Edit tour

Windows Analysis Report
awg.exe

Overview

General Information

Sample name:	awg.exe
Analysis ID:	1532545
MD5:	6f6e6d9de9a73f3d631647fc7d11896a
SHA1:	cb3d2905dab453fabfbdc45b8ad29ae949976bbc
SHA256:	83e87f0785fcff3c76b18178cb0dad18693e5de192eec095c3eeb15c97f9c0b4
Tags:	exeuser-Bacn
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to communicate with device drivers

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

awg.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\awg.exe" MD5: 6F6E6D9DE9A73F3D631647FC7D11896A)

conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Code function: 0_2_00007FF73D406C50: fwrite,fwrite,strchr,fwrite,fputc,fflush,strlen,strchr,strcmp,strtoll,_errno,_errno,_errno,_errno,_errno,calloc,free,fclose,_errno,fwrite,DeviceIoControl,_errno,_errno,free,CloseHandle,

0_2_00007FF73D406C50

Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D404C30	0_2_00007FF73D404C30
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D406C50	0_2_00007FF73D406C50
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D402710	0_2_00007FF73D402710
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D4052A0	0_2_00007FF73D4052A0
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D3F511B	0_2_00007FF73D3F511B
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D406750	0_2_00007FF73D406750
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D4047B0	0_2_00007FF73D4047B0
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D4029D0	0_2_00007FF73D4029D0

Source: C:\Users\user\Desktop\awg.exe

Code function: String function: 00007FF73D40C760 appears 47 times

Source: awg.exe, 00000000.00000000.1747520957.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewg.exe4 vs awg.exe
Source: awg.exe	Binary or memory string: OriginalFilenamewg.exe4 vs awg.exe

Source: classification engine

Classification label: mal48.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03

Source: awg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\awg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: awg.exe

Virustotal: Detection: 12%

Source: awg.exe	String found in binary or memory: You may pass `--help' to any of these subcommands to view usage.
Source: awg.exe	String found in binary or memory: You may pass `--help' to any of these subcommands to view usage.
Source: awg.exe	String found in binary or memory: --help
Source: awg.exe	String found in binary or memory: --help
Source: awg.exe	String found in binary or memory: You may pass `--help' to any of these subcommands to view usage.
Source: awg.exe	String found in binary or memory: You may pass `--help' to any of these subcommands to view usage.
Source: awg.exe	String found in binary or memory: You may pass `--help' to any of these subcommands to view usage.
Source: awg.exe	String found in binary or memory: You may pass `--help' to any of these subcommands to view usage.
Source: awg.exe	String found in binary or memory: --help
Source: awg.exe	String found in binary or memory: --help
Source: awg.exe	String found in binary or memory: interfaces%s%c-h--helphelpUsage: %s %s { <interface> \| all \| interfaces } [public-key \| private-key \| listen-port \| fwmark \| peers \| preshared-keys \| endpoints \| allowed-ips \| latest-handshakes \| transfer \| persistent-keepalive \| dump]
Source: awg.exe	String found in binary or memory: interfaces%s%c-h--helphelpUsage: %s %s { <interface> \| all \| interfaces } [public-key \| private-key \| listen-port \| fwmark \| peers \| preshared-keys \| endpoints \| allowed-ips \| latest-handshakes \| transfer \| persistent-keepalive \| dump]

Source: unknown	Process created: C:\Users\user\Desktop\awg.exe "C:\Users\user\Desktop\awg.exe"
Source: C:\Users\user\Desktop\awg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\awg.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\awg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\awg.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: awg.exe

Static PE information: certificate valid

Source: awg.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: awg.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: awg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: awg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: awg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: awg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: awg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: awg.exe

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\awg.exe

API coverage: 5.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D404C30 SetupDiGetClassDevsExW,SetupDiEnumDeviceInfo,GetLastError,GetLastError,SetupDiEnumDeviceInfo,WideCharToMultiByte,malloc,WideCharToMultiByte,strlen,free,realloc,memcpy,_errno,free,SetupDiEnumDeviceInfo,GetLastError,calloc,free,SetupDiDestroyDeviceInfoList,FindFirstFileA,memcpy,FindNextFileA,memcmp,strlen,realloc,_errno,_errno,_errno,_errno,_errno,FindClose,_errno,_errno,_errno,free,		0_2_00007FF73D404C30
Source: C:\Users\user\Desktop\awg.exe	Code function: 0_2_00007FF73D406500 FindFirstFileA,FindNextFileA,strcmp,FindNextFileA,FindClose,strcmp,		0_2_00007FF73D406500

Source: awg.exe, 00000000.00000003.1748799407.000002B0ADB9D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\awg.exe

Code function: 0_2_00007FF73D3F1160 Sleep,Sleep,_initterm,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_cexit,

0_2_00007FF73D3F1160

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
awg.exe	8%	ReversingLabs	Win64.Trojan.Generic
awg.exe	12%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	URL Reputation	safe
https://git.zx2c4.com/wireguard-tools/	0%	Virustotal		Browse
https://www.wireguard.com/D	1%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	awg.exe	false	URL Reputation: safe	unknown
https://git.zx2c4.com/wireguard-tools/	awg.exe	false	0%, Virustotal, Browse	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	awg.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	awg.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	awg.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	awg.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	awg.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	awg.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	awg.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	awg.exe	false	URL Reputation: safe	unknown
https://www.wireguard.com/D	awg.exe	false	1%, Virustotal, Browse	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	awg.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532545
Start date and time:	2024-10-13 16:31:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	awg.exe
Detection:	MAL
Classification:	mal48.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.431183509532422
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	awg.exe
File size:	150'680 bytes
MD5:	6f6e6d9de9a73f3d631647fc7d11896a
SHA1:	cb3d2905dab453fabfbdc45b8ad29ae949976bbc
SHA256:	83e87f0785fcff3c76b18178cb0dad18693e5de192eec095c3eeb15c97f9c0b4
SHA512:	a02120a8fb7b278fc4f69ab97e826fb4180d9974b6d1d6c00123e5829eaecb3b07c60bb981197e236b4bebf9c5ab87291fff4a8d3da72869077300e768676990
SSDEEP:	3072:9i/PHaRDZTTCRqsTyLTzjaVqCtohz6y71BWIalU7N:AnYTeTyLTzjaVqCGhz9JalU7N
TLSH:	FBE30B0BE9C262D4C5A7C5B42359F233B972F86D7B35B6DB576592302930FD0AE38A40
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...q4.f.........."..........\......P..........@.....................................#....`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140001350
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C63471 [Wed Aug 21 18:39:45 2024 UTC]
TLS Callbacks:	0x40001530, 0x1, 0x400015b0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	7def3fbd02e6f4f0081aae7641a547b5

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	31/08/2023 01:00:00 31/08/2026 00:59:59
Subject Chain	CN=Privacy Technologies OU, O=Privacy Technologies OU, S=Harjumaa, C=EE
Version:	3
Thumbprint MD5:	AD1BCBF19AE2F91BB114D33B85359E56
Thumbprint SHA-1:	141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128
Thumbprint SHA-256:	A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48
Serial:	00D0461B529F67189D43744E9CEFE172AE

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0001BCC5h]
mov dword ptr [eax], 00000000h
call 00007FB284F92E3Fh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
dec eax
sub esp, 28h
call 00007FB284F93C6Ch
xor ecx, ecx
dec eax
cmp eax, 01h
sbb ecx, ecx
mov eax, ecx
dec eax
add esp, 28h
ret
nop dword ptr [eax+eax+00000000h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push esi
dec eax
sub esp, 20h
call 00007FB284F93D7Bh
dec eax
lea esi, dword ptr [0002026Fh]
inc ecx
mov eax, 00000401h
dec eax
mov ecx, esi
dec eax
mov edx, eax
call 00007FB284FAE563h
dec eax
mov eax, esi
dec eax
add esp, 20h
pop esi
ret
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0001FC25h]
dec eax
mov eax, dword ptr [eax]
dec eax
test eax, eax
je 00007FB284F93070h
nop word ptr [eax+eax+00000000h]
call dword ptr [00028C12h]
dec eax
mov eax, dword ptr [0001FC03h]
dec eax
lea ecx, dword ptr [eax+08h]
dec eax
mov dword ptr [0001FBF8h], ecx
dec eax
mov eax, dword ptr [eax+08h]
dec eax
test eax, eax
jne 00007FB284F93021h
dec eax
add esp, 28h
ret
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f498	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x8a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x29000	0x624	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x21e00	0x2e98	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x100	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1d0a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1d7c8	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f9d8	0x410	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1f178	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1bdbb	0x1be00	a2f8af44e5261edede4c11db7822d285	False	0.47768357623318386	data	6.270110420481931	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1d000	0x3de4	0x3e00	eb2a314aeac41242d97743149ac491a1	False	0.36869959677419356	PEX Binary Archive	5.352877407751686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x21000	0x774d	0x600	5dde4bc96fe9eb6055bb627ecb1654b9	False	0.13671875	data	1.2805865374318068	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x29000	0x624	0x800	6ddbf780ddd31e303f6d02d0d161dc25	False	0.43212890625	data	4.09793289405079	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x2a000	0x10	0x200	9f36838304c57bf8e644a22f2e9696e3	False	0.04296875	data	0.1458906856521067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x2b000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2c000	0x8a8	0xa00	ca19f5e959e7ee14e8fe4f565105c50e	False	0.386328125	data	4.235704734464346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x100	0x200	592a4e63dd7e08e0a1e5d8997aa84a71	False	0.40625	data	3.0614071490397508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2c4d0	0x3d4	data			0.4816326530612245
RT_MANIFEST	0x2c0a0	0x42f	XML 1.0 document, ASCII text			0.43137254901960786

Imports

DLL	Import
ntdll.dll	RtlGetNtVersionNumbers
api-ms-win-crt-convert-l1-1-0.dll	mbrtowc, strtoll, strtoul, strtoull, wcrtomb, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, _putenv, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _lock_file, _unlock_file
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _fdopen
api-ms-win-crt-private-l1-1-0.dll	__C_specific_handler, memcmp, memcpy, strchr, strrchr
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___argv, __p___wargv, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, abort, exit, perror, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, _fileno, _isatty, _open_osfhandle, fclose, feof, ferror, fflush, fgetc, fopen, fputc, fputs, fread, ftell, fwrite, getc, putchar, puts
api-ms-win-crt-string-l1-1-0.dll	_strdup, _stricmp, _strnicmp, memset, strcmp, strcspn, strlen, strncmp, strncpy, wcslen
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _time64, _tzset
api-ms-win-crt-utility-l1-1-0.dll	qsort
KERNEL32.dll	CloseHandle, CreateFileA, CreateFileW, DeleteCriticalSection, DeviceIoControl, EnterCriticalSection, FindClose, FindFirstFileA, FindNextFileA, FormatMessageW, FreeLibrary, GetConsoleMode, GetLastError, GetProcAddress, GetStdHandle, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LocalAlloc, LocalFree, RaiseException, SetConsoleMode, SetDefaultDllDirectories, SetDllDirectoryA, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte
api-ms-win-crt-locale-l1-1-0.dll	localeconv

Target ID:	0
Start time:	10:32:04
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\awg.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\awg.exe"
Imagebase:	0x7ff73d3f0000
File size:	150'680 bytes
MD5 hash:	6F6E6D9DE9A73F3D631647FC7D11896A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:32:04
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.4%
Total number of Nodes:	1782
Total number of Limit Nodes:	11

Executed Functions

Function 00007FF73D404C30 Relevance: 61.6, APIs: 30, Strings: 5, Instructions: 340
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiGetClassDevsExW.SETUPAPI ref: 00007FF73D404C98
GetLastError.KERNEL32 ref: 00007FF73D404D00
SetupDiEnumDeviceInfo.SETUPAPI ref: 00007FF73D404D28
WideCharToMultiByte.KERNEL32 ref: 00007FF73D404DB2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D404DCB
WideCharToMultiByte.KERNEL32 ref: 00007FF73D404DFF
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D404E41
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D404E7A
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D404E9F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D404EC4
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D404EE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D404F01
GetLastError.KERNEL32 ref: 00007FF73D404F47
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D404F5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D404F8C
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF73D404F9E
FindFirstFileA.KERNELBASE ref: 00007FF73D404FC9
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D405018

Part of subcall function 00007FF73D4051D0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405229
Part of subcall function 00007FF73D4051D0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405252
Part of subcall function 00007FF73D4051D0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405265
Part of subcall function 00007FF73D4051D0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405279

FindNextFileA.KERNELBASE ref: 00007FF73D40505E
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D405078
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405084
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D4050C4
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D4050DB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D40511A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D405122
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D405150
FindClose.KERNELBASE ref: 00007FF73D40515F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D405172
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D405177
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405181

Strings

SWD\WireGuard, xrefs: 00007FF73D404C63
\\.\pipe\*, xrefs: 00007FF73D404FBA
0, xrefs: 00007FF73D404D6F
ROOT\WIREGUARD, xrefs: 00007FF73D404C6A
ProtectedPrefix\Administrators\AmneziaWG\, xrefs: 00007FF73D404FEF, 00007FF73D405034, 00007FF73D405104

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: _errno$free$FindSetup$ByteCharDeviceErrorFileInfoLastMultiWidecallocmemcpyreallocstrlen$ClassCloseDestroyDevsEnumFirstListNext_strdupmallocmemcmpstrcmp
String ID: 0$ProtectedPrefix\Administrators\AmneziaWG\$ROOT\WIREGUARD$SWD\WireGuard$\\.\pipe\*
API String ID: 511970441-1465563367
Opcode ID: 31473880f6ee27ced1abcb7dbae51acad2ab8800172729fbd3af9c349e15b66e
Instruction ID: ba43aecad17dd14afbd484d0f82693128c6138fda2b43111788989c69b8226dd
Opcode Fuzzy Hash: 31473880f6ee27ced1abcb7dbae51acad2ab8800172729fbd3af9c349e15b66e
Instruction Fuzzy Hash: 65E19661A0C68AA5E720ABA1B8003BAE3A0FF84794FD54131DE4D57794FF3CE545E721

Function 00007FF73D3F1160 Relevance: 13.6, APIs: 9, Instructions: 121
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F11A5
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F124E
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F1265
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F127E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F12A4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F12B0
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F12C3
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF73D3F1366), ref: 00007FF73D3F132D

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_cexit_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3415622771-0
Opcode ID: 2acc55856a8ff17b4a32b5b16622e15da31847f96dffeee44c128cb4905c5a3c
Instruction ID: adb938749099c7b6dc0c4dce8f0d0aa53741afc5293e86505959579e68392c09
Opcode Fuzzy Hash: 2acc55856a8ff17b4a32b5b16622e15da31847f96dffeee44c128cb4905c5a3c
Instruction Fuzzy Hash: 9D515D35A0E64EE1FA10BB95E9503B9E3A4AF84780F858035DD0D477A1FF3DE849A321

Function 00007FF73D3F7A60 Relevance: 108.9, APIs: 40, Strings: 22, Instructions: 420
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7AA1
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7AB8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7ACF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7AE6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7AF9
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7B0C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7B1A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7B58
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7B6F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7B86
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7B9D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7BB4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7BCB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7BE2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7BF9
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7C10
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00007FF73D411A28,00000000,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7C29
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7C42
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73D411A28), ref: 00007FF73D409FD9

Strings

showconf, xrefs: 00007FF73D3F7B65
setconf, xrefs: 00007FF73D3F7B93
Unable to access interface, xrefs: 00007FF73D40A3E2
--version, xrefs: 00007FF73D3F7AAE
Unable to access interface %s: %s, xrefs: 00007FF73D40A12E
interfaces, xrefs: 00007FF73D40A031
Unable to list interfaces, xrefs: 00007FF73D40A3CF
all, xrefs: 00007FF73D40A01A
1.0.20210914, xrefs: 00007FF73D3F7C53
--help, xrefs: 00007FF73D3F7AEF, 00007FF73D40A064
addconf, xrefs: 00007FF73D3F7BAA
pubkey, xrefs: 00007FF73D3F7C06
syncconf, xrefs: 00007FF73D3F7BC1
%s%c, xrefs: 00007FF73D40A2CD
help, xrefs: 00007FF73D3F7B02, 00007FF73D40A07B
Usage: %s %s { <interface> | all | interfaces } [public-key | private-key | listen-port | fwmark | peers | preshared-keys | endpoints | allowed-ips | latest-handshakes | transfer | persistent-keepalive | dump], xrefs: 00007FF73D409FED, 00007FF73D40A334
genpsk, xrefs: 00007FF73D3F7BEF
version, xrefs: 00007FF73D3F7AC5
show, xrefs: 00007FF73D3F7B4E
Invalid subcommand: `%s', xrefs: 00007FF73D3F7C2E
set, xrefs: 00007FF73D3F7B7C
genkey, xrefs: 00007FF73D3F7BD8

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strcmp$__acrt_iob_func
String ID: %s%c$--help$--version$1.0.20210914$Invalid subcommand: `%s'$Unable to access interface$Unable to access interface %s: %s$Unable to list interfaces$Usage: %s %s { <interface> | all | interfaces } [public-key | private-key | listen-port | fwmark | peers | preshared-keys | endpoints | allowed-ips | latest-handshakes | transfer | persistent-keepalive | dump]$addconf$all$genkey$genpsk$help$interfaces$pubkey$set$setconf$show$showconf$syncconf$version
API String ID: 3287873120-3346360338
Opcode ID: 425a805aaf9ca79d0f9ae727ace8f52ef78ef8c212661f9117abc5f6e5af4b47
Instruction ID: d0a774da6a6dc66f624a14662aa47c2b46b366771f6eaaacb4d3b83b75571b9c
Opcode Fuzzy Hash: 425a805aaf9ca79d0f9ae727ace8f52ef78ef8c212661f9117abc5f6e5af4b47
Instruction Fuzzy Hash: 1FF17E61A0D60FB1FE54BBA599512B9D255AF85B80FC64035DD0E07392FF3CE849B322

Function 00007FF73D3F7F70 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 65
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDllDirectoryA.KERNEL32 ref: 00007FF73D3F7F7F
SetDefaultDllDirectories.KERNEL32 ref: 00007FF73D3F7F92
WSAStartup.WS2_32 ref: 00007FF73D3F7FD8
GetStdHandle.KERNEL32 ref: 00007FF73D3F7FE3
GetConsoleMode.KERNELBASE ref: 00007FF73D3F7FFA
SetConsoleMode.KERNELBASE ref: 00007FF73D3F800E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF73D3F801F
_putenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF73D3F8030
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F803F

Strings

WG_COLOR_MODE, xrefs: 00007FF73D3F8018
WG_COLOR_MODE=never, xrefs: 00007FF73D3F8029

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: ConsoleMode$DefaultDirectoriesDirectoryHandleStartup_putenvabortgetenv
String ID: WG_COLOR_MODE$WG_COLOR_MODE=never
API String ID: 3093664080-2833094913
Opcode ID: e45e11e632cb985923e5a64231e6f49c1478fe8ce4ee1d6e3cd999cc31cb6142
Instruction ID: 90e4c1b3327a6a978cb69ea938b0dbc1d150680ee471aac21e96adbf5c41c64d
Opcode Fuzzy Hash: e45e11e632cb985923e5a64231e6f49c1478fe8ce4ee1d6e3cd999cc31cb6142
Instruction Fuzzy Hash: A7216221A1D64BA2FA14B7A0A8442B5E350EF40790FC58234D92E465D5FF3CE949E662

Function 00007FF73D3F7320 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32 ref: 00007FF73D3F73A4
GetProcAddress.KERNEL32 ref: 00007FF73D3F749A
GetLastError.KERNEL32 ref: 00007FF73D3F74A8
RaiseException.KERNEL32 ref: 00007FF73D3F74F5
LoadLibraryA.KERNEL32 ref: 00007FF73D3F756E
LocalAlloc.KERNEL32 ref: 00007FF73D3F759C
FreeLibrary.KERNEL32 ref: 00007FF73D3F75BF
GetLastError.KERNEL32 ref: 00007FF73D3F75CA
RaiseException.KERNEL32 ref: 00007FF73D3F7617

Strings

H, xrefs: 00007FF73D3F7357

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibrary$AddressAllocFreeLoadLocalProc
String ID: H
API String ID: 3084743264-2852464175
Opcode ID: 90b053017ffec4ce6a6f1ed652612b8d3b6ef2b5775a48bc0b3869dd8a1c870d
Instruction ID: 6563d9e6166c878e27721a827daca9b25ffb30ff62c546f39a04a65d97b1fcb5
Opcode Fuzzy Hash: 90b053017ffec4ce6a6f1ed652612b8d3b6ef2b5775a48bc0b3869dd8a1c870d
Instruction Fuzzy Hash: 92916C61A0EB4AE2EA259F55E404269F7A4FF48B94F944039DE4D037A4FF3CE845DB20

Function 00007FF73D3F8060 Relevance: 3.0, APIs: 2, Instructions: 13
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE ref: 00007FF73D3F8075
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8080

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: LibraryLoadabort
String ID:
API String ID: 1242288263-0
Opcode ID: 661839867e1041109797e0a1672cef716d4d4810185ca33d6b7e997b6c7c655d
Instruction ID: 3d6502083f56052dbd41d3d2b0ebc177714361f83e88e2c3a169258fc4bc1f1f
Opcode Fuzzy Hash: 661839867e1041109797e0a1672cef716d4d4810185ca33d6b7e997b6c7c655d
Instruction Fuzzy Hash: D2D0C960F1E51BE0EE6C77E24981275C2D5EFD8B50FC94439C90D81280FF2DA8E567A2

Function 00007FF73D3F13D0 Relevance: 1.5, APIs: 1, Instructions: 15
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSACleanup.WS2_32 ref: 00007FF73D3F13F0

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: Cleanup
String ID:
API String ID: 99945797-0
Opcode ID: 7b552054284c38ac1c15fad1896c7acfb6fe327355bbe05baee0f83a3ac46483
Instruction ID: 01b1da32ddfcd21204c3bdd9a434e343c4ec6547312ea5ad7f7371bcdb78a83c
Opcode Fuzzy Hash: 7b552054284c38ac1c15fad1896c7acfb6fe327355bbe05baee0f83a3ac46483
Instruction Fuzzy Hash: A8E09A25E0EB4E90EE05AB45E880264ABA0FB58BC9F994435CD0C03764EF3CE4499320

Non-executed Functions

Function 00007FF73D4052A0 Relevance: 160.3, APIs: 75, Strings: 16, Instructions: 1052stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D406500: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4065E6

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D4052F3
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D405335
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40534E

Part of subcall function 00007FF73D3F7E90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F7EC8
Part of subcall function 00007FF73D3F7E90: fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F7EE3
Part of subcall function 00007FF73D3F7E90: realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F7F0F

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4053B1
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D4053D1
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40541A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405431
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405448
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40545F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405476
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40548D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4054A4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4054BB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4054D2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4054E9
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D40551A
DeviceIoControl.KERNEL32 ref: 00007FF73D405EE5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405EEF
GetLastError.KERNEL32 ref: 00007FF73D405EF4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405F09
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D405F16
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D405F24
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D405F4A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405F59
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405F74
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D406058
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D40606C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D40607C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D406086
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D4064AF

Part of subcall function 00007FF73D406620: CreateFileA.KERNEL32 ref: 00007FF73D406691
Part of subcall function 00007FF73D406620: CloseHandle.KERNEL32 ref: 00007FF73D4066DB
Part of subcall function 00007FF73D406620: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D4066E1

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D406464
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D406470
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D40647C
CloseHandle.KERNEL32 ref: 00007FF73D406484

Strings

get=1, xrefs: 00007FF73D405320
last_handshake_time_sec, xrefs: 00007FF73D405486
public_key, xrefs: 00007FF73D405413, 00007FF73D405664
persistent_keepalive_interval, xrefs: 00007FF73D405458
jmin, xrefs: 00007FF73D4055AC
last_handshake_time_nsec, xrefs: 00007FF73D40549D
allowed_ip, xrefs: 00007FF73D40546F
fwmark, xrefs: 00007FF73D40557E
private_key, xrefs: 00007FF73D405550
rx_bytes, xrefs: 00007FF73D4054B4
endpoint, xrefs: 00007FF73D405441
tx_bytes, xrefs: 00007FF73D4054CB
errno, xrefs: 00007FF73D4054E2
preshared_key, xrefs: 00007FF73D40542A
jmax, xrefs: 00007FF73D4055C3
listen_port, xrefs: 00007FF73D405567

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strcmp$_errno$free$CloseHandlecallocmalloc$ControlCreateDeviceErrorFileLastfclosefgetcfwritereallocstrchrstrlenstrncpystrtoull
String ID: allowed_ip$endpoint$errno$fwmark$get=1$jmax$jmin$last_handshake_time_nsec$last_handshake_time_sec$listen_port$persistent_keepalive_interval$preshared_key$private_key$public_key$rx_bytes$tx_bytes
API String ID: 3180145613-1152024618
Opcode ID: f2384b0f748638761373d3e95b6cc435cda671c88fef00f4ea05c32897f33708
Instruction ID: 29568c8f462aa310baad1547b767b9dcc301058dd3363e0b9b6d8fa291650a3b
Opcode Fuzzy Hash: f2384b0f748638761373d3e95b6cc435cda671c88fef00f4ea05c32897f33708
Instruction Fuzzy Hash: 79A2C461A0C68A66FB25ABB5D41037AE790EF41784F858035DE8E477C6FF6CE441D322

Function 00007FF73D406C50 Relevance: 85.3, APIs: 25, Strings: 23, Instructions: 1280stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D406500: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4065E6

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D406CFB
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D4077EF
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D4077F7
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40783F
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D40785F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40788E
strtoll.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D4078C3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D4078F4
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D407903
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D407BDF

Part of subcall function 00007FF73D406620: CreateFileA.KERNEL32 ref: 00007FF73D406691
Part of subcall function 00007FF73D406620: CloseHandle.KERNEL32 ref: 00007FF73D4066DB
Part of subcall function 00007FF73D406620: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D4066E1

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D407912
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D408044
DeviceIoControl.KERNEL32 ref: 00007FF73D408304
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D40830C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D408324
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D40832F
CloseHandle.KERNEL32 ref: 00007FF73D408337

Strings

h1=%u, xrefs: 00007FF73D40810E
listen_port=%u, xrefs: 00007FF73D407FF4
jmax=%u, xrefs: 00007FF73D4080A0
s2=%u, xrefs: 00007FF73D4080EA
preshared_key=%s, xrefs: 00007FF73D407600
replace_allowed_ips=true, xrefs: 00007FF73D4076EE
h3=%u, xrefs: 00007FF73D408156
persistent_keepalive_interval=%u, xrefs: 00007FF73D4076D0
jc=%u, xrefs: 00007FF73D40805C
s1=%u, xrefs: 00007FF73D4080C5
endpoint=%s:%s, xrefs: 00007FF73D40769F
endpoint=[%s]:%s, xrefs: 00007FF73D407693
set=1, xrefs: 00007FF73D406CE6
remove=true, xrefs: 00007FF73D406E0B
replace_peers=true, xrefs: 00007FF73D40802F
allowed_ip=%s/%d, xrefs: 00007FF73D406DBA
errno, xrefs: 00007FF73D40780E
h4=%u, xrefs: 00007FF73D406D80
fwmark=%u, xrefs: 00007FF73D408015
jmin=%u, xrefs: 00007FF73D40807E
public_key=%s, xrefs: 00007FF73D406DA4
h2=%u, xrefs: 00007FF73D408132
private_key=%s, xrefs: 00007FF73D407FCD

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: _errno$CloseHandlefreefwritestrcmp$ControlCreateDeviceFilefflushfputcstrchrstrlenstrtoll
String ID: allowed_ip=%s/%d$endpoint=%s:%s$endpoint=[%s]:%s$errno$fwmark=%u$h1=%u$h2=%u$h3=%u$h4=%u$jc=%u$jmax=%u$jmin=%u$listen_port=%u$persistent_keepalive_interval=%u$preshared_key=%s$private_key=%s$public_key=%s$remove=true$replace_allowed_ips=true$replace_peers=true$s1=%u$s2=%u$set=1
API String ID: 1938545729-429151333
Opcode ID: 46033bbdbb12580742b975681dc404ebebb6623472df7e5de5a8ec3383a453aa
Instruction ID: 7115c4aa28c7d9b89a476e2735b88ea18645335d02110358c708413d26649d45
Opcode Fuzzy Hash: 46033bbdbb12580742b975681dc404ebebb6623472df7e5de5a8ec3383a453aa
Instruction Fuzzy Hash: C0B22D2AE2D7866AF713667594112F4E208AFA73C4F41D333FD8831996FF29E1129325

Function 00007FF73D406750 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4067E6
SetupDiGetClassDevsExW.SETUPAPI ref: 00007FF73D406838
SetupDiEnumDeviceInfo.SETUPAPI ref: 00007FF73D4068B1
WideCharToMultiByte.KERNEL32 ref: 00007FF73D406949
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D40695C
WideCharToMultiByte.KERNEL32 ref: 00007FF73D406988
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4069A2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D4069AD

Strings

SWD\WireGuard, xrefs: 00007FF73D406803
ROOT\WIREGUARD, xrefs: 00007FF73D40680A
0, xrefs: 00007FF73D40690A

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: ByteCharMultiSetupWidestrcmp$ClassDeviceDevsEnumInfofreemalloc
String ID: 0$ROOT\WIREGUARD$SWD\WireGuard
API String ID: 1764286838-714841229
Opcode ID: 8b8b90365d9b1aafbd2efaaea433ded22b5284b1b836c6ee8cbd49cd1f499580
Instruction ID: 0d54c06f68db669064b3cfd97c1569f5cd15c0cf8cfb60bb44fc055e399c0249
Opcode Fuzzy Hash: 8b8b90365d9b1aafbd2efaaea433ded22b5284b1b836c6ee8cbd49cd1f499580
Instruction Fuzzy Hash: 56C10A61A0C68A96FB60AB91A41437AE3A0FF84B94F854135DE8E477D0FF3CE045D721

Function 00007FF73D406500 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 82filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32 ref: 00007FF73D406574
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4065A6
FindNextFileA.KERNEL32 ref: 00007FF73D4065B9
FindClose.KERNEL32 ref: 00007FF73D4065C3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4065E6

Strings

\\.\pipe\*, xrefs: 00007FF73D406568
ProtectedPrefix\Administrators\AmneziaWG\%s, xrefs: 00007FF73D406551

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: Find$Filestrcmp$CloseFirstNext
String ID: ProtectedPrefix\Administrators\AmneziaWG\%s$\\.\pipe\*
API String ID: 4053930958-3389193308
Opcode ID: 22559c77d11a2a5e2de079b75b1fc88c09c696fec0a9997df009f1b1a1fe3dfe
Instruction ID: 1bb254666b0e33cfd4fc026b2b7f371c3674997910c645530f9645f5d355e066
Opcode Fuzzy Hash: 22559c77d11a2a5e2de079b75b1fc88c09c696fec0a9997df009f1b1a1fe3dfe
Instruction Fuzzy Hash: 2F312721B1C55E73FA20ABA1A8003BAD250AF40B94FCA0131DD6F476D4FF2CD506A322

Function 00007FF73D4029D0 Relevance: 3.0, APIs: 1, Instructions: 1773stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D402A3E

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 5dd260e9e9f61ea4c082116c183498da0b4d9d79da5d0d54ee2918f9c6c739ba
Instruction ID: 9b56fa7993857bf3cec36a2dfe489c7c0eaabfed17e8bf0c4e2a502c953784e2
Opcode Fuzzy Hash: 5dd260e9e9f61ea4c082116c183498da0b4d9d79da5d0d54ee2918f9c6c739ba
Instruction Fuzzy Hash: 34E2D167D3E7821BE3035739EC126A4EA185FF32C5F44D326ED9171D92FB29A2934218

Function 00007FF73D3F511B Relevance: 2.3, APIs: 1, Instructions: 1088COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe63e039fb2d688b7a630c3388aa5a7583706e297051cf3f2ce90f746a0748fa
Instruction ID: da86f0698bb577b2ffbb324890eb47eb523322f117c658c9677074abe31f30d7
Opcode Fuzzy Hash: fe63e039fb2d688b7a630c3388aa5a7583706e297051cf3f2ce90f746a0748fa
Instruction Fuzzy Hash: 6A925D32A0E64DD6EB65AA65E4003BAE798FF817C4F904139ED4E43B95EF3CE8419710

Function 00007FF73D4047B0 Relevance: 1.3, APIs: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4047C4

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 8d613b5a3ecefce5f5308531ac254ee5f92421bf27feff88c4495142be5149bf
Instruction ID: a8ac0ddb9f408f6eaabd425eea385aaa47ea65d624cfee6ad3f7e0fc7c7a5064
Opcode Fuzzy Hash: 8d613b5a3ecefce5f5308531ac254ee5f92421bf27feff88c4495142be5149bf
Instruction Fuzzy Hash: ED21492363C0E742E72E86356C106BAEB81DB56372B45A330EE6B06AC0C62886049711

Function 00007FF73D402710 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefc4ba55b07cd2e39966fa5283efa252d32a8eb71e88bbe99fec4c6e413f74a
Instruction ID: dec2d44780866f5cb8c3c62881a64657b23c8f7164deb21b97b18b3ba8472fa4
Opcode Fuzzy Hash: eefc4ba55b07cd2e39966fa5283efa252d32a8eb71e88bbe99fec4c6e413f74a
Instruction Fuzzy Hash: EC51F597E39BD586F313173CAC03BB4E724ABA63C6F425320EEC445D96E62A8347D214

Function 00007FF73D3F83B0 Relevance: 65.0, APIs: 27, Strings: 10, Instructions: 229stringfileCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F83D2
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF73D3F83E1
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F83F8
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F840F
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8429
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8446
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D3F8497
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F84D4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F84DE
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F84F9
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D3F850B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8650
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F865A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8669
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8671
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8715
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F871F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D3F8747
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8758

Strings

Unable to find matching brace of endpoint: `%s', xrefs: 00007FF73D3F868B
infinity, xrefs: 00007FF73D3F83EE
WG_ENDPOINT_RESOLUTION_RETRIES, xrefs: 00007FF73D3F83DA
%s: `%s', xrefs: 00007FF73D3F86AA
Neither IPv4 nor IPv6 address found: `%s', xrefs: 00007FF73D3F8725
%s: `%s'. Trying again in %.2f seconds..., xrefs: 00007FF73D3F85EF
Unable to parse WG_ENDPOINT_RESOLUTION_RETRIES: `%s', xrefs: 00007FF73D3F842F
Unable to parse empty endpoint, xrefs: 00007FF73D3F84E4
Unable to find port of endpoint: `%s', xrefs: 00007FF73D3F8644
strdup, xrefs: 00007FF73D3F86BE

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_funcfree$_errno_strdupexitfwritegetenvmemcpystrchrstrcmpstrerrorstrrchrstrtoul
String ID: %s: `%s'$%s: `%s'. Trying again in %.2f seconds...$Neither IPv4 nor IPv6 address found: `%s'$Unable to find matching brace of endpoint: `%s'$Unable to find port of endpoint: `%s'$Unable to parse WG_ENDPOINT_RESOLUTION_RETRIES: `%s'$Unable to parse empty endpoint$WG_ENDPOINT_RESOLUTION_RETRIES$infinity$strdup
API String ID: 970331252-1639880925
Opcode ID: d670e78b44053a8970aa87013cebc9dff53a2daa68784ce55a47aa369ed3b4c4
Instruction ID: 800a616bde01355c9e30083b2fa55e1cf62b4340802984be0a217429d2ceaf16
Opcode Fuzzy Hash: d670e78b44053a8970aa87013cebc9dff53a2daa68784ce55a47aa369ed3b4c4
Instruction Fuzzy Hash: 1391A051A0D64EE2FE18BBA198143B9D254EF85790FC14139EE4E067D2FF3CE855A322

Function 00007FF73D40BBB0 Relevance: 54.5, APIs: 10, Strings: 21, Instructions: 280stringCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D40BF28

Part of subcall function 00007FF73D4052A0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D4052F3
Part of subcall function 00007FF73D4052A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D405335
Part of subcall function 00007FF73D4052A0: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40534E
Part of subcall function 00007FF73D4052A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D4053B1
Part of subcall function 00007FF73D4052A0: strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D4053D1
Part of subcall function 00007FF73D4052A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40541A
Part of subcall function 00007FF73D4052A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405431
Part of subcall function 00007FF73D4052A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405448
Part of subcall function 00007FF73D4052A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40545F

puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D40BBFB
putchar.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D40BCAA
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D40BE53

Part of subcall function 00007FF73D40C0F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D40C116

perror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D40C0A3

Strings

H4 = %u, xrefs: 00007FF73D40BC99
H1 = %u, xrefs: 00007FF73D40C01B
Unable to access interface, xrefs: 00007FF73D40C09C
H3 = %u, xrefs: 00007FF73D40C05B
PersistentKeepalive = %u, xrefs: 00007FF73D40BE8B
S2 = %u, xrefs: 00007FF73D40BFFB
PresharedKey = %s, xrefs: 00007FF73D40BD0C
FwMark = 0x%x, xrefs: 00007FF73D40BC26
[Interface], xrefs: 00007FF73D40BBF4
Jmax = %u, xrefs: 00007FF73D40BFB9
AllowedIPs = , xrefs: 00007FF73D40BD29
Endpoint = %s:%s, xrefs: 00007FF73D40BE64
[Peer]PublicKey = %s, xrefs: 00007FF73D40BCEC
Jmin = %u, xrefs: 00007FF73D40BF9B
Endpoint = [%s]:%s, xrefs: 00007FF73D40BE58
S1 = %u, xrefs: 00007FF73D40BFDA
Jc = %u, xrefs: 00007FF73D40BF7D
H2 = %u, xrefs: 00007FF73D40C03B
ListenPort = %u, xrefs: 00007FF73D40BC10
%s/%d, xrefs: 00007FF73D40BCD0
PrivateKey = %s, xrefs: 00007FF73D40BF5C

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strcmp$__acrt_iob_funcstrchr$callocfwriteperrorputcharputsstrlenstrncpy
String ID: %s/%d$AllowedIPs = $Endpoint = %s:%s$Endpoint = [%s]:%s$FwMark = 0x%x$H1 = %u$H2 = %u$H3 = %u$H4 = %u$Jc = %u$Jmax = %u$Jmin = %u$ListenPort = %u$PersistentKeepalive = %u$PresharedKey = %s$PrivateKey = %s$S1 = %u$S2 = %u$Unable to access interface$[Interface]$[Peer]PublicKey = %s
API String ID: 2189207758-3787348828
Opcode ID: dfbf7fe93071cc97e3f495807336d0028547e7f3f1906d4feaf296d50ef190cd
Instruction ID: 93444f7c3b326da958b0615c6a8ed0c8087c9239acf37b94fcd5d5fccc9030db
Opcode Fuzzy Hash: dfbf7fe93071cc97e3f495807336d0028547e7f3f1906d4feaf296d50ef190cd
Instruction Fuzzy Hash: 47D18C21A0C64AA1FA65BB91D4403BAE361AF40748FC2C031EE4D566D6FF3CE845E762

Function 00007FF73D3F8770 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 221stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F878F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F880A
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F882A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F8856
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F8868
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F889D
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D3F88BE
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F894C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8A2C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8A3D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8AAA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8AB4
perror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8AD3
perror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8AE1

Strings

Unable to parse IP address: `%s', xrefs: 00007FF73D3F8A8D
Warning: AllowedIP has nonzero host part: %s/%s, xrefs: 00007FF73D3F87DE
AllowedIP is not in the correct format: `%s', xrefs: 00007FF73D3F8A6B
strdup, xrefs: 00007FF73D3F8ACC
calloc, xrefs: 00007FF73D3F8ADA

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: free$_strdupperrorstrcspn$callocstrchrstrtoul
String ID: AllowedIP is not in the correct format: `%s'$Unable to parse IP address: `%s'$Warning: AllowedIP has nonzero host part: %s/%s$calloc$strdup
API String ID: 3019466392-3341623562
Opcode ID: b47652f795d037d1c5cd60effb3e3d9ab8b9abaae243694418b2b71e70b33719
Instruction ID: 7701c4b0dd6122cf993bdc6a052b782c353d1b94530f7b909083c2c71fef79d2
Opcode Fuzzy Hash: b47652f795d037d1c5cd60effb3e3d9ab8b9abaae243694418b2b71e70b33719
Instruction Fuzzy Hash: 10811362A0E24EE1EE58B79198142BAE654EF81794FC54538DE4E073D1FF3CE811E321

Function 00007FF73D3F7D20 Relevance: 40.3, APIs: 1, Strings: 22, Instructions: 66fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FFE1FFAFCF0,000002B0ADB976D8,00007FF73D3F7C4C,?,00007FF73D3F1315,?,?,?,00007FF73D3F1366), ref: 00007FF73D3F7D51

Strings

Change the current configuration, add peers, remove peers, or change peers, xrefs: 00007FF73D3F7D96
showconf, xrefs: 00007FF73D3F7D76
setconf, xrefs: 00007FF73D3F7DA8
%s: %s, xrefs: 00007FF73D3F7D56
Appends a configuration file to a WireGuard interface, xrefs: 00007FF73D3F7DC8
Generates a new preshared key and writes it to stdout, xrefs: 00007FF73D3F7E13
Available subcommands:, xrefs: 00007FF73D3F7D3C
Shows the current configuration of a given WireGuard interface, for use with `setconf', xrefs: 00007FF73D3F7D7D
addconf, xrefs: 00007FF73D3F7DC1
pubkey, xrefs: 00007FF73D3F7E25
syncconf, xrefs: 00007FF73D3F7DDA
Synchronizes a configuration file to a WireGuard interface, xrefs: 00007FF73D3F7DE1
Usage: %s <cmd> [<args>], xrefs: 00007FF73D3F7D30
Shows the current configuration and device information, xrefs: 00007FF73D3F7D64
Applies a configuration file to a WireGuard interface, xrefs: 00007FF73D3F7DAF
genpsk, xrefs: 00007FF73D3F7E0C
show, xrefs: 00007FF73D3F7D5D
Reads a private key from stdin and writes a public key to stdout, xrefs: 00007FF73D3F7E2C
Generates a new private key and writes it to stdout, xrefs: 00007FF73D3F7DFA
set, xrefs: 00007FF73D3F7D8F
genkey, xrefs: 00007FF73D3F7DF3
You may pass `--help' to any of these subcommands to view usage., xrefs: 00007FF73D3F7E3E

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: fwrite
String ID: %s: %s$Appends a configuration file to a WireGuard interface$Applies a configuration file to a WireGuard interface$Available subcommands:$Change the current configuration, add peers, remove peers, or change peers$Generates a new preshared key and writes it to stdout$Generates a new private key and writes it to stdout$Reads a private key from stdin and writes a public key to stdout$Shows the current configuration and device information$Shows the current configuration of a given WireGuard interface, for use with `setconf'$Synchronizes a configuration file to a WireGuard interface$Usage: %s <cmd> [<args>]$You may pass `--help' to any of these subcommands to view usage.$addconf$genkey$genpsk$pubkey$set$setconf$show$showconf$syncconf
API String ID: 3559309478-316989557
Opcode ID: ec3c38715fe2dad7355cb0636f5737f70661bde6b3fd5a32ac1da1ccc7394f0f
Instruction ID: 607a73bc1e5bb097dc020e89b394ab404fc0be15ecd0a938131fd4c892a12de5
Opcode Fuzzy Hash: ec3c38715fe2dad7355cb0636f5737f70661bde6b3fd5a32ac1da1ccc7394f0f
Instruction Fuzzy Hash: A331A590A2D55FB0EA10FBD1AD409F4E32A5F55BC4FC14033EC0D17A55AF7CA64AA362

Function 00007FF73D40ACB0 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 331stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D40C140: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C186

Part of subcall function 00007FF73D40C140: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1BD
Part of subcall function 00007FF73D40C140: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1D0
Part of subcall function 00007FF73D40C140: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1DE
Part of subcall function 00007FF73D40C140: _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1E7
Part of subcall function 00007FF73D40C140: _isatty.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1EE
Part of subcall function 00007FF73D40C140: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C331

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF73D40AD1A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40AD35
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D40AEA4
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF73D40AEE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D40AFBA
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF73D40B037
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40B052
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73D40B0DC
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D40B1BF

Strings

Now, xrefs: 00007FF73D40B0FC
never, xrefs: 00007FF73D40AD2B, 00007FF73D40B04B
(none), xrefs: 00007FF73D40B0C3
WG_HIDE_KEYS, xrefs: 00007FF73D40AD13, 00007FF73D40B030
ago, xrefs: 00007FF73D40B1B8
%s sent, xrefs: 00007FF73D40B21C
every , xrefs: 00007FF73D40B250
(hidden), xrefs: 00007FF73D40AD1F, 00007FF73D40B03C, 00007FF73D40B057
%s received, , xrefs: 00007FF73D40B1FD

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strcmp$__acrt_iob_funcfreegetenv$_fileno_isatty_time64callocqsortstrncpy
String ID: ago$%s received, $%s sent$(hidden)$(none)$Now$WG_HIDE_KEYS$every $never
API String ID: 215390385-2913925316
Opcode ID: c33cc269365d38d8657cd7691dfa003362f079c905a89ee779b475fbf269c0e8
Instruction ID: 039a928dd058362d028a61d5f9a1c11c117f2df56fa9760ac099579ea6fb8cda
Opcode Fuzzy Hash: c33cc269365d38d8657cd7691dfa003362f079c905a89ee779b475fbf269c0e8
Instruction Fuzzy Hash: 19F17B21A0C64AB1EA15FBA5D8413B9E362BF54B84FC68135DE0D07291FF3CE549E362

Function 00007FF73D3F8BE0 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 105fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8C5F
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8C91
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8CAC
ferror.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8CB6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8CBF
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8CE6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8D0F
feof.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8D21
perror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8D53
perror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8D63

Strings

getc, xrefs: 00007FF73D3F8D5C
Found trailing character in key file: `%c', xrefs: 00007FF73D3F8C65
Invalid length key in key file, xrefs: 00007FF73D3F8C97
fopen, xrefs: 00007FF73D3F8D4C
Key is not the correct length or format: `%s', xrefs: 00007FF73D3F8CEC

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func$perror$_errnofclosefeofferrorfwrite
String ID: Found trailing character in key file: `%c'$Invalid length key in key file$Key is not the correct length or format: `%s'$fopen$getc
API String ID: 544416479-2653762025
Opcode ID: d23dc7c9aefdbbaf91b2a68ca54087207bd722f27c52376c0b2cb0d8abe4d8cc
Instruction ID: 48a606467a81904208b105f0ccd58ae26f7990e7f804b674c1d3776b5ee76cf7
Opcode Fuzzy Hash: d23dc7c9aefdbbaf91b2a68ca54087207bd722f27c52376c0b2cb0d8abe4d8cc
Instruction Fuzzy Hash: E241C261E0E60FE2FE14B7A194103F9D251AF95780FC54235EE0D076D2FF6CA995A322

Function 00007FF73D40C140 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 133stringCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C186
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1BD
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1D0
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1DE
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1E7
_isatty.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C1EE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40C331

Strings

WG_COLOR_MODE, xrefs: 00007FF73D40C19F
never, xrefs: 00007FF73D40C1C6
always, xrefs: 00007FF73D40C1B3

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_funcstrcmp$_fileno_isattyfree
String ID: WG_COLOR_MODE$always$never
API String ID: 4211838187-4035333732
Opcode ID: 1508d377326ef1b0d0d0f2cb77dc06fe719fef41b60a7bfd94025024ec44bd8c
Instruction ID: b941c574f59bfcbc763aa66e6367757ba8c4ab2a41c092486d3fc6328df7113d
Opcode Fuzzy Hash: 1508d377326ef1b0d0d0f2cb77dc06fe719fef41b60a7bfd94025024ec44bd8c
Instruction Fuzzy Hash: 4B51C221E0C64AE1FA20B7E5A50037AE6819F447D0FCA8135EE0E17BD5FF2CE445A622

Function 00007FF73D40B840 Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D40B2A0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00007FF73D40A65D), ref: 00007FF73D40B2C6

puts.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,00000000,?,00000001,00000000,?,00007FF73D40AC7A), ref: 00007FF73D40B981

Strings

(none), xrefs: 00007FF73D40BA70, 00007FF73D40BA8C
%u, xrefs: 00007FF73D40BACC
%llu%llu, xrefs: 00007FF73D40BAB0
%llu, xrefs: 00007FF73D40BA9C
%s/%u%c, xrefs: 00007FF73D40B9BF
(none), xrefs: 00007FF73D40B86F, 00007FF73D40BA1C
%u, xrefs: 00007FF73D40B8D0
off, xrefs: 00007FF73D40B97A, 00007FF73D40B9D0
%s, xrefs: 00007FF73D40B860, 00007FF73D40B892, 00007FF73D40B8BA, 00007FF73D40B99B
0x%x, xrefs: 00007FF73D40B96C

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_funcputs
String ID: %llu$%llu%llu$%s$%s/%u%c$%u$%u$(none)$(none)$0x%x$off
API String ID: 3278495061-353294181
Opcode ID: 7cd881c02aacaf1ffa50f974b3051d297a03e9a7fe656e3bd32015d6670265b1
Instruction ID: de40d541045dec6e62cdfc2659d21540cba02e6c14db88f9b4c90a2e75928e07
Opcode Fuzzy Hash: 7cd881c02aacaf1ffa50f974b3051d297a03e9a7fe656e3bd32015d6670265b1
Instruction Fuzzy Hash: CA81D011A0C55FB2EA22B791A5456BFE361AF80788FC28031DE5D06692FF3CE445E366

Function 00007FF73D4083D0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D4083E1
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D4083FA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D408422
getc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D408427
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D408459
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D408477
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D408498
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D4084A9
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D408507

Strings

%s: Key is not the correct length or format, xrefs: 00007FF73D4084B6
%s: Trailing characters found after key, xrefs: 00007FF73D408466
Usage: %s %s, xrefs: 00007FF73D408487

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func$_errnofreadgetcputs
String ID: %s: Key is not the correct length or format$%s: Trailing characters found after key$Usage: %s %s
API String ID: 3310308791-906102049
Opcode ID: d130606250bc12114dbc84f79be8272d9b3c075edf7276302a9e7231e4c0fdb9
Instruction ID: da5fb43a76bb0c713147c3544e81196fb2610f6f7a1449a6a2ef27774a9fbc5e
Opcode Fuzzy Hash: d130606250bc12114dbc84f79be8272d9b3c075edf7276302a9e7231e4c0fdb9
Instruction Fuzzy Hash: 0731D720A0C61FA2EE14B7D1A9102B9D350AF89794FC24035DE0D173D5FF2CE545EB22

Function 00007FF73D404B00 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62filestringCOMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF73D404B1E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D404B4C
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D404B67
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D404B89
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D404BB9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D404BC7
perror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D404BF4

Strings

Warning: writing to world accessible file.Consider setting the umask to 077 and trying again., xrefs: 00007FF73D404B52
getrandom, xrefs: 00007FF73D404BED
genkey, xrefs: 00007FF73D404B82

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func$_fstat64fwriteperrorputsstrcmp
String ID: Warning: writing to world accessible file.Consider setting the umask to 077 and trying again.$genkey$getrandom
API String ID: 3840213802-2404912750
Opcode ID: 8354eefa0a16a462890dc4f54c070698f85da530be23ccf39a2af45e46c74903
Instruction ID: 7e1233afb19afe70f1b934324e8ac34965d61e1acba3323ea79c6ba507c73438
Opcode Fuzzy Hash: 8354eefa0a16a462890dc4f54c070698f85da530be23ccf39a2af45e46c74903
Instruction Fuzzy Hash: 8B21AE61E0C51BA1EA60B7E0A4113B9E360AF85744FC24131EE8E476C2FF1CE945A722

Function 00007FF73D3F48D0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D3F3354), ref: 00007FF73D3F4B29

Strings

., xrefs: 00007FF73D3F4A44

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: fputc
String ID: .
API String ID: 1992160199-248832578
Opcode ID: 286ecad110a6c2e765709354b6d0600fcc9d5dbb54b1899054fe519846916996
Instruction ID: 3cb9ec64433044024bd25bec9c37368b37986b1db89bfa2cba4230e7a2e65748
Opcode Fuzzy Hash: 286ecad110a6c2e765709354b6d0600fcc9d5dbb54b1899054fe519846916996
Instruction Fuzzy Hash: 53F18632A0E24ED7FB749A65E0507BAF7A5EB14740F805139DB9A46A81EB3CFC40E710

Function 00007FF73D3F8090 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85filestringCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F80F0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F80FE
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8106
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8112
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F812D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F81A0

Strings

%s: `%s', xrefs: 00007FF73D3F8180
Neither IPv4 nor IPv6 address found: `%s', xrefs: 00007FF73D3F81A6
Unable to parse empty port, xrefs: 00007FF73D3F8118

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func$_errnofwritestrerror
String ID: %s: `%s'$Neither IPv4 nor IPv6 address found: `%s'$Unable to parse empty port
API String ID: 1250853250-3403716657
Opcode ID: 848df00da17942d2cbffea1b9b796cec72083165688fec3fd741c08586944590
Instruction ID: bd3bc85f88b9f51048afe7c14b4abe2baee41404c64824cc43143968eb1c0191
Opcode Fuzzy Hash: 848df00da17942d2cbffea1b9b796cec72083165688fec3fd741c08586944590
Instruction Fuzzy Hash: 5031D36190D65EA1FA286B95D8056F9E364EF84B90FC00239EE0E03791FF3CD896E711

Function 00007FF73D406620 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF73D406691
CloseHandle.KERNEL32 ref: 00007FF73D4066DB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D4066E1
LocalFree.KERNEL32 ref: 00007FF73D406710
_open_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D406722
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF73D406736
CloseHandle.KERNEL32 ref: 00007FF73D406741

Strings

\\.\pipe\ProtectedPrefix\Administrators\AmneziaWG\%s, xrefs: 00007FF73D406653

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: CloseHandle$CreateFileFreeLocal_errno_fdopen_open_osfhandle
String ID: \\.\pipe\ProtectedPrefix\Administrators\AmneziaWG\%s
API String ID: 3829360951-2032867026
Opcode ID: 609dd99b710ee281472abad51e746a1d3f438d953befdd37ac575b8669ccf256
Instruction ID: 37fcf14d782defb37064df9ee6066820361770c9e9469ca9e38be2009ea0c286
Opcode Fuzzy Hash: 609dd99b710ee281472abad51e746a1d3f438d953befdd37ac575b8669ccf256
Instruction Fuzzy Hash: 64319331A1C64A92F710ABA1E81436AE360FB80B90F954231ED5E03AD4EF7CD449EB11

Function 00007FF73D3F1970 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF73D40F100,00007FF73D40F100,?,?,00007FF73D3F0000,?,00007FF73D3F1761), ref: 00007FF73D3F1A33
VirtualProtect.KERNEL32(?,?,?,?,00007FF73D40F100,00007FF73D40F100,?,?,00007FF73D3F0000,?,00007FF73D3F1761), ref: 00007FF73D3F1A97
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF73D40F100,00007FF73D40F100,?,?,00007FF73D3F0000,?,00007FF73D3F1761), ref: 00007FF73D3F1AB0
GetLastError.KERNEL32(?,?,?,?,00007FF73D40F100,00007FF73D40F100,?,?,00007FF73D3F0000,?,00007FF73D3F1761), ref: 00007FF73D3F1AF3

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF73D3F1AE7
Address %p has no image-section, xrefs: 00007FF73D3F1AC4
VirtualProtect failed with code 0x%x, xrefs: 00007FF73D3F1AF9

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 329e3502598422498331ca800828cfac293d4b7ca7d2047c57ac6f5dc12973c9
Instruction ID: 51085ef84c047627449ca8d0929cc9b3dc7de71bd6a729ba68e4c7f7d9440cad
Opcode Fuzzy Hash: 329e3502598422498331ca800828cfac293d4b7ca7d2047c57ac6f5dc12973c9
Instruction Fuzzy Hash: 4F417272A0D64EE1EE51AB81E4446B9E764EF85BC0F954139CE0E43790EF3CE949E360

Function 00007FF73D3F8260 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filestringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F8288
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F82A8
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F82C3
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F82DC
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F82FC

Strings

Unable to parse %s: `%s', xrefs: 00007FF73D3F82E2
Unable to parse empty string, xrefs: 00007FF73D3F82AE

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func$exitfwritestrtoul
String ID: Unable to parse %s: `%s'$Unable to parse empty string
API String ID: 3518195109-1204588140
Opcode ID: 084ae46b2a106989ba7d161fb11436114f07e247c82b8266f42d46fade1ed4dc
Instruction ID: 4031f2d4a77dd13dd1869b5d46920ffefa131ad2b5ac6487673d234f8a054205
Opcode Fuzzy Hash: 084ae46b2a106989ba7d161fb11436114f07e247c82b8266f42d46fade1ed4dc
Instruction Fuzzy Hash: AA012252E0D64EB1FA1837E298107F9D6109F85BD4F954034EE0D077C2FF2CA981A322

Function 00007FF73D3F8310 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51filestringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F8338
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8350
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F836B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8384
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F83A4

Strings

Unable to parse %s: `%s', xrefs: 00007FF73D3F838A
Unable to parse empty string, xrefs: 00007FF73D3F8356

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func$exitfwritestrtoul
String ID: Unable to parse %s: `%s'$Unable to parse empty string
API String ID: 3518195109-1204588140
Opcode ID: 20f55168c9e1cafef60a3f54506447fc30e4767f4c82249152f32503b660bd5d
Instruction ID: 8346c8a28dd8fbb52fe2c051908087bcaecce1b667937a28aab22c8090b9472d
Opcode Fuzzy Hash: 20f55168c9e1cafef60a3f54506447fc30e4767f4c82249152f32503b660bd5d
Instruction Fuzzy Hash: AD014561A0D50EA1FB1437E298107BCD2109F85BD4F850035EE0D073D2FF2CD941A721

Function 00007FF73D3F42B0 Relevance: 10.9, APIs: 7, Instructions: 351COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FF73D3F40F7,?,?,?,00000000,?,00007FF73D3F3CF4), ref: 00007FF73D3F44FD
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FF73D3F40F7,?,?,?,00000000,?,00007FF73D3F3CF4), ref: 00007FF73D3F4510
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FF73D3F40F7,?,?,?,00000000,?,00007FF73D3F3CF4), ref: 00007FF73D3F4579

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 5bba3542e24a611a4f92aaeab2b7d090de676ce5aa7ce851e9f60a12db06b999
Instruction ID: 663961bb74eeb9e901b119928cdecc854bb863763f87c00a9e0d770428e51227
Opcode Fuzzy Hash: 5bba3542e24a611a4f92aaeab2b7d090de676ce5aa7ce851e9f60a12db06b999
Instruction Fuzzy Hash: 54E15132A0E24EDAFB34AA65E19477AF6D9EB44740F844139CB5E46AD1EB3CFC409710

Function 00007FF73D3F3970 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F3A90
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F3B21
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F3B99
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F3BEB
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F3C39

Strings

0, xrefs: 00007FF73D3F3B41

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: fputc$memset
String ID: 0
API String ID: 2944404495-4108050209
Opcode ID: 6b1aa06cdb067662631725c16fa8d76b0ea062e6b8605673a3d7a709e557d23e
Instruction ID: bd8a1130f4d47d1f16688c6fd277cd2548ce26b2895a133ec18d8de5195ca45c
Opcode Fuzzy Hash: 6b1aa06cdb067662631725c16fa8d76b0ea062e6b8605673a3d7a709e557d23e
Instruction Fuzzy Hash: FD812623E1D18ED2FF756E96E1507B9E6D5AB00744F845138CE6A467C1EB3CEC80A322

Function 00007FF73D3F4750 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF73D3F4776
mbrtowc.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F4794
wcrtomb.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F47E6
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F4840

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: fputclocaleconvmbrtowcwcrtomb
String ID:
API String ID: 2968283867-0
Opcode ID: 235c412fda74ae61bdd71f298d7962477191b91c1e6b2450e50ed2c30e0ca071
Instruction ID: b3d4d0bbed3a41360d15d6c049f3b7d45e3a384106846a5d461bc86575dfe60f
Opcode Fuzzy Hash: 235c412fda74ae61bdd71f298d7962477191b91c1e6b2450e50ed2c30e0ca071
Instruction Fuzzy Hash: BE41C922E0D189D6F7346AB6E0813BAF3A4EB14754F504539DF6E42BC1EB3CE8819760

Function 00007FF73D3F2264 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF73D3F2278
TlsGetValue.KERNEL32 ref: 00007FF73D3F22AF
GetLastError.KERNEL32 ref: 00007FF73D3F22B4
LeaveCriticalSection.KERNEL32 ref: 00007FF73D3F2372
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F2394
DeleteCriticalSection.KERNEL32 ref: 00007FF73D3F23BD

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: b76accf9d40db69406eacac63beeb41308df90d6d1e8b85d71d203678686b37b
Instruction ID: bc013bd319b4c36ff1b5884cf3daa81660d80c50452f2516ad2e253019626cbb
Opcode Fuzzy Hash: b76accf9d40db69406eacac63beeb41308df90d6d1e8b85d71d203678686b37b
Instruction Fuzzy Hash: 9D21C425A0D54EF1FA55B7819545378D3547F40B90FD60035CD0D87AA0FF7CAA45A721

Function 00007FF73D4051D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405229
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405252
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D405265
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D405279

Strings

ProtectedPrefix\Administrators\AmneziaWG\, xrefs: 00007FF73D4051D1

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: _strdupcallocfreestrcmp
String ID: ProtectedPrefix\Administrators\AmneziaWG\
API String ID: 2774336195-4145502227
Opcode ID: f932b3720a53e748a99dc318476a627693a2e5fe5c5a817614beeb5cd88f76ec
Instruction ID: 1bbf8468d189e367f0434e2e5955696f18918b69828e09d2f5b7b6e5bed7416d
Opcode Fuzzy Hash: f932b3720a53e748a99dc318476a627693a2e5fe5c5a817614beeb5cd88f76ec
Instruction Fuzzy Hash: 751133B2B0D949A0FB546A9691403BDD292DF94BC0F8AC030CE0C4B7C5FF2CD442A712

Function 00007FF73D3F8B40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F8B5A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F8B7A
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F8BAB

Strings

Persistent keepalive interval is neither 0/off nor 1-65535: `%s', xrefs: 00007FF73D3F8B80
off, xrefs: 00007FF73D3F8B50

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func_stricmpstrtoul
String ID: Persistent keepalive interval is neither 0/off nor 1-65535: `%s'$off
API String ID: 483165431-115456495
Opcode ID: 58f9759bb7702ee6b753b2c487eb7ec93fcfa4a7233e9373641f08d8f6f00e22
Instruction ID: aacdf09a036fa6e6b6ad7597076fc53d5bfda0a3dbb966d52536ed8c9d0ec46b
Opcode Fuzzy Hash: 58f9759bb7702ee6b753b2c487eb7ec93fcfa4a7233e9373641f08d8f6f00e22
Instruction Fuzzy Hash: A4010092B0C24EA0FB146BB1D8003B9EB949F45BD4F844139CE0D862D4FF6CD952A321

Function 00007FF73D3F3380 Relevance: 7.6, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

wcrtomb.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F33A4
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F3412
wcrtomb.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73D3F3452
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F34B9
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F34FB

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: fputc$wcrtomb
String ID:
API String ID: 497632989-0
Opcode ID: d77316cdf160907d198d9005216d24f7fcaf5127487dc38de47bfba6be12ab5c
Instruction ID: 5e4dc49c95acd8aa1416bd29dd6dfdc365f257d6997a5031318f66dc4f465eb2
Opcode Fuzzy Hash: d77316cdf160907d198d9005216d24f7fcaf5127487dc38de47bfba6be12ab5c
Instruction Fuzzy Hash: 3141A232E0D54ED6EA35AA46E1506BAF7A5EB04754F844139DF4F426C1EB3CE840D711

Function 00007FF73D40B370 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000000,00007FF73D40B094), ref: 00007FF73D40B393
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40B3FF
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF73D40A1A8), ref: 00007FF73D40B420

Strings

[%s]:%s, xrefs: 00007FF73D40B42F
%s:%s, xrefs: 00007FF73D40B428, 00007FF73D40B43C

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: memsetstrchrstrncpy
String ID: %s:%s$[%s]:%s
API String ID: 2090624546-3707195743
Opcode ID: 8875882216fdc86b0b74de7071c875222618e46d658b11f39b6586c8d9b5fbbb
Instruction ID: d58a4d19ff432f8bc069aaa48ce8801044bc31e8d0244906c107892d9b372469
Opcode Fuzzy Hash: 8875882216fdc86b0b74de7071c875222618e46d658b11f39b6586c8d9b5fbbb
Instruction Fuzzy Hash: 6821B631B0C65AA1FB21BB90E8042F5E2A0FB84384FC14136DD8D536D5EF3CD519A721

Function 00007FF73D3F3EC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F3F50

Strings

+, xrefs: 00007FF73D3F3FB5

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: dda78be2265a4093b9bc9960568dedb70fe805fcbb581ab24825183a18f80e67
Instruction ID: 746e2d6781cc6471c2d9da018c2683e8fe3f28f486a85dd92ebab106624169fa
Opcode Fuzzy Hash: dda78be2265a4093b9bc9960568dedb70fe805fcbb581ab24825183a18f80e67
Instruction Fuzzy Hash: 0251E963A0D24EDBEB349A65E0406BEF7A4EB01750F44413CDB9947AC1EB3CE9049B11

Function 00007FF73D3F1BE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF73D3F1BF7

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: b87f54ebd02da3a61d33f90cba9ef3fff45637c8e6b297c20bd2be89c3e5ebab
Instruction ID: d2f4d909c8dfa20e4814d5b83ef88be4156c7bc26b92a8b67cfb8ba209f44a42
Opcode Fuzzy Hash: b87f54ebd02da3a61d33f90cba9ef3fff45637c8e6b297c20bd2be89c3e5ebab
Instruction Fuzzy Hash: 2821DD31E0F60EE1FE656694A5403F9D196AF843A0FA58539DD0D472C4FF3CAC8AA231

Function 00007FF73D3F8D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F8D7A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F8D8B
perror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F8DED

Strings

calloc, xrefs: 00007FF73D3F8DE6

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: callocperrorstrlen
String ID: calloc
API String ID: 2253307862-2635317215
Opcode ID: 6103a812be84079c912508d359eb4f0285a0525434ae842cfe8ebe732e570ab2
Instruction ID: 9731d40fd5c02ba6ccc1f02bb29505ed1f73e4038b519eb2ce9ab36fd5920ce4
Opcode Fuzzy Hash: 6103a812be84079c912508d359eb4f0285a0525434ae842cfe8ebe732e570ab2
Instruction Fuzzy Hash: 49F0DB55B0F25EE2FE29669565107FAD5459FA0340F898234EE0D067C1FF2C9D94A260

Function 00007FF73D3F6860 Relevance: 6.4, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF73D3F6901
LeaveCriticalSection.KERNEL32 ref: 00007FF73D3F693A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F69AD
LeaveCriticalSection.KERNEL32 ref: 00007FF73D3F69D6

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: CriticalLeaveSection$free
String ID:
API String ID: 2017658852-0
Opcode ID: dad2cc61c5960f0da9df35849d2976f6285ea7e62c2d1c923a156c1c73eb05a5
Instruction ID: 3a3a589b540a63b810ba40311bf885f5e19b2688088f7ae8e850b78905cd102d
Opcode Fuzzy Hash: dad2cc61c5960f0da9df35849d2976f6285ea7e62c2d1c923a156c1c73eb05a5
Instruction Fuzzy Hash: 4B518121A4EA4EE0FE54BB95D9453B6E398AF54B84F994039CD0D473A1FF3CE840A260

Function 00007FF73D3F3660 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F3714

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c638daa76f6221497d0727d3ee4cea762bed7065c1711a96793fc20d26fecf89
Instruction ID: 04983376135d8901272ec6383d4daeb69790dcb3f9ff4263fee9976b94058fd0
Opcode Fuzzy Hash: c638daa76f6221497d0727d3ee4cea762bed7065c1711a96793fc20d26fecf89
Instruction Fuzzy Hash: 90910672E0D24ED7FB349A9AD5407BAF695EB04790F448139CB9A43B80EB3CF8459711

Function 00007FF73D3F6AB0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F6B1D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73D3F6C23
LeaveCriticalSection.KERNEL32 ref: 00007FF73D3F6C57

Strings

, xrefs: 00007FF73D3F6AFD

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: CriticalLeaveSectionfreememset
String ID:
API String ID: 1662925646-3916222277
Opcode ID: 01c0cf66fa5b899311e6542b3090b6c4a67ae0483516fd3d326a7d848c4e6651
Instruction ID: 810a328ffe9a6752d767610d1696d67f3f52aa91578134dd9c9e79d6dd4decf8
Opcode Fuzzy Hash: 01c0cf66fa5b899311e6542b3090b6c4a67ae0483516fd3d326a7d848c4e6651
Instruction Fuzzy Hash: 92411462A4E64DE2EE24AF9594501BCE351EB447A4F818235CA5F423D0FF3CED86D210

Function 00007FF73D3F1650 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D3F1247), ref: 00007FF73D3F17C9

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF73D3F194B
Unknown pseudo relocation protocol version %d., xrefs: 00007FF73D3F195B

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 089e299b17ca76b65b31de90546e56fae2357db5356189ae7f47250a00160afa
Instruction ID: 9e863992f60f4ce4a7e5509e7875a4eb00bd9f81724d5407fa05f4e80aa8a536
Opcode Fuzzy Hash: 089e299b17ca76b65b31de90546e56fae2357db5356189ae7f47250a00160afa
Instruction Fuzzy Hash: 61519F21E0D54EE6EF10ABA1EC407B4E769AB14B94F954135C91D03B94EF3CE98EE720

Function 00007FF73D3F15D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73D3F1600

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73D3F161D
Unknown error, xrefs: 00007FF73D3F15F4

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: __acrt_iob_func
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 711238415-3474627141
Opcode ID: 70f69d78bf8fee29de9953d37dc0df2b334942f215bcb2d18fe886ace857c9c3
Instruction ID: 454d1a94e11071c158c4bc6d0ace5e6e6a4279718ca419c444e2e6548bf5cb91
Opcode Fuzzy Hash: 70f69d78bf8fee29de9953d37dc0df2b334942f215bcb2d18fe886ace857c9c3
Instruction Fuzzy Hash: F1F0C811E0DA4DD2D610AB68A9410B9E320EF593D0F819235DE4E57551EF2CE5869310

Function 00007FF73D3F2E67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73D3F2E69
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D3F31D1

Strings

(null), xrefs: 00007FF73D3F2E71

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: strerrorstrlen
String ID: (null)
API String ID: 960536887-3941151225
Opcode ID: 0b05897515035d7ba616b04ae10d89e7851345c5bc408184d683faca3e5a79e1
Instruction ID: 67815a32647d31f0b59c388cc206a08c4bb0e1d9ebfd37fcee8f55bbad8f0af8
Opcode Fuzzy Hash: 0b05897515035d7ba616b04ae10d89e7851345c5bc408184d683faca3e5a79e1
Instruction Fuzzy Hash: AEE01A10F0F20EE5EE04B6A054010F9E1555F85380FDC4439ED0D02286FF3CE804A162

Function 00007FF73D3F22FE Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF73D3F2312
TlsGetValue.KERNEL32 ref: 00007FF73D3F234B
GetLastError.KERNEL32 ref: 00007FF73D3F2350
LeaveCriticalSection.KERNEL32 ref: 00007FF73D3F23CC

Memory Dump Source

Source File: 00000000.00000002.1749224314.00007FF73D3F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D3F0000, based on PE: true

Associated: 00000000.00000002.1749209464.00007FF73D3F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749254622.00007FF73D40D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749277310.00007FF73D411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749314209.00007FF73D419000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749349349.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73d3f0000_awg.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 08af56dec14cee726e5e9c565d7400ea4c10c1628f34bf4d55a560529916973e
Instruction ID: b2488e66e3ea9ef8b78ec047e51ff19306ff0ef2408735173d61f247121974e5
Opcode Fuzzy Hash: 08af56dec14cee726e5e9c565d7400ea4c10c1628f34bf4d55a560529916973e
Instruction Fuzzy Hash: 76012565B0D64EE1FA05BB81E944178D3647F04B90FD50035CD0D87660FF3CEE85A220

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: awg.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: awg.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: awg.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: awg.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: awg.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: awg.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: awg.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: awg.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: awg.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: awg.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: awg.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: awg.exe	String found in binary or memory: https://git.zx2c4.com/wireguard-tools/
Source: awg.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: awg.exe	String found in binary or memory: https://www.wireguard.com/D

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report awg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: awg.exePID: 6840, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 4040, Parent PID: 6840

General

Chronological Activities

Disassembly

Analysis Process: awg.exePID: 6840, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF73D404C30 Relevance: 61.6, APIs: 30, Strings: 5, Instructions: 340filestringCOMMON

Control-flow Graph

Windows Analysis Report
awg.exe

Function 00007FF73D404C30 Relevance: 61.6, APIs: 30, Strings: 5, Instructions: 340
filestringCOMMON

Function 00007FF73D3F1160 Relevance: 13.6, APIs: 9, Instructions: 121
sleepstringCOMMON

Function 00007FF73D3F7A60 Relevance: 108.9, APIs: 40, Strings: 22, Instructions: 420
stringCOMMON

Function 00007FF73D3F7F70 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 65
networkCOMMON

Function 00007FF73D3F7320 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199
librarymemoryloaderCOMMON

Function 00007FF73D3F8060 Relevance: 3.0, APIs: 2, Instructions: 13
libraryCOMMON

Function 00007FF73D3F13D0 Relevance: 1.5, APIs: 1, Instructions: 15
networkCOMMON