Edit tour

Windows Analysis Report
LGvZDRRknR.exe

Overview

General Information

Sample name:	LGvZDRRknR.exe renamed because original name is a hash value
Original sample name:	ad56dd8d6a82960c2e4272b12fdffc0f4044eea525b319a488eec30ec74b1d19.exe
Analysis ID:	1592726
MD5:	5577aedd686307dcc768a7a1aefe8bb7
SHA1:	3169e70a2eba65e56b6d13ad329beb2b2e3c794b
SHA256:	ad56dd8d6a82960c2e4272b12fdffc0f4044eea525b319a488eec30ec74b1d19
Tags:	encrypthub-orgexeuser-JAMESWT_MHT
Infos:

Detection

RHADAMANTHYS

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found evasive API chain checking for process token information

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

LGvZDRRknR.exe (PID: 4608 cmdline: "C:\Users\user\Desktop\LGvZDRRknR.exe" MD5: 5577AEDD686307DCC768A7A1AEFE8BB7)

svchost.exe (PID: 3428 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000003.1459418313.0000019E4D980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000002.00000003.1464387974.00000166CD3B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: LGvZDRRknR.exe PID: 4608	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 3428	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.LGvZDRRknR.exe.19e4fe70000.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.3.svchost.exe.166cf8a0000.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.3.svchost.exe.166cf8a0000.5.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.LGvZDRRknR.exe.19e4fe70000.5.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.LGvZDRRknR.exe.19e4fb90000.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.3.svchost.exe.166cf5c0000.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.LGvZDRRknR.exe.19e4fb90000.4.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.3.svchost.exe.166cf5c0000.4.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 3 entries

Sigma Signatures

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LGvZDRRknR.exe", ParentImage: C:\Users\user\Desktop\LGvZDRRknR.exe, ParentProcessId: 4608, ParentProcessName: LGvZDRRknR.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 3428, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LGvZDRRknR.exe", ParentImage: C:\Users\user\Desktop\LGvZDRRknR.exe, ParentProcessId: 4608, ParentProcessName: LGvZDRRknR.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 3428, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T13:25:33.633491+0100	2854802	1	Domain Observed Used for C2 Detected	154.216.20.224	9773	192.168.2.8	49706	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: LGvZDRRknR.exe

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp"}

Multi AV Scanner detection for submitted file

Source: LGvZDRRknR.exe	Virustotal: Detection: 65%			Perma Link
Source: LGvZDRRknR.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: LGvZDRRknR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: kernel32.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467073108.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467573874.00000166CF680000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FD80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466417114.00000166CF7B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1465545200.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467073108.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467573874.00000166CF680000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FD80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466417114.00000166CF7B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1465545200.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_2_00007FF65325BF40 FindFirstFileExW,

0_2_00007FF65325BF40

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_3_0000019E4DBB5BC8 GetLogicalDriveStringsW,QueryDosDeviceW,

0_3_0000019E4DBB5BC8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.20.224:9773 -> 192.168.2.8:49706

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp

Source: global traffic

TCP traffic: 192.168.2.8:49706 -> 154.216.20.224:9773

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.224

Source: svchost.exe, 00000002.00000002.1503153583.0000000A0271B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp
Source: svchost.exe, 00000002.00000003.1490275504.00000166CD5A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 00000002.00000003.1490275504.00000166CD5A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryMachineGuidSOFTWARE

Source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_498be3ad-d

Source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_7e4d83f0-5

Source: Yara match	File source: 0.3.LGvZDRRknR.exe.19e4fe70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.166cf8a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.166cf8a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LGvZDRRknR.exe.19e4fe70000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LGvZDRRknR.exe.19e4fb90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.166cf5c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LGvZDRRknR.exe.19e4fb90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.166cf5c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LGvZDRRknR.exe PID: 4608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3428, type: MEMORYSTR

Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB5FA0 NtQueryInformationProcess,	0_3_0000019E4DBB5FA0
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB8AE0 NtQuerySystemInformation,malloc,NtQuerySystemInformation,K32GetProcessImageFileNameW,	0_3_0000019E4DBB8AE0
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB64C0 NtQuerySystemInformation,NtQuerySystemInformation,GetTokenInformation,CloseHandle,CloseHandle,	0_3_0000019E4DBB64C0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D5FA0 NtQueryInformationProcess,	2_2_00000166CD6D5FA0

Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_00007FF653263908	0_3_00007FF653263908
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB51BC	0_3_0000019E4DBB51BC
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB69D8	0_3_0000019E4DBB69D8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB1500	0_3_0000019E4DBB1500
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB2F00	0_3_0000019E4DBB2F00
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBE4EA	0_3_0000019E4DBBE4EA
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB9B4C	0_3_0000019E4DBB9B4C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB9E98	0_3_0000019E4DBB9E98
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB7FE8	0_3_0000019E4DBB7FE8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBB43C	0_3_0000019E4DBBB43C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB442C	0_3_0000019E4DBB442C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBC5E8D	0_3_0000019E4DBC5E8D
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF65325A4E0	0_2_00007FF65325A4E0
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF653257528	0_2_00007FF653257528
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF65325BD34	0_2_00007FF65325BD34
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF65325773C	0_2_00007FF65325773C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF65325BF40	0_2_00007FF65325BF40
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF653261F88	0_2_00007FF653261F88
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF65325FFD8	0_2_00007FF65325FFD8
Source: C:\Windows\System32\svchost.exe	Code function: 2_3_00000166CD370998	2_3_00000166CD370998
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D69D8	2_2_00000166CD6D69D8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D51BC	2_2_00000166CD6D51BC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D7FE8	2_2_00000166CD6D7FE8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D9E98	2_2_00000166CD6D9E98
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D442C	2_2_00000166CD6D442C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6DB43C	2_2_00000166CD6DB43C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6DE4EA	2_2_00000166CD6DE4EA
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D1500	2_2_00000166CD6D1500
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D2F00	2_2_00000166CD6D2F00
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6D9B4C	2_2_00000166CD6D9B4C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6E93F8	2_2_00000166CD6E93F8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6E4A85	2_2_00000166CD6E4A85
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00000166CD6EA77E	2_2_00000166CD6EA77E

Source: LGvZDRRknR.exe	Binary or memory string: OriginalFilename vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FF06000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FD08000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E50105000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000000.1449310718.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCFF Explorer.exe: vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FD0B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe	Binary or memory string: OriginalFilenameCFF Explorer.exe: vs LGvZDRRknR.exe

Source: LGvZDRRknR.exe	Binary or memory string: FaI O k.h.o.vBP.tV.R.u_t_X_Pt G-~ qoUy_Wc_k_P v
Source: LGvZDRRknR.exe	Binary or memory string: u.C.Ji.rDd_qU q q.q p d.L$_vX v_k: i_fMly.JPf.3 X_tFT.O_k_a_C H f<) F.yc: E_r_P.h P R_qY K.R.y w,v S q O L F j}.ZJ.b_J zF p.L7 KLJ.R_g_a.Q@.a_N.QAD NC nB k a< s_t w c_sQ_e z.i.Q.v.2.7.n[.t_rX.9_lqY/}V W a:F_l nYo R.k x_B Q W.M.b.S_wkM.9.7.s4 K{F_j_L- f_l0 J.SL5Y$_Q.U.s.RL f w.Q.HT.W.Tta0 t TTgz G sk f.9.Fh.K cIlA_Mx.e G.P_y_r_t.c t.a.6_u.FaI O k.h.o.vBP.tV.R.u_t_X_Pt G-~ qoUy_Wc_k_P v.1_q_w_J_xmbg<_r_p.Z`n.x

Source: classification engine

Classification label: mal88.troj.evad.winEXE@3/0@0/1

Source: C:\Windows\System32\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-40bf6037-4e6f-965ae0-f901919f7387}

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LGvZDRRknR.exe	Virustotal: Detection: 65%
Source: LGvZDRRknR.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\LGvZDRRknR.exe "C:\Users\user\Desktop\LGvZDRRknR.exe"
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wudfplatform.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior

Source: LGvZDRRknR.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LGvZDRRknR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LGvZDRRknR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LGvZDRRknR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LGvZDRRknR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LGvZDRRknR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LGvZDRRknR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LGvZDRRknR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: LGvZDRRknR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kernel32.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467073108.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467573874.00000166CF680000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FD80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466417114.00000166CF7B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1465545200.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467073108.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467573874.00000166CF680000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FD80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466417114.00000166CF7B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1465545200.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp

Source: LGvZDRRknR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LGvZDRRknR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LGvZDRRknR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LGvZDRRknR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LGvZDRRknR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: LGvZDRRknR.exe	Static PE information: section name: .textbss
Source: LGvZDRRknR.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_00007FF653263864 push cs; ret	0_3_00007FF6532638C3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_00007FF653268250 pushad ; iretd	0_3_00007FF653268256
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_00007FF65326815E push edi; ret	0_3_00007FF653268164
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_00007FF65326833E push esi; ret	0_3_00007FF653268345
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_00007FF65326853E push eax; retf	0_3_00007FF653268541
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_00007FF653263822 push cs; ret	0_3_00007FF6532638C3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD19C push esi; retf	0_3_0000019E4DBBD1A3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD194 push esi; retf	0_3_0000019E4DBBD19B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD18C push esi; retf	0_3_0000019E4DBBD193
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD16C push ebp; retf	0_3_0000019E4DBBD18B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD1DC push ebp; retf	0_3_0000019E4DBBD1FB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD1D4 push ebp; retf	0_3_0000019E4DBBD1DB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD1B4 push ebp; retf	0_3_0000019E4DBBD1C3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD1AC push esi; retf	0_3_0000019E4DBBD1B3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD1A4 push esi; retf	0_3_0000019E4DBBD1AB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD11C push ebp; retf	0_3_0000019E4DBBD12B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD114 push ebp; retf	0_3_0000019E4DBBD11B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD10C push ebp; retf	0_3_0000019E4DBBD16B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD0E4 push ebp; retf	0_3_0000019E4DBBD10B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD15C push ebp; retf	0_3_0000019E4DBBD16B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD14C push esi; retf	0_3_0000019E4DBBD15B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD144 push ebp; retf	0_3_0000019E4DBBD14B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD12C push ebp; retf	0_3_0000019E4DBBD13B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD09A push ebp; retf	0_3_0000019E4DBBD09B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD084 push edi; retf	0_3_0000019E4DBBD093
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBC0684 push ebp; retf	0_3_0000019E4DBC068B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD26C pushfd ; retf	0_3_0000019E4DBBD2A2
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD264 pushfd ; retf	0_3_0000019E4DBBD2CA
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD0DC push ebp; retf	0_3_0000019E4DBBD0E3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBBD0CC push esi; retf	0_3_0000019E4DBBD0DB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_3_0000019E4DBB3CC4 push E8000098h; ret	0_3_0000019E4DBB3CC9

Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\System32\svchost.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_2-4068

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: LGvZDRRknR.exe	Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: LGvZDRRknR.exe	Binary or memory string: CFF EXPLORER.EXE
Source: LGvZDRRknR.exe	Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXEPROCMON64.EXEVMMAP.EXEVMMAP64.EXEPORTMON.EXEPROCESSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXEWINDBG.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_00000166CD6E711B sldt word ptr [esi]

2_2_00000166CD6E711B

Source: C:\Windows\System32\svchost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-4089

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_2_00007FF65325BF40 FindFirstFileExW,

0_2_00007FF65325BF40

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_3_0000019E4DBB5BC8 GetLogicalDriveStringsW,QueryDosDeviceW,

0_3_0000019E4DBB5BC8

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_3_0000019E4DBB573C GetSystemInfo,

0_3_0000019E4DBB573C

Source: svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: svchost.exe, 00000002.00000002.1503548284.00000166CD413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1503582315.00000166CD45D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: svchost.exe, 00000002.00000002.1503548284.00000166CD413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_2_00007FF65325B6E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF65325B6E8

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_2_00007FF653257108 GetProcessHeap,HeapAlloc,HeapFree,VirtualFree,HeapFree,

0_2_00007FF653257108

Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF6532580D8 SetUnhandledExceptionFilter,	0_2_00007FF6532580D8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF653262520 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF653262520
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF65325B6E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF65325B6E8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe	Code function: 0_2_00007FF653257EF4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF653257EF4

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_2_00007FF653261DD0 cpuid

0_2_00007FF653261DD0

Source: C:\Windows\System32\svchost.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\LGvZDRRknR.exe

Code function: 0_2_00007FF653257DCC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF653257DCC

Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Wireshark.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Procmon.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1459418313.0000019E4D980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1464387974.00000166CD3B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1459418313.0000019E4D980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1464387974.00000166CD3B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LGvZDRRknR.exe	65%	Virustotal		Browse
LGvZDRRknR.exe	32%	ReversingLabs	Win64.Trojan.Rhadamanthys

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cloudflare-dns.com/dns-query	svchost.exe, 00000002.00000003.1490275504.00000166CD5A5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloudflare-dns.com/dns-queryMachineGuidSOFTWARE	svchost.exe, 00000002.00000003.1490275504.00000166CD5A5000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.20.224	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592726
Start date and time:	2025-01-16 13:24:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LGvZDRRknR.exe renamed because original name is a hash value
Original Sample Name:	ad56dd8d6a82960c2e4272b12fdffc0f4044eea525b319a488eec30ec74b1d19.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@3/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 81% Number of executed functions: 56 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
154.216.20.224	MsmxWY8nj7.exe	Get hash	malicious	RHADAMANTHYS	Browse
	rFUdi0G5rK.exe	Get hash	malicious	RHADAMANTHYS	Browse
	hsefawdrthg.exe	Get hash	malicious	RHADAMANTHYS	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	P87unxnF4t4DSrTt43.exe	Get hash	malicious	Remcos	Browse	154.216.16.38
	new.bat	Get hash	malicious	Unknown	Browse	154.216.17.175
	https://caringforyousupport.com.au/Receipt536354.php	Get hash	malicious	WinSearchAbuse	Browse	154.216.17.175
	https://9817157365.com/	Get hash	malicious	Unknown	Browse	160.202.168.107
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	154.216.16.38
	1E3Vcm2yrA.exe	Get hash	malicious	RHADAMANTHYS	Browse	154.216.18.169
	icivfhp7cR.exe	Get hash	malicious	GhostRat	Browse	45.207.211.42
	6.elf	Get hash	malicious	Unknown	Browse	154.211.34.18
	wind.mpsl.elf	Get hash	malicious	Mirai	Browse	154.216.16.103
	wind.arm.elf	Get hash	malicious	Mirai	Browse	154.216.16.103

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.104074500107275
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LGvZDRRknR.exe
File size:	458'752 bytes
MD5:	5577aedd686307dcc768a7a1aefe8bb7
SHA1:	3169e70a2eba65e56b6d13ad329beb2b2e3c794b
SHA256:	ad56dd8d6a82960c2e4272b12fdffc0f4044eea525b319a488eec30ec74b1d19
SHA512:	c36f7d1f5c6e9e7af10a671e8c1f469371dcb2bf3e6e3c1214ef518d3e8285928275d9bd693d496cd3796af89b863a4dd6e03b6760a1ad8d56a653eadb9a34df
SSDEEP:	6144:FpOJNiES3OsC1hgZ7Mj3mshfV1dC405xnBRaF1Tpnypgza8oC6gspgyLoO:FxEECvgZ7Mj3mshfrdC425Hi11ZfA
TLSH:	B6A44A8DB67B4DE6C5DA96FB80758280F1036C90B051C62AE69D9423EDD32D28FD1B3D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................8...................................................x.......x.F.....x.......Rich...........

File Icon


Icon Hash:	100109193979390f

Static PE Info

General

Entrypoint:	0x140007b68
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x645F7B5E [Sat May 13 11:58:22 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7982162fc07c5c56d2743590bfe85e5c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0524F80FA0h
dec eax
add esp, 28h
jmp 00007F0524F80BBFh
int3
int3
dec eax
sub esp, 28h
call 00007F0524F81520h
test eax, eax
je 00007F0524F80D63h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F0524F80D47h
dec eax
cmp ecx, eax
je 00007F0524F80D56h
xor eax, eax
dec eax
cmpxchg dword ptr [00075310h], ecx
jne 00007F0524F80D30h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F0524F80D39h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [000752FBh]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [000752EBh], al
call 00007F0524F81327h
call 00007F0524F81FD2h
test al, al
jne 00007F0524F80D46h
xor al, al
jmp 00007F0524F80D56h
call 00007F0524F83AE9h
test al, al
jne 00007F0524F80D4Bh
xor ecx, ecx
call 00007F0524F81FE2h
jmp 00007F0524F80D2Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000752B0h], 00000000h
mov ebx, ecx
jne 00007F0524F80DA9h
cmp ecx, 01h
jnbe 00007F0524F80DACh
call 00007F0524F81486h
test eax, eax
je 00007F0524F80D6Ah
test ebx, ebx
jne 00007F0524F80D66h
dec eax
lea ecx, dword ptr [0007529Ah]
call 00007F0524F80E06h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x72970	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x81000	0x14e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7f000	0xd8c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x83000	0x2754	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x71970	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x71990	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x220	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11bd0	0x11c00	75b411fdd2335dc974ee48a373125c2f	False	0.5500385123239436	data	6.39234273254032	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.textbss	0x13000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x23000	0x500a8	0x50200	ddfdcf558d032e04e29038497520b5de	False	0.6559727232839313	COM executable for DOS	5.526075047112614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x74000	0xa088	0x9000	d5e5654f6d41ad894530404258a9a3e7	False	0.20570203993055555	data	4.063815026736459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x7f000	0xd8c	0xe00	0559f6ed0bebb86dd2d46ff8f7a216a4	False	0.47572544642857145	data	4.853838093653359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x80000	0xf4	0x200	892ee00c2b30bc0d55f14c1db9a574e2	False	0.298828125	data	1.9622243236400891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x81000	0x14e0	0x1600	69fed712ec0f2f072c0af9917eb9fbf8	False	0.2801846590909091	data	3.9222000644747492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x83000	0x2754	0x2800	77b69bb1067abb8f717ee3a14a964833	False	0.1509765625	data	5.430302131953574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x810f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.2619606003752345
RT_GROUP_ICON	0x82198	0x14	data	English	United States	1.1
RT_VERSION	0x821b0	0x32c	data	English	United States	0.4445812807881773

Imports

DLL

Import

KERNEL32.dll

CloseHandle, HeapAlloc, HeapFree, GetProcessHeap, WaitForSingleObject, CreateEventW, WriteConsoleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, GetCurrentProcess, ExitProcess, TerminateProcess, GetModuleHandleExW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T13:25:33.633491+0100	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	154.216.20.224	9773	192.168.2.8	49706	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:25:32.923044920 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:32.927851915 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:32.927949905 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:32.928080082 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:32.932835102 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:33.588218927 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:33.628691912 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:33.633491039 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:33.832959890 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:33.875536919 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:33.876720905 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:33.881545067 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:34.077810049 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:34.077858925 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:34.077904940 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:34.077965021 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:34.078155041 CET	49706	9773	192.168.2.8	154.216.20.224
Jan 16, 2025 13:25:34.082725048 CET	9773	49706	154.216.20.224	192.168.2.8
Jan 16, 2025 13:25:34.082928896 CET	9773	49706	154.216.20.224	192.168.2.8

Target ID:	0
Start time:	07:25:27
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\LGvZDRRknR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LGvZDRRknR.exe"
Imagebase:	0x7ff653250000
File size:	458'752 bytes
MD5 hash:	5577AEDD686307DCC768A7A1AEFE8BB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.1459418313.0000019E4D980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:25:29
Start date:	16/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000002.00000003.1464387974.00000166CD3B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	35.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	886
Total number of Limit Nodes:	9

Executed Functions

Function 00007FF653257108 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF653257129
HeapAlloc.KERNEL32 ref: 00007FF65325719B

Part of subcall function 00007FF653257268: HeapAlloc.KERNEL32(?,?,00000001,00007FF6532571C9), ref: 00007FF65325728C

HeapFree.KERNEL32 ref: 00007FF6532571F4
VirtualFree.KERNELBASE ref: 00007FF653257230
HeapFree.KERNEL32 ref: 00007FF65325723A

Strings

@MwvjmsssuXdXof|-Oijay8RtZoaKmRSqYEfJR95U8ooEWGNL2yghtGrf1pDTEdEHybyCpYmNtya0OXgJFO2YMIWgFzMb5hOIsb71LurFHqz|rTdaWW|VFn-TqXuCwXFZO6MScUyzkKjjTJPEvdCpCcHon4tRviUUaTRTEZGL9lZfSq19qUkY-6-5jINvihEFHkBNynR|UPNWLa35Ff9xIj-jep0HTbiM3xaO73j454k4P|0SrTQVmav7a7I8zcx5sSQ, xrefs: 00007FF65325713F

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Heap$Free$Alloc$ProcessVirtual
String ID: @MwvjmsssuXdXof|-Oijay8RtZoaKmRSqYEfJR95U8ooEWGNL2yghtGrf1pDTEdEHybyCpYmNtya0OXgJFO2YMIWgFzMb5hOIsb71LurFHqz|rTdaWW|VFn-TqXuCwXFZO6MScUyzkKjjTJPEvdCpCcHon4tRviUUaTRTEZGL9lZfSq19qUkY-6-5jINvihEFHkBNynR|UPNWLa35Ff9xIj-jep0HTbiM3xaO73j454k4P|0SrTQVmav7a7I8zcx5sSQ
API String ID: 3808331028-4183760664
Opcode ID: ffec2f7ca3fda931088bd7f6c107aab2ba0ee423a3ec41db2acfc84ea1e83538
Instruction ID: 831d0deb9e2a29bcb6ceca912fdf037997edc79439264bf28c7fbfb2dbeb1a16
Opcode Fuzzy Hash: ffec2f7ca3fda931088bd7f6c107aab2ba0ee423a3ec41db2acfc84ea1e83538
Instruction Fuzzy Hash: 6A411932715F4199EB10CF65E9812AC73A6FB48F88F488436DA4CA7B18DF38D616C380

Function 0000019E4DBB64C0 Relevance: 7.8, APIs: 5, Instructions: 253nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000019E4DBB6534
NtQuerySystemInformation.NTDLL ref: 0000019E4DBB655B

Part of subcall function 0000019E4DBB5FA0: NtQueryInformationProcess.NTDLL ref: 0000019E4DBB600F

GetTokenInformation.KERNELBASE ref: 0000019E4DBB666B
CloseHandle.KERNELBASE ref: 0000019E4DBB667F
CloseHandle.KERNELBASE ref: 0000019E4DBB6690

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: Information$Query$CloseHandleSystem$ProcessToken
String ID:
API String ID: 2024103940-0
Opcode ID: c3f3c76c8b2be0d7d44dc3ee33c48ea8b0372aa6c5604e5390e5033e47f04c12
Instruction ID: 39884f0567f69306464a44efc432e3976b398e54d39d35a98f6c75c19cf7ffdc
Opcode Fuzzy Hash: c3f3c76c8b2be0d7d44dc3ee33c48ea8b0372aa6c5604e5390e5033e47f04c12
Instruction Fuzzy Hash: CE71C430B18A098FEB94EF68D8657EE73D5FB94340F400529E847CB591EE36EC958782

Function 0000019E4DBB573C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 0000019E4DBB5782

Strings

@, xrefs: 0000019E4DBB57D4
0, xrefs: 0000019E4DBB5754

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID: 0$@
API String ID: 31276548-1545510068
Opcode ID: a88bb02aead4fe52cd93ba064d7017a54b9761c38897babe54b5f79178871d7e
Instruction ID: 3c15993ea5da76fecd4b0f72ecf19e06a82fd4218e15fe3e4b668554569f740a
Opcode Fuzzy Hash: a88bb02aead4fe52cd93ba064d7017a54b9761c38897babe54b5f79178871d7e
Instruction Fuzzy Hash: 2931D53021CF4C8FEB55EB18DCA97AAB3D1F7D4340F548A2AE04AC7580DA65E8848783

Function 0000019E4DBB8AE0 Relevance: 4.6, APIs: 3, Instructions: 137nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000019E4DBB8B38
malloc.MSVCRT ref: 0000019E4DBB8B41
NtQuerySystemInformation.NTDLL ref: 0000019E4DBB8B65

Part of subcall function 0000019E4DBB5FA0: NtQueryInformationProcess.NTDLL ref: 0000019E4DBB600F

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: InformationQuery$System$Processmalloc
String ID:
API String ID: 1267391693-0
Opcode ID: 0766fc6635dd31053b727816442fefa633829422fb4b59d36c68c8cec887e78a
Instruction ID: 63ca2f3b294360867881963ebc0280f59078d6695799f89e7a8ff23b119b5866
Opcode Fuzzy Hash: 0766fc6635dd31053b727816442fefa633829422fb4b59d36c68c8cec887e78a
Instruction Fuzzy Hash: CE31BB7130CA084FEB68F77CDC697B933C5E795311F004029D94AC7592EE25EC438686

Function 0000019E4DBB5BC8 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNELBASE ref: 0000019E4DBB5C1A
QueryDosDeviceW.KERNELBASE ref: 0000019E4DBB5C43

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: DeviceDriveLogicalQueryStrings
String ID:
API String ID: 3173366581-0
Opcode ID: 44ebf3bb3f659db2baf1671957d6035b84d40f7447c0330e21c1dfb288bbfcca
Instruction ID: 7a13413384b10a75cfb42bc04418c5d776b29f9dbc0d1671f2afb37a75cf371b
Opcode Fuzzy Hash: 44ebf3bb3f659db2baf1671957d6035b84d40f7447c0330e21c1dfb288bbfcca
Instruction Fuzzy Hash: 07318271518A488BEB61DB14D898BFA73E2FB94301F40451AE48AC7190EF79ED84C783

Function 0000019E4DBB51BC Relevance: 1.6, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0000019E4DBB52AE

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: b6ed53fab85cf22cf76427c2e966a0a197060846b061c1a52c71d60efdb2ca86
Instruction ID: 2d9b16b1744fbbbb1d473814ce276a27e06ee94c0be8d77a09f26d50396622bc
Opcode Fuzzy Hash: b6ed53fab85cf22cf76427c2e966a0a197060846b061c1a52c71d60efdb2ca86
Instruction Fuzzy Hash: 6A9169316089484BE76CDF28C8A93F977D1F785305F18822ED4DBCB682DA76E5478782

Function 0000019E4DBB5FA0 Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0000019E4DBB600F

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: aedaa32b066cd7baad790dc79b89f0f0aa25ff69fa0ea66035def9c6c87aec9e
Instruction ID: 0e7aaecfcaf4aee8fc1d9cb5347997e3540e7fefdfdb9c197362bd4da14489ce
Opcode Fuzzy Hash: aedaa32b066cd7baad790dc79b89f0f0aa25ff69fa0ea66035def9c6c87aec9e
Instruction Fuzzy Hash: 75018430628A094FEB45EB78D8A4BE677E4F755300F404929A49ACB991EF36E941CB41

Function 0000019E4DBB7E1C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 188registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 0000019E4DBB7EA5
RegCreateKeyExW.KERNELBASE ref: 0000019E4DBB7EDD
RegQueryValueExW.KERNELBASE ref: 0000019E4DBB7F3A
RegSetValueExW.KERNELBASE ref: 0000019E4DBB7FA0
RegCloseKey.KERNELBASE ref: 0000019E4DBB7FBA

Strings

@, xrefs: 0000019E4DBB7F93
@, xrefs: 0000019E4DBB7F2D

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateOpenQuery
String ID: @$@
API String ID: 980562271-149943524
Opcode ID: 62d38529be31c1c4406cadae21aaf7dda888b7df0d9feabcaf499976726d02fa
Instruction ID: 1de93828a0f7ef89887aaa9cd744f16fd8aff3260389f1384328bb1befdf0121
Opcode Fuzzy Hash: 62d38529be31c1c4406cadae21aaf7dda888b7df0d9feabcaf499976726d02fa
Instruction Fuzzy Hash: 62518131608B4C4FE754EF68D8996ABB7D1FB94301F404A2EE48AC3651DF75E8458B82

Function 0000019E4DBB5CF4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 212fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 0000019E4DBB5D36
ReadFile.KERNELBASE ref: 0000019E4DBB5D88
SetFilePointer.KERNELBASE ref: 0000019E4DBB5E29
ReadFile.KERNELBASE ref: 0000019E4DBB5EA3

Strings

PE, xrefs: 0000019E4DBB5DB9
MZ, xrefs: 0000019E4DBB5D96

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: File$Read$CreatePointer
String ID: MZ$PE
API String ID: 4132024448-1102611028
Opcode ID: ed02993aad010b8f0ed0d0dc1b69872bc261ae90b3cbae546a6cddcfd68a01dd
Instruction ID: 222d303221fb5e77a9bfdee0ea3f4b4040d22447329e993cdb0972e50da16512
Opcode Fuzzy Hash: ed02993aad010b8f0ed0d0dc1b69872bc261ae90b3cbae546a6cddcfd68a01dd
Instruction Fuzzy Hash: 7561D930A189484FEB74EF18D8987A9BBD2F798301F508519E48EC79D5DB39ED818783

Function 00007FF6532634D4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF65326353B

Part of subcall function 00007FF6532630F0: VirtualAlloc.KERNELBASE ref: 00007FF653263143
Part of subcall function 00007FF6532630F0: VirtualFree.KERNELBASE ref: 00007FF6532633AB

VirtualAlloc.KERNELBASE ref: 00007FF653263599
VirtualProtect.KERNELBASE ref: 00007FF653263603
VirtualFree.KERNELBASE ref: 00007FF653263645

Strings

,, xrefs: 00007FF65326357A

Memory Dump Source

Source File: 00000000.00000003.1459624139.00007FF653263000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF653263000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ff653263000_LGvZDRRknR.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction ID: 1ddbeb74addc145dd50a19706e3d02927c8c7f5d82d741bc622f0ca9ba827dd5
Opcode Fuzzy Hash: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction Fuzzy Hash: 3951A03061CE095BDB94EF5CD886669B7E1FF88710F14422EE98ED3255DE74E8428BC2

Function 00007FF6532634D4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FF65326353B

Part of subcall function 00007FF6532630F0: VirtualAlloc.KERNELBASE ref: 00007FF653263143
Part of subcall function 00007FF6532630F0: VirtualFree.KERNELBASE ref: 00007FF6532633AB

VirtualAlloc.KERNELBASE ref: 00007FF653263599
VirtualProtect.KERNELBASE ref: 00007FF653263603
VirtualFree.KERNELBASE ref: 00007FF653263645

Strings

,, xrefs: 00007FF65326357A

Memory Dump Source

Source File: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction ID: 25287e939a82960ef8f02a8934ce06c50721c5bb372b7d9d3b2f5f546af8e079
Opcode Fuzzy Hash: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction Fuzzy Hash: 3541B232725A8197DB508F61E60166EB7A1FB48BC8F588035EF8967B58DF3CE456CB00

Function 00007FF6532579F4 Relevance: 7.6, APIs: 5, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF653257A03

Part of subcall function 00007FF653257BB8: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF653257BDA

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF653257A18
__scrt_release_startup_lock.LIBCMT ref: 00007FF653257A86
__scrt_get_show_window_mode.LIBCMT ref: 00007FF653257AD9
__scrt_is_managed_app.LIBCMT ref: 00007FF653257AFC

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
String ID:
API String ID: 4144305933-0
Opcode ID: 239fa3bebcd99b01550fb1fc86b179cf929df85b8219cbec58508aef85af2048
Instruction ID: 687eb320b68b6f1775f89332d787bec9a70de1241638d31b7c319cb3270c11a5
Opcode Fuzzy Hash: 239fa3bebcd99b01550fb1fc86b179cf929df85b8219cbec58508aef85af2048
Instruction Fuzzy Hash: 62317E21EACE4745FA54AB6896933B92293AF41F44F4C4035E60DFF6DBCE6DAB048341

Function 00007FF65325E6A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF65325E6E1
LCMapStringEx.KERNELBASE ref: 00007FF65325E735
LCMapStringW.KERNEL32 ref: 00007FF65325E769

Strings

LCMapStringEx, xrefs: 00007FF65325E6C4, 00007FF65325E6D5

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: String$try_get_function
String ID: LCMapStringEx
API String ID: 1203122356-3893581201
Opcode ID: af8085b891c7a8c85f404577558a79ae226ce3317dbad8c3cde87e2ea14cdc23
Instruction ID: 4df8992adaaa3b1c095ed5796103caeb4ee48184e814eec827d89436def6c84a
Opcode Fuzzy Hash: af8085b891c7a8c85f404577558a79ae226ce3317dbad8c3cde87e2ea14cdc23
Instruction Fuzzy Hash: D0116D3661CB8086D760CB06F5502AAB7A5FBC8F80F084136EE8DA7B19CF3CD5008B40

Function 0000019E4DBB9218 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0000019E4DBB9301
CloseHandle.KERNELBASE ref: 0000019E4DBB93D4
free.MSVCRT ref: 0000019E4DBB93F0

Strings

,, xrefs: 0000019E4DBB9279

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: free$CloseHandle
String ID: ,
API String ID: 4080011421-3772416878
Opcode ID: 19bd0e1f4c380038fc96e62ce33c6398c15e8ead9e9bc0b200304ba1120fbf6f
Instruction ID: 107528cce1ccdf9c794d0e840e92064fe36603e129cad2c6944bf87191d671b1
Opcode Fuzzy Hash: 19bd0e1f4c380038fc96e62ce33c6398c15e8ead9e9bc0b200304ba1120fbf6f
Instruction Fuzzy Hash: 1751F93060CB094FEB54EB68D895BEAB7E1FB85310F00452DE48AC7682DF75E881CB91

Function 00007FF653256DEC Relevance: 4.5, APIs: 3, Instructions: 31
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32 ref: 00007FF653256E03
WaitForSingleObject.KERNEL32 ref: 00007FF653256E19
CloseHandle.KERNELBASE ref: 00007FF653256E4B

Part of subcall function 00007FF653257268: HeapAlloc.KERNEL32(?,?,00000001,00007FF6532571C9), ref: 00007FF65325728C

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: AllocCloseCreateEventHandleHeapObjectSingleWait
String ID:
API String ID: 783827187-0
Opcode ID: 644ddf22212b834a51ea26004649eb9547d4a257742e84c31f5b786d9dd8d01a
Instruction ID: 683292cd43996575d24c3237050432d4d7e5ff710f8249dd32c19d6e2ea8d9b9
Opcode Fuzzy Hash: 644ddf22212b834a51ea26004649eb9547d4a257742e84c31f5b786d9dd8d01a
Instruction Fuzzy Hash: DBF06815F29F4252EB089B66F65257A2292BF48F80F4C9034DE0DFBB54DE3CD5508740

Function 00007FF65325A1B0 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF65325A1AF), ref: 00007FF65325A1D9
TerminateProcess.KERNEL32(?,?,?,00007FF65325A1AF), ref: 00007FF65325A1E4
ExitProcess.KERNEL32 ref: 00007FF65325A1F3

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8abf4a66fd6ec3af08326f29549bedd682d7d032cbb87afc8a756cf6b92e9c95
Instruction ID: 130dc118427620dcd036c35cf87c8929bc011e039a8f1442c717e367f2c21b38
Opcode Fuzzy Hash: 8abf4a66fd6ec3af08326f29549bedd682d7d032cbb87afc8a756cf6b92e9c95
Instruction Fuzzy Hash: 0BE04F20B24B4182EA146B619E973792393BF88F51F088438C90EF6366CE7DE5488741

Function 0000019E4DBB771C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

NJI@, xrefs: 0000019E4DBB7759

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID: NJI@
API String ID: 0-1894075864
Opcode ID: d45665fd503c042bbd1cddf3e76509b083df421fb529cf4e6337dc35805fb2d8
Instruction ID: f5ea887e4bf55f32ecc88af26e278d0e0e7ef854e44250aceea9847d17774d4e
Opcode Fuzzy Hash: d45665fd503c042bbd1cddf3e76509b083df421fb529cf4e6337dc35805fb2d8
Instruction Fuzzy Hash: A0E12A7051C7D48BD775DB29D8A53EBBBE0EB89702F00492EE8CAC2291DB349545CB83

Function 00007FF65325C8E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32 ref: 00007FF65325C922

Strings

, xrefs: 00007FF65325C967

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3f71224608e4c15853494aec550443e5827c5ec106aa102962dece8a9ab28ad8
Instruction ID: 951dcfe4a6d93cfcf4e89fcae17ab361c1dd84edd9a89f64302fef2631e387ee
Opcode Fuzzy Hash: 3f71224608e4c15853494aec550443e5827c5ec106aa102962dece8a9ab28ad8
Instruction Fuzzy Hash: AD51E832A2DAD186E720CF24D1853AD7BA1F748F44F584135D68DABA89DF3CD645CB80

Function 00007FF65325E48C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF65325E4AF

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 00007FF65325E495, 00007FF65325E4A8

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: try_get_function
String ID: AppPolicyGetProcessTerminationMethod
API String ID: 2742660187-2031265017
Opcode ID: 6263c985e4631a55b9a67bd19f886454219f1b2fdfa876558e5a5be93dbd6e19
Instruction ID: 3dc867c132a5fc4cdda4b756d63a6425db13fde77eb789e4c63cd8f33019482e
Opcode Fuzzy Hash: 6263c985e4631a55b9a67bd19f886454219f1b2fdfa876558e5a5be93dbd6e19
Instruction Fuzzy Hash: 4BE04F51E29D1691FE1447A1A9621F01256AF08BB0F4C4331DA3CBF3D49E2CA9948300

Function 0000019E4DBB8234 Relevance: 3.4, APIs: 2, Instructions: 392fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 0000019E4DBB84D7
MapViewOfFile.KERNELBASE ref: 0000019E4DBB84FC

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: File$CreateMappingView
String ID:
API String ID: 3452162329-0
Opcode ID: c601f1478ab9137d9275349cd9da242e2fbd05faee214597b51a1edf8909ebdf
Instruction ID: 28b3121dc24c396d5eb30ac77a6d5ea255746709d9552efb1ec8894abca8e0f9
Opcode Fuzzy Hash: c601f1478ab9137d9275349cd9da242e2fbd05faee214597b51a1edf8909ebdf
Instruction Fuzzy Hash: C5C1D630618B084FEB59EF28D8957EA77D1FB94300F50462EE48AC7696EF35E8428781

Function 0000019E4DBB8624 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 0000019E4DBB882E

Strings

!RHY, xrefs: 0000019E4DBB8719

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: !RHY
API String ID: 2962429428-2095432132
Opcode ID: 5659b273bb457ee165c724c5c9c0f327e16e2d5a38eceb2e111579f9ff9e501c
Instruction ID: 07966c51a86383cc8553d8ac7c0b8ea62ad2c497c26bff3eefeb4e4276168a70
Opcode Fuzzy Hash: 5659b273bb457ee165c724c5c9c0f327e16e2d5a38eceb2e111579f9ff9e501c
Instruction Fuzzy Hash: C5A19235118B498FEB69EF29C8A57EA77E1FB95304F04051DE8C6CB592EB31E881C742

Function 00007FF65325CDBC Relevance: 3.2, APIs: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF65325C7D0: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF65325CAF4,?,?,?,?,00000000,?,?,00007FF65325CD92), ref: 00007FF65325C7FA

IsValidCodePage.KERNEL32(?,00000000,?,?,00000000,00000001,?,00007FF65325CBA7,?,?,?,?,00000000,?,?,00007FF65325CD92), ref: 00007FF65325CE27
GetCPInfo.KERNEL32(?,00000000,?,?,00000000,00000001,?,00007FF65325CBA7,?,?,?,?,00000000,?,?,00007FF65325CD92), ref: 00007FF65325CE73

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8a3f489a8328c28afbf6ceda6e6246556f8b933230f98b1c11e8daba2fcfd524
Instruction ID: 76514061b4c798a9076a6b564935e8ab56152cf0877466b3f9b73f6227f54044
Opcode Fuzzy Hash: 8a3f489a8328c28afbf6ceda6e6246556f8b933230f98b1c11e8daba2fcfd524
Instruction Fuzzy Hash: BE811663A2DA9296F7258F25D61217977A3AB40F40F4C4036D68EFB698EE3CE641C700

Function 0000019E4DBB973C Relevance: 3.1, APIs: 2, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000019E4DBBC3FC: RtlAddFunctionTable.KERNEL32 ref: 0000019E4DBBC429

Part of subcall function 0000019E4DBBC440: VirtualFree.KERNELBASE(?,?,?,?,?,?,?,0000019E4DBB97CF), ref: 0000019E4DBBC4D8

SetErrorMode.KERNELBASE ref: 0000019E4DBB9834
VirtualProtect.KERNELBASE ref: 0000019E4DBB9852

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: Virtual$ErrorFreeFunctionModeProtectTable
String ID:
API String ID: 3431440644-0
Opcode ID: c558a3bee63eb8d82cfee7bb6036631f102c00f5edc4b5b2d839b26d2bc08f01
Instruction ID: 48b9964f4e9cecdf783d00345bf302a7590b4b67c172ee0476dff5ceb0f7c505
Opcode Fuzzy Hash: c558a3bee63eb8d82cfee7bb6036631f102c00f5edc4b5b2d839b26d2bc08f01
Instruction Fuzzy Hash: A631A630218A484BEF45FB29D8A5BE973D5FB95340F500519F44ACB697DE25E980C782

Function 0000019E4DBB4888 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE ref: 0000019E4DBB48BF
GetTokenInformation.KERNELBASE ref: 0000019E4DBB4900

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 0588b5df070fd58e483b9259e8b7792c754254eeb870b8f27a2360e8991485ad
Instruction ID: 85ff034cfca8023b5d6441a1fb07e81db32d1ffba678769067c7bcbb2d91680b
Opcode Fuzzy Hash: 0588b5df070fd58e483b9259e8b7792c754254eeb870b8f27a2360e8991485ad
Instruction Fuzzy Hash: B2118630208A498FDB44EF64D8D8A6AB7E2FBD4306F14492DE5C6C7268DF34E945CB42

Function 00007FF653257910 Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_fmode.LIBCMT ref: 00007FF653257927
_RTC_Initialize.LIBCMT ref: 00007FF653257948

Part of subcall function 00007FF653259B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF653259B52

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: f1733bcbe296f5e8f0a18ef71bd53c77051ff89a7b50ea6f0b86fdeadd363ee0
Instruction ID: 3952cca5bfd3a6bf3191b44e41a5fe3469b4f993db0725d448558b9df9fbe806
Opcode Fuzzy Hash: f1733bcbe296f5e8f0a18ef71bd53c77051ff89a7b50ea6f0b86fdeadd363ee0
Instruction Fuzzy Hash: 8A119D10EE8A4341FA0573B946972B822834F55B40F4C0474E60DFE2DBEE2CBB4147A2

Function 00007FF65325B9DC Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF65325DB68,?,?,?,00007FF65325DBAB,?,?,?,00007FF65325E100,?,?,?,00007FF65325E033), ref: 00007FF65325B9F2
GetLastError.KERNEL32(?,?,?,00007FF65325DB68,?,?,?,00007FF65325DBAB,?,?,?,00007FF65325E100,?,?,?,00007FF65325E033), ref: 00007FF65325BA04

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: c1b03068c222eda05010605960278460d8367b9c334bb969e5d38d61d6c62628
Instruction ID: e01eac42e75a955abd6734672d9c3af84b61686b56f596542779fe16bf299d9b
Opcode Fuzzy Hash: c1b03068c222eda05010605960278460d8367b9c334bb969e5d38d61d6c62628
Instruction Fuzzy Hash: 2EE08C10E29D0342FF19ABF29A0727816D37F55F41F0C4030C90DFA256EE2CA5814381

Function 00007FF6532630F0 Relevance: 2.7, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF653263143
VirtualFree.KERNELBASE ref: 00007FF6532633AB

Memory Dump Source

Source File: 00000000.00000003.1459624139.00007FF653263000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF653263000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ff653263000_LGvZDRRknR.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction ID: 32a600ee22e90c925f1c2977e337a2de58638fcf1dffde85eeec62883512b08e
Opcode Fuzzy Hash: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction Fuzzy Hash: 0091A27061CB818FD3A0CB58C585A2ABBE1FF89708F58096DF5C9E7291DB35E9409B06

Function 00007FF6532630F0 Relevance: 2.7, APIs: 2, Instructions: 169
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FF653263143
VirtualFree.KERNELBASE ref: 00007FF6532633AB

Memory Dump Source

Source File: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction ID: 13fd1aed22e76028b3a354959b57157765621674625b35a7db0b4b1e76ee5132
Opcode Fuzzy Hash: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction Fuzzy Hash: AA81C47252CA818BD360CB19E58162ABBB1FB89B48F180125F7CAD7B58DF3DD9509F00

Function 0000019E4DBB8C08 Relevance: 1.7, APIs: 1, Instructions: 157processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000019E4DBB8CE8

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2cfda130ca864b08787e99a1628f67eedfe46d1a9f14ab55541b67a143a70abc
Instruction ID: a2ee4c3b95c01dde7d0503dacff9e6fcbf9e505cf472e5e10c4b38dd3e07aee4
Opcode Fuzzy Hash: 2cfda130ca864b08787e99a1628f67eedfe46d1a9f14ab55541b67a143a70abc
Instruction Fuzzy Hash: 6251A370608B088FF7A5DF29C8993EAB7E5FB94301F40092EA18AC7560DB35D540CB06

Function 00007FF65325A0F4 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF65325A113

Part of subcall function 00007FF65325A1FC: GetModuleHandleExW.KERNEL32 ref: 00007FF65325A218
Part of subcall function 00007FF65325A1FC: GetProcAddress.KERNEL32 ref: 00007FF65325A22E
Part of subcall function 00007FF65325A1FC: FreeLibrary.KERNEL32 ref: 00007FF65325A24B

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 436df6279ab1ad4208babf28b275d30338b82d574ca1079f460148a5cab02ddc
Instruction ID: 821eb7017e83bc374983f81e008a4b61981efc8498166ab9a559141837e60920
Opcode Fuzzy Hash: 436df6279ab1ad4208babf28b275d30338b82d574ca1079f460148a5cab02ddc
Instruction Fuzzy Hash: 9E214131A24B01C9EB518F64D5462AC36E1EB48B08F488536D61DA6B89EF38DA85CB80

Function 00007FF65325D510 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF65325D53B

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e9b6c901bd1bfc25192b9065b744bd2d6ffe4659ed36b92da970d31d47d2e5a5
Instruction ID: 6d508443fc73c327d793b4d117255169438254a85c539923fb9bd59d1e6bf7d9
Opcode Fuzzy Hash: e9b6c901bd1bfc25192b9065b744bd2d6ffe4659ed36b92da970d31d47d2e5a5
Instruction Fuzzy Hash: BC116D32938E8292F3109F14A64216963A6FF80F44F5D0534E65DFB6AACE3CFA118B00

Function 0000019E4DBBC54C Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000019E4DBBC5A3

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0ef85e6c49b167f6fa9e03bb0202aec9cadee554545795ea33251ab7e92968d2
Instruction ID: 8359ca55a058ac12445a5f734b4795de5d823166e03fbd45b0a7122eaaf3582a
Opcode Fuzzy Hash: 0ef85e6c49b167f6fa9e03bb0202aec9cadee554545795ea33251ab7e92968d2
Instruction Fuzzy Hash: 1F01C830324A084FEB54EB39C4567FA73D5F755305F50446AA48EC7182EA25D984C742

Function 0000019E4DBBC3FC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 0000019E4DBBC429

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: 36ebb8551405ab402fb9baea8a3cc074c161fc2652fbf5a3c18d23fc79acd59a
Instruction ID: 15f8fd5b7751e02467d013b4f6c044c09437479e3d9da04708722429da8e2635
Opcode Fuzzy Hash: 36ebb8551405ab402fb9baea8a3cc074c161fc2652fbf5a3c18d23fc79acd59a
Instruction Fuzzy Hash: B3E012342114055BEB68DA2DC81D3E036D0E798316FA042799800CA691DB7AD5D7CA51

Function 00007FF65325F104 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF653260C00: DeleteCriticalSection.KERNEL32 ref: 00007FF653260C72

DeleteCriticalSection.KERNEL32 ref: 00007FF65325F135

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 7bcac3c0ea3a519472b539998a5f002ef6a9cfb3e342372b578a8f479b40e683
Instruction ID: 9776357b65f308b099219f253c13073284cfa6864edcf2c5ba2ee942f8203e04
Opcode Fuzzy Hash: 7bcac3c0ea3a519472b539998a5f002ef6a9cfb3e342372b578a8f479b40e683
Instruction Fuzzy Hash: 8BF0C965E3CD0A91FB10ABAAEA977781262FF98F44F080132C90EF66568E2CE4548355

Function 0000019E4DBB50CC Relevance: 1.4, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 0000019E4DBB50F1

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 121c78d1b2291ac724d62adec3f01ff2ea2d670a96f5b98f5ad1c622ad2bd052
Instruction ID: a66c77041a84c18dd7e1995494e39e7ead7817234318315b049201956b30c5f7
Opcode Fuzzy Hash: 121c78d1b2291ac724d62adec3f01ff2ea2d670a96f5b98f5ad1c622ad2bd052
Instruction Fuzzy Hash: D3315A30618D580BF71D873C497E3F17BC1E7DA321F18916DE99ACB693DC1688878282

Function 0000019E4DBBC440 Relevance: 1.4, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,0000019E4DBB97CF), ref: 0000019E4DBBC4D8

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: d45755ac3fc1b299357fa248614e5cf9831b05787f0c9c72564af89a9d49d463
Instruction ID: cd3b5fa64bc58aae13e93af466b72c9e5ab9750b17e12b6447646a16044c8e30
Opcode Fuzzy Hash: d45755ac3fc1b299357fa248614e5cf9831b05787f0c9c72564af89a9d49d463
Instruction Fuzzy Hash: 3631A130218A094FEB99EF29D4A5BB273E1FB58301F104169D85EC76A6DA34E981CB80

Function 0000019E4DBB3BC8 Relevance: 1.3, APIs: 1, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE ref: 0000019E4DBB3BF0

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: c6a7c236d73697e4ca57ed050e55d544e6cacc2476fd745c83e7f6659eda1179
Instruction ID: 0e843b42938c8856cda52ad80b61942837e7c04b8211a1a53852f4f343956583
Opcode Fuzzy Hash: c6a7c236d73697e4ca57ed050e55d544e6cacc2476fd745c83e7f6659eda1179
Instruction Fuzzy Hash: 0F21B630714E084FFBA5EB78EC697E67AD5EB94300F4482659007C76BAEE35D8418740

Function 00007FF65325B964 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF65325B5B1,?,?,?,00007FF65325AC99,?,?,?,?,00007FF65325A2FC), ref: 00007FF65325B9B9

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 2fa2389c0e6e9327576ae7230ec2cc57d74a542498994a459ab26bdb30104447
Instruction ID: 9a61fd5de17d0f6f7609276e05635af863fe7a9d328494d08fe50f9dfa118a75
Opcode Fuzzy Hash: 2fa2389c0e6e9327576ae7230ec2cc57d74a542498994a459ab26bdb30104447
Instruction Fuzzy Hash: 91F06D10B29E0385FE5556A69B533B942835F4AF81F0C0431C90EFE3C9EF2CE6818710

Non-executed Functions

Function 00007FF653257EF4 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF653257F10
RtlCaptureContext.KERNEL32 ref: 00007FF653257F3D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF653257F57
RtlVirtualUnwind.KERNEL32 ref: 00007FF653257F98
IsDebuggerPresent.KERNEL32 ref: 00007FF653257FEC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF65325800D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF653258018

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 866be03042ca6db609d6d6c9d9f612a5714b5306a720e10fa52876f15e66aca7
Instruction ID: 64284104b5c817488e90907c1a91205810c39decb9265a297c11cf1b38323083
Opcode Fuzzy Hash: 866be03042ca6db609d6d6c9d9f612a5714b5306a720e10fa52876f15e66aca7
Instruction Fuzzy Hash: 08317072618F8185EB608F64E8413ED3365FB84B44F48443ADB8EA7B98DF78C648C700

Function 00007FF65325B6E8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF65325B761
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF65325B779
RtlVirtualUnwind.KERNEL32 ref: 00007FF65325B7B4
IsDebuggerPresent.KERNEL32 ref: 00007FF65325B7ED
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF65325B7F7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF65325B802

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 92314791a8202e474ce6d4a06551fc34d1176fb1df1a7637a0ecde0531b1dbdc
Instruction ID: 7a22d3ea3498e72ef6f079d7ef3b72307b6898b21ee2af3d9b1c900a9e4a19c7
Opcode Fuzzy Hash: 92314791a8202e474ce6d4a06551fc34d1176fb1df1a7637a0ecde0531b1dbdc
Instruction Fuzzy Hash: 6A319332628F8185DB20CF24E8412AE73A5FB85B54F580135EA8DA7B59DF3CC545CB00

Function 00007FF65325FFD8 Relevance: 7.8, APIs: 5, Instructions: 321fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00007FF653260047
WriteFile.KERNEL32 ref: 00007FF6532602F1
WriteFile.KERNEL32 ref: 00007FF653260343
GetLastError.KERNEL32 ref: 00007FF653260485
GetLastError.KERNEL32 ref: 00007FF653260497

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ErrorFileLastWrite$Console
String ID:
API String ID: 786612050-0
Opcode ID: db6ca6b514bfe6baef9fddffd6db4cfc884628c61a9ff2263a5caefbfa7906c6
Instruction ID: 00a1400ba73aa9a154ed989904f24fbc877f400eb4119a45d933499317272c5d
Opcode Fuzzy Hash: db6ca6b514bfe6baef9fddffd6db4cfc884628c61a9ff2263a5caefbfa7906c6
Instruction Fuzzy Hash: 78D1E222B2CE819AE710CB64D6461ED7772FF45B98F588136CE4EA7B89DE38D116C301

Function 0000019E4DBB69D8 Relevance: 3.7, Strings: 2, Instructions: 1185COMMON

Download Yara Rule

Strings

,, xrefs: 0000019E4DBB72E6
,, xrefs: 0000019E4DBB6D5D

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID: ,$,
API String ID: 1778838933-220654547
Opcode ID: 4c387455b2af8135f36f68a1ca485273673d810924601f1bbfd7e8c304cd2754
Instruction ID: adc1b9077186616b94bf9fc39063a96888c1f77cb9c71b8ba7fb60103536c90b
Opcode Fuzzy Hash: 4c387455b2af8135f36f68a1ca485273673d810924601f1bbfd7e8c304cd2754
Instruction Fuzzy Hash: F1929430618B088FEB64EF28C8A57DA77E1FB98300F50452DD49AC7696DF35E895CB81

Function 00007FF65325BD34 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF65325BD64

Part of subcall function 00007FF65325B91C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF65325B8F9), ref: 00007FF65325B925
Part of subcall function 00007FF65325B91C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF65325B8F9), ref: 00007FF65325B94A

Strings

*?, xrefs: 00007FF65325BD8B

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *?
API String ID: 4036615347-2564092906
Opcode ID: 51477899b79fb47b87869779adb4ace668866ceb80847e12acdeea9d772a1225
Instruction ID: 2d45d591d171c857792ee19d181d8de5c6fa7faff4102c69695a63768b390d43
Opcode Fuzzy Hash: 51477899b79fb47b87869779adb4ace668866ceb80847e12acdeea9d772a1225
Instruction Fuzzy Hash: F051C162B25A5585EB14CFA29A024B927A2FB49FD8B484531EE0DFBB89DE3CD1418340

Function 00007FF653261F88 Relevance: 1.7, APIs: 1, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6532621D7

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 0ceb5e61b71821e81b188c088855a588cd171ed6931056397d73a61dc39e5b5f
Instruction ID: 27463a89846b9947a225c5f2377b40377630705ff329ec0f19ecfd45ca9136bc
Opcode Fuzzy Hash: 0ceb5e61b71821e81b188c088855a588cd171ed6931056397d73a61dc39e5b5f
Instruction Fuzzy Hash: 0B814B77614B888BEB14CF2AC98626C37A1F784F88F198926DB5D97B65CF39D411CB00

Function 00007FF65325BF40 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6836701275aafd8b1cabdcc40aa850f7b4da2566d228798606ea532f21202f1a
Instruction ID: 45d9b0616ecc893ae20b8d16f1e15b174bd441c3c45ae36cb608e73780ca4d5c
Opcode Fuzzy Hash: 6836701275aafd8b1cabdcc40aa850f7b4da2566d228798606ea532f21202f1a
Instruction Fuzzy Hash: 7F51C722B28A9144F7209BB1AA011AD7BA2AB41FD4F184134EE5CFBB9DDF3CD601C700

Function 00007FF653263908 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

+Y0+, xrefs: 00007FF65326399B

Memory Dump Source

Source File: 00000000.00000003.1459624139.00007FF653263000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF653263000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ff653263000_LGvZDRRknR.jbxd

Similarity

API ID:
String ID: +Y0+
API String ID: 0-1189096879
Opcode ID: 218b495827ca7c54a9fc59e174d4ab4579c6e9ea616ffb3175963a6b010a9a00
Instruction ID: 3788f091c7b6694e8cad421b94a094097fcbc1f4bfba89376f48ae93237fdbde
Opcode Fuzzy Hash: 218b495827ca7c54a9fc59e174d4ab4579c6e9ea616ffb3175963a6b010a9a00
Instruction Fuzzy Hash: 0221782541CAC68ED7178B7085662F1BFA1EF2B72474D42EEC8C5BF4A3CE14A589CB41

Function 0000019E4DBB1500 Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592b38f4438cea4cf337e753e2db7cefb672f16d4af3ebf565df486e865be0ee
Instruction ID: 76603bc4b733aded9489053e41ee8eb6321210030e03ee1a28c38b70461a60f4
Opcode Fuzzy Hash: 592b38f4438cea4cf337e753e2db7cefb672f16d4af3ebf565df486e865be0ee
Instruction Fuzzy Hash: 002201301182954AFB2DCE28C4B53F13BC1EB16784F38225DC9D7CBACBD61AA5878761

Function 0000019E4DBB2F00 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7508843e0d615cd037e1ec8aa7846b8b8c4448116137d463d462d581942205d
Instruction ID: 8a45a52a3980911b5cb360f717eb43a67fefb6cca24dd72dae3da2747caa81c8
Opcode Fuzzy Hash: f7508843e0d615cd037e1ec8aa7846b8b8c4448116137d463d462d581942205d
Instruction Fuzzy Hash: C6124B2075892407EF1D952CDDAA3B832C2E7C6706F34523DDDC7CAACAE825A5D385C6

Function 0000019E4DBC5E8D Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBC3000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbc3000_LGvZDRRknR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbb85bda6a6d3dd5ee5953f0580abf93674f5719b56cdfbae0f4718f3bb060b
Instruction ID: 32a44c4091090ffcb6cf0e92511f7bea4697fbdbad84ee94a5247b92ddc364c2
Opcode Fuzzy Hash: abbb85bda6a6d3dd5ee5953f0580abf93674f5719b56cdfbae0f4718f3bb060b
Instruction Fuzzy Hash: 6F6247A284E7C29FD7138B344CBA584BFB06E2320475D85DFC4C18B4E3E249A59AD767

Function 0000019E4DBBE4EA Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797df2cedfabb869314ed1f4ac931f8eeee31d501798fc51958b84dd5215fa50
Instruction ID: a9edff38569c239547680cd4b98cac7132156d30e163517e359a0179e1e5ef7c
Opcode Fuzzy Hash: 797df2cedfabb869314ed1f4ac931f8eeee31d501798fc51958b84dd5215fa50
Instruction Fuzzy Hash: 270202B540E3C19FD3438B7498666A27FB0AF57228F1E44DBD0C0CF4A3E25A595AC762

Function 0000019E4DBB442C Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9261f8b8e9694e0a8479e5c14b2830bf4b544d366d584ad6239926d060a962b8
Instruction ID: 980fe433f8eb76d7935feb81cd8dbc6a291f20ea77343861bcc520dbc82773ce
Opcode Fuzzy Hash: 9261f8b8e9694e0a8479e5c14b2830bf4b544d366d584ad6239926d060a962b8
Instruction Fuzzy Hash: 03919371A6C7444BD35CCE188C861BAB3D5F7C6615F14993DF9CBC3302EA71A9078A8A

Function 0000019E4DBB9B4C Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356e6471059c677381a8d4f160265ca8de49ce574f383b9f47665d3e9aff44bf
Instruction ID: f72e7b10c243f617fd9bf4b4581bcf636e84827b92a6312fecc6b958b814ba92
Opcode Fuzzy Hash: 356e6471059c677381a8d4f160265ca8de49ce574f383b9f47665d3e9aff44bf
Instruction Fuzzy Hash: 0AA18FB26687448BD35CDE1CDC826B6B3D5FB8A319F14457DE4CBC3202DA34E8478A86

Function 0000019E4DBB7FE8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62674bb4faf6148342de82c0aadfe89672515f6c39a02a5ebf49a255dd0d18c
Instruction ID: bcd0223f86995ea7c8ea9efa7c08d07a440c7e83bebd5bae5b28f61108a09bc8
Opcode Fuzzy Hash: c62674bb4faf6148342de82c0aadfe89672515f6c39a02a5ebf49a255dd0d18c
Instruction Fuzzy Hash: 36614A3011CE884FEB19E728C4AA7EBB7D1FB95340F54465DE0CACB6C3C92A9546C782

Function 00007FF653257528 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa43ce0f4feb11b20e95fdff20379b252657e24bcece3fde911b7ad23ea21cec
Instruction ID: e7e467b3db4c2e040106c7a1df812751d6a63955f5cff1f15a3f9bb294d71f58
Opcode Fuzzy Hash: fa43ce0f4feb11b20e95fdff20379b252657e24bcece3fde911b7ad23ea21cec
Instruction Fuzzy Hash: 1951D2233241E05FC31DCB3D5865AAC7FE0E346745748816EEBEAD7B86CA28C525CB60

Function 0000019E4DBB9E98 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442b0520738e8f0b26db511281fac152362a0c0e853cfc2e2b038376264e2d07
Instruction ID: cd1eaad17ff46548b806e77bda3982e560b6c9821c5c5ac747b47450a3ba3b52
Opcode Fuzzy Hash: 442b0520738e8f0b26db511281fac152362a0c0e853cfc2e2b038376264e2d07
Instruction Fuzzy Hash: 1241EB30714A494FEB4DDB2C88D46947BD1EBAA350B4442A9EC85CF387C955E9C5C3D1

Function 0000019E4DBBB43C Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019E4DBB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_19e4dbb1000_LGvZDRRknR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ba9de3489d05dab766f769ae025e8c9fb5e1c683365a82b08a93de145879e4
Instruction ID: 668d97596fb688b458b3e77dcb2c48bd7480450eaf31062bedef48e698cf145d
Opcode Fuzzy Hash: 92ba9de3489d05dab766f769ae025e8c9fb5e1c683365a82b08a93de145879e4
Instruction Fuzzy Hash: 43418D1521DAC59EC70ACF6C4490495FFB0EBAA100B0C93DEE8D9CB747C504EA5AC7B6

Function 00007FF65325A4E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 935d9796c0ab89579dd41d7d8fd556ea29ca1a6acacaf12adb6291f02dc1edf0
Instruction ID: 7ba9b62e001825d782e5f4e080af07865a48edb732a947ed96752f39260fffc0
Opcode Fuzzy Hash: 935d9796c0ab89579dd41d7d8fd556ea29ca1a6acacaf12adb6291f02dc1edf0
Instruction Fuzzy Hash: 7441C422724E5582EF14CF2ADA165A973A2EB48FD4B4D9032DE0DE7B68DF3CD5428300

Function 00007FF65325773C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a6a44aff934139ad9a1fb715060cbbe27b3874ad12273d2e667d4a4a246391
Instruction ID: 9f82436b26ad94ff40c0db870f9a62c230ba06fa0173cb4a0ada3cbe1e7d95cb
Opcode Fuzzy Hash: 47a6a44aff934139ad9a1fb715060cbbe27b3874ad12273d2e667d4a4a246391
Instruction Fuzzy Hash: 6C41D9A36181F00AD369C739946567DBFE0E38A742B48C26AE7F6D3641DA2DC154DF20

Function 00007FF653261DD0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1206e746778deb0b5de4a473d980ed55b3792267bf1f78954bf82af1fd3547f
Instruction ID: 65f9683c466587398bd6de6f515f9f2c4864a80a0a61c1f6a7b48b3f7791481d
Opcode Fuzzy Hash: e1206e746778deb0b5de4a473d980ed55b3792267bf1f78954bf82af1fd3547f
Instruction Fuzzy Hash: A0F068B27286569ADB988F2DA543A2977D1E7087C0F548079D59DD3F04DA7DD0508F04

Function 00007FF6532580D8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1fe4e2c1d85120937412dfebf78693a02543a8d43fa79386b8869577f883b1
Instruction ID: a71ee4055e153e7248c5cabfa7cb374f74e6c3f57a231a8f3762bcea854fedd8
Opcode Fuzzy Hash: ed1fe4e2c1d85120937412dfebf78693a02543a8d43fa79386b8869577f883b1
Instruction Fuzzy Hash: 3EA00223A3CD02E0E6058B40EA530712332FB50B00B484035C14EF58649F7CA588C340

Function 00007FF6532591A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF653259452,?,?,?,00007FF65325914C,?,?,?,?,00007FF653258E75), ref: 00007FF653259225
GetLastError.KERNEL32(?,?,?,00007FF653259452,?,?,?,00007FF65325914C,?,?,?,?,00007FF653258E75), ref: 00007FF653259233
LoadLibraryExW.KERNEL32(?,?,?,00007FF653259452,?,?,?,00007FF65325914C,?,?,?,?,00007FF653258E75), ref: 00007FF65325925D
FreeLibrary.KERNEL32(?,?,?,00007FF653259452,?,?,?,00007FF65325914C,?,?,?,?,00007FF653258E75), ref: 00007FF6532592A3
GetProcAddress.KERNEL32(?,?,?,00007FF653259452,?,?,?,00007FF65325914C,?,?,?,?,00007FF653258E75), ref: 00007FF6532592AF

Strings

api-ms-, xrefs: 00007FF653259245

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: f9fb28405466ef4016bc7bb57987e5a93f308f2527159685e7e75f0347abac11
Instruction ID: f36032eace3090aa25d0f3c9b7c8c3f012f6b23ae044bbde1f7dc37315a1524c
Opcode Fuzzy Hash: f9fb28405466ef4016bc7bb57987e5a93f308f2527159685e7e75f0347abac11
Instruction Fuzzy Hash: 3B31F221A2AE4291EE559B42AA0267533A6BF44F60F5D0531DD1DFE788EF3CE5418B40

Function 00007FF6532618CC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6532618FD
GetLastError.KERNEL32 ref: 00007FF653261909
CloseHandle.KERNEL32 ref: 00007FF653261921
CreateFileW.KERNEL32 ref: 00007FF65326194C
WriteConsoleW.KERNEL32 ref: 00007FF65326196B

Strings

CONOUT$, xrefs: 00007FF65326192D

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5d446efe2059f588e9a3296a00c0336dd5d25f3d25fac0b3af3c51d241e68a46
Instruction ID: 0f164160996b4891af1f11c949da8b2252510f2550055c9c1524a434e75873cc
Opcode Fuzzy Hash: 5d446efe2059f588e9a3296a00c0336dd5d25f3d25fac0b3af3c51d241e68a46
Instruction Fuzzy Hash: 7511B221B38E4186E7508B52E94532972A2FF89FE4F084234EA5EF7794CF7CE9058780

Function 00007FF65325A1FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF65325A218
GetProcAddress.KERNEL32 ref: 00007FF65325A22E
FreeLibrary.KERNEL32 ref: 00007FF65325A24B

Strings

mscoree.dll, xrefs: 00007FF65325A20F
CorExitProcess, xrefs: 00007FF65325A227

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 01ca4526c88355b9b1f6946c4f365fa24010f7a3ceb21ed50fe90abc5e3517f0
Instruction ID: 5668c73ad0d27f326958c78b30c33c3d10e6ecf5661b4cefc845f24e65a45b70
Opcode Fuzzy Hash: 01ca4526c88355b9b1f6946c4f365fa24010f7a3ceb21ed50fe90abc5e3517f0
Instruction Fuzzy Hash: B2F03A61A39E4281EF455BA1E99737523A2BF98F40F081035DA0FF9664DF2CD9988340

Function 00007FF653260924 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF653260965
GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00007FF6532608E3,00000000,?,?,00007FF65325EF5F), ref: 00007FF653260A24
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00007FF6532608E3,00000000,?,?,00007FF65325EF5F), ref: 00007FF653260AA4

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 2be76bcc92df5ae9a3329793aca91963b5f7aff2d06561b4b645f706b756bfa7
Instruction ID: 377fa83b1e26bd37810abfebdb5252710de181025c284c2dc8e1e02f951dcd88
Opcode Fuzzy Hash: 2be76bcc92df5ae9a3329793aca91963b5f7aff2d06561b4b645f706b756bfa7
Instruction Fuzzy Hash: 0A81C322E3CE0289F7119B658A422BD67A2FF44F88F488135DA0EB7695DF3CA845D311

Function 00007FF653261BE8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF653261C10
_set_statfp.LIBCMT ref: 00007FF653261C2B
_set_statfp.LIBCMT ref: 00007FF653261C47
_set_statfp.LIBCMT ref: 00007FF653261C83

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 5006eb681c1d5e6c7ed446ee17145382bca7f67e533f98b29691425f0cf6c75b
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 8F119E26E7CF0301FB68112AE6673BD11526F94B70F1C4634EB6EB62E68E5CB8515202

Function 00007FF6532606C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6532607DF
GetLastError.KERNEL32 ref: 00007FF653260801

Strings

U, xrefs: 00007FF65326078B

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a7ac60822bc52288c5270a9a85706b470334829171d2d6c6223cbcbffff8a2df
Instruction ID: 30f802a5d2c07739cb4cad1b84133cc3180a0f3a42ef7dbda72812cfeaa18400
Opcode Fuzzy Hash: a7ac60822bc52288c5270a9a85706b470334829171d2d6c6223cbcbffff8a2df
Instruction Fuzzy Hash: FB41C322B28E8181DB20CF25E9457A96762FB88B94F488131EE4DE7798EF3CD441CB41

Function 00007FF65325E644 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF65325E675
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF65325D348), ref: 00007FF65325E68F

Strings

InitializeCriticalSectionEx, xrefs: 00007FF65325E669

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: dee8c7aa1d8ce8e20d5a6dfa27ce82712c084cbdc08799914ad139a6b63f43ca
Instruction ID: 5f51be4da750a092c7da3f5e12ea289d3868355fcd30f8d623b5729636a1374f
Opcode Fuzzy Hash: dee8c7aa1d8ce8e20d5a6dfa27ce82712c084cbdc08799914ad139a6b63f43ca
Instruction Fuzzy Hash: BEF0BE25B2CE9181EB249B92F2420A86262BF48FD0F4C8035EA5DBBB48CE3CD945C740

Function 00007FF65325E5F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF65325E619
TlsSetValue.KERNEL32(?,?,?,00007FF65325B59E,?,?,?,00007FF65325AC99,?,?,?,?,00007FF65325A2FC), ref: 00007FF65325E630

Strings

FlsSetValue, xrefs: 00007FF65325E606

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 1443a623ed21db9c1c0bd5b21d1cc3025a8c61b90c04f35ad347f77abda517e1
Instruction ID: 981e71cb900c30172ce72ed92ee58d279c8f3a0b493f09773c8793578065365f
Opcode Fuzzy Hash: 1443a623ed21db9c1c0bd5b21d1cc3025a8c61b90c04f35ad347f77abda517e1
Instruction Fuzzy Hash: DAE03061A38E4281EB548B51E6520B92223BF48F80F4C8032DA5DBB298DE3CD945C751

Function 00007FF653256E5C Relevance: 5.2, APIs: 4, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6532572D8: HeapAlloc.KERNEL32(00040000,?,?,00007FF653256EAB), ref: 00007FF65325732B
Part of subcall function 00007FF6532572D8: HeapFree.KERNEL32(?,?,00007FF653256EAB), ref: 00007FF6532574AC

HeapAlloc.KERNEL32 ref: 00007FF653256EC9
HeapAlloc.KERNEL32 ref: 00007FF653256FE0
HeapAlloc.KERNEL32 ref: 00007FF65325702B
HeapFree.KERNEL32 ref: 00007FF653257069

Memory Dump Source

Source File: 00000000.00000002.1468485954.00007FF653251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF653250000, based on PE: true

Associated: 00000000.00000002.1468196852.00007FF653250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468585796.00007FF653263000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468615374.00007FF653273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468866600.00007FF6532C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469639738.00007FF6532CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469760352.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff653250000_LGvZDRRknR.jbxd

Similarity

API ID: Heap$Alloc$Free
String ID:
API String ID: 1549400367-0
Opcode ID: ad2362557f1295e22485544cf376c64369ea1ad66f337a03f247e43dcff48300
Instruction ID: 3d5f22a6b60fdbbb0bcb5f7fe4a539d25dcf6ac442726ea71d638d1f538a5fc7
Opcode Fuzzy Hash: ad2362557f1295e22485544cf376c64369ea1ad66f337a03f247e43dcff48300
Instruction Fuzzy Hash: 2F510362B39E6252EB158B25D2527793792EB10F80F0C9435DE1EFBB89EE3DD6458300

Analysis Process: svchost.exePID: 3428, Parent PID: 5676COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	149
Total number of Limit Nodes:	2

Executed Functions

Function 00000166CD6D69D8 Relevance: 16.9, APIs: 7, Strings: 2, Instructions: 1185
librarytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00000166CD6D76F1

Part of subcall function 00000166CD6D5FA0: NtQueryInformationProcess.NTDLL ref: 00000166CD6D600F

LoadLibraryExW.KERNELBASE ref: 00000166CD6D6BC0
GetTokenInformation.KERNELBASE ref: 00000166CD6D712E
GetTokenInformation.KERNELBASE ref: 00000166CD6D7186
CreateTimerQueueTimer.KERNELBASE ref: 00000166CD6D74EA
free.MSVCRT ref: 00000166CD6D750F
CloseHandle.KERNELBASE ref: 00000166CD6D7540

Strings

,, xrefs: 00000166CD6D72E6
,, xrefs: 00000166CD6D6D5D

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: Information$TimerTokenfree$CloseCreateHandleLibraryLoadProcessQueryQueue
String ID: ,$,
API String ID: 1885258845-220654547
Opcode ID: 4c387455b2af8135f36f68a1ca485273673d810924601f1bbfd7e8c304cd2754
Instruction ID: 32b5c778ea3ce7db9fa77a90e82b8386c259cb012fb78accd01e831370ca21ec
Opcode Fuzzy Hash: 4c387455b2af8135f36f68a1ca485273673d810924601f1bbfd7e8c304cd2754
Instruction Fuzzy Hash: 88926F31618F488FE764EF6AD8957EAB3D1FBA8300F104529D48AC3292DF75D855CB82

Function 00000166CD6D51BC Relevance: 1.6, APIs: 1, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00000166CD6D52AE

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: b6ed53fab85cf22cf76427c2e966a0a197060846b061c1a52c71d60efdb2ca86
Instruction ID: 957e4aa9b99b8ba2d4be0f6ce039797e7d96012bfe87db7d64a34720bc943e50
Opcode Fuzzy Hash: b6ed53fab85cf22cf76427c2e966a0a197060846b061c1a52c71d60efdb2ca86
Instruction Fuzzy Hash: 15915832608D484BE76CDB2A9C853F977D1F796305F24822ED4CBC6682EA7AD507C781

Function 00000166CD6D5FA0 Relevance: 1.6, APIs: 1, Instructions: 54
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 00000166CD6D600F

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: aedaa32b066cd7baad790dc79b89f0f0aa25ff69fa0ea66035def9c6c87aec9e
Instruction ID: 8aaf511abd44e63a6d80a28a35ef7c961259fb304502482fae9d39680af46a5e
Opcode Fuzzy Hash: aedaa32b066cd7baad790dc79b89f0f0aa25ff69fa0ea66035def9c6c87aec9e
Instruction Fuzzy Hash: 5A018F31228E094FEB49EB7AAC90BA673E4F765304F204929D49AC35A1EF7AC505CB41

Function 00000166CD6D6174 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000166CD6D4F54: malloc.MSVCRT ref: 00000166CD6D4FEF

free.MSVCRT ref: 00000166CD6D6490

Strings

CeP, xrefs: 00000166CD6D62F4
,, xrefs: 00000166CD6D6231
,, xrefs: 00000166CD6D6224

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID: CeP$,$,
API String ID: 3061335427-2996039724
Opcode ID: e353c29c0b88583718f6329c71bf4d43162d928d93945ef273b572fc5238f9b0
Instruction ID: ac52f4e5d506c8081b41b8a0c2878a6300bbe14026837b7fc54a5e13e904831e
Opcode Fuzzy Hash: e353c29c0b88583718f6329c71bf4d43162d928d93945ef273b572fc5238f9b0
Instruction Fuzzy Hash: A0A17931618E088BDB58EF6AE8957E973D1FB98310F20851DE4CAC3296DE35D846C781

Function 00000166CD3704E0 Relevance: 4.8, APIs: 3, Instructions: 252fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000166CD3700FC: VirtualFree.KERNELBASE ref: 00000166CD3703B7

VirtualFree.KERNELBASE ref: 00000166CD37064D
MapViewOfFile.KERNELBASE ref: 00000166CD370686
CloseHandle.KERNELBASE ref: 00000166CD3706E1

Memory Dump Source

Source File: 00000002.00000003.1464529656.00000166CD370000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000166CD370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_166cd370000_svchost.jbxd

Similarity

API ID: FreeVirtual$CloseFileHandleView
String ID:
API String ID: 867161474-0
Opcode ID: 891408fe0d1448a39d4c9211b5b17748033e0253f96817e96866cc630ca6b417
Instruction ID: 1aa28bf52addce392effc3f1bbf440451a498781f41fa4c81590a8c43acbe4de
Opcode Fuzzy Hash: 891408fe0d1448a39d4c9211b5b17748033e0253f96817e96866cc630ca6b417
Instruction Fuzzy Hash: 41716331608F099FD758AB28D9957AAB3E1FB95310F51462EE48EC3281DB75EC42C7C2

Function 00000166CD6D771C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NJI@, xrefs: 00000166CD6D7759

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: NJI@
API String ID: 0-1894075864
Opcode ID: d45665fd503c042bbd1cddf3e76509b083df421fb529cf4e6337dc35805fb2d8
Instruction ID: 6862643f3849acd7f1b58efc354166136803a32b9aa12f85142cca4c26653310
Opcode Fuzzy Hash: d45665fd503c042bbd1cddf3e76509b083df421fb529cf4e6337dc35805fb2d8
Instruction Fuzzy Hash: 1AE16C7151CBD48BD3759F2A98913EBBBE1FB99302F10492EE4CAC2281DB749501CB83

Function 00000166CD6D8974 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00000166CD6D8AD6

Strings

!RHY, xrefs: 00000166CD6D89D3

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: !RHY
API String ID: 621844428-2095432132
Opcode ID: 2866ae3145b7b2e8b7e50758e3c18dccd0790ead28cb59ab9252b37ae8079d46
Instruction ID: 0c8cb59c360accf2510e8a8efad59f513a7e877549a74c985f1e6afdafa22472
Opcode Fuzzy Hash: 2866ae3145b7b2e8b7e50758e3c18dccd0790ead28cb59ab9252b37ae8079d46
Instruction Fuzzy Hash: FB41A331208F484FEB54EF69D889BDAB7E0EBA4300F144569EC8AC7242DF75D805CB92

Function 00000166CD6D973C Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000166CD6DC440: VirtualFree.KERNELBASE(?,?,?,?,?,?,?,00000166CD6D97CF), ref: 00000166CD6DC4D8

SetErrorMode.KERNELBASE ref: 00000166CD6D9834

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorFreeModeVirtual
String ID:
API String ID: 3123725612-0
Opcode ID: c558a3bee63eb8d82cfee7bb6036631f102c00f5edc4b5b2d839b26d2bc08f01
Instruction ID: 3052c6c4fb9a9bf01af82893c8d25f9196ac6b1cf7acb0b85d46e92023200910
Opcode Fuzzy Hash: c558a3bee63eb8d82cfee7bb6036631f102c00f5edc4b5b2d839b26d2bc08f01
Instruction Fuzzy Hash: B8317432218E484BEB54FB6BEC85BE973D5FBA8304F600519F48AC7192DE29D941C781

Function 00000166CD6D6758 Relevance: 1.6, APIs: 1, Instructions: 98
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateTimerQueueTimer.KERNELBASE ref: 00000166CD6D6836

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: Timer$CreateQueue
String ID:
API String ID: 3971536239-0
Opcode ID: be435db6b7ad7525147855a81f15317f39cb1624dd000f31126bb55325e5aa6a
Instruction ID: e1448120521b79ee009ea212f1e2be8796ff970f5ea846443475362de449bb3e
Opcode Fuzzy Hash: be435db6b7ad7525147855a81f15317f39cb1624dd000f31126bb55325e5aa6a
Instruction Fuzzy Hash: 8A31C431314E0D5FEB48EBABD895BE2B3E5FB68310F204518D489C3641CB72E850C781

Function 00000166CD6D4AE0 Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000166CD6D4B59

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2720f2c82129b4cf1e9cdd73d7b21f18690d3eabbfb2c3e4d773bbe3f80b722c
Instruction ID: 5db84a6d9de98112c59e3a8e9b821fc9fe00fc9f78e7f9b70ebd96f07e5b6a5c
Opcode Fuzzy Hash: 2720f2c82129b4cf1e9cdd73d7b21f18690d3eabbfb2c3e4d773bbe3f80b722c
Instruction Fuzzy Hash: A211C032128E484BE769AB3BAC153E672D0F7B5308F60416DD0CAC21D2EA29D906C752

Function 00000166CD6DC54C Relevance: 1.5, APIs: 1, Instructions: 47
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000166CD6DC5A3

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0ef85e6c49b167f6fa9e03bb0202aec9cadee554545795ea33251ab7e92968d2
Instruction ID: f4b1028c85b12096d5e54763a9eeec2749755ee8672ff95ab838ef1bfa62e115
Opcode Fuzzy Hash: 0ef85e6c49b167f6fa9e03bb0202aec9cadee554545795ea33251ab7e92968d2
Instruction Fuzzy Hash: F6016832224E0C4FE754EB2BD8457FA72D5F7A8305F60456AA4CBC2191EB35D944C752

Function 00000166CD3700FC Relevance: 1.5, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00000166CD3703B7

Memory Dump Source

Source File: 00000002.00000003.1464529656.00000166CD370000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000166CD370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_166cd370000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction ID: 48a2fddda10e46656035d476ccc9c0da6c38c4f862434033783d382e17061ead
Opcode Fuzzy Hash: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction Fuzzy Hash: 62919E71218B809FE3A0CB18C581B6ABBF0FB9A348F54096DF5C9D7291D73AD841DB06

Function 00000166CD6D4F54 Relevance: 1.4, APIs: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00000166CD6D4FEF

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 90cd778a792e42c64db594db91f27ad2126318ab58eecec55435c6b2a2086037
Instruction ID: 5a47a3a94f7e6e962a1008e3c8fa53819c2a7f6d5d0e936fff337724179d708b
Opcode Fuzzy Hash: 90cd778a792e42c64db594db91f27ad2126318ab58eecec55435c6b2a2086037
Instruction Fuzzy Hash: 0C413E32118E194BD71C9B1FEC866F577D1FB92711F28812ED8D7C3556E921A803C6D2

Function 00000166CD6D50CC Relevance: 1.4, APIs: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00000166CD6D51A9

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 121c78d1b2291ac724d62adec3f01ff2ea2d670a96f5b98f5ad1c622ad2bd052
Instruction ID: ceb7e8fb658c9a14726510409e09c159d3075d70bc39973c96fc60c32fd929d2
Opcode Fuzzy Hash: 121c78d1b2291ac724d62adec3f01ff2ea2d670a96f5b98f5ad1c622ad2bd052
Instruction Fuzzy Hash: 6F312531618D580BF72D462E5D6A3B17BC1E7EB321F28416EE8DAC6692DC168857C281

Function 00000166CD6DC440 Relevance: 1.4, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,00000166CD6D97CF), ref: 00000166CD6DC4D8

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: d45755ac3fc1b299357fa248614e5cf9831b05787f0c9c72564af89a9d49d463
Instruction ID: 677da1ef4b8784c832f21b1dda23f0088f8ea4b07a3880f0c90c40849826ef2d
Opcode Fuzzy Hash: d45755ac3fc1b299357fa248614e5cf9831b05787f0c9c72564af89a9d49d463
Instruction Fuzzy Hash: BA31B431218E094FEB58EF5AD894BB273D1FB6C305F11416AD84EC32A6DE34D841CB80

Function 00000166CD6D6024 Relevance: 1.4, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 00000166CD6D6161

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 24982d73c66e1a4d078db24c6322379e549b9d86f2eea88fe5e7b398dafb8cc5
Instruction ID: 20126067ec8f23d6d10d1559e08d6bffc9ccf78c62a6bcaed53cd1d90050a0ed
Opcode Fuzzy Hash: 24982d73c66e1a4d078db24c6322379e549b9d86f2eea88fe5e7b398dafb8cc5
Instruction Fuzzy Hash: 8541AF31508A488FDB45EF29D880BE5B7E1FBA8300F144679E8CACB246CB359541CB52

Function 00000166CD6D3BC8 Relevance: 1.3, APIs: 1, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpiW.KERNELBASE ref: 00000166CD6D3BF0

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: c6a7c236d73697e4ca57ed050e55d544e6cacc2476fd745c83e7f6659eda1179
Instruction ID: 00bb524ba526294ff6d3bd0482806ce4b9c5be56942ec75c78b76a8ffd4996b2
Opcode Fuzzy Hash: c6a7c236d73697e4ca57ed050e55d544e6cacc2476fd745c83e7f6659eda1179
Instruction Fuzzy Hash: D021B632710D084FFBA4EB3BBC457EA36D6EBA5301F5442659047C35BAEE358801CB40

Function 00000166CD6D1B7C Relevance: 1.3, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

calloc.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000166CD6D1ECB), ref: 00000166CD6D1BAF

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6d1000_svchost.jbxd

Yara matches

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 418f43b1e00efb7115a884b72c32553d8d6b497a6a4eddd5ee5fb9b938cd136f
Instruction ID: 193c65bbe96de1d669949d0a92818df1f8621e4c9d9d4dc11169b11221af55ed
Opcode Fuzzy Hash: 418f43b1e00efb7115a884b72c32553d8d6b497a6a4eddd5ee5fb9b938cd136f
Instruction Fuzzy Hash: 63F05E31214D094FF795AB3AAC9876536D5EBA8301F6400769809C62A0EF79CC85C710

Non-executed Functions

Function 00000166CD6E711B Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1504542898.00000166CD6E3000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000166CD6E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_166cd6e3000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e2935da237788fdda34a38a73a3239899df38739b7cce9c324f361412e95d3
Instruction ID: 73dd2af59e96965b237b2c413222c7ab2db1d96429eba91700558766ae972c43
Opcode Fuzzy Hash: 65e2935da237788fdda34a38a73a3239899df38739b7cce9c324f361412e95d3
Instruction Fuzzy Hash: C431AA8284EBD25FC72397751C7A49AFF706D2324075D89CFC4C28A8E3E2486199C7A7

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LGvZDRRknR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
LGvZDRRknR.exe

Function 00007FF653257108 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 89
memoryCOMMON

Function 00007FF6532634D4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
memoryCOMMON

Function 00007FF6532579F4 Relevance: 7.6, APIs: 5, Instructions: 94
COMMON

Function 00007FF65325E6A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
COMMON

Function 00007FF653256DEC Relevance: 4.5, APIs: 3, Instructions: 31
synchronizationCOMMON

Function 00007FF65325A1B0 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Function 00007FF65325C8E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
COMMON

Function 00007FF65325E48C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMON

Function 00007FF65325CDBC Relevance: 3.2, APIs: 2, Instructions: 194
COMMON

Function 00007FF653257910 Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Function 00007FF65325B9DC Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMONLIBRARYCODE

Function 00007FF6532630F0 Relevance: 2.7, APIs: 2, Instructions: 169
memoryCOMMON

Function 00007FF65325A0F4 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 00007FF65325D510 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00007FF65325F104 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON