Edit tour

Windows Analysis Report
P2jWhX7B3B.exe

Overview

General Information

Sample name:	P2jWhX7B3B.exe renamed because original name is a hash value
Original sample name:	aa25d7c3077df8436843b7bda71b75a21d26364b433a785b6ef7fee32e685cd6.exe
Analysis ID:	1502381
MD5:	45b0d7e39737d84cda9fe98e63c950a9
SHA1:	2e00d9dca0fb42e29b14141e6e2229f7818bbcf2
SHA256:	aa25d7c3077df8436843b7bda71b75a21d26364b433a785b6ef7fee32e685cd6
Tags:	exe
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Contains functionality to inject code into remote processes

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

P2jWhX7B3B.exe (PID: 4928 cmdline: "C:\Users\user\Desktop\P2jWhX7B3B.exe" MD5: 45B0D7E39737D84CDA9FE98E63C950A9)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: P2jWhX7B3B.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721E1 FindFirstFileW,FindClose,	0_2_00007FF787B721E1
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721F5 FindFirstFileW,FindClose,	0_2_00007FF787B721F5
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721CC FindFirstFileW,FindClose,	0_2_00007FF787B721CC
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721D4 FindFirstFileW,FindClose,	0_2_00007FF787B721D4

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Code function: 0_2_00007FF787B755C2 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00007FF787B755C2

Source: P2jWhX7B3B.exe	String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: P2jWhX7B3B.exe	String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: P2jWhX7B3B.exe, 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):

System Summary

PE file has nameless sections

Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B758B0	0_2_00007FF787B758B0
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B7492C	0_2_00007FF787B7492C
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B78F52	0_2_00007FF787B78F52
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B71E4B	0_2_00007FF787B71E4B
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B7A9EA	0_2_00007FF787B7A9EA
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B7159A	0_2_00007FF787B7159A
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B78972	0_2_00007FF787B78972
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B74953	0_2_00007FF787B74953

Source: P2jWhX7B3B.exe

Static PE information: Number of sections : 12 > 10

Source: P2jWhX7B3B.exe

Static PE information: Section: ZLIB complexity 0.9947643119747899

Source: classification engine

Classification label: mal80.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Code function: 0_2_00007FF787B7492C GetEnvironmentVariableW,GetFileAttributesW,GetEnvironmentVariableW,GetFileAttributesW,CreateToolhelp32Snapshot,Process32FirstW,_wcsicmp,Process32NextW,_wcsicmp,

0_2_00007FF787B7492C

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 6
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 5
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 8
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 7
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 9
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 0
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 10
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 2
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 1
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 4
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 3

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

File read: C:\Users\user\Desktop\P2jWhX7B3B.exe

Jump to behavior

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: P2jWhX7B3B.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: P2jWhX7B3B.exe

Static file information: File size 3659776 > 1048576

Source: P2jWhX7B3B.exe

Static PE information: Raw size of is bigger than: 0x100000 < 0x321600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Unpacked PE file: 0.2.P2jWhX7B3B.exe.7ff787b70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:W;Unknown_Section6:W;Unknown_Section7:W;Unknown_Section8:W;Unknown_Section9:R;Unknown_Section10:EW;Unknown_Section11:EW;

Source: P2jWhX7B3B.exe

Static PE information: real checksum: 0x3960e should be: 0x37e3d5

Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:
Source: P2jWhX7B3B.exe	Static PE information: section name:

Source: P2jWhX7B3B.exe	Static PE information: section name: entropy: 7.991448404720813
Source: P2jWhX7B3B.exe	Static PE information: section name: entropy: 7.887538885458545
Source: P2jWhX7B3B.exe	Static PE information: section name: entropy: 7.8223568056302195

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE1
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $SANDBOXIERPCSS.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIESVC.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXEN
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXEO
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NETSNIFFER.EXE\CUT
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXED
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXEES$
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEO
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXES\PICTURES\\)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXEC
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE%
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667669140.0000021CBA2A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE?<
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $BEHAVIORDUMPER.EXED
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CFF EXPLORER.EXE(
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXEP
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXEN
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXEC
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .SANDBOXIEDCOMLAUNCH.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $APIMONITOR-X86.EXEURES\
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE8
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "PROC_ANALYZER.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMUSRVC.EXEZ
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE\X
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE@
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXEJ
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXEE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA301000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA2FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXEB3B.EXE\WINDOWS\INETCACHE\\
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "PROCESSHACKER.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE"

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Window / User API: threadDelayed 422

Jump to behavior

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

API coverage: 8.2 %

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe TID: 5004

Thread sleep count: 422 > 30

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721E1 FindFirstFileW,FindClose,	0_2_00007FF787B721E1
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721F5 FindFirstFileW,FindClose,	0_2_00007FF787B721F5
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721CC FindFirstFileW,FindClose,	0_2_00007FF787B721CC
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B721D4 FindFirstFileW,FindClose,	0_2_00007FF787B721D4

Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmscsi.exe,
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtools8
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmwareVBoxService.exe
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exe
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Hyper-V (guest)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exeJ
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exeB
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxserviceh
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exe'
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exeB
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exeD
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe/
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Exchange ServicevmickvpexchangeHyper-V Heartbeat ServicevmicheartbeatHyper-V Gue
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc.exe=
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exeB
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe>
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000003.1662019646.0000021CBAA60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Fvmware physical disk helper service
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exeC
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exeM
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exeB
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l Direct ServicevmicvmsessionHyper-V Time Synchronization ServicevmictimesyncHyp
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc.exez
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe2
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA2FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Fvmware physical disk helper servicee\windows\inetcache\
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmmemctl.exev
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hutdown ServicevmicshutdownHyper-V Remote Desktop Virtualization ServicevmicrdvH
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exeb
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668040510.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662036173.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .new tab - google chromehyper-v
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668080657.0000021CBAA63000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662019646.0000021CBAA60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :hyper-v data exchange servicecs)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: meW32TimeVolume Shadow CopyVSSHyper-V Volume Shadow Copy RequestorvmicvssHyper
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: #Windows 11 Microsoft Hyper-V Server

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Process queried: DebugPort

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787B71131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,_malloc_dbg,strlen,_malloc_dbg,_cexit,	0_2_00007FF787B71131
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787BA1690 SetUnhandledExceptionFilter,	0_2_00007FF787BA1690
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	Code function: 0_2_00007FF787BA1530 RtlAddVectoredExceptionHandler,	0_2_00007FF787BA1530

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Code function: 0_2_00007FF787B758B0 ExitProcess,CreateMutexA,GetLastError,CreateProcessA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualProtect,QueueUserAPC,ResumeThread,

0_2_00007FF787B758B0

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	NtProtectVirtualMemory: Indirect: 0x7FF787C3BD37	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	NtSetInformationThread: Indirect: 0x7FF787BEACC1	Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe	NtProtectVirtualMemory: Indirect: 0x7FF7887890CA	Jump to behavior

Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA415000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1661992608.0000021CBA420000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667924766.0000021CBA423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanion
Source: P2jWhX7B3B.exe, 00000000.00000002.1668040510.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662036173.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: program manager chromeB
Source: P2jWhX7B3B.exe, 00000000.00000002.1668040510.0000021CBAA57000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662036173.0000021CBAA57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shell_traywndxe

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe

Code function: 0_2_00007FF787B82030 GetSystemTimeAsFileTime,

0_2_00007FF787B82030

Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procdump.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spideragent.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsaua.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	23 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Process Injection	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
P2jWhX7B3B.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://enigmaprotector.com/taggant/spv.crl0	0%	Avira URL Cloud	safe
https://gcc.gnu.org/bugs/):	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Virustotal		Browse
https://gcc.gnu.org/bugs/):	0%	Virustotal		Browse
https://enigmaprotector.com/taggant/spv.crl0	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://gcc.gnu.org/bugs/):	P2jWhX7B3B.exe, 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://enigmaprotector.com/taggant/spv.crl0	P2jWhX7B3B.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://enigmaprotector.com/taggant/user.crl0	P2jWhX7B3B.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502381
Start date and time:	2024-09-01 03:16:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	P2jWhX7B3B.exe renamed because original name is a hash value
Original Sample Name:	aa25d7c3077df8436843b7bda71b75a21d26364b433a785b6ef7fee32e685cd6.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.97091124677834
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	P2jWhX7B3B.exe
File size:	3'659'776 bytes
MD5:	45b0d7e39737d84cda9fe98e63c950a9
SHA1:	2e00d9dca0fb42e29b14141e6e2229f7818bbcf2
SHA256:	aa25d7c3077df8436843b7bda71b75a21d26364b433a785b6ef7fee32e685cd6
SHA512:	59791454b5d45fa3bdf1ec610b9d91ede1da70c7758d36be331954b1af20788b2b4d3ab2db993e6a869aa7bb67f42a6b0499bd411c17cc8654c428bc6d959fc8
SSDEEP:	49152:bghim7RwVhwZwwXAXKrDLGijjpLHIU7u4s1F1BkVxcDfagZ7PzYvF9xIjteqgJUL:ZqRVwqEyjjNHIZkref1YvrxIjlngwic
TLSH:	C3063343F62F62DCE145A1F2C6049114DB6B15E13EBE08428F0A839E65D76BAD3CF6C9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(............l..........@.............................@............`...@...... ........ ...... .....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14102ed6c
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c1fbf380722f62e9d13f77bc10915a89

Entrypoint Preview

Instruction
jmp 00007F942CBC070Ah
add dl, al
add eax, 00000000h
add byte ptr [eax+51h], dl
push edx
push ebx
push ebp
push esi
push edi
inc ecx
push eax
inc ecx
push ecx
inc ecx
push edx
inc ecx
push ebx
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
pushfd
dec eax
sub esp, 00000008h
stmxcsr dword ptr [esp]
call 00007F942CBC0705h
pop ebp
dec eax
sub ebp, 00000033h
dec eax
sub ebp, 0102ED6Ch
dec eax
sub esp, 00000020h
jmp 00007F942CBC0709h
cmp ebp, dword ptr [edi+3Fh]
aad 48h
mov eax, 0102ED6Ch
dec eax
add eax, ebp
dec eax
add eax, 00000084h
dec eax
mov ecx, 0000060Bh
dec eax
mov edx, 5747C0E1h
xor byte ptr [eax], dl
dec eax
inc eax
dec eax
dec ecx
jne 00007F942CBC06F8h
jmp 00007F942CBC0709h
int FDh
cdq
fsubr dword ptr [ecx+686A0868h]
fucom st(1), st(0)
loope 00007F942CBC06E3h
test eax, E0E92060h
loope 00007F942CBC06E3h
test eax, 26A908E0h
and ebx, ebp
loope 00007F942CBC06E3h
loope 00007F942CBC06ABh
and ecx, ecx
loope 00007F942CBC06E3h
loope 00007F942CBC06ABh
push ss
add ebp, dword ptr [ecx+606A20E0h]
in eax, dx
loope 00007F942CBC06E3h
loope 00007F942CBC06ABh
loopne 00007F942CBC070Bh
mov cl, B1h
test eax, CF1D1159h
loope 00007F942CBC06E3h
loope 00007F942CBC06E3h
loope 00007F942CBC06ABh
pop eax
call far 0000h : 00000011h

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0xd15060	0xeb1
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd15f14	0x2e8
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xd16af8	0x28260
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd15040	0x10
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd15000	0x28
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
0x1000	0x21000	0xee00	82921cc774b08e34ce9392064dbd5d3e	False	0.9947643119747899	data	7.991448404720813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x22000	0x2000	0x200	c3c217f77fe21f9174003ad943486cd2	False	0.548828125	data	4.599463481632959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x24000	0x5000	0x1800	73b7b7545ec40fb85bd5e2b3e0ea5c34	False	0.9724934895833334	data	7.887538885458545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x29000	0x4000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x2d000	0x3000	0xa00	d8ed81182984c1a5d7924b0294037f42	False	0.98125	data	7.8223568056302195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x30000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x31000	0x2000	0x200	8ba7d2582ddefbcc19f091c56880526d	False	0.1796875	data	1.4888998962794857	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x33000	0x1000	0x200	9cb5b7dae27f64e2678851f34675fb4b	False	0.087890625	data	0.6093502733147627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x34000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x35000	0x1000	0x400	8926b2563b3596513c089094eb3b6b60	False	0.8095703125	data	6.615977615533295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x36000	0xcdc000	0x4a400	6d2624a5290d537eef7cac5b3f198685	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0xd12000	0x322000	0x321600	16c67f7303c6388fd5648e32ca325af7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	OleInitialize
msvcrt.dll	__C_specific_handler
WININET.dll	InternetCloseHandle

Target ID:	0
Start time:	21:16:55
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\P2jWhX7B3B.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\P2jWhX7B3B.exe"
Imagebase:	0x7ff787b70000
File size:	3'659'776 bytes
MD5 hash:	45B0D7E39737D84CDA9FE98E63C950A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.2%
Total number of Nodes:	1383
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF787B758B0 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 341
memoryinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00007FF787B758D3
CreateMutexA.KERNEL32 ref: 00007FF787B759A4
GetLastError.KERNEL32 ref: 00007FF787B759AD
CreateProcessA.KERNEL32 ref: 00007FF787B75CB3
VirtualAllocEx.KERNEL32 ref: 00007FF787B75CE3
WriteProcessMemory.KERNEL32 ref: 00007FF787B75CFF
VirtualProtect.KERNEL32 ref: 00007FF787B75D14
QueueUserAPC.KERNEL32 ref: 00007FF787B75D23
ResumeThread.KERNEL32 ref: 00007FF787B75D2C

Strings

@, xrefs: 00007FF787B75CC2

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Process$CreateVirtual$AllocErrorExitLastMemoryMutexProtectQueueResumeThreadUserWrite
String ID: @
API String ID: 2997260034-2766056989
Opcode ID: f29c2bc2aa2f830e10a775610582b9c2f220351618a3ac35f01bf8f5afd253e8
Instruction ID: 2248eacef03f38b7b45add3931c48a79e519831d6a137752970869cefad7545b
Opcode Fuzzy Hash: f29c2bc2aa2f830e10a775610582b9c2f220351618a3ac35f01bf8f5afd253e8
Instruction Fuzzy Hash: FCE18E32A5828696E761EB19D40076AEF92FF50BC4FA48031DA0B1B791DF7DA946C720

Function 00007FF787B71131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF787B7116E
_amsg_exit.MSVCRT ref: 00007FF787B7118D
_initterm.MSVCRT ref: 00007FF787B711AE
_initterm.MSVCRT ref: 00007FF787B711D3
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF787B71212
_malloc_dbg.MSVCRT ref: 00007FF787B71244
strlen.MSVCRT ref: 00007FF787B7125C
_malloc_dbg.MSVCRT ref: 00007FF787B71268
_cexit.MSVCRT ref: 00007FF787B712E3

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: _initterm_malloc_dbg$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 4167734774-0
Opcode ID: 52d2e165cae7533f5d35e06507daed48006d0a113bdaa097266e701ad3bdc6ed
Instruction ID: 504f970cb9768771c03bc88aa311c7794270ce9a380e486e72a53a5c10b599fa
Opcode Fuzzy Hash: 52d2e165cae7533f5d35e06507daed48006d0a113bdaa097266e701ad3bdc6ed
Instruction Fuzzy Hash: B4510231A8964A86F751BF5AD850279ABA2BF44784FA44435DD1F8B391EF2CE443C370

Function 00007FF787B7492C Relevance: 12.8, APIs: 8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5806a9513739e0fcdf13924d4085f4a5603eb7e9f3901940bf64cffec4b02f9
Instruction ID: 99b9a644233c99cbfa70dcc039898cdf6044a3e6d93eef8f119baad86c79d200
Opcode Fuzzy Hash: d5806a9513739e0fcdf13924d4085f4a5603eb7e9f3901940bf64cffec4b02f9
Instruction Fuzzy Hash: 9F72D572A4959686E720EB19C00066DFF92FB50FD8FB88134C61B0B790DE79E957C750

Function 00007FF787B74953 Relevance: 6.6, APIs: 4, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: _malloc_dbg$_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 1593204669-0
Opcode ID: 869f8d2a413c0a1fce99c2bfc34eb1bfd3a36a812d16f4bf316466595a5edf2b
Instruction ID: e0fafff3cd75273ade485a895c6ac039c7f23eefadad370a920727fad15174cf
Opcode Fuzzy Hash: 869f8d2a413c0a1fce99c2bfc34eb1bfd3a36a812d16f4bf316466595a5edf2b
Instruction Fuzzy Hash: E252E632A496C686EB10EB18C0007ADFF92FB40B98FA9C134C65B0B791DE79E947C750

Function 00007FF787B8067F Relevance: 12.1, APIs: 8, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00007FF787B80691

Part of subcall function 00007FF787B80495: _calloc_dbg.MSVCRT ref: 00007FF787B804C1

GetCurrentThreadId.KERNEL32 ref: 00007FF787B806C9
CreateEventA.KERNEL32 ref: 00007FF787B806DF

Part of subcall function 00007FF787B80541: GetCurrentThreadId.KERNEL32 ref: 00007FF787B80581
Part of subcall function 00007FF787B80541: _ultoa.MSVCRT ref: 00007FF787B80594
Part of subcall function 00007FF787B80541: OutputDebugStringA.KERNEL32 ref: 00007FF787B805CB
Part of subcall function 00007FF787B80541: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF787B805D1

GetCurrentThread.KERNEL32 ref: 00007FF787B80716
DuplicateHandle.KERNEL32 ref: 00007FF787B80745
abort.MSVCRT ref: 00007FF787B8074F
GetThreadPriority.KERNEL32 ref: 00007FF787B80758
TlsSetValue.KERNEL32 ref: 00007FF787B80781

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Thread$Current$Valueabort$CreateDebugDuplicateEventHandleOutputPriorityString_calloc_dbg_ultoa
String ID:
API String ID: 3003713025-0
Opcode ID: b07612aac89c5a200896f588b6e774118e018158538594add5f6ee2ffae56069
Instruction ID: a050d8bbddc85b0a5d3eb8504c046b91b8d3ddc2ee407307eaafe9d79811c9c5
Opcode Fuzzy Hash: b07612aac89c5a200896f588b6e774118e018158538594add5f6ee2ffae56069
Instruction Fuzzy Hash: 1831B53594975186EB51BF35A801369BAB2FF04BD4FA84239C92E43394EF3CD442C720

Function 00007FF787B7C16F Relevance: 7.6, APIs: 5, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_calloc_dbg.MSVCRT ref: 00007FF787B7C1F2
abort.MSVCRT(?,?,00000000,?,00007FF787B715BC), ref: 00007FF787B7C1FF
_malloc_dbg.MSVCRT ref: 00007FF787B7C27F

Part of subcall function 00007FF787B7FED8: GetCurrentThreadId.KERNEL32 ref: 00007FF787B7FE10

_realloc_dbg.MSVCRT ref: 00007FF787B7C22A
_malloc_dbg.MSVCRT ref: 00007FF787B7C29B

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: _malloc_dbg$CurrentThread_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 4037631172-0
Opcode ID: c3c8b89245bc2a4d2558b95bde91a770513fa25e560faf1ffa902b861b91d2fa
Instruction ID: afc047553101b423d6845373d318b639a54d013c603acc62f297333935439887
Opcode Fuzzy Hash: c3c8b89245bc2a4d2558b95bde91a770513fa25e560faf1ffa902b861b91d2fa
Instruction Fuzzy Hash: 5B418331B86A0655EA45FF19D8041A9AB56BF44BC4FE88439DD0F0B795EE3CE847C320

Function 00007FF787B81223 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF787B812D8

Strings

once %p is %d, xrefs: 00007FF787B812CE

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: once %p is %d
API String ID: 383729395-95064319
Opcode ID: 13121847336affd19084199a4a3428cbcd27a1516d3c3a149cac98008e80f6c7
Instruction ID: ade0361dc8246237568abaa3f99e5e68cc81a4009843f2a74106a5c52d7f8d1d
Opcode Fuzzy Hash: 13121847336affd19084199a4a3428cbcd27a1516d3c3a149cac98008e80f6c7
Instruction Fuzzy Hash: 0A115071A99A0AC5E610BF25A400579BB66BB45BC0FE48138DE5F47795DE3CD443C720

Non-executed Functions

Function 00007FF787B755C2 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 208
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF787B7C16F: _calloc_dbg.MSVCRT ref: 00007FF787B7C1F2
Part of subcall function 00007FF787B7C16F: abort.MSVCRT(?,?,00000000,?,00007FF787B715BC), ref: 00007FF787B7C1FF
Part of subcall function 00007FF787B7C16F: _malloc_dbg.MSVCRT ref: 00007FF787B7C27F

Part of subcall function 00007FF787B7C16F: _realloc_dbg.MSVCRT ref: 00007FF787B7C22A
Part of subcall function 00007FF787B7C16F: _malloc_dbg.MSVCRT ref: 00007FF787B7C29B

InternetOpenW.WININET ref: 00007FF787B756C6
InternetOpenUrlW.WININET ref: 00007FF787B756F1
InternetCloseHandle.WININET ref: 00007FF787B75717
InternetReadFile.WININET ref: 00007FF787B75797
InternetCloseHandle.WININET ref: 00007FF787B7586A
InternetCloseHandle.WININET ref: 00007FF787B75871
GetLastError.KERNEL32 ref: 00007FF787B7587A
InternetCloseHandle.WININET ref: 00007FF787B7588E
InternetCloseHandle.WININET ref: 00007FF787B75895

Strings

vector::_M_range_insert, xrefs: 00007FF787B757BB

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Internet$CloseHandle$Open_malloc_dbg$ErrorFileLastRead_calloc_dbg_realloc_dbgabort
String ID: vector::_M_range_insert
API String ID: 264723552-1989829942
Opcode ID: ac57245cf8a0e9345151f9a68c03df2d9206af70787a331661c67726fabd53dc
Instruction ID: 1cd79dea1b594bd6474bdd9e8065465f07bb7d7697da6cda6fa384f850004ba0
Opcode Fuzzy Hash: ac57245cf8a0e9345151f9a68c03df2d9206af70787a331661c67726fabd53dc
Instruction Fuzzy Hash: 74810832B5968686EB50EB1A940426AEB92FF44BD4FA48135DE1F0BBD4DE3CE543C710

Function 00007FF787B7A9EA Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 292
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncoll.MSVCRT ref: 00007FF787B7AA34
strlen.MSVCRT ref: 00007FF787B7AAA3
strlen.MSVCRT ref: 00007FF787B7AC68
strlen.MSVCRT ref: 00007FF787B7ACAD

Strings

_GLOBAL_, xrefs: 00007FF787B7AA28

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: strlen$_strncoll
String ID: _GLOBAL_
API String ID: 3979851410-770460502
Opcode ID: 2ba1fd3b5ce6628ed1eeb05d67322191957712e789b1a67369b739d9ce4267aa
Instruction ID: c3b18a44dfe00b44d74f6f1a80dc4cc9698a9a7ace9284a0a841b3f9b3194982
Opcode Fuzzy Hash: 2ba1fd3b5ce6628ed1eeb05d67322191957712e789b1a67369b739d9ce4267aa
Instruction Fuzzy Hash: A8C1C272A487819BF7A0AB7898503ED7BA2FB047C8FA44135DA5E0BB85DF389153D710

Function 00007FF787B7159A Relevance: 5.0, APIs: 3, Instructions: 548memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787B7C16F: _calloc_dbg.MSVCRT ref: 00007FF787B7C1F2
Part of subcall function 00007FF787B7C16F: abort.MSVCRT(?,?,00000000,?,00007FF787B715BC), ref: 00007FF787B7C1FF
Part of subcall function 00007FF787B7C16F: _malloc_dbg.MSVCRT ref: 00007FF787B7C27F

Part of subcall function 00007FF787B7C16F: _realloc_dbg.MSVCRT ref: 00007FF787B7C22A
Part of subcall function 00007FF787B7C16F: _malloc_dbg.MSVCRT ref: 00007FF787B7C29B

VirtualProtect.KERNEL32 ref: 00007FF787B71CBC
VirtualProtect.KERNEL32 ref: 00007FF787B71CDD
FlushInstructionCache.KERNEL32 ref: 00007FF787B71CF2

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: ProtectVirtual_malloc_dbg$CacheFlushInstruction_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 4203908447-0
Opcode ID: c07fb5fc05791a2d652626555140e2fc09cf288231f221f5d88f58047e82db52
Instruction ID: 076ae050d5610ef7ee268dc47214101a464449e68aa3c32f8b83efa35301a32c
Opcode Fuzzy Hash: c07fb5fc05791a2d652626555140e2fc09cf288231f221f5d88f58047e82db52
Instruction Fuzzy Hash: 7E32A732A5829A46E761AB18D400669FFA7FB91B80FF9C131D54B1B781DF78EC42C721

Function 00007FF787B721CC Relevance: 3.0, APIs: 2, Instructions: 22fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787B7BEA8: RtlCaptureContext.KERNEL32 ref: 00007FF787B7BF37
Part of subcall function 00007FF787B7BEA8: RtlUnwindEx.KERNEL32 ref: 00007FF787B7BF5C
Part of subcall function 00007FF787B7BEA8: abort.MSVCRT ref: 00007FF787B7BF62

FindFirstFileW.KERNEL32 ref: 00007FF787B72204
FindClose.KERNEL32 ref: 00007FF787B72215

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Find$CaptureCloseContextFileFirstUnwindabort
String ID:
API String ID: 1173583122-0
Opcode ID: 647e7baf44c448dc3457adaf65a318fe10b0967cea75eac01cdfa436d7f6e220
Instruction ID: 27f9b5631989883374072c14661d9dc96b676e994fc16d7c224238f89aa8084a
Opcode Fuzzy Hash: 647e7baf44c448dc3457adaf65a318fe10b0967cea75eac01cdfa436d7f6e220
Instruction Fuzzy Hash: A5E03071EC940286EE55B779981837885A27B457E0FE40330D93F467D1ED1C9146C220

Function 00007FF787B721D4 Relevance: 3.0, APIs: 2, Instructions: 21fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787B7BEA8: RtlCaptureContext.KERNEL32 ref: 00007FF787B7BF37
Part of subcall function 00007FF787B7BEA8: RtlUnwindEx.KERNEL32 ref: 00007FF787B7BF5C
Part of subcall function 00007FF787B7BEA8: abort.MSVCRT ref: 00007FF787B7BF62

FindFirstFileW.KERNEL32 ref: 00007FF787B72204
FindClose.KERNEL32 ref: 00007FF787B72215

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Find$CaptureCloseContextFileFirstUnwindabort
String ID:
API String ID: 1173583122-0
Opcode ID: afa6338318a13f34c045cc96ae51508306a54df5c43521dea14304c708018e1b
Instruction ID: cbad093c3a666c9b13911c2df589065307ee45219995492099f3ec0eae241c11
Opcode Fuzzy Hash: afa6338318a13f34c045cc96ae51508306a54df5c43521dea14304c708018e1b
Instruction Fuzzy Hash: 94E06D62EC900286EE54B739A81837886A2BB89BF0FE40330D93F463D1ED2C9106C220

Function 00007FF787B721E1 Relevance: 3.0, APIs: 2, Instructions: 18fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787B7BEA8: RtlCaptureContext.KERNEL32 ref: 00007FF787B7BF37
Part of subcall function 00007FF787B7BEA8: RtlUnwindEx.KERNEL32 ref: 00007FF787B7BF5C
Part of subcall function 00007FF787B7BEA8: abort.MSVCRT ref: 00007FF787B7BF62

FindFirstFileW.KERNEL32 ref: 00007FF787B72204
FindClose.KERNEL32 ref: 00007FF787B72215

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Find$CaptureCloseContextFileFirstUnwindabort
String ID:
API String ID: 1173583122-0
Opcode ID: 24413b3b2bf8a5b7bc884de38493e337da70a3cc35f1d380b6d62bb285e2711d
Instruction ID: 3971b5a07537467f129a5306a13f13a00fb1d9664104c42e715a2b65060ec6f3
Opcode Fuzzy Hash: 24413b3b2bf8a5b7bc884de38493e337da70a3cc35f1d380b6d62bb285e2711d
Instruction Fuzzy Hash: 83E04F62E8940686EE557739A41837896A1BB99BB4FE40330D93F463D1ED2CD1068610

Function 00007FF787B721F5 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF787B72204
FindClose.KERNEL32 ref: 00007FF787B72215

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f9efa8c71b7c1bbc280a19ed6a234bfa44ba186f5dd84e4442255837bbb5284b
Instruction ID: f4bbaf2f881a2f66f6b1b18f3a01f6b11b9e0a1defb9ba4b8cc3d7881a97d605
Opcode Fuzzy Hash: f9efa8c71b7c1bbc280a19ed6a234bfa44ba186f5dd84e4442255837bbb5284b
Instruction Fuzzy Hash: 90D05E76E4940582EF617769E41833896B1BB547B4FE10330D53F822E0ED2CC24A8610

Function 00007FF787B78F52 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

std, xrefs: 00007FF787B7912E
string literal, xrefs: 00007FF787B79054

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID:
String ID: std$string literal
API String ID: 0-2980153874
Opcode ID: 462b6f8ad10999ab4834bc5d7bfa6675132a51d44ed354cb7906300ad11d44d0
Instruction ID: d092be73de1527a53ab86204d299298b171d7b4331505ff3aaa9b47b8ebcefb8
Opcode Fuzzy Hash: 462b6f8ad10999ab4834bc5d7bfa6675132a51d44ed354cb7906300ad11d44d0
Instruction Fuzzy Hash: A071C471E8864246FA64BA2D58452799E93BF61BC4FB88030C90F4F7C5DE2CE953C360

Function 00007FF787B71E4B Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787B71E11: GetModuleFileNameA.KERNEL32 ref: 00007FF787B71E2D

Part of subcall function 00007FF787B7C16F: _calloc_dbg.MSVCRT ref: 00007FF787B7C1F2
Part of subcall function 00007FF787B7C16F: abort.MSVCRT(?,?,00000000,?,00007FF787B715BC), ref: 00007FF787B7C1FF
Part of subcall function 00007FF787B7C16F: _malloc_dbg.MSVCRT ref: 00007FF787B7C27F

Part of subcall function 00007FF787B7C16F: _realloc_dbg.MSVCRT ref: 00007FF787B7C22A
Part of subcall function 00007FF787B7C16F: _malloc_dbg.MSVCRT ref: 00007FF787B7C29B

ShellExecuteA.SHELL32 ref: 00007FF787B7219A

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: _malloc_dbg$ExecuteFileModuleNameShell_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 1988290971-0
Opcode ID: a86590a0b7bafda85bdafc32e0af200c94065561f631facfc687c2863a597ae3
Instruction ID: 89c15677ed2db8179d69d9aa8c11649f374ea06ef373f219c1fc9ce3815ad2a6
Opcode Fuzzy Hash: a86590a0b7bafda85bdafc32e0af200c94065561f631facfc687c2863a597ae3
Instruction Fuzzy Hash: F0B18572A8C18656E761AB19D4007B9EFA3BB91BC0FF59031D64B0B681DF7CA946C321

Function 00007FF787B82030 Relevance: 1.5, APIs: 1, Instructions: 14timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF787B82039

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 23804876058cb07679221c2903a1f25c786b03e55c65da52d24e59a27cdc965a
Instruction ID: c1aa169b2ec1ba24b03909281e9adab8b404fef9a7b0f8cfbdbcad9ace250bfd
Opcode Fuzzy Hash: 23804876058cb07679221c2903a1f25c786b03e55c65da52d24e59a27cdc965a
Instruction Fuzzy Hash: 82D05EAAF485448BDB20DB11E445016F763EBD83D9B848121EE4E02728DF3CD667CF00

Function 00007FF787B78972 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6a0131952158cd29b16643e9dd3944d8be7e52d71a24d3c29fe6db7b6efafa
Instruction ID: f3290afaca55c6972348ff9781860b46dab97591f2748a0f158d268e3650d08a
Opcode Fuzzy Hash: ba6a0131952158cd29b16643e9dd3944d8be7e52d71a24d3c29fe6db7b6efafa
Instruction Fuzzy Hash: 9AD15271A8964246F7A4AA2D54D16799E93BF91BC0FF88435CA4F0F7C5DE2CE843C260

Function 00007FF787BA1530 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9eaba8913b5bb4ed26cfb2b649061c2a1b33fcda3960d05608301218ce0582
Instruction ID: 25d4b9067e50105163630cff3e7e96997a8f4822d04180d83608a57d00b81eb9
Opcode Fuzzy Hash: af9eaba8913b5bb4ed26cfb2b649061c2a1b33fcda3960d05608301218ce0582
Instruction Fuzzy Hash: A43179A7DCE7C55EE7536A690C2906CAFA2ABB2A0479D407BC786432D3FC4D5905C322

Function 00007FF787BA1690 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881578eabfbfffa7946b0a06e234dd643742ef944514ef788b83b882e2c7e22b
Instruction ID: c87f3b875b4ec10da070ca4047325f46ad64a836bb366e9118a83e75eb78e0d7
Opcode Fuzzy Hash: 881578eabfbfffa7946b0a06e234dd643742ef944514ef788b83b882e2c7e22b
Instruction Fuzzy Hash: C3E01297EDFEC946F2D3755D0C6D06CEEF3AA7251075D40B6CA89C6293EC0A2C068221

Function 00007FF787B7BC85 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT(?,?,?,?,00000060,basic_string::_M_create,?,?,?,?,?,00007FF787B90DD5), ref: 00007FF787B7BE05
RtlUnwindEx.KERNEL32 ref: 00007FF787B7BE4C

Strings

basic_string::_M_create, xrefs: 00007FF787B7BC8D
CCG!, xrefs: 00007FF787B7BCC9
CCG!, xrefs: 00007FF787B7BDAA
CCG , xrefs: 00007FF787B7BD54
CCG", xrefs: 00007FF787B7BD20

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Unwindabort
String ID: CCG $CCG!$CCG!$CCG"$basic_string::_M_create
API String ID: 2187188232-955483099
Opcode ID: bb328c6d7bdc18e29d892f8a8d7bde922b9d00a321234a47f533d7c8067adc48
Instruction ID: 4378688f237dc0190b964bbe1dda754c654e6398648bd72c40a46d9a7c6b45b7
Opcode Fuzzy Hash: bb328c6d7bdc18e29d892f8a8d7bde922b9d00a321234a47f533d7c8067adc48
Instruction Fuzzy Hash: 98518172608B4082D7609B59E48026AB7B5F748BD8F704536EF8E47B98DF3DD892C740

Function 00007FF787B7B1B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF787B7B25D
VirtualProtect.KERNEL32 ref: 00007FF787B7B2C5
GetLastError.KERNEL32 ref: 00007FF787B7B2CF

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF787B7B17B
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF787B7B272
Unknown pseudo relocation protocol version %d., xrefs: 00007FF787B7B1B9
VirtualProtect failed with code 0x%x, xrefs: 00007FF787B7B2D5
Address %p has no image-section, xrefs: 00007FF787B7B215

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 637304234-2693646698
Opcode ID: a13c80a3f8a784a93fa63c766381f3e7d7b49ac7c979711c887c2b3400285ffe
Instruction ID: 7011b995d6a75a68307fd0ae26071a0182ce530566e64a2e2e04de5ba45752db
Opcode Fuzzy Hash: a13c80a3f8a784a93fa63c766381f3e7d7b49ac7c979711c887c2b3400285ffe
Instruction Fuzzy Hash: E331D431B4AA0646EA11BF16E84017AEB63FF45B88FA48131DD1E4B354EE3CE447C760

Function 00007FF787B82DEF Relevance: 10.6, APIs: 7, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_calloc_dbg.MSVCRT ref: 00007FF787B82E24
CreateSemaphoreA.KERNEL32 ref: 00007FF787B82E63
CreateSemaphoreA.KERNEL32 ref: 00007FF787B82E79
??3@YAXPEAX@Z.MSVCRT ref: 00007FF787B82EAE
RtlInitializeCriticalSection.NTDLL ref: 00007FF787B82ECA
RtlInitializeCriticalSection.NTDLL ref: 00007FF787B82ED0
RtlInitializeCriticalSection.NTDLL ref: 00007FF787B82ED6

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$??3@_calloc_dbg
String ID:
API String ID: 278339251-0
Opcode ID: ae1ebbd7d4b93f9417cc936a3a3e91b734c9fec0f231fa7f8469244b8c77df05
Instruction ID: ac7d2ecf0b701c590bd0e14d524a7c2d529fdc9565ddfdc99786f326b9dff2c4
Opcode Fuzzy Hash: ae1ebbd7d4b93f9417cc936a3a3e91b734c9fec0f231fa7f8469244b8c77df05
Instruction Fuzzy Hash: CD21D63170565286FB68AF79E4103B96A92BF547C5F64813ACD5E477C4DF3C9482C310

Function 00007FF787B7A3F9 Relevance: 10.2, APIs: 8, Instructions: 250
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF787B7A418
strcmp.MSVCRT ref: 00007FF787B7A53E
strcmp.MSVCRT ref: 00007FF787B7A56B
strcmp.MSVCRT ref: 00007FF787B7A590
strcmp.MSVCRT ref: 00007FF787B7A5A3
strcmp.MSVCRT ref: 00007FF787B7A646
strcmp.MSVCRT ref: 00007FF787B7A659
strcmp.MSVCRT ref: 00007FF787B7A774

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: e84a4818de6d43e8536a5cedc54a3aed15e8386d73b1d9f88bbb9d8051837f3e
Instruction ID: 83a42f9e324a37d9f09b5f11b54a43a80a7b5d857f2b2c2f7078ea808b8465a1
Opcode Fuzzy Hash: e84a4818de6d43e8536a5cedc54a3aed15e8386d73b1d9f88bbb9d8051837f3e
Instruction Fuzzy Hash: A7915961ECC24647FAA4BA6D58112B9AA937F42BC0EF44031DD0F5E7C6ED1DE943E220

Function 00007FF787B7FED8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF787B7FDC9: _malloc_dbg.MSVCRT ref: 00007FF787B7FD71
Part of subcall function 00007FF787B7FDC9: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF787B7FDB7

GetCurrentThreadId.KERNEL32 ref: 00007FF787B7FE10
GetCurrentThreadId.KERNEL32 ref: 00007FF787B7FE28

Strings

basic_string::_M_create, xrefs: 00007FF787B7FDE0

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: CurrentThread$??3@_malloc_dbg
String ID: basic_string::_M_create
API String ID: 581562805-3122258987
Opcode ID: 2bb92cf42e08eff2ff2dc53a9ef9ef7fa01df6db059675f466c958cb4e0d5d2e
Instruction ID: 33be181cfd4882e623f40610d6c46dbadd41337e82f938816c4e0adb1bdc113b
Opcode Fuzzy Hash: 2bb92cf42e08eff2ff2dc53a9ef9ef7fa01df6db059675f466c958cb4e0d5d2e
Instruction Fuzzy Hash: 2E318231E4920A8FFB657A299400339A993BF44795FB48435DA1B4A2C5DE3CE883C375

Function 00007FF787B80541 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF787B80581
_ultoa.MSVCRT ref: 00007FF787B80594
OutputDebugStringA.KERNEL32 ref: 00007FF787B805CB
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF787B805D1

Strings

Error cleaning up spin_keys for thread , xrefs: 00007FF787B8056C

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: CurrentDebugOutputStringThread_ultoaabort
String ID: Error cleaning up spin_keys for thread
API String ID: 4191895893-2906507043
Opcode ID: 669e65e7f646c585453ca3f79ac09e731d9ed4effe2c1cdd6e2cdc8eff3b0697
Instruction ID: f951b67899ed90b64987dbf88181335a5e9772f9b184c9ba4397d5df525b1372
Opcode Fuzzy Hash: 669e65e7f646c585453ca3f79ac09e731d9ed4effe2c1cdd6e2cdc8eff3b0697
Instruction Fuzzy Hash: 2C11CE22B4DA0680FB61A724E4543BA9EA2FB453E5FE40334DA6F162D4CE3CD947C321

Function 00007FF787B82F43 Relevance: 7.7, APIs: 5, Instructions: 181synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF787B82F95
ResetEvent.KERNEL32 ref: 00007FF787B83006
WaitForSingleObject.KERNEL32 ref: 00007FF787B8303F
WaitForSingleObject.KERNEL32 ref: 00007FF787B830EF
WaitForSingleObject.KERNEL32 ref: 00007FF787B83167

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: ObjectSingleWait$EventReset
String ID:
API String ID: 466820088-0
Opcode ID: a8e70bd7e119e29efdc805e4ea505b3ed105fc23f5571b86f251c967555772e6
Instruction ID: 2370d3964d47e2b7a805c706369c77e862fc7705fcc77286c10e2aa812ab831c
Opcode Fuzzy Hash: a8e70bd7e119e29efdc805e4ea505b3ed105fc23f5571b86f251c967555772e6
Instruction Fuzzy Hash: 86510531E8820345FAB5759A88853BEC8837F49BC0FB8403ED95F835D2DD7CA886D221

Function 00007FF787B82BB0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 00007FF787B82BC8
RtlLeaveCriticalSection.NTDLL ref: 00007FF787B82BEC
RtlLeaveCriticalSection.NTDLL ref: 00007FF787B82BFF

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: CriticalLeaveSection$AcquireLock
String ID:
API String ID: 602743569-0
Opcode ID: cd66c8ce581074a56e4715f6c9639c605397ae0235ab7073a0f9d5544064c705
Instruction ID: dc75a7e5dc5887b437b2bbf0fe3ff9e33947db959109b9ab1573641789a5c973
Opcode Fuzzy Hash: cd66c8ce581074a56e4715f6c9639c605397ae0235ab7073a0f9d5544064c705
Instruction Fuzzy Hash: 6501D431F4921686E715AF9B6D91738DA52BF99BE2FA88134CD0F82780DD3CA483C200

Function 00007FF787B7B2FB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00007FF787BA0078,00000000,?,?,?,00007FF787BA0070,00007FF787B71208), ref: 00007FF787B7B552

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF787B7B47B
Unknown pseudo relocation protocol version %d., xrefs: 00007FF787B7B3F2
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF787B7B4ED

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 76b1fae69b79e615bf985ecfb9ee2fc66f485c8c679d56e2f472951ba7ad3302
Instruction ID: 6c9d84ff124a7ed6a882aee4c4d09fa9d627c465993bc1714a527bb7eb5b4c04
Opcode Fuzzy Hash: 76b1fae69b79e615bf985ecfb9ee2fc66f485c8c679d56e2f472951ba7ad3302
Instruction Fuzzy Hash: C5619271B8850687EB20AB19D54177AAB62BF407D8FA44131DA1E4B7D5DE3CE583CB20

Function 00007FF787B7AE21 Relevance: 6.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007FF787B7AE83
strlen.MSVCRT ref: 00007FF787B7AED1
??3@YAXPEAX@Z.MSVCRT ref: 00007FF787B7AEEC
??3@YAXPEAX@Z.MSVCRT ref: 00007FF787B7AEF6

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: ??3@$strlen
String ID:
API String ID: 4288758904-0
Opcode ID: 80384a1e9eb043a2554e420854658e9430b5bb7048745b7244e076016ca942ee
Instruction ID: 0f0b37a993cc75f9015b82c55980329e62674679c6bb8d35685586ce53433ebb
Opcode Fuzzy Hash: 80384a1e9eb043a2554e420854658e9430b5bb7048745b7244e076016ca942ee
Instruction Fuzzy Hash: D421E271A8D6528BEAE5BA1D5540679E952BF007D0FB44130EE8F4EBC4DF2CA443E620

Function 00007FF787B7F950 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF787B7F9CB
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF787B7F9E6
MultiByteToWideChar.KERNEL32 ref: 00007FF787B7FA3A
_errno.MSVCRT ref: 00007FF787B7FA44

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: 3daecbf2e4752a949092cbb4212e443bd48329abac674dce0de80a1b29d1dfbc
Instruction ID: b08f0a8858eec179849787b0ce135e77c7024b19200c5cf99e048eb28a7d5900
Opcode Fuzzy Hash: 3daecbf2e4752a949092cbb4212e443bd48329abac674dce0de80a1b29d1dfbc
Instruction Fuzzy Hash: 5231F772A4C2854FE7306B29A440369EE62BB457C8FA45131DA8A4B7C5DB3CD547CB14

Function 00007FF787B80CFD Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF787B80D12

Part of subcall function 00007FF787B8067F: TlsGetValue.KERNEL32 ref: 00007FF787B80691
Part of subcall function 00007FF787B8067F: GetCurrentThreadId.KERNEL32 ref: 00007FF787B806C9
Part of subcall function 00007FF787B8067F: CreateEventA.KERNEL32 ref: 00007FF787B806DF
Part of subcall function 00007FF787B8067F: GetCurrentThread.KERNEL32 ref: 00007FF787B80716
Part of subcall function 00007FF787B8067F: DuplicateHandle.KERNEL32 ref: 00007FF787B80745
Part of subcall function 00007FF787B8067F: abort.MSVCRT ref: 00007FF787B8074F
Part of subcall function 00007FF787B8067F: GetThreadPriority.KERNEL32 ref: 00007FF787B80758
Part of subcall function 00007FF787B8067F: TlsSetValue.KERNEL32 ref: 00007FF787B80781

_realloc_dbg.MSVCRT ref: 00007FF787B80D47
_realloc_dbg.MSVCRT ref: 00007FF787B80D5B
SetLastError.KERNEL32 ref: 00007FF787B80DC5

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Thread$CurrentErrorLastValue_realloc_dbg$CreateDuplicateEventHandlePriorityabort
String ID:
API String ID: 276713024-0
Opcode ID: f3401903f7e515f5ed7579b8af0a55e9d8dfb76e46882395f8414405495ecd27
Instruction ID: fdee396c06e460140b1798daa7dc34fd7939707415978d22ca7c3ee3c5fe5e72
Opcode Fuzzy Hash: f3401903f7e515f5ed7579b8af0a55e9d8dfb76e46882395f8414405495ecd27
Instruction Fuzzy Hash: 7D21A1327456859AEB09EF3E98846ACAB93FB48BD4F944534DE1A47345EE3CE482C350

Function 00007FF787B8130F Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787B8067F: TlsGetValue.KERNEL32 ref: 00007FF787B80691
Part of subcall function 00007FF787B8067F: GetCurrentThreadId.KERNEL32 ref: 00007FF787B806C9
Part of subcall function 00007FF787B8067F: CreateEventA.KERNEL32 ref: 00007FF787B806DF
Part of subcall function 00007FF787B8067F: GetCurrentThread.KERNEL32 ref: 00007FF787B80716
Part of subcall function 00007FF787B8067F: DuplicateHandle.KERNEL32 ref: 00007FF787B80745
Part of subcall function 00007FF787B8067F: abort.MSVCRT ref: 00007FF787B8074F
Part of subcall function 00007FF787B8067F: GetThreadPriority.KERNEL32 ref: 00007FF787B80758
Part of subcall function 00007FF787B8067F: TlsSetValue.KERNEL32 ref: 00007FF787B80781

longjmp.MSVCRT ref: 00007FF787B81342
TlsGetValue.KERNEL32 ref: 00007FF787B8134E
TlsSetValue.KERNEL32 ref: 00007FF787B813CD
_endthreadex.MSVCRT ref: 00007FF787B813D5

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: Value$Thread$Current$CreateDuplicateEventHandlePriority_endthreadexabortlongjmp
String ID:
API String ID: 843818611-0
Opcode ID: 6204a6c491151568083560572d8fa4b87c9cef2b8e9d574bd77a1ebca2c6a721
Instruction ID: 4d54b8d6acc4b2c60f4ba799615882e21bc2976cbdb93d5dc9fd5af3bffc54d0
Opcode Fuzzy Hash: 6204a6c491151568083560572d8fa4b87c9cef2b8e9d574bd77a1ebca2c6a721
Instruction Fuzzy Hash: F521317595A64585FB55BF22D414338BBA2FF48B94FA94039C90F47354EF3CA846C360

Function 00007FF787B8319B Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 00007FF787B831CA
RtlLeaveCriticalSection.NTDLL ref: 00007FF787B831DF
RtlAcquirePebLock.NTDLL ref: 00007FF787B831FD
RtlLeaveCriticalSection.NTDLL ref: 00007FF787B8320A

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: AcquireCriticalLeaveLockSection
String ID:
API String ID: 1584331419-0
Opcode ID: c4819ef3cc784ac1fab3b226f1b2a17a67e287d5b2bc9a429561919b8490c2db
Instruction ID: f3fc01c5981f962c63e1e06ff968e7c1180ff3af6f89a85bd64259ccf30914fa
Opcode Fuzzy Hash: c4819ef3cc784ac1fab3b226f1b2a17a67e287d5b2bc9a429561919b8490c2db
Instruction Fuzzy Hash: 3801A233F462554ADA16EF5BBC0052AAB60BB98BD0F540135EE0A47351CE3CD892CBC0

Function 00007FF787B7B5B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF787B7B676
signal.MSVCRT ref: 00007FF787B7B68B

Strings

CCG , xrefs: 00007FF787B7B5D6

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 61dc30c445af4839d008fff5af293256ad5fcbe135ead48f4e86def2fbe10760
Instruction ID: 71ef562af95b46bc5969bb6dcdc0daaed06eebd63fe67501e0be2b7ed71ea970
Opcode Fuzzy Hash: 61dc30c445af4839d008fff5af293256ad5fcbe135ead48f4e86def2fbe10760
Instruction Fuzzy Hash: 7B214A71E891064BFA643519444037AD983BF453ACFB4C936CA0FCA2D0DD5DE883CA21

Function 00007FF787B803D2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007FF787B8043C
fprintf.MSVCRT ref: 00007FF787B8045B

Strings

%p not found?!?!, xrefs: 00007FF787B80451

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: ??3@fprintf
String ID: %p not found?!?!
API String ID: 4236183796-11085004
Opcode ID: 3d118f093288ef335176b8b2f41bad582a04bc912a6cc49a7415ee6ddb0e5998
Instruction ID: e252bc4a0f7271f2239c2ccaf16f2fa6f0c7cca4129e34c5deff1fe32679fb35
Opcode Fuzzy Hash: 3d118f093288ef335176b8b2f41bad582a04bc912a6cc49a7415ee6ddb0e5998
Instruction Fuzzy Hash: EB114F31ACE61681F925BB55E5111B49A62FF08BC4FEC0439DD2F0A395EE3CA883C260

Function 00007FF787B7FF2F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF787B7FDC9: _malloc_dbg.MSVCRT ref: 00007FF787B7FD71
Part of subcall function 00007FF787B7FDC9: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF787B7FDB7

GetCurrentThreadId.KERNEL32 ref: 00007FF787B7FF5A
SetEvent.KERNEL32 ref: 00007FF787B7FF8F

Strings

basic_string::_M_create, xrefs: 00007FF787B7FF2F

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: ??3@CurrentEventThread_malloc_dbg
String ID: basic_string::_M_create
API String ID: 3602570239-3122258987
Opcode ID: 9b0731d52f42667028767ec104d0081a9df3961425e38e3d3f587fa9626590ee
Instruction ID: 5a8992cd4bd73aca161037dddb97096480db5ed9c8f0c4dc908bd9d26d97e6fe
Opcode Fuzzy Hash: 9b0731d52f42667028767ec104d0081a9df3961425e38e3d3f587fa9626590ee
Instruction Fuzzy Hash: 1B018432A461198FEB55AE3D9804369AAD2FB05754FA84531D91ACE1C8DE3CD883C725

Function 00007FF787B7B060 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF787B7B11A

Strings

Unknown error, xrefs: 00007FF787B7B077
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF787B7B10D

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 8f2869a0bec3eb6bdb8dd31dffd9e975c7f56a5bf17c4dbe48e23d3e77dad6a0
Instruction ID: ab5178587ddd18d3dad6424969c3dc517cb5b326643eb7181bfbbc28f2604657
Opcode Fuzzy Hash: 8f2869a0bec3eb6bdb8dd31dffd9e975c7f56a5bf17c4dbe48e23d3e77dad6a0
Instruction Fuzzy Hash: E9115166848E8482D6119F2CE0413EAB371FF9A39AF605726EBC91B264DF39D157CB00

Function 00007FF787B7B097 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF787B7B11A

Strings

Argument domain error (DOMAIN), xrefs: 00007FF787B7B097
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF787B7B10D

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 6560deb312eab8fbef0511967d52465796192eadc400bd600f759e29496c9926
Instruction ID: 05bc69b58a2cb045de473dcc41204de5f475ac07abdf75a0fecb0b142ef6e5c5
Opcode Fuzzy Hash: 6560deb312eab8fbef0511967d52465796192eadc400bd600f759e29496c9926
Instruction Fuzzy Hash: B8F0FF66848F8482D211DF1CA4002ABB771FF9A789F605326EBC92A564DF29D553C710

Function 00007FF787B7B0A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF787B7B11A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF787B7B10D
Overflow range error (OVERFLOW), xrefs: 00007FF787B7B0A0

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: dc1c1972e6ed6f9f01668daa75542991bb63cfbe85ca8f13c73e9dc3af1e8904
Instruction ID: 33b786e12bd54385b0fdde7892880796f9e0129ba4fc7cce6d5a64e21c2c87ce
Opcode Fuzzy Hash: dc1c1972e6ed6f9f01668daa75542991bb63cfbe85ca8f13c73e9dc3af1e8904
Instruction Fuzzy Hash: 56F0FF66848F8482D211DF1CA4002ABB771FF9A789F605326EBC92A564DF29D553C714

Function 00007FF787B7B0A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF787B7B11A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF787B7B10D
Partial loss of significance (PLOSS), xrefs: 00007FF787B7B0A9

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 3d9f7c9cfb58e8d76470f6d04f124dcd037a48f21f6d66412afe0f5f34f06697
Instruction ID: 4d72d4a2046447e62b296a129dac1e55ccd360a7a890ca8fbde63d63d962c7e7
Opcode Fuzzy Hash: 3d9f7c9cfb58e8d76470f6d04f124dcd037a48f21f6d66412afe0f5f34f06697
Instruction Fuzzy Hash: 2FF0FF66848F8482D211DF1CA4002ABB771FF9A789F705326EBC92A564DF29D553C714

Function 00007FF787B7B0B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF787B7B11A

Strings

Total loss of significance (TLOSS), xrefs: 00007FF787B7B0B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF787B7B10D

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 2a7b6e017ee675360d2da71c6383766dc1d5a924261e03a1081518193884f3eb
Instruction ID: b47c80163307a22f5b737e8f68b958164bea4e91f9c25773607bf217912b7f74
Opcode Fuzzy Hash: 2a7b6e017ee675360d2da71c6383766dc1d5a924261e03a1081518193884f3eb
Instruction Fuzzy Hash: 62F0FF66848F8882D211DF1CA4002ABB771FF9E789F605326EBC92A564DF29D553C750

Function 00007FF787B7B0BB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF787B7B11A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF787B7B10D
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF787B7B0BB

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 8a625faa8e70e326f375ef6abd37a4a19dbc90db46e8753d07aa9d3c24fe187b
Instruction ID: 3d02620871547c11e5ba2050fb6656868964a23a0d0f449bd5bb7e23d3af430f
Opcode Fuzzy Hash: 8a625faa8e70e326f375ef6abd37a4a19dbc90db46e8753d07aa9d3c24fe187b
Instruction Fuzzy Hash: 2FF0FF66848F8482D211DF1CA4002ABB771FF9A789F605326EBC92A564DF29D553C710

Function 00007FF787B7B0C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF787B7B11A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF787B7B10D
Argument singularity (SIGN), xrefs: 00007FF787B7B0C4

Memory Dump Source

Source File: 00000000.00000002.1668256085.00007FF787B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF787B70000, based on PE: true

Associated: 00000000.00000002.1668244261.00007FF787B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668274805.00007FF787B92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668288119.00007FF787B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668313339.00007FF787BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668324665.00007FF787BA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF787F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788083000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788536000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668338582.00007FF788885000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff787b70000_P2jWhX7B3B.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 652e02f30b91cc5c583a8b4add902bb54138a908352b6fd9808f5400c3f79f5b
Instruction ID: 63f205e1d317002ea8482d6a6d350d6d384fa91a4712fbee61451adbd006c579
Opcode Fuzzy Hash: 652e02f30b91cc5c583a8b4add902bb54138a908352b6fd9808f5400c3f79f5b
Instruction Fuzzy Hash: A8F01D66808F8482D211DF2CE4002ABB771FF9E789F605326EFC92A624DF29D153C700

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P2jWhX7B3B.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: P2jWhX7B3B.exePID: 4928, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: P2jWhX7B3B.exePID: 4928, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF787B758B0 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 341memoryinjectionprocessCOMMON

Control-flow Graph

Windows Analysis Report
P2jWhX7B3B.exe

Function 00007FF787B758B0 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 341
memoryinjectionprocessCOMMON

Function 00007FF787B71131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Function 00007FF787B8067F Relevance: 12.1, APIs: 8, Instructions: 71
threadCOMMON

Function 00007FF787B7C16F Relevance: 7.6, APIs: 5, Instructions: 108
COMMON

Function 00007FF787B81223 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Function 00007FF787B755C2 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 208
networkfileCOMMON

Function 00007FF787B7A9EA Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 292
stringCOMMON

Function 00007FF787B7BC85 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127
COMMON

Function 00007FF787B7B1B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
memoryCOMMON

Function 00007FF787B82DEF Relevance: 10.6, APIs: 7, Instructions: 73
COMMON

Function 00007FF787B7A3F9 Relevance: 10.2, APIs: 8, Instructions: 250
stringCOMMON

Function 00007FF787B7FED8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
threadCOMMON

Function 00007FF787B80541 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
threadCOMMON