665960AE725

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1890E, Relevance: 3.3, APIs: 2, Instructions: 796COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63EC19232: WSAGetLastError.WS2_32 ref: 00007FF63EC1929A

GetLastError.KERNEL32 ref: 00007FF63EC189A7
GetLastError.KERNEL32 ref: 00007FF63EC18B56

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 713c048b60c55eecbb66833d9fd3fc9b947a0fa7016a9b51d47dd0bfd0301b45
Instruction ID: 1af3d696da8d38f7d2d0b563df9e9e45f12d3c1875f3eca1e0d9cbcba19888ee
Opcode Fuzzy Hash: 713c048b60c55eecbb66833d9fd3fc9b947a0fa7016a9b51d47dd0bfd0301b45
Instruction Fuzzy Hash: 3942BD63B9B2C19EDB128B7C80902CE3FB1D337B0CB29A459D78547363D52A960BE715

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC42E48, Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF63EC43097
RaiseException.KERNEL32 ref: 00007FF63EC430A8

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: c20f8608ea0ecac529bd971984dccab8c2031a969faf6f7420bb3b580a637607
Instruction ID: 5ef10dca370238926aaae692259a0c3a9b27511cb558b8af9bcdabd9aee91676
Opcode Fuzzy Hash: c20f8608ea0ecac529bd971984dccab8c2031a969faf6f7420bb3b580a637607
Instruction Fuzzy Hash: 16B12877600B858BEB1ACF29C84636C77B0F784B48B158922EA6D877A4CF39E455DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC03912, Relevance: 3.0, APIs: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF63EC0393B
SystemTimeToFileTime.KERNEL32 ref: 00007FF63EC0394E

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Time$FileLocalSystem
String ID:
API String ID: 704252544-0
Opcode ID: bf3cd042b41ec868c10890a1de2338d17c3fadf045592169deca63c2ccae9433
Instruction ID: 939c05eee45d4f91ca808e57acbd523b436ca4a4cc8673167f9ebbe20952074a
Opcode Fuzzy Hash: bf3cd042b41ec868c10890a1de2338d17c3fadf045592169deca63c2ccae9433
Instruction Fuzzy Hash: 73016B62B0978182FE218728A921269B370BF457F07009330ED6D57BD4DF2CE846C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC17C28, Relevance: 1.9, APIs: 1, Instructions: 356COMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 00007FF63EC180AF

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Init_thread_header
String ID:
API String ID: 3738618077-0
Opcode ID: 335158fa714618bf8d6de331738153b690514691b205b343662470f5cbf59c13
Instruction ID: 4e6c43a9ef021991c4928ada23654bdfeb186516efa79141584dd1ec8ac34ba8
Opcode Fuzzy Hash: 335158fa714618bf8d6de331738153b690514691b205b343662470f5cbf59c13
Instruction Fuzzy Hash: 43E1D423A086818AFB14CB75E4903EE6B61EB62358F005135EA6D977D6CF2DD94ED320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0A16E, Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

3:<KU, xrefs: 00007FF63EC0A170

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: 3:<KU
API String ID: 0-2596799183
Opcode ID: 5aa116ce32a1d24f05d0aae60a5d907adc89ad15d712247248ac259edc3f15ae
Instruction ID: 2f34b6147379ed05aeb8524297c1a4882e86b1f23d5176e9efb528ed1b5ae50d
Opcode Fuzzy Hash: 5aa116ce32a1d24f05d0aae60a5d907adc89ad15d712247248ac259edc3f15ae
Instruction Fuzzy Hash: 36A19FA37A76D09FFB018A39C5A17CEAF90D336724F29A709CB60177D3C21A9605DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC03575, Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF63EC03595

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: bd684695b0b9009310375d860dea63871e4bb56076010b7dd2d901ca6ecf7f5b
Instruction ID: 0794c27d7a6a96b3cc9a794747ea586e3aa3dd7e3adbdcfeebb29f71956e7a35
Opcode Fuzzy Hash: bd684695b0b9009310375d860dea63871e4bb56076010b7dd2d901ca6ecf7f5b
Instruction Fuzzy Hash: 1B61EA637AA2804FDB31CA78A0916CB7BE0E37A308F092615F6D547B57C56CDA0BDB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2E894, Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF63EC2EA63

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: d3cad61f5502d7106a1471d22457d203db06ea8473520b57dc9d58c1c2d2d2a1
Instruction ID: 56270ffc22f89034b7e072d362a4e13121f8dd29b4c88f819d05145a87d7a246
Opcode Fuzzy Hash: d3cad61f5502d7106a1471d22457d203db06ea8473520b57dc9d58c1c2d2d2a1
Instruction Fuzzy Hash: 0371EF15A182038AEEA5BA1540402BD26B0EF78744F847137FD6DA77D5CF2DE84BE325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2D00C, Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF63EC2D1A5

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 6d0a94d7c0469c5c6aeef568c5c81d7626709050d9262ba6b699d629f267a2f6
Instruction ID: 380a91b811383bf02b34251b726317943877d2c27dae9a9a7ff0409e4ccfabfe
Opcode Fuzzy Hash: 6d0a94d7c0469c5c6aeef568c5c81d7626709050d9262ba6b699d629f267a2f6
Instruction Fuzzy Hash: 5A61F511A0C242C6FE688A2950203BE1FB19F71754F543531FCA89BB99CE2DE84FB761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC39600, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF63EC39604

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: e06ef351894c49f49f10d3e365f1dd25fc469adfcf509904f72e1a7b88f780e1
Instruction ID: c364131c51192ad20844f89bf15b2d563a3257ce3d73cfccd9d36d668f29cc0d
Opcode Fuzzy Hash: e06ef351894c49f49f10d3e365f1dd25fc469adfcf509904f72e1a7b88f780e1
Instruction Fuzzy Hash: 5CB09220F17A02C2EA092F126C8221C23B57F68700F958039D01D81320DE2C20AD6B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1EBAA, Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e7805e7cd11ea0290a49bbe4ff1756958a9c33e91ea1cf9ce81fb76ab44a9e
Instruction ID: 91746e700569dffbda7f9747e5114abdf2576de6d3bdec2da5ddacfefb6438bc
Opcode Fuzzy Hash: f4e7805e7cd11ea0290a49bbe4ff1756958a9c33e91ea1cf9ce81fb76ab44a9e
Instruction Fuzzy Hash: C9F1D82375A2804AEB10CA38D1947CE6F62D7A6718F28E515DB54073E3DA7BDA0FDB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1F31E, Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976c2c5f0d80b86eb54c4b415adca4402a94d225a663c7417f28d4740c029039
Instruction ID: d9f6f941d9e8e8eb44d553b66d5cbd929206c855293e6ca3a918df20514c37f2
Opcode Fuzzy Hash: 976c2c5f0d80b86eb54c4b415adca4402a94d225a663c7417f28d4740c029039
Instruction Fuzzy Hash: 11F149137093D18EFB11CA3984943DE2F62EB76358F099125DA585B7D3CA3A9A0FC720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1D004, Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8299c70641a8df5a701ed7c720cb2b4eabe6ad68e686a92389bed2a30eabf53
Instruction ID: 19d8ee4a336a45859903c8f67f93760cd14731b251a3b759abceefb4d2c128e4
Opcode Fuzzy Hash: f8299c70641a8df5a701ed7c720cb2b4eabe6ad68e686a92389bed2a30eabf53
Instruction Fuzzy Hash: FCD17963B09A918BFB148A35E4613DF7BA1E762320F199625DBA4437C3DF2CE519CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC08E1C, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6270673994d2d44e56ce4c892c288cb6e2ac712818bb7fd2b09c4627ac11e9
Instruction ID: 7d7c638028403e88b6d57e1e51ae7857d5a32e26f5d852088dd02a4cfb19c2ab
Opcode Fuzzy Hash: 6f6270673994d2d44e56ce4c892c288cb6e2ac712818bb7fd2b09c4627ac11e9
Instruction Fuzzy Hash: 00D1F5B3B9BA914FF7158A39C4B13CB7F90D322734F1A9A198790073D3D2A98659DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1B4E4, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35012a9d2a0d3de121f552b8a21dc0deb257bf598013a262d6ddb06e2d030171
Instruction ID: 73b2a593950cd8adce38ee67892696453148c5a0c840099db129a8dce07f99b1
Opcode Fuzzy Hash: 35012a9d2a0d3de121f552b8a21dc0deb257bf598013a262d6ddb06e2d030171
Instruction Fuzzy Hash: 9AD1D25378B2C19DE7128A3CC5403CD7F21E32276CF5D9A05EB680B7A7C66AD60AD721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC15209, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79bf101e1cb1d71bd93de8d60d67037ea81bd114c7ca3ec68f1b25a1872cf92
Instruction ID: c2ce33e375498e9255fa73a639c6146a7812bff822eb122ecae58476bb701c82
Opcode Fuzzy Hash: d79bf101e1cb1d71bd93de8d60d67037ea81bd114c7ca3ec68f1b25a1872cf92
Instruction Fuzzy Hash: B9F1FB23A087C189E732DB74D4443ED2B71EB75788F148236DA6D6B796CF6C914AC321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC07E98, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57cc95f4931b256efc58b002dee48f865eb4f9e0c2bf45b7a3c8efa1cb09a14
Instruction ID: a4ce8cc879a586477e030b262c6642707a809e8302b834b9aadd7b64b2ddf0ca
Opcode Fuzzy Hash: c57cc95f4931b256efc58b002dee48f865eb4f9e0c2bf45b7a3c8efa1cb09a14
Instruction Fuzzy Hash: 6BB1D2A3F9EA914FE7118A39C4753DBBF90D322734F2AA6198791033D3D2698659DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0B68A, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6bbca805776271225df0ed00b302df016a04f48fcb2d3fdd1bc050fe8820e8
Instruction ID: 3bacbdd51474415d5177fd387a3702d78f795f909a76dc25185eaf515363f0e3
Opcode Fuzzy Hash: ef6bbca805776271225df0ed00b302df016a04f48fcb2d3fdd1bc050fe8820e8
Instruction Fuzzy Hash: 07B1C1A379B6905BFB01863AC5A1BCFBF90D332B24F1EAB098750073D3C22A5655DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1BF22, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ee82f0324375bd0286e3819d9379f4f23836b73f508718769443e55e3ba1f4
Instruction ID: 20827e209ebda0bd5824dbfc29fdb49bb3d2c270ae1f5856089586f474b72c11
Opcode Fuzzy Hash: 15ee82f0324375bd0286e3819d9379f4f23836b73f508718769443e55e3ba1f4
Instruction Fuzzy Hash: CFC1B25379B2C09EE702CE78C5403CD6F21E33275CF09AA19EB64077E7C6699A0AD361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0C8B2, Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314c5662dd43dcf9a4efe6e617be60411b449d9ae8df324cc7177bd0b2a8f196
Instruction ID: e46f568baffd9b899a2e70ec89cd71fc044550cf0e121657f140e7089aad2ebb
Opcode Fuzzy Hash: 314c5662dd43dcf9a4efe6e617be60411b449d9ae8df324cc7177bd0b2a8f196
Instruction Fuzzy Hash: 1CA1EEA379B6914FFB018A39C4A13CABF91D326728F1EAB19CB81073D3C2594559DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1C3C2, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a30570f157cb874c8448727ff115599652c466b19802783eafbe6c7ec458cb
Instruction ID: 676bc02dd73edc6081b5b82b31556145e3d609e8884616eda86505e145f59ea7
Opcode Fuzzy Hash: 14a30570f157cb874c8448727ff115599652c466b19802783eafbe6c7ec458cb
Instruction Fuzzy Hash: 9EB1D16775A2C08EEB108A38C4C53CE2F22D77636DF19D615E664076E7DA6B8A0FC710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC07B16, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8887a72a06ff1f3cf4d1fff3008ed930b54223551018f895e853e46cafe80a5a
Instruction ID: 159d85863c07fe62976922fc3eaf61443dce3a94ac74ea264b02d107ddb22810
Opcode Fuzzy Hash: 8887a72a06ff1f3cf4d1fff3008ed930b54223551018f895e853e46cafe80a5a
Instruction Fuzzy Hash: C3A1F763B9EA914FEB118A38C4653CBBF50D322738F2A9719C791072C3D3698655DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2FA54, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48883f57f144b60095104683b0817eab8d4014c728ff544acee589e53995ce7b
Instruction ID: fe059cd466a91e9243402cfc3538a712563c13698c0e78630bd3fceb8f954260
Opcode Fuzzy Hash: 48883f57f144b60095104683b0817eab8d4014c728ff544acee589e53995ce7b
Instruction Fuzzy Hash: 7291F326B186CA46FE294E2590603BD16A0AF70794F142239EE7AF77D4DD3CE50DB720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0AB96, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcced82a9fc39749268dce212708de9f634a4c20f9562305c9dd238256050c3
Instruction ID: 9b527a75eb2a51b17f9a34207017ed9878a42540fe075a84c4fd87bfece5f645
Opcode Fuzzy Hash: 0bcced82a9fc39749268dce212708de9f634a4c20f9562305c9dd238256050c3
Instruction Fuzzy Hash: A291C5A37A66D15BFB108A3AC5A1BCFBF91D332B24F29A708CB10177D3C62A5515DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC06BCC, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4952ae5759933c75596aded85a1ddf277fc04ef67cc9f5e4f6336edddaa2ff89
Instruction ID: 21310f7a883c819ff05095d12b0b31431d067dc9d2d7124d75e35890b1741dbf
Opcode Fuzzy Hash: 4952ae5759933c75596aded85a1ddf277fc04ef67cc9f5e4f6336edddaa2ff89
Instruction Fuzzy Hash: C391A4637AB2915BFB058B39C5A17CFBFA0D322B14F19BA08CB54177E3C12A5506DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0C5BE, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56127f76e09d3cf7e3267041b2539f45eac0a4f7b53fb26ef29d6d276238d597
Instruction ID: c49bd54b7ea0331581ec3f8f6f7208b2252910867815ad41b4d7941175aab6ea
Opcode Fuzzy Hash: 56127f76e09d3cf7e3267041b2539f45eac0a4f7b53fb26ef29d6d276238d597
Instruction Fuzzy Hash: D691D2A379A6D08FF7058A3A94B13CFAF91D332724F19A708CB51073D3C66A8659CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0C2F2, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2be21167368d0aec7b1aaa393170c09ac45ce613934ddc63d7b13c691d41eac
Instruction ID: 3792c27f7254565f0ab89074d255386481b56e3ca84e0164a46a09f1d8dea5a9
Opcode Fuzzy Hash: e2be21167368d0aec7b1aaa393170c09ac45ce613934ddc63d7b13c691d41eac
Instruction Fuzzy Hash: 3881E6A365A9D08FF7068639C5B13CFAFA1D332724F1AE608CB91073E2C6698955CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC08476, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e824b1be318276a4f218bc02b5caad35eed48d32f8767ccbfd33c0245edd557
Instruction ID: a1ec6d9a500517f7d4febdfef6afcfd753c929bac11dbaffe0bedff5cf86a8a2
Opcode Fuzzy Hash: 7e824b1be318276a4f218bc02b5caad35eed48d32f8767ccbfd33c0245edd557
Instruction Fuzzy Hash: D981C1A375A2D04BF7058A3990A13CBBF91D322724F1DAA19D7900B3D3C5698959CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0BE8E, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8338eacb1da919bc0758a0834f03e56040253e081b19d548c583f60c5738d566
Instruction ID: 80fa07068a87eb037b71d97a901f0e9f70c53ccc2519d38e439c7cbefc54f43f
Opcode Fuzzy Hash: 8338eacb1da919bc0758a0834f03e56040253e081b19d548c583f60c5738d566
Instruction Fuzzy Hash: F771BDA379A6D04FEB068A39D4B13DBAF91D332724F1DEA1AC790033C3C6598559CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC08716, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2361c72efdc7f3a52c7feb93de8ab014e12f34eaa2f409d3711d24c901156cb
Instruction ID: 0f3a5b94d4b968601c077d8e1a22a2cff276e7021821d11d158c574039919b01
Opcode Fuzzy Hash: f2361c72efdc7f3a52c7feb93de8ab014e12f34eaa2f409d3711d24c901156cb
Instruction Fuzzy Hash: AB71B2A37296D18BFB058A3984617CFBF90D372B24F29E618CB50177D3C62A8556CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC066C4, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697b2aea62219f5656d0463c1d6019ec4f649fa0e743178984f72f014e872501
Instruction ID: ede8b3cde79ee9bfb23c563af45bb3eb752724434d2a48d9c866cfba9e906aea
Opcode Fuzzy Hash: 697b2aea62219f5656d0463c1d6019ec4f649fa0e743178984f72f014e872501
Instruction Fuzzy Hash: D571C45379B2D09AE7128A38C5507CEFFA0E332B48F1DE549C7841B7A3C26B9546DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1AFAE, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09150db66445cdb8ba0e68dc58cccf0d7c85025506eec9a1dd7840658f9ab11a
Instruction ID: 1e24531514cbe5d69b33f4b27ac09c9f54d358aa64ffb7f8e4ba52e95339e1f8
Opcode Fuzzy Hash: 09150db66445cdb8ba0e68dc58cccf0d7c85025506eec9a1dd7840658f9ab11a
Instruction Fuzzy Hash: B371F663F083819AFB11DA71D0843EE6B72A736788F149031EB6857786DF29DA4ED350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC039FB, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff41d978c402d529349cd5407b2f90b1250f9a8a7f3c751a69f93d097a0efe5
Instruction ID: bcdc1e8917d5e0c6bd2e4758d81a9af7f5e9fa9de12b242dbccb94b25d1ad3c9
Opcode Fuzzy Hash: cff41d978c402d529349cd5407b2f90b1250f9a8a7f3c751a69f93d097a0efe5
Instruction Fuzzy Hash: BB71E4236193C147E751CB34D1913EE6BA2E7A2384F449436EB8957786CE7DD50ECB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0A5F6, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64d4fe42c95d8a1600ae97b39fa045c3e51a03c1baf22767e3357bd989eba79
Instruction ID: 6f4e17933ac47084c8a2e9527c58ceb4bf91a7dabc973fe1d8dd811a2bb8739f
Opcode Fuzzy Hash: a64d4fe42c95d8a1600ae97b39fa045c3e51a03c1baf22767e3357bd989eba79
Instruction Fuzzy Hash: 5E61E3A37296D18BFB058A3994A17CFAF91D362B24F29E708CB54173D3C62A8556CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1CD36, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4994529661a5766efd0df43838bd9f1a40f01a08a6aae2c8327f8a0e32095a
Instruction ID: fa1d558f22ec37614bbdd2807ed87902c42be24b9a7f9c76252568ff0759272e
Opcode Fuzzy Hash: ef4994529661a5766efd0df43838bd9f1a40f01a08a6aae2c8327f8a0e32095a
Instruction Fuzzy Hash: BF71223260C6C186EB148B65A105BAEABA0EBA57C4F048135FE9C87B85DF7DE849D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0693C, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98461015111f786cb5efd91b59de3e5a96522af605e586c029ecc9c820738a5
Instruction ID: de48e62978da9e189172acfc87f2cb5ea90a0977f8e969f7ccd9646639bc9246
Opcode Fuzzy Hash: f98461015111f786cb5efd91b59de3e5a96522af605e586c029ecc9c820738a5
Instruction Fuzzy Hash: 6271F4636292D28AEB119B3D800078EBF50E332B7CF599348CB511B3D3C62B9586CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC09F0A, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c5577041e6ce668c719d831cd7fa6753967c9562d2dd2e7ecab6254b21f170
Instruction ID: ec03a7f81d56ee20d3aa31a9edefedde7473d1e89be959d6833f1e5c690ac89e
Opcode Fuzzy Hash: 33c5577041e6ce668c719d831cd7fa6753967c9562d2dd2e7ecab6254b21f170
Instruction Fuzzy Hash: F661066375B2D29EE7019A39C40078EBF50D336B2CF5DD649CB901B393C56B858ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC09CA4, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ebe79e67c4ec8947b93ef81d47635f775218e223c8e059032a373a62c30748c
Instruction ID: 22df5b6705a1c4362dcbfba40c0554c23e8cd62231d41f47d7ecb670bc6ca746
Opcode Fuzzy Hash: 1ebe79e67c4ec8947b93ef81d47635f775218e223c8e059032a373a62c30748c
Instruction Fuzzy Hash: 2461C55762A2D29AEB025A3C850134EBF60E332B7CF59D344CF552B3E2C52B9985CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC08992, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094cde2e16e63eed1a97fa0366bcfea01b503ed13a26dbbaaf95698ef19e21f0
Instruction ID: 5864a372ed345d9bf8ddc1c8aeeab1e7e2ce85a29327bfe45ca28babd4addbe6
Opcode Fuzzy Hash: 094cde2e16e63eed1a97fa0366bcfea01b503ed13a26dbbaaf95698ef19e21f0
Instruction Fuzzy Hash: 2D61C56361A1D35AEB025B3D850134FBF60E322B7CF59A344CF562B3A2C53B9986C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC0BA3A, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a2500e24147bc94cf2ba161d99d97905934e842c8028e163fe22d2d9ef5768
Instruction ID: 0f67719982a160e07766b21f47fab3c05a443275888cbfabc237e2678f37621f
Opcode Fuzzy Hash: 11a2500e24147bc94cf2ba161d99d97905934e842c8028e163fe22d2d9ef5768
Instruction Fuzzy Hash: 5451D36379B3D09AE7118A38C450BCEFF50E332B18F1DE659CB941B393C26A8545DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC01094, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814864bee3f53b4c06bb8eb1701532d171da2eb01eba70b8f1f9e221d3dbd06a
Instruction ID: f913d6f38f32e2a6023a710de6e8548d008e74b5c938e351b8142758e5972409
Opcode Fuzzy Hash: 814864bee3f53b4c06bb8eb1701532d171da2eb01eba70b8f1f9e221d3dbd06a
Instruction Fuzzy Hash: A95125537180D11FFB165A3044A27EFAFE287523D8F1AA030F6A987397CD2AD90D9350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1F148, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b063f5835d7df482878bd6b6fc98aea5100d92c3071ce995fc2fb080e30ce592
Instruction ID: ca40d8d208a12fcc1473511a755e783b81604c1fb0d75d2c1c28c6eb95242989
Opcode Fuzzy Hash: b063f5835d7df482878bd6b6fc98aea5100d92c3071ce995fc2fb080e30ce592
Instruction Fuzzy Hash: 16414923B083D14AFB05CA7595902EE2B62E766798F049131EF78677C6CF29D94ED310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2908C, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9dda3d076260c3319880d8bbc1012172f9946e85fa5eeab6500ea4dbf244f5c
Instruction ID: bf8fe14448b5d6936aef26759f3432c9a09441f122812b22ed464a91d99047ce
Opcode Fuzzy Hash: c9dda3d076260c3319880d8bbc1012172f9946e85fa5eeab6500ea4dbf244f5c
Instruction Fuzzy Hash: A131C21372597613BF09483BDD502BBA1E26BD43A0F45E538ED65837E4DD3D88065200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1A3AE, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddab7a796360b66ec20354cd96875d2fe32611bd170d5d19ef14e3db215dfac
Instruction ID: 393830447b20fdc2c5a9e5975a656c7edce8edfb46029001012e17b0ab5faf6f
Opcode Fuzzy Hash: 7ddab7a796360b66ec20354cd96875d2fe32611bd170d5d19ef14e3db215dfac
Instruction Fuzzy Hash: 20418C1364E3C089EB16873C514429A6FA2D332B4CF2DD1A9D7980B363D96AC15BD762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC32754, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8990701b6120a7c83ef5e4eb0131d7695fbb9565f5dd60224c821d488128b677
Instruction ID: b876a627e4a5cdb4e660cf3bd627fa0d90bcf4a73a6f81ef3be385bf2adda7d4
Opcode Fuzzy Hash: 8990701b6120a7c83ef5e4eb0131d7695fbb9565f5dd60224c821d488128b677
Instruction Fuzzy Hash: AD316D33E1C24286FEAD5969CD5497D1272AFA2740E248030F23D81F99CD2EB44EB532

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC42C60, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784b48e0997eee179a80e101ce4c513229386164b17c0dd4af8a97d850ba0fdd
Instruction ID: ce44e8c98ca594570e4a34c24c4b9212907ce138f004f8c6458b98139160eff1
Opcode Fuzzy Hash: 784b48e0997eee179a80e101ce4c513229386164b17c0dd4af8a97d850ba0fdd
Instruction Fuzzy Hash: 40F068717286558ADB948F2DA84363D77E0F718380F808039E69EC3F44DA3C90649F14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2A274, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0210d77da61e30b27039753a39a2f2148efb687aa5e96026ff40c58e14571448
Instruction ID: 9b24a751f9a4be5a65438300c12bdb9baf2404c0b953e20413f529872c904e8d
Opcode Fuzzy Hash: 0210d77da61e30b27039753a39a2f2148efb687aa5e96026ff40c58e14571448
Instruction Fuzzy Hash: 0FA00129A18C02D0EA459B00A8600282730FB71750B415032F02E816A49E7CA508E621

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC19232, Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 106networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF63EC1929A
_Init_thread_header.LIBCMT ref: 00007FF63EC193DE

Strings

3, xrefs: 00007FF63EC1931D
/, xrefs: 00007FF63EC19313
k, xrefs: 00007FF63EC1934A
H, xrefs: 00007FF63EC192ED
|, xrefs: 00007FF63EC19309
0, xrefs: 00007FF63EC19318
w, xrefs: 00007FF63EC1930E
p, xrefs: 00007FF63EC1935D
,, xrefs: 00007FF63EC19358
^, xrefs: 00007FF63EC192E2

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorInit_thread_headerLast
String ID: ,$/$0$3$H$^$k$p$w$|
API String ID: 4025375154-253053246
Opcode ID: 7416f4ff0be6ec7eba57a9f441abc027175377b62e64652e372d29bfff532440
Instruction ID: 7c290d89981e65ff52688f01749282c248a5a44052a6de4431f49751c67cba5f
Opcode Fuzzy Hash: 7416f4ff0be6ec7eba57a9f441abc027175377b62e64652e372d29bfff532440
Instruction Fuzzy Hash: 1151821250E2C188E762C338B49029EAFB087B6344F5811A9F6DE477DACD6DD05CDB36

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC386A4, Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 318COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF63EC38708

Part of subcall function 00007FF63EC37B74: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF63EC37BA9
Part of subcall function 00007FF63EC37B74: __GetUnwindTryBlock.LIBCMT ref: 00007FF63EC37BB7
Part of subcall function 00007FF63EC37B74: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF63EC37BDC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF63EC387E0
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF63EC38A44
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF63EC38A95
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF63EC38B55

Strings

csm, xrefs: 00007FF63EC38789
csm, xrefs: 00007FF63EC38722
csm, xrefs: 00007FF63EC38803

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3606184308-393685449
Opcode ID: d75e76c68253bcca0b94597d7b6e8bbe81b92c6df5baad666a6ded16b790c426
Instruction ID: 4fd20ff5e0f491e564f17944171efc350c8b16aa3b5d8c074fdf5f5fe5f67328
Opcode Fuzzy Hash: d75e76c68253bcca0b94597d7b6e8bbe81b92c6df5baad666a6ded16b790c426
Instruction Fuzzy Hash: BCE17E73A08B428AEB209B6598403AE37B0FB65798F100135FE9D97B95CF3CE498D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3E260, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 86libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00007FF63EC3E0F5,?,?,00000000,00007FF63EC37784), ref: 00007FF63EC3E2E3
GetLastError.KERNEL32(?,?,00000000,00007FF63EC37784), ref: 00007FF63EC3E2F1
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF63EC37784), ref: 00007FF63EC3E31B
FreeLibrary.KERNEL32(?,?,00000000,00007FF63EC37784), ref: 00007FF63EC3E361
GetProcAddress.KERNEL32(?,?,00000000,00007FF63EC37784), ref: 00007FF63EC3E36D

Strings

MZx, xrefs: 00007FF63EC3E27E, 00007FF63EC3E32C, 00007FF63EC3E34A
api-ms-, xrefs: 00007FF63EC3E303

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: MZx$api-ms-
API String ID: 2559590344-259127448
Opcode ID: 04355ff06001d2d6a683f0a034157a800ff914f5fcb14f6eb95f28767bf62b4d
Instruction ID: f56e3fc5c5d43a5be129dc06c5478ad8303510f00cd8d53d8c025a0b451e07a5
Opcode Fuzzy Hash: 04355ff06001d2d6a683f0a034157a800ff914f5fcb14f6eb95f28767bf62b4d
Instruction Fuzzy Hash: 1531C521B1AB42D5EE52DB12AC106BD63B4BF24B64F5A0535FD3D87390EE3CE4489720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC17AF0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 82fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63EC160F1: WideCharToMultiByte.KERNEL32 ref: 00007FF63EC1613A

GetModuleFileNameA.KERNEL32 ref: 00007FF63EC17B44
CreateFileA.KERNEL32 ref: 00007FF63EC17BC6
GetFileSize.KERNEL32 ref: 00007FF63EC17BDF
CloseHandle.KERNEL32 ref: 00007FF63EC17BEA

Part of subcall function 00007FF63EC36E78: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC36E9D

Strings

g, xrefs: 00007FF63EC17B5B
=, xrefs: 00007FF63EC17B50
w, xrefs: 00007FF63EC17B66

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: File$ByteCharCloseCreateHandleModuleMultiNameSizeWide_invalid_parameter_noinfo
String ID: =$g$w
API String ID: 2869743477-3268570079
Opcode ID: 4a82ca26e9b12c163d29d0ee986f8d2af40302c703be63ebbdc4b3e78d14f6a9
Instruction ID: e103253df0fa3bfe3fa9991a24d49e82368839e280206ffb79ccde9b99518e4a
Opcode Fuzzy Hash: 4a82ca26e9b12c163d29d0ee986f8d2af40302c703be63ebbdc4b3e78d14f6a9
Instruction Fuzzy Hash: 58314B1170C38185F7819735A85436E6AA0ABA6754F049135FAAF87BD2CE3CD44DDB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC426B0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF63EC426E1
GetLastError.KERNEL32 ref: 00007FF63EC426ED
CloseHandle.KERNEL32 ref: 00007FF63EC42705
CreateFileW.KERNEL32 ref: 00007FF63EC42730
WriteConsoleW.KERNEL32 ref: 00007FF63EC4274F

Strings

CONOUT$, xrefs: 00007FF63EC42711

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: b3995c7a37e6925a60afd43ef683f5ac5acb67d9482e949a7e5944a38cb6630b
Instruction ID: 6e1c5bce46607a278ddd4255b33b8f52f7379718ac9d1981977bb3ff96fcb5cd
Opcode Fuzzy Hash: b3995c7a37e6925a60afd43ef683f5ac5acb67d9482e949a7e5944a38cb6630b
Instruction Fuzzy Hash: CB119331718B4186E7519B12E85472DA6B0FBA8FE4F050235FA2EC7B94CF3CD9588B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC1879C, Relevance: 9.1, APIs: 6, Instructions: 103fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63EC160F1: WideCharToMultiByte.KERNEL32 ref: 00007FF63EC1613A

GetModuleFileNameA.KERNEL32 ref: 00007FF63EC187F1
CreateFileA.KERNEL32 ref: 00007FF63EC188AD
GetFileSize.KERNEL32 ref: 00007FF63EC188C1
SetFilePointer.KERNEL32 ref: 00007FF63EC188D6
SetEndOfFile.KERNEL32 ref: 00007FF63EC188DF
CloseHandle.KERNEL32 ref: 00007FF63EC188E8

Part of subcall function 00007FF63EC36E78: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC36E9D

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: File$ByteCharCloseCreateHandleModuleMultiNamePointerSizeWide_invalid_parameter_noinfo
String ID:
API String ID: 3914190426-0
Opcode ID: dceae1f6229362cc64b66fbe57b7f2deff865424649d4b32b4333f0f8ac6b727
Instruction ID: 1165180e57052b3393d37e61913700d21ad0d7748a80a9ccc8d55118f3dab4e8
Opcode Fuzzy Hash: dceae1f6229362cc64b66fbe57b7f2deff865424649d4b32b4333f0f8ac6b727
Instruction Fuzzy Hash: DE412B1360D38146F7519B24A4253AE3FA0ABA6794F088035FA9D477C1CE3DD40DD721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC34A68, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF63EC34A84
GetProcAddress.KERNEL32 ref: 00007FF63EC34A9A
FreeLibrary.KERNEL32 ref: 00007FF63EC34AB7

Strings

CorExitProcess, xrefs: 00007FF63EC34A93
mscoree.dll, xrefs: 00007FF63EC34A7B

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ecd63c3c4316c3c9fbdcfef5bf25d74ee47e5c971f69a65528fc7b8558aba146
Instruction ID: da8a42fa39d90633b9f3933070d4616dea2be693b4c018e50c2243442723a107
Opcode Fuzzy Hash: ecd63c3c4316c3c9fbdcfef5bf25d74ee47e5c971f69a65528fc7b8558aba146
Instruction Fuzzy Hash: 31F03A61B29A0281EB559B20E8943BD2770AFA8744F041436F47FC5760DF2CD49CEB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3EB3C, Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC3EB7D
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63EC3EAFB,?,?,?,00007FF63EC3ADEB), ref: 00007FF63EC3EC3C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63EC3EAFB,?,?,?,00007FF63EC3ADEB), ref: 00007FF63EC3ECBC

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 07eeae94c06d92b8504f9e987bce4935aa044e86d40c3320ad466e40d74f921d
Instruction ID: 9160500876d24c9e8f2eae717cbf80608b251cfff960f4e16c7688361871ab27
Opcode Fuzzy Hash: 07eeae94c06d92b8504f9e987bce4935aa044e86d40c3320ad466e40d74f921d
Instruction Fuzzy Hash: DD81A122E1875289FB119B659C406FD26B0BF64B98F440136FE2ED3796DE3CA449E730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC29FC0, Relevance: 7.6, APIs: 5, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF63EC2A047
MultiByteToWideChar.KERNEL32 ref: 00007FF63EC2A0C9
SysAllocString.OLEAUT32 ref: 00007FF63EC2A0D6

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: d862167c056b2ad39305bc35e6b04559ab4bed8c119e56702c1ae49f8c288d9f
Instruction ID: a954ed596b09da6e6fec612a6c50f798ac3a36b52b68a0bc938bbc460000a792
Opcode Fuzzy Hash: d862167c056b2ad39305bc35e6b04559ab4bed8c119e56702c1ae49f8c288d9f
Instruction Fuzzy Hash: CD41B221A0868689EF549F3598103BD26B0AF74BB4F146A35F97ECA7D5DE3CE0496320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC347E0, Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC34804
CreateThread.KERNEL32 ref: 00007FF63EC34845
GetLastError.KERNEL32 ref: 00007FF63EC34853
CloseHandle.KERNEL32 ref: 00007FF63EC34870
FreeLibrary.KERNEL32 ref: 00007FF63EC3487F

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: e755e38ed2f8e5df5b331195f0aae42cec82dc5444c985b05eb8cf30841258e8
Instruction ID: 1bde31ce87af027e3e2d1e1be8cfda821c74fa85b5a0d45eb63aa57f86abcb06
Opcode Fuzzy Hash: e755e38ed2f8e5df5b331195f0aae42cec82dc5444c985b05eb8cf30841258e8
Instruction Fuzzy Hash: F821A121B0978286EE15DF61A8101BD63B0BFA4B94F084431FE6DC3B55DF3CE408A661

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC42A58, Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF63EC42A80
_set_statfp.LIBCMT ref: 00007FF63EC42A9B
_set_statfp.LIBCMT ref: 00007FF63EC42AB7
_set_statfp.LIBCMT ref: 00007FF63EC42AF3

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 2f5373d1ca46f5c3229c317260ef8bd11ef88d050e705646cdd7aa3137752530
Instruction ID: 8bf2642462eeef8c24c11acb90420a020c7d9a198f25ba25b3048ca167bdadfb
Opcode Fuzzy Hash: 2f5373d1ca46f5c3229c317260ef8bd11ef88d050e705646cdd7aa3137752530
Instruction Fuzzy Hash: 45118222E98A1301F67E1129D45737E25F06F74360F494637FE7E873D68E1C685AA930

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3B9EC, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63EC3BA2F

Strings

e+000, xrefs: 00007FF63EC3BAD4
gfff, xrefs: 00007FF63EC3BB51
-, xrefs: 00007FF63EC3BC11

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$e+000$gfff
API String ID: 3215553584-2620144452
Opcode ID: fea700b4ae36ff7c529df643656e834d20fb0c31ee8ce0b254d5c322e6b27136
Instruction ID: bd0aff1ac0d29c792f2a5e3df22ecf0d6b4b7cf3de40c1378e8d2f331616313f
Opcode Fuzzy Hash: fea700b4ae36ff7c529df643656e834d20fb0c31ee8ce0b254d5c322e6b27136
Instruction Fuzzy Hash: 3D611862B187C586EB218F2599413AD77A1EB50B90F488231EBBC87BD9DF3CD849D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC38C68, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF63EC2B689,?,?,00007FF63EC38B1B), ref: 00007FF63EC38CB4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF63EC38D03

Strings

RCC, xrefs: 00007FF63EC38CD1
MOC, xrefs: 00007FF63EC38CC8

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: ba8a55b228979507f88b3c3f52684b91d840e4bed7c9b4b7db1ce7d12982141e
Instruction ID: df31fcdf317773c3475cab213f4ef51aa9a7644c4fc5589a97c8f516932a3dd9
Opcode Fuzzy Hash: ba8a55b228979507f88b3c3f52684b91d840e4bed7c9b4b7db1ce7d12982141e
Instruction Fuzzy Hash: 7D512737A08B858AEB208F65D8802ED77B0FB64B88F144526EE5957B98DF3CE059D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3806C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF63EC38094
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF63EC3817C

Strings

csm, xrefs: 00007FF63EC380B6
csm, xrefs: 00007FF63EC381CE

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: c1f9aeab5c56c4da10f37370f3e62ba49f3a1aa23b94188c6bc5adb2cffb70f5
Instruction ID: 6c7fb5aba72e8b39141b6c7eb71f227c1bc0efbd4cfff75c55d2ed173cd85c7a
Opcode Fuzzy Hash: c1f9aeab5c56c4da10f37370f3e62ba49f3a1aa23b94188c6bc5adb2cffb70f5
Instruction Fuzzy Hash: C8516F3390868286EF748B1599442AD77B0FB65B84F144135FAAD87BD6CF3CE458EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC15E96, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67memorywindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF63EC15EDD
LocalAlloc.KERNEL32 ref: 00007FF63EC15F38

Strings

Unknown error 0x%0lX, xrefs: 00007FF63EC15F7D
IDispatch error #%d, xrefs: 00007FF63EC15F6C

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: AllocFormatLocalMessage
String ID: IDispatch error #%d$Unknown error 0x%0lX
API String ID: 3960703613-2934499512
Opcode ID: 693297c9b66ce21f8298f55620efccc22f9a8bf88e228e71242208683c58015a
Instruction ID: 43fc841b9cbc419e81498c1cdba036ab104545fe609bd7ca2583d8729c98da41
Opcode Fuzzy Hash: 693297c9b66ce21f8298f55620efccc22f9a8bf88e228e71242208683c58015a
Instruction Fuzzy Hash: 1C210476B0C64182EF258B65E41437D27B1AFA5B94F544231EA2D83BD1CF3CE84AE360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC383E4, Relevance: 6.2, APIs: 4, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF63EC38507
__AdjustPointer.LIBCMT ref: 00007FF63EC38552
__AdjustPointer.LIBCMT ref: 00007FF63EC38629

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: fa5bbb738a34b93a05ad879c9e0083a197e3b01216d23d5cd4cd7d0d0e826275
Instruction ID: 0711287271041d1deb03cd77bdca99ef4c8021abc1fcec3cf7820801c96c9267
Opcode Fuzzy Hash: fa5bbb738a34b93a05ad879c9e0083a197e3b01216d23d5cd4cd7d0d0e826275
Instruction Fuzzy Hash: C771D223A0964281FE65DB2199806BD63B0FF74B80F094536FE6D87BC5CE3CE449A760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC16678, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF63EC166A0
VariantClear.OLEAUT32 ref: 00007FF63EC166A9
VariantClear.OLEAUT32 ref: 00007FF63EC166AF
VariantClear.OLEAUT32 ref: 00007FF63EC166B5

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ab6e2a0be742cb0bde27c77b28ef8d64c4758e36f59ce557272be3e982f2d718
Instruction ID: 7f32e9bd4c4993e163fa9dba060519f2446dc21144b3f26913228d720d207c35
Opcode Fuzzy Hash: ab6e2a0be742cb0bde27c77b28ef8d64c4758e36f59ce557272be3e982f2d718
Instruction Fuzzy Hash: A8E012336109A8A8D711EF31FC109EC6B24F790768F454133EE5C82554AE34D6DBC310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC3F508, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF63EC3F61F
GetLastError.KERNEL32 ref: 00007FF63EC3F641

Strings

U, xrefs: 00007FF63EC3F5CB

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 8fade4a58e48830b81c384b6c6ba52233c11786accea551678c790b2d95991eb
Instruction ID: af6033b0cdda6755246b39bca7c7af4f569541e0f6a352679254848f746b51ae
Opcode Fuzzy Hash: 8fade4a58e48830b81c384b6c6ba52233c11786accea551678c790b2d95991eb
Instruction Fuzzy Hash: 8041B222B18A8182DB209F25E8443AD67B0FBA8794F904531EE9EC7798EF3CD449D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC39130, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF63EC39169
LCMapStringW.KERNEL32 ref: 00007FF63EC391F1

Strings

LCMapStringEx, xrefs: 00007FF63EC3915D

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: b0f2c5edf64f2378b63e45fc81fb072509f10715db6d83ca7f2293333b33c2e1
Instruction ID: 6258c1b31a025a4f3c125cb7fd648bf17e820e527cc0c7aeeec6ad0c493437c3
Opcode Fuzzy Hash: b0f2c5edf64f2378b63e45fc81fb072509f10715db6d83ca7f2293333b33c2e1
Instruction Fuzzy Hash: AA112936608B8186D760CB06B8402AEB7B0FBD9B80F544136FAAD93B59DF3CD4448B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC2AE90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,000000F8,00007FF63EC2A1CF), ref: 00007FF63EC2AED4
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,000000F8,00007FF63EC2A1CF), ref: 00007FF63EC2AF1A

Strings

csm, xrefs: 00007FF63EC2AF07

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0cca6d678f7393a148cf465ca776ec0841094c4d6af28f07bbd8ffb2a00a0908
Instruction ID: 756de27b824bb509980706c77ea5b6a8f06b5df7e000aa2b90319cc34b2e9684
Opcode Fuzzy Hash: 0cca6d678f7393a148cf465ca776ec0841094c4d6af28f07bbd8ffb2a00a0908
Instruction Fuzzy Hash: 2E114F32608B4182EB618F15E44026D77B1FBA8B94F185231EF9D47B68DF3CD556DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC390CC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF63EC390FD
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF63EC39117

Strings

InitializeCriticalSectionEx, xrefs: 00007FF63EC390F1

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 8c987e7fc56b62dd683d011dab3348d6d6033c655efcd8cecba21263e958bef2
Instruction ID: f27c0072ac9dc85ae91648fd470215d514c8857da24c4fe25fb10dad085ab5ab
Opcode Fuzzy Hash: 8c987e7fc56b62dd683d011dab3348d6d6033c655efcd8cecba21263e958bef2
Instruction Fuzzy Hash: 6CF0BE26B0878181EB059B45B8004ADB330EF58BC0F444032FA3E53B99CF3CD889EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63EC39078, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF63EC390A1
TlsSetValue.KERNEL32(?,?,000000F8,00007FF63EC3984E,?,?,000000F8,00007FF63EC3B195,?,?,?,?,00007FF63EC3A971), ref: 00007FF63EC390B8

Strings

FlsSetValue, xrefs: 00007FF63EC3908E

Memory Dump Source

Source File: 00000000.00000002.199573475.00007FF63EC01000.00000020.00020000.sdmp, Offset: 00007FF63EC00000, based on PE: true

Associated: 00000000.00000002.199569816.00007FF63EC00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199609309.00007FF63EC44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199621632.00007FF63EC52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199625300.00007FF63EC54000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199629425.00007FF63EC56000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635005.00007FF63EC5D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63ec00000_anchorDNS_x64.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 2214c7330c37fb0c43cf6c8910562a881b2b91213e701cb4f8b092eaac3225e3
Instruction ID: 0a647326b4684de278d71b9377d7eeb4b61d2e1e1ed9b1fff066b846d2b93cb0
Opcode Fuzzy Hash: 2214c7330c37fb0c43cf6c8910562a881b2b91213e701cb4f8b092eaac3225e3
Instruction Fuzzy Hash: 33E06561A18642D1EA055B55F8404FD7271AF5C790F485033F93E86799CE3CD89CEB21

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 6456 Parent PID: 6376 powershell.exeCOMMON

Executed Functions

Function 00007FFAEEE23CA3, Relevance: 2.0, Strings: 1, Instructions: 763COMMON

Download Yara Rule

Strings

m`_H, xrefs: 00007FFAEEE24060

Memory Dump Source

Source File: 00000006.00000002.232309945.00007FFAEEE20000.00000040.00000001.sdmp, Offset: 00007FFAEEE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeee20000_powershell.jbxd

Similarity

API ID:
String ID: m`_H
API String ID: 0-3858478043
Opcode ID: 0815186c7ad790360c8b30871c67800312cf4fb6636fb121feb508ea566d86a6
Instruction ID: f97affbf479ebaa43cb727f620694b6969815e21aa5333325c80e3c4cf57a320
Opcode Fuzzy Hash: 0815186c7ad790360c8b30871c67800312cf4fb6636fb121feb508ea566d86a6
Instruction Fuzzy Hash: D802F631A0CB4A8FEB88EF1CC495AA97BE1FF69300F154179D44DC7296DA64EC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEE46BD, Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232350184.00007FFAEEEE0000.00000040.00000001.sdmp, Offset: 00007FFAEEEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeeee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29413c37bd416ccbb614067fb7eb5f0ec9daddda95817821967b3187346e018
Instruction ID: 2dbf6ca2d78871f9741a19449ce7ab163a8ae87d90cfa4fb57cb88e811925388
Opcode Fuzzy Hash: d29413c37bd416ccbb614067fb7eb5f0ec9daddda95817821967b3187346e018
Instruction Fuzzy Hash: DBD1287190E7C92FD7569B3998556B57FE0EF53220B0A41FBD0CDC70A3DA589806C392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEE6910, Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232350184.00007FFAEEEE0000.00000040.00000001.sdmp, Offset: 00007FFAEEEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeeee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602f2aec9dfd82c127ee7c41bf4a206955505f9d26f2e504c028f5b5589470c7
Instruction ID: a6696d176450d4225ed66903844936b3e5442481a3eeb4e8f00215548d1e3906
Opcode Fuzzy Hash: 602f2aec9dfd82c127ee7c41bf4a206955505f9d26f2e504c028f5b5589470c7
Instruction Fuzzy Hash: 89D16B7290DBCA1FD766EB6898956B57FE0EF03310B0940FED08CCB1A3E9989805C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEE3014, Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232350184.00007FFAEEEE0000.00000040.00000001.sdmp, Offset: 00007FFAEEEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeeee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a399939f2d60501299e77e65304ac63cb4302284ad3e1853f50248d050622fe5
Instruction ID: 5fe1a8c6ace43b3197209184141ccbcbe8b96af394e833436a5888b8c8006ea1
Opcode Fuzzy Hash: a399939f2d60501299e77e65304ac63cb4302284ad3e1853f50248d050622fe5
Instruction Fuzzy Hash: 25C1697190DB8A5FE7A5EB6988956B5BFE1EF46300B1940FED08CC71A3D958AC05C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEE30BA, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232350184.00007FFAEEEE0000.00000040.00000001.sdmp, Offset: 00007FFAEEEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeeee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1e4f04ec4adfc98b431f3868842febbcd8179db22dedd61d468eb9df3b733f
Instruction ID: 07dbeee15674b91aa1ce9a2413440be639d78481e9d2a39916956433a4e2a61a
Opcode Fuzzy Hash: ab1e4f04ec4adfc98b431f3868842febbcd8179db22dedd61d468eb9df3b733f
Instruction Fuzzy Hash: F051C97190DAC65FE7A5DB694495278BBD1EF16300B1980FDC0CDCB2E3DD99AC448742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEE221E8, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232309945.00007FFAEEE20000.00000040.00000001.sdmp, Offset: 00007FFAEEE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeee20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3638d6b76ad5b7731dd8172b59b64784534c56dec3ed987e3d7118dd25656ac
Instruction ID: 4876bca0a380cb7cce15209c86b954c98a6e52c250a7448dcf2fcc9d423ed901
Opcode Fuzzy Hash: d3638d6b76ad5b7731dd8172b59b64784534c56dec3ed987e3d7118dd25656ac
Instruction Fuzzy Hash: 9601847131C9084FD74CEF1CE4A2AB573E1EB99320B5041AED48AC7697DA27B8438785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEE21355, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232309945.00007FFAEEE20000.00000040.00000001.sdmp, Offset: 00007FFAEEE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeee20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5921e71f07582a7c74abfbbba3be25ad186edaa7760d03d5a8c8591150ec97b9
Instruction ID: e196f62a1808101b51382a77f108dc383a73a1d4e31d2a516c248cd52d82db46
Opcode Fuzzy Hash: 5921e71f07582a7c74abfbbba3be25ad186edaa7760d03d5a8c8591150ec97b9
Instruction Fuzzy Hash: 7701677111CB0C4FD744EF0CE451AB6B7E0FB99364F10056DE58AC3651DA36E882CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEE23FC8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232309945.00007FFAEEE20000.00000040.00000001.sdmp, Offset: 00007FFAEEE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeee20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c1dde451898f706a29055310619955e71ccc2704c66265bb05e3513016209f
Instruction ID: 8eb4a56a4e26158be636937e57820464d6c06f83e2bdd13e117d864d8d93df92
Opcode Fuzzy Hash: b1c1dde451898f706a29055310619955e71ccc2704c66265bb05e3513016209f
Instruction Fuzzy Hash: 8DF0373275C6054F974CAA0CF8435F573D1E789320B40017EE48AC2696E916B8428685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEE6BD7, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.232350184.00007FFAEEEE0000.00000040.00000001.sdmp, Offset: 00007FFAEEEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffaeeee0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf86fec42f953c605dfaad6690c9a6f09de4deda7c539eeeb7d58564bd8dc51
Instruction ID: 2a9551122573af0cf040cc20198bab3a6764560b2a01a88d0d492e432d6deaf3
Opcode Fuzzy Hash: 0cf86fec42f953c605dfaad6690c9a6f09de4deda7c539eeeb7d58564bd8dc51
Instruction Fuzzy Hash: 25F0B472A0D6884FE755EBACA8566F9BBD0EF59211F2801BFD04DD3193D81654018752

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report anchorDNS_x64.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Protection of GUI:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: anchorDNS_x64.exe PID: 6344 Parent PID: 5660

General

Chronological Activities

Analysis Process: cmd.exe PID: 6368 Parent PID: 6344

General

Chronological Activities

Function 00007FF63EC042E4, Relevance: 39.9, APIs: 6, Strings: 16, Instructions: 1360
fileCOMMON

Function 00007FF63EC0F1C7, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 307
processCOMMON

Function 00007FF63EC298CC, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 52
libraryloaderCOMMON

Function 00007FF63EC2AB90, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94
COMMON

Function 00007FF63EC34AC4, Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Function 00007FF63EC392D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMONLIBRARYCODE

Function 00007FF63EC2AAAC, Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Function 00007FF63EC349F8, Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Function 00007FF63EC3DFD0, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00007FF63EC3C4D8, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Function 00007FF63EC3B264, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 00007FF63EC41AF8, Relevance: 1.3, APIs: 1, Instructions: 38
memoryCOMMON