Edit tour

Windows Analysis Report
YUoxuUri8M.dll

Overview

General Information

Sample Name:	YUoxuUri8M.dll
Original Sample Name:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Analysis ID:	1344807
MD5:	88bb86494cb9411a9692f9c8e67ed32c
SHA1:	82f8060575de96dc4edc4f7b02ec31ba7637fa03
SHA256:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40
Tags:	dllransomware
Infos:

Detection

Qilin

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Qilin Ransomware

Antivirus / Scanner detection for submitted sample

Found Tor onion address

Contains functionalty to change the wallpaper

Found PSEXEC tool (often used for remote process execution)

Deletes shadow drive data (may be related to ransomware)

Contains functionality to clear event logs

May use bcdedit to modify the Windows boot settings

Uses 32bit PE files

Yara signature match

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Yara detected PsExec sysinternal tool

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4108 cmdline: loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6020 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 732 cmdline: rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6604 cmdline: rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AgendaCrypt, Qilin	Ransomware written in Go.	No Attribution	https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
YUoxuUri8M.dll	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
YUoxuUri8M.dll	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Process Memory Space: loaddll32.exe PID: 4108	JoeSecurity_Qilin	Yara detected Qilin Ransomware	Joe Security
Process Memory Space: loaddll32.exe PID: 4108	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Process Memory Space: rundll32.exe PID: 6604	JoeSecurity_Qilin	Yara detected Qilin Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 6604	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Process Memory Space: rundll32.exe PID: 732	JoeSecurity_Qilin	Yara detected Qilin Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 732	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.6cc0f946.2.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6ced8bbe.1.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6cc48bbe.1.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6cc0f946.1.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6ce9f946.2.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6ce9f946.2.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6cc0f946.2.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6cc48bbe.2.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6cc0f946.1.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6ca50000.0.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6ca50000.0.unpack	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice
0.2.loaddll32.exe.6cce0000.0.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6cce0000.0.unpack	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice
4.2.rundll32.exe.6ca50000.0.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6ca50000.0.unpack	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice
Click to see the 10 entries

Binary or memory string: { "public_rsa_pem": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy5Bq0JhzTUuX8U9S66N4\nwb/vrE0ZPJDps80bF9R2n2875dWVToGkl8+GUTApoz1Mhaf+YF1OBd4h3cB53ZRB\ntbiOgt3onHpDXxf4ZJ+6RXZGJs7dSQ5nI2Kxtbw2TyhTcjcosBROYaDaZxOK6xJ/\ni5qW+n0/d2va

Source: YUoxuUri8M.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: YUoxuUri8M.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\1\s\psexec\exe\Win32\Release\psexec.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll
Source:	Binary string: D:\a\1\s\psexec\svc\Win32\Release\psexesvc.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll

Spreading

Found PSEXEC tool (often used for remote process execution)

Source: loaddll32.exe	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: YUoxuUri8M.dll	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD1390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		0_2_6CDD1390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB41390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		3_2_6CB41390

Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then push ebp		0_2_6CD02FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push ebp		3_2_6CA72FA0

Networking

Found Tor onion address

Source: loaddll32.exe, 00000000.00000002.1685944141.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000003.00000002.1656357725.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: YUoxuUri8M.dll	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",

Source: Yara match	File source: YUoxuUri8M.dll, type: SAMPLE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ced8bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc48bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc48bbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR

Source: loaddll32.exe, rundll32.exe	String found in binary or memory: http://www.microsoft.co
Source: YUoxuUri8M.dll	String found in binary or memory: https://github.com/swsnr/gethostname.rs/issues
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll	String found in binary or memory: https://www.sysinternals.com0
Source: rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp, YUoxuUri8M.dll	String found in binary or memory: https://www.torproject.org/download/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Qilin Ransomware

Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR

Contains functionalty to change the wallpaper

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE28390 CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,SystemParametersInfoW,HeapFree,GetLastError,HeapFree,HeapFree,		0_2_6CE28390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB98390 CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,SystemParametersInfoW,HeapFree,GetLastError,HeapFree,HeapFree,		3_2_6CB98390

Deletes shadow drive data (may be related to ransomware)

Source: loaddll32.exe	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: YUoxuUri8M.dll	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: YUoxuUri8M.dll	Binary or memory string: "cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted

Contains functionality to clear event logs

Source: C:\Windows\System32\loaddll32.exe	Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned.		0_2_6CE1F560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned.		3_2_6CB8F560

System Summary

Malicious sample detected (through community Yara rule)

Source: YUoxuUri8M.dll, type: SAMPLE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
Source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
Source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
Source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown

Source: YUoxuUri8M.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: YUoxuUri8M.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCEFCD0	0_2_6CCEFCD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1288B	0_2_6CD1288B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFCC90	0_2_6CCFCC90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDFDCA0	0_2_6CDFDCA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD20C40	0_2_6CD20C40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE1C30	0_2_6CCE1C30
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD06DBB	0_2_6CD06DBB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD13DAF	0_2_6CD13DAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3D70	0_2_6CCE3D70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3AED0	0_2_6CD3AED0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF3EC0	0_2_6CCF3EC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3FE90	0_2_6CD3FE90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA0E91	0_2_6CDA0E91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFDE84	0_2_6CCFDE84
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA1EB0	0_2_6CDA1EB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD36EA0	0_2_6CD36EA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD0CE70	0_2_6CD0CE70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE2DE50	0_2_6CE2DE50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCECFF0	0_2_6CCECFF0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3FB0	0_2_6CCE3FB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA4F40	0_2_6CDA4F40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD00F3E	0_2_6CD00F3E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3880	0_2_6CCE3880
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD0A8A0	0_2_6CD0A8A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1A8A0	0_2_6CD1A8A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDE5810	0_2_6CDE5810
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD20801	0_2_6CD20801
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF5821	0_2_6CCF5821
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3B9A0	0_2_6CD3B9A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD08910	0_2_6CD08910
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD18AD0	0_2_6CD18AD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDE7AD0	0_2_6CDE7AD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3AC0	0_2_6CCE3AC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1FAB0	0_2_6CD1FAB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCEBA40	0_2_6CCEBA40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD38A60	0_2_6CD38A60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE2BB10	0_2_6CE2BB10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDE5B20	0_2_6CDE5B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA14FE	0_2_6CDA14FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF64A0	0_2_6CCF64A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFF440	0_2_6CCFF440
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA55B0	0_2_6CDA55B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1F6F0	0_2_6CD1F6F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDEB640	0_2_6CDEB640
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD21670	0_2_6CD21670
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF57F0	0_2_6CCF57F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD04790	0_2_6CD04790
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDCA0C0	0_2_6CDCA0C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFD0E0	0_2_6CCFD0E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDC2090	0_2_6CDC2090
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD22080	0_2_6CD22080
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1F0A0	0_2_6CD1F0A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD2C0A0	0_2_6CD2C0A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE50B0	0_2_6CCE50B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF7040	0_2_6CCF7040
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1B03B	0_2_6CD1B03B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD95020	0_2_6CD95020
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD13154	0_2_6CD13154
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD18130	0_2_6CD18130
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA2130	0_2_6CDA2130
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1D125	0_2_6CD1D125
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3F260	0_2_6CD3F260
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD383E0	0_2_6CD383E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDF53E0	0_2_6CDF53E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDF23A0	0_2_6CDF23A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD08310	0_2_6CD08310
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD39300	0_2_6CD39300
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF8310	0_2_6CCF8310
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8288B	3_2_6CA8288B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6DCA0	3_2_6CB6DCA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6CC90	3_2_6CA6CC90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA5FCD0	3_2_6CA5FCD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA51C30	3_2_6CA51C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA90C40	3_2_6CA90C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA83DAF	3_2_6CA83DAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA76DBB	3_2_6CA76DBB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53D70	3_2_6CA53D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB11EB0	3_2_6CB11EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA6EA0	3_2_6CAA6EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB10E91	3_2_6CB10E91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6DE84	3_2_6CA6DE84
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAFE90	3_2_6CAAFE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA63EC0	3_2_6CA63EC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAAED0	3_2_6CAAAED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA7CE70	3_2_6CA7CE70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB9DE50	3_2_6CB9DE50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53FB0	3_2_6CA53FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA5CFF0	3_2_6CA5CFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA70F3E	3_2_6CA70F3E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB14F40	3_2_6CB14F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA7A8A0	3_2_6CA7A8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8A8A0	3_2_6CA8A8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53880	3_2_6CA53880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB55810	3_2_6CB55810
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA90801	3_2_6CA90801
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6581B	3_2_6CA6581B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAB9A0	3_2_6CAAB9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA78910	3_2_6CA78910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8FAB0	3_2_6CA8FAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB57AD0	3_2_6CB57AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53AC0	3_2_6CA53AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA8A60	3_2_6CAA8A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA5BA40	3_2_6CA5BA40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB55B20	3_2_6CB55B20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB9BB10	3_2_6CB9BB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA664A0	3_2_6CA664A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB114FE	3_2_6CB114FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6F440	3_2_6CA6F440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB155B0	3_2_6CB155B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB10570	3_2_6CB10570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8F6F0	3_2_6CA8F6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA91670	3_2_6CA91670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB5B640	3_2_6CB5B640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA74790	3_2_6CA74790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA657F0	3_2_6CA657F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8F0A0	3_2_6CA8F0A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA9C0A0	3_2_6CA9C0A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA550B0	3_2_6CA550B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB32090	3_2_6CB32090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6D0E0	3_2_6CA6D0E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB3A0C0	3_2_6CB3A0C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB05020	3_2_6CB05020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8B03B	3_2_6CA8B03B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA67040	3_2_6CA67040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB12130	3_2_6CB12130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8D125	3_2_6CA8D125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA88130	3_2_6CA88130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA83154	3_2_6CA83154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAF260	3_2_6CAAF260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB623A0	3_2_6CB623A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA83E0	3_2_6CAA83E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB653E0	3_2_6CB653E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA9300	3_2_6CAA9300
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA68310	3_2_6CA68310
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA78310	3_2_6CA78310

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCF9A00 appears 74 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCF9900 appears 98 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CD21390 appears 40 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCF9C20 appears 85 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCFB140 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA69C20 appears 88 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA91390 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA6B140 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA69A00 appears 69 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA69900 appears 92 times

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDD1950 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,NtWriteFile,WaitForSingleObject,

0_2_6CDD1950

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDD0E50: DeviceIoControl,GetLastError,CloseHandle,GetProcessHeap,HeapAlloc,memcpy,HeapFree,

0_2_6CDD0E50

Source: YUoxuUri8M.dll	Binary or memory string: OriginalFilenamepsexec.cH vs YUoxuUri8M.dll
Source: YUoxuUri8M.dll	Binary or memory string: OriginalFilenamepsexesvc.exeH vs YUoxuUri8M.dll

Source: YUoxuUri8M.dll	ReversingLabs: Detection: 68%
Source: YUoxuUri8M.dll	Virustotal: Detection: 69%

Source: YUoxuUri8M.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE28210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,GetLastError,CloseHandle,		0_2_6CE28210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB98210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,GetLastError,CloseHandle,		3_2_6CB98210

Source: YUoxuUri8M.dll	Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServerSeTcbPrivilege"%s" %sNetIsServiceAccountnetapi32.dll_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}NT AUTHORITYNT SERVICECreateRestrictedTokenwinsta0Winlogondefaultwinsta0\winlogonwinsta0\defaultWow64DisableWow64FsRedirectionKernel32.dll%s.exe%%systemroot%%\PSEXEC-%s-%08X.key%systemroot%failed to readsecure: %d
Source: YUoxuUri8M.dll	Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.

Source: classification engine

Classification label: mal92.rans.spre.evad.winDLL@8/0@0/0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDEACE0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,

0_2_6CDEACE0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CD05D04 GlobalMemoryStatusEx,GetPerformanceInfo,GetDiskFreeSpaceExW,

0_2_6CD05D04

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03

Source: loaddll32.exe	String found in binary or memory: /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/algorithms/add.rs
Source: loaddll32.exe	String found in binary or memory: %s -install to install the service
Source: rundll32.exe	String found in binary or memory: /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/algorithms/add.rs
Source: rundll32.exe	String found in binary or memory: %s -install to install the service

Source: YUoxuUri8M.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: YUoxuUri8M.dll

Static file information: File size 2845184 > 1048576

Source: YUoxuUri8M.dll	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x159400
Source: YUoxuUri8M.dll	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x127800

Source: YUoxuUri8M.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\1\s\psexec\exe\Win32\Release\psexec.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll
Source:	Binary string: D:\a\1\s\psexec\svc\Win32\Release\psexesvc.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE2F980 push dword ptr [eax+04h]; ret	0_2_6CE2F9AF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD00A63 push 016CE41Ch; iretd	0_2_6CD00A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB9F980 push dword ptr [eax+04h]; ret	3_2_6CB9F9AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA70A63 push 016CBB1Ch; iretd	3_2_6CA70A6C

Source: YUoxuUri8M.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CCE1400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6CCE1400

Source: YUoxuUri8M.dll

Binary or memory string: /set {current} safeboot networkrunasBCDEdit.exeerror creating cstringsaferunner-main/src/tools.rs

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.5 %

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CD0DDE7 HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,HeapFree,HeapFree,GetSystemInfo,memcmp,HeapFree,memcpy,GetProcessHeap,HeapAlloc,AcquireSRWLockExclusive,HeapAlloc,memcpy,memcpy,

0_2_6CD0DDE7

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD1390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		0_2_6CDD1390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB41390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		3_2_6CB41390

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CCE1400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6CCE1400

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CCEFCD0 GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,HeapFree,memcpy,HeapFree,memcpy,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,

0_2_6CCEFCD0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CD40C90 cpuid

0_2_6CD40C90

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CE16B20 GetUserNameW,GetLastError,GetProcessHeap,HeapAlloc,GetUserNameW,GetLastError,GetProcessHeap,HeapAlloc,memcpy,HeapFree,HeapFree,

0_2_6CE16B20

Source: Yara match	File source: YUoxuUri8M.dll, type: SAMPLE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ced8bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc48bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc48bbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Defacement	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Service Execution	Boot or Logon Initialization Scripts	11 Process Injection	11 Process Injection	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Proxy	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Indicator Removal	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YUoxuUri8M.dll	68%	ReversingLabs	Win32.Trojan.Generic
YUoxuUri8M.dll	100%	Avira	TR/Ransom.xmbad
YUoxuUri8M.dll	69%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://www.sysinternals.com0	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.torproject.org/download/	rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp, YUoxuUri8M.dll	false		high
https://www.sysinternals.com0	loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	loaddll32.exe, rundll32.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/swsnr/gethostname.rs/issues	YUoxuUri8M.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1344807
Start date and time:	2023-11-19 19:11:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	YUoxuUri8M.dll renamed because original name is a hash value
Original Sample Name:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Detection:	MAL
Classification:	mal92.rans.spre.evad.winDLL@8/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 81% Number of executed functions: 17 Number of non-executed functions: 203
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.815416502528244
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YUoxuUri8M.dll
File size:	2'845'184 bytes
MD5:	88bb86494cb9411a9692f9c8e67ed32c
SHA1:	82f8060575de96dc4edc4f7b02ec31ba7637fa03
SHA256:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40
SHA512:	670acd30005be75bbced78a505b4f0ded7f39cb4f4d55f9b09f31964d20bebb62908d40da4c9a103c87e83f4b31e0435ffd9ec78ee7a585c216e5551e0c67ebb
SSDEEP:	49152:MxmXXxQjiQspGXtwB0pnkF7TosNjLSq6Pq3Ecv9dsiPTg3pg:DQeQVmB0pni7TosNKq6adsi
TLSH:	36D5BF06FD439A79C5BF1470247EB379AD399C240525CEA7D7C88DB0BA2E7412D8872E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".Vd...........#...#.....f+...............................................+.......+...@... .......................*.L..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100013b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6456B622 [Sat May 6 20:18:42 2023 UTC]
TLS Callbacks:	0x100f9450, 0x1014ee30, 0x1014ede0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f846e17badb830abe49083e4c5bb1447

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [102AB18Ch], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007F8264CDFD67h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 102AB000h
mov dword ptr [esp+04h], eax
call 00007F8264E2D6DEh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 1015C000h
call dword ptr [102AD6C4h]
sub esp, 04h
test eax, eax
je 00007F8264CDFF85h
mov ebx, eax
mov dword ptr [esp], 1015C000h
call dword ptr [102AD720h]
mov edi, dword ptr [102AD6D0h]
sub esp, 04h
mov dword ptr [102AB010h], eax
mov dword ptr [esp+04h], 1015C013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 1015C029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [1015B000h], eax
sub esp, 08h
test esi, esi
je 00007F8264CDFF23h
mov dword ptr [esp+04h], 102AB014h
mov dword ptr [esp], 10284000h
call esi
mov dword ptr [eax+eax], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2ac000	0x4c	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ad000	0x1bc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b1000	0xd30c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x283618	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2ad510	0x380	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15932c	0x159400	False	0.5236807566980449	data	6.51300791744888	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x15b000	0x118	0x200	False	0.208984375	data	1.5302315334928558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x15c000	0x127744	0x127800	False	0.5858267898688664	data	6.897829471292023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x284000	0x26118	0x26200	False	0.3621734118852459	data	5.130901619963026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x2ab000	0x1bc	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x2ac000	0x4c	0x200	False	0.140625	data	0.8918205656738996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x2ad000	0x1bc8	0x1c00	False	0.35044642857142855	data	5.149053093278306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x2af000	0x34	0x200	False	0.076171875	data	0.3320250245953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2b0000	0x8	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2b1000	0xd30c	0xd400	False	0.6353368219339622	data	6.597160861109742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
IPHLPAPI.DLL	FreeMibTable, GetAdaptersAddresses, GetIfEntry2, GetIfTable2
KERNEL32.dll	CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, ReleaseSemaphore, VirtualProtect, VirtualQuery
msvcrt.dll	_amsg_exit, _initterm, _iob, _lock, _unlock, abort, calloc, free, fwrite, malloc, memcmp, memcpy, memmove, memset, realloc, strlen, strncmp, vfprintf
ntdll.dll	NtReadFile, NtWriteFile
PSAPI.DLL	EnumProcesses, GetModuleFileNameExW, GetPerformanceInfo, GetProcessImageFileNameW
advapi32.dll	AdjustTokenPrivileges, ChangeServiceConfigW, ControlService, CopySid, EnumDependentServicesW, EnumServicesStatusW, GetLengthSid, GetTokenInformation, GetUserNameW, IsValidSid, LookupAccountSidW, LookupPrivilegeValueA, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceStatusEx, RegCloseKey, RegOpenKeyExA, RegOpenKeyExW, RegSetValueExA, RegSetValueExW, SystemFunction036
bcrypt.dll	BCryptGenRandom
kernel32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, CancelIo, CloseHandle, CompareStringOrdinal, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateMutexA, CreateNamedPipeW, CreateProcessW, CreateThread, CreateToolhelp32Snapshot, DeleteFileW, DeviceIoControl, DuplicateHandle, ExitProcess, FindClose, FindFirstFileW, FindNextFileW, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetCommandLineW, GetComputerNameExW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetDiskFreeSpaceExW, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetLogicalDrives, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimes, GetTempPathW, GetTickCount64, GetVolumeInformationW, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, IsWow64Process, LoadLibraryA, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, ReadFile, ReadFileEx, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RtlCaptureContext, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadStackGuarantee, Sleep, SleepConditionVariableSRW, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnmapViewOfFile, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, WriteConsoleW, WriteFileEx
netapi32.dll	NetApiBufferFree, NetShareEnum, NetUserEnum, NetUserGetInfo, NetUserGetLocalGroups, NetUserSetInfo
ntdll.dll	NtCreateFile, NtQuerySystemInformation, RtlNtStatusToDosError
ole32.dll	CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize
oleaut32.dll	GetErrorInfo, SysAllocString, SysFreeString, SysStringLen, VariantClear
pdh.dll	PdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
powrprof.dll	CallNtPowerInformation
rstrtmgr.dll	RmEndSession, RmGetList, RmRegisterResources, RmStartSession
secur32.dll	LsaEnumerateLogonSessions, LsaFreeReturnBuffer, LsaGetLogonSessionData
shell32.dll	ShellExecuteA
user32.dll	ExitWindowsEx, SystemParametersInfoW
ws2_32.dll	WSACleanup, WSAGetLastError, WSAStartup, freeaddrinfo, getaddrinfo

Exports

Name	Ordinal	Address
DllMain	1	0x10032630

Target ID:	0
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll"
Imagebase:	0x560000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain
Imagebase:	0xb90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Imagebase:	0xb90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.2%
Total number of Nodes:	901
Total number of Limit Nodes:	23

Executed Functions

Function 6CCEFCD0 Relevance: 101.0, APIs: 63, Strings: 3, Instructions: 1963memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCEFD12
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEFD24
memcpy.MSVCRT ref: 6CCEFD50
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEFD86
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEFE21
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF2624
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF29C3
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF29E8
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF2A6A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CCEFE41
internal error: entered unreachable code/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/serde_json-1.0.82/src/de.rs, xrefs: 6CCF29FA
public_rsa_pempassword_hashdirectory_black_listfile_black_listfile_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF1A8A

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcessmemcpy
String ID: called `Result::unwrap()` on an `Err` value$internal error: entered unreachable code/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/serde_json-1.0.82/src/de.rs$public_rsa_pempassword_hashdirectory_black_listfile_black_listfile_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 3951801138-850514084
Opcode ID: 47e86aeae3eda66b31069cfa3b66f888e6024ace4dec32fd2499a7a6d12b213c
Instruction ID: 9955302fc67fd438882e34c326b6ad41d90b30b169c33899989e37dcec61b08f
Opcode Fuzzy Hash: 47e86aeae3eda66b31069cfa3b66f888e6024ace4dec32fd2499a7a6d12b213c
Instruction Fuzzy Hash: 57133771909381CFD7B1CF18C454B9ABBF1BF89348F14891EE4A967650EB70A94ACB43

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1288B Relevance: 28.0, APIs: 6, Strings: 12, Instructions: 952
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD12980

Strings

bl!, xrefs: 6CD14BB0
gj, xrefs: 6CD13D19
`cl%, xrefs: 6CD14ADC
cl, xrefs: 6CD14C3D, 6CD154B0, 6CD14C44, 6CD154B7
pathsipsexcludeno-efno-ffno-dfno-procno-servicessafeno-wallpaperspawnedpropagatepropagated-processdebugno-deletetimer, xrefs: 6CD12A1A
no-extension, xrefs: 6CD129FD
H]l2, xrefs: 6CD129A8
, xrefs: 6CD14761
no-destructno-zerono-domainno-network[INFO] AESNI support detected! Using AES-CTR mode, xrefs: 6CD12BC0
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD13B22, 6CD14AFD, 6CD14BD1, 6CD14C27, 6CD1549A
WC, xrefs: 6CD129C7
9A, xrefs: 6CD128D0

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: $H]l2$PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$WC$`cl%$gj$no-destructno-zerono-domainno-network[INFO] AESNI support detected! Using AES-CTR mode$no-extension$pathsipsexcludeno-efno-ffno-dfno-procno-servicessafeno-wallpaperspawnedpropagatepropagated-processdebugno-deletetimer$9A$bl!$cl
API String ID: 3298025750-1113567611
Opcode ID: e1b1ec1f66baf25380caebb9c266e7a0298b76c717545e1aec6ba42500f42715
Instruction ID: 540c481a45b0297362e00932ab0d6aa6ddd30f603e302fd09a2a7ec1fe0151d7
Opcode Fuzzy Hash: e1b1ec1f66baf25380caebb9c266e7a0298b76c717545e1aec6ba42500f42715
Instruction Fuzzy Hash: E6A258B180D3808AD371CF24D894BEBBBE4AFD5308F148A1DE5C857691EB759548CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD12F9C Relevance: 21.3, APIs: 6, Strings: 8, Instructions: 334
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD12FC6

Strings

0Vl, xrefs: 6CD12CBA
pathsipsexcludeno-efno-ffno-dfno-procno-servicessafeno-wallpaperspawnedpropagatepropagated-processdebugno-deletetimer, xrefs: 6CD12A1A
no-extension, xrefs: 6CD129FD
H]l2, xrefs: 6CD129A8
no-destructno-zerono-domainno-network[INFO] AESNI support detected! Using AES-CTR mode, xrefs: 6CD12BC0
T_l, xrefs: 6CD12DF0, 6CD12DF7
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD12DDA
WC, xrefs: 6CD129C7

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: 0Vl$H]l2$PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$T_l$WC$no-destructno-zerono-domainno-network[INFO] AESNI support detected! Using AES-CTR mode$no-extension$pathsipsexcludeno-efno-ffno-dfno-procno-servicessafeno-wallpaperspawnedpropagatepropagated-processdebugno-deletetimer
API String ID: 3298025750-612161213
Opcode ID: b6254ff8482053a064af1aa7732086deeb38ff531a9c590fcf28386c6c678324
Instruction ID: 7b083e35aeb16c9e43e9219c69d965f6da94c1fba052739cbbc62bea51d35959
Opcode Fuzzy Hash: b6254ff8482053a064af1aa7732086deeb38ff531a9c590fcf28386c6c678324
Instruction Fuzzy Hash: 60C1A3B194D340AFD320DB10EC85FAFB2F8AB8570CF50491CF6549AA61E776D5088B63

Uniqueness

Uniqueness Score: -1.00%

Function 6CDC4A60 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 338
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CDC5267,?,?,?), ref: 6CDC4A98
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 6CDC4B3F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6CDC4B4F
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?), ref: 6CDC4B67
memcpy.MSVCRT ref: 6CDC4C7B

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 6CDC4BAE
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 6CDC4B98

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExclusiveFreeHeapLock$AcquireReleasememcpy
String ID: cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
API String ID: 1574103879-1937734220
Opcode ID: abd77417ed307c93f96c537fa8b8ae1f8910a2b0db406062d1007848512cdd79
Instruction ID: 2bccbfdf8dd68c94beb725a277657f4d1b2cb992c92a931d84107f9fac918fe7
Opcode Fuzzy Hash: abd77417ed307c93f96c537fa8b8ae1f8910a2b0db406062d1007848512cdd79
Instruction Fuzzy Hash: F3C1B1B1E00649DFCB00DF55C880AAEB7B9FF45308F148559E859ABB21E731E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD12C50 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 142
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD12C77
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD12D4D
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,6CF8B0E0,00000000,?), ref: 6CD12D7E
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,6CF8B0E0,00000000,?), ref: 6CD12DA6

Strings

0Vl, xrefs: 6CD12CBA
T_l, xrefs: 6CD12DF0, 6CD12DF7
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD12DDA

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: 0Vl$PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$T_l
API String ID: 3298025750-1666152087
Opcode ID: 2e1f1c550e771ee57bbe4fe0061f70ce8d3e7da19009f162090634a577727028
Instruction ID: 671bf15c1e09cdebb9964c1be0f3d7f99631dedc64ae50e4f5d676b7129ae33f
Opcode Fuzzy Hash: 2e1f1c550e771ee57bbe4fe0061f70ce8d3e7da19009f162090634a577727028
Instruction Fuzzy Hash: 15513BB164D340DBE7608F55D48979AB7F1BF85308F244A2DE2A987A70DB71D508CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CCEEBA0 Relevance: 10.1, APIs: 8, Instructions: 132
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,00000008,00000008,?), ref: 6CCEEBDC
HeapAlloc.KERNEL32(00000000,00000000,00000008,00000008,?), ref: 6CCEEC12
GetProcessHeap.KERNEL32(00000008,?), ref: 6CCEEC56
HeapAlloc.KERNEL32(?,00000000,?,00000008,?), ref: 6CCEEC74
memcpy.MSVCRT ref: 6CCEEC97
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000,?,00000008,?), ref: 6CCEECAB
GetProcessHeap.KERNEL32(00000008,?), ref: 6CCEECB5
HeapAlloc.KERNEL32(00000000,00000000,?,00000008,?), ref: 6CCEECD5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: 7e684c4923916c5228efa7199efbf04caddc00e26a819eac3ab6047b78e98d55
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: 1A41C170B453429BEB04DFAAC880B6A77F6BB8E344F24812DE9158BB51FB74D844C791

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF023A Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6CCF0242
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C18
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF0CA6

Strings

file_black_listfile_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF023C, 6CCF2260

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$memcmp
String ID: file_black_listfile_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 4130495867-3114836061
Opcode ID: bede497265389862ee12876b29f9c6036dbde0679aa61bcc8d5f795aaa9253f6
Instruction ID: e8b8f33bf8ab76a664baf9fe4e1fa2f89080c42f0631c7705308ad01d060af13
Opcode Fuzzy Hash: bede497265389862ee12876b29f9c6036dbde0679aa61bcc8d5f795aaa9253f6
Instruction Fuzzy Hash: 52516B309093818FD3A0CF14C450B9ABBF1BF85748F24592CE8A99B750E771E989DB83

Uniqueness

Uniqueness Score: -1.00%

Function 6CCEF810 Relevance: 6.4, APIs: 5, Instructions: 190
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEF947
HeapFree.KERNEL32(6CF8B0E0,00000000,00000004), ref: 6CCEF960
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEFA57

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: eb5a961865b816765a38a782a0576275b3229f29760058f13062fd4e54fc115d
Instruction ID: 1bd0f2c9a39b697b2c137eec7372e4c881ce078bc3c4b3322f203c0acaefb327
Opcode Fuzzy Hash: eb5a961865b816765a38a782a0576275b3229f29760058f13062fd4e54fc115d
Instruction Fuzzy Hash: 0A71ACB1E00219DFCB10CF99E880BAEFBB2FF8A308F254119D4146B750E771A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF02B6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C18
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF0CA6

Strings

process_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF2251

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: process_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 3298025750-986806953
Opcode ID: 8b89b891a112d112139063bebfd89c5e8dc6af3969b5b369d0ac6a5d15cfbe15
Instruction ID: 5c0d55e05e9b1d571c7aa81905911a123525641f7b9de57c5832b206111b946b
Opcode Fuzzy Hash: 8b89b891a112d112139063bebfd89c5e8dc6af3969b5b369d0ac6a5d15cfbe15
Instruction Fuzzy Hash: 5C517B709093818FD3A0CF18C450B9AB7F1FF85748F145A1DE8A99B750E771E989DB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CD125A9 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 6CD12825
H]l2, xrefs: 6CD12814

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: H]l2$A
API String ID: 3298025750-158417659
Opcode ID: fad1ab6e5d2c8945ec2105b4a8be9ffe17f07e327995ce3e88fd29f32b3103c3
Instruction ID: 594be4e6724059ccbdc6112d0c6f0ce709b017117d656cf3c357c66398b1e36d
Opcode Fuzzy Hash: fad1ab6e5d2c8945ec2105b4a8be9ffe17f07e327995ce3e88fd29f32b3103c3
Instruction Fuzzy Hash: DD51FBB140C3C0CAE7219F24D45979BBBE4AF96308F14495CE5C80B792D7BA9548CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD125CA Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 6CD12825
H]l2, xrefs: 6CD12814

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID: H]l2$A
API String ID: 1910495013-158417659
Opcode ID: 379ef676a521998805599e0c3ae6cf6f95d99b5fc48963b10a617c59912c2301
Instruction ID: c67dae185fe46cfdddffdce4859c584d240d32cf40790b1cc233933e75e15a6f
Opcode Fuzzy Hash: 379ef676a521998805599e0c3ae6cf6f95d99b5fc48963b10a617c59912c2301
Instruction Fuzzy Hash: 1B510BB140C3C0CAE7219F24D45979BBBF4AF96308F14495CE5C80B792DBBA9548CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD125A3 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 6CD12825
H]l2, xrefs: 6CD12814

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID: H]l2$A
API String ID: 1910495013-158417659
Opcode ID: 0633191efe5e8a484f29dc29192a4faf4b2fd9ed204adcd126101c871ea6d505
Instruction ID: 3a02139598d02b8d87e3941373fad80c4e7a756fcc2c5cededdd8a40169c0846
Opcode Fuzzy Hash: 0633191efe5e8a484f29dc29192a4faf4b2fd9ed204adcd126101c871ea6d505
Instruction Fuzzy Hash: FA510CB140C3C0CAE7219F24D45979BBBF4AF96308F14495CE5C81B792DBBA9548CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD125DC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 6CD12825
H]l2, xrefs: 6CD12814

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: H]l2$A
API String ID: 3298025750-158417659
Opcode ID: 409596877db272206f9b083e4166ec5b821018b8246347a10383c5acd6562a2c
Instruction ID: f461d6306c577d2879eba3292915ecc739dea5557fad6bfa171b526ac17db404
Opcode Fuzzy Hash: 409596877db272206f9b083e4166ec5b821018b8246347a10383c5acd6562a2c
Instruction Fuzzy Hash: F4510CB140C3C0CAE7619F24D45979BBBF4AF96308F14495CE5C80A792D7BA9548CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD125EA Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 6CD12825
H]l2, xrefs: 6CD12814

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID: H]l2$A
API String ID: 1910495013-158417659
Opcode ID: 43fdfe977cf72946f73ba85467fb31f34a6f2e22158bb6699d2d37e0d0bc9669
Instruction ID: 0894eea557bf35599f2f318d6d9b5aa3d1d6b8941a7517b91f26fd18b3067a32
Opcode Fuzzy Hash: 43fdfe977cf72946f73ba85467fb31f34a6f2e22158bb6699d2d37e0d0bc9669
Instruction Fuzzy Hash: 75510BB140C3C0CAE7619F24C45979BBBF4AF96308F14495CE5C81B792DBBA9548CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD125F8 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 6CD12825
H]l2, xrefs: 6CD12814

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: H]l2$A
API String ID: 3298025750-158417659
Opcode ID: c3c4c08e778dc8f12f0c07282bf1d2048c19ed16af786be4cd2ef4fbf4a722ff
Instruction ID: 35379300f38a7ef085c986b4859225ef7722870484d5d09201039c34fe2c0327
Opcode Fuzzy Hash: c3c4c08e778dc8f12f0c07282bf1d2048c19ed16af786be4cd2ef4fbf4a722ff
Instruction Fuzzy Hash: 4951EBB140C3C0CAE7619F24C45979BBBF4AF96308F14495CE5D81B792DBBA9148CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CCEF6D0 Relevance: 3.9, APIs: 3, Instructions: 110
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 6CCEF78F
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEF79E
memcpy.MSVCRT ref: 6CCEF7CB

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpy
String ID:
API String ID: 4164033339-0
Opcode ID: 6af51742b8e5722a95259d15a64a1ee5ece7343e53ac63d520af40431b595b26
Instruction ID: 2e8a2e286cef13af286a01b711375bb9e77dc27dd2a8355f33a0f2a432f9e3b1
Opcode Fuzzy Hash: 6af51742b8e5722a95259d15a64a1ee5ece7343e53ac63d520af40431b595b26
Instruction Fuzzy Hash: 3A31E875E042069FE7109BA7E880BAAF7B9FF8A318F194129DC1897741F730D805C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD2500 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,00000002,00000000,00000000), ref: 6CDD2504

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c39359bbe569ece7b67651f7765170398af4dcfa730a54239745832285ee5d8c
Instruction ID: afaa3d293fd4749387d61836570956e3c0e87eeb4d59116b53d0f45e26cdc272
Opcode Fuzzy Hash: c39359bbe569ece7b67651f7765170398af4dcfa730a54239745832285ee5d8c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6CDEB640 Relevance: 58.5, APIs: 31, Strings: 2, Instructions: 768memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6CDEB683
GetProcessHeap.KERNEL32(?), ref: 6CDEB6C3
HeapAlloc.KERNEL32(?,00000000,00000050,?), ref: 6CDEB6DD
GetProcessHeap.KERNEL32(?,00000000,00000050,?), ref: 6CDEB798
HeapAlloc.KERNEL32(?,00000000,00000030,?,00000000,00000050,?), ref: 6CDEB7B2
GetProcessHeap.KERNEL32 ref: 6CDEB91A
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CDEB92F
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CDEB97F
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CDEB998
GetProcessHeap.KERNEL32(?), ref: 6CDEB9B6
HeapAlloc.KERNEL32(?,00000000,0000000C,?), ref: 6CDEB9D0
GetProcessHeap.KERNEL32 ref: 6CDEBADC
HeapAlloc.KERNEL32(?,00000000,00000007), ref: 6CDEBAFB
GetProcessHeap.KERNEL32 ref: 6CDEBB1C
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CDEBB3B
memcpy.MSVCRT ref: 6CDEBB53
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CDEBB88
GetProcessHeap.KERNEL32 ref: 6CDEBC29
HeapAlloc.KERNEL32(?,00000008,?), ref: 6CDEBC42
GetProcessHeap.KERNEL32 ref: 6CDEBCA2
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CDEBCBB
GetProcessHeap.KERNEL32 ref: 6CDEBE2E

Strings

0, xrefs: 6CDEB7CC
, xrefs: 6CDEB81D

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Free$InfoSystemmemcpy
String ID: $0
API String ID: 4091343045-272453368
Opcode ID: 2b5c7af107c00ba53b25338fe37c7e18bb183169b73decb0e8c3a8eb93a2d529
Instruction ID: f5c18cd546aa8a3aeb0cd3f864b79461adf84a0e585425d9c2fb2a15f95c7ed9
Opcode Fuzzy Hash: 2b5c7af107c00ba53b25338fe37c7e18bb183169b73decb0e8c3a8eb93a2d529
Instruction Fuzzy Hash: 30624A70A097419FD720DF25C880B6BBBF5BF8A348F10491DE4999B7A1EB70D849CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CE1F560 Relevance: 44.1, APIs: 22, Strings: 7, Instructions: 552memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE1F57A
HeapAlloc.KERNEL32(00000000,00000000,00000003), ref: 6CE1F58E
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,?,?,00000000), ref: 6CE1F6D8
GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F70F
HeapAlloc.KERNEL32(00000003,00000000,00000021,?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F723
memcpy.MSVCRT ref: 6CE1F73A
GetProcessHeap.KERNEL32(00000003,00000000,00000021,?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F759
HeapAlloc.KERNEL32(00000000,00000000,0000000C,00000003,00000000,00000021,?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F76D
GetProcessHeap.KERNEL32(00000000,00000000,0000000C,00000003,00000000,00000021,?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F7A0
HeapAlloc.KERNEL32(00000000,00000000,0000000C,00000000,00000000,0000000C,00000003,00000000,00000021,?,?,?,?,?,00000000,00000000), ref: 6CE1F7B4
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F807
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F811
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,00000003), ref: 6CE1F824
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F83F
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 6CE1F85A
GetProcessHeap.KERNEL32 ref: 6CE1F996
HeapAlloc.KERNEL32(00000001,00000000,00000018), ref: 6CE1F9AA

Strings

', xrefs: 6CE1F78A
/C[INFO] WOW64 redirection reverted, xrefs: 6CE1F60D
!, xrefs: 6CE1F745
failed to spawn thread/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\thread\mod.rs, xrefs: 6CE1FB86
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned., xrefs: 6CE1F61D
called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs, xrefs: 6CE1FC0B
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 6CE1FBBA, 6CE1FBD9

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$CloseFreeHandle$memcpy
String ID: !$'$/C[INFO] WOW64 redirection reverted$called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$failed to spawn thread/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\thread\mod.rs$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned.
API String ID: 1376290354-2163988920
Opcode ID: 9defd1c3ee887d506dfa57604338d093e027f5e7628cdef28b7ce97ef1fc3f76
Instruction ID: 55990ba2ce5b2a53ecdb6e1fb9d8659519e1fea22f51562cf16f8cad93355b7e
Opcode Fuzzy Hash: 9defd1c3ee887d506dfa57604338d093e027f5e7628cdef28b7ce97ef1fc3f76
Instruction Fuzzy Hash: B422C4B1D043089BEB10CFA5DC45BEEBBB4BF0530CF244019E914ABB91EB799955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0DDE7 Relevance: 33.8, APIs: 16, Strings: 3, Instructions: 590memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,00000000,00000020), ref: 6CD0DE00
GetProcessHeap.KERNEL32 ref: 6CD0DF40
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CD0DF59
memcpy.MSVCRT ref: 6CD0DF6D
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0DFB8
HeapFree.KERNEL32(6CF8B0E0,00000000), ref: 6CD0E01A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD116D2
j j, xrefs: 6CD0DDFB
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD0E25C, 6CD0E344, 6CD0E683

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFree$Processmemcpy
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$called `Result::unwrap()` on an `Err` value$j j
API String ID: 1009194398-2602185676
Opcode ID: bda7877485d4fd81cf0a3d87d1b394c5e32d17850bfbbe011d15a16b9f8f9abc
Instruction ID: 12f699ea6251c2620be030213c51c5418c3af9426e62f1b2d7a83059ddb7c47b
Opcode Fuzzy Hash: bda7877485d4fd81cf0a3d87d1b394c5e32d17850bfbbe011d15a16b9f8f9abc
Instruction Fuzzy Hash: AA526CB1A09B84CBD720DF64C844BDFB7F4BF89308F108A1DE4985B661DB719549CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD08910 Relevance: 30.5, APIs: 14, Strings: 3, Instructions: 737COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CD073DA), ref: 6CD08943
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CD073DA), ref: 6CD089FF
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD08B5B
memmove.MSVCRT ref: 6CD08BD3
ReleaseSRWLockExclusive.KERNEL32(?,?,?), ref: 6CD08C3B

Part of subcall function 6CDCA0C0: QueryPerformanceCounter.KERNEL32 ref: 6CDCA0DD

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CD08E84

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD08C93, 6CD08CE4, 6CD092F9, 6CD0933C
internal error: entered unreachable code/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\sync\mpmc\mod.rs(WlP, xrefs: 6CD08B42, 6CD0938F
h[lT, xrefs: 6CD08D29, 6CD092C3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExclusiveLock$Release$Acquire$CounterPerformanceQuerymemmove
String ID: called `Result::unwrap()` on an `Err` value$h[lT$internal error: entered unreachable code/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\sync\mpmc\mod.rs(WlP
API String ID: 3634184793-724416604
Opcode ID: 96300f3617d9bb90b5e61d6fa2f173b50d8046b3845e232fc61e2ff5d61941a9
Instruction ID: 5a35c3a7dbbb50932fde62fa9b0d2cd930062dcd2f311e7cbc0c2b83367dfb55
Opcode Fuzzy Hash: 96300f3617d9bb90b5e61d6fa2f173b50d8046b3845e232fc61e2ff5d61941a9
Instruction Fuzzy Hash: 0C529071709300DFD700DF29C880B5AB7F5AF85328F298A5EE8985BB61D735D845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2BB10 Relevance: 28.9, APIs: 19, Instructions: 434stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CE2BB87

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 7e232841a50195c0cad2d7e8fa1f72d0a137f443ae6c0c7c2a9d726eefebae02
Instruction ID: d32d6e2b7a4412610795a5571844b9e54c3fb6e9e06eb64234fa877903bacc12
Opcode Fuzzy Hash: 7e232841a50195c0cad2d7e8fa1f72d0a137f443ae6c0c7c2a9d726eefebae02
Instruction Fuzzy Hash: 77F108B19083558FD700CF29C490395BBF2AF4631CF2C86AED9AA4F796C7799449CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6CD06DBB Relevance: 28.7, APIs: 14, Strings: 2, Instructions: 699memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0C550: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD12597), ref: 6CD0C56A

Part of subcall function 6CD0C580: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD125A1,?), ref: 6CD0C58D

SwitchToThread.KERNEL32 ref: 6CD06E82
GetProcessHeap.KERNEL32 ref: 6CD06EDA
HeapAlloc.KERNEL32(?,00000000,00000178), ref: 6CD06EF7
memset.MSVCRT ref: 6CD06F0E
GetProcessHeap.KERNEL32 ref: 6CD06F8D
HeapAlloc.KERNEL32(?,00000000,00000178), ref: 6CD06FAA
memset.MSVCRT ref: 6CD06FC1
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,00000000,00000178), ref: 6CD07004
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CD07096
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6CD070F8
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD07161
SwitchToThread.KERNEL32 ref: 6CD071C1
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6CD0748A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD07447
internal error: entered unreachable code/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\sync\mpmc\mod.rs(WlP, xrefs: 6CD076F4

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$ExclusiveLock$AllocProcessReleaseSwitchThreadmemset$Acquire
String ID: called `Result::unwrap()` on an `Err` value$internal error: entered unreachable code/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\sync\mpmc\mod.rs(WlP
API String ID: 3293618497-19801793
Opcode ID: 77818141c76ce9f1ae3c01754c5383f51dd383853c40069710e649300a5f2f8b
Instruction ID: 06a16b3be2ce129f08ed0935f191ba8706e0ed1b4f1eddf3a406ad004f32a789
Opcode Fuzzy Hash: 77818141c76ce9f1ae3c01754c5383f51dd383853c40069710e649300a5f2f8b
Instruction Fuzzy Hash: 8E42AD71B08741EBD710CF28C44075AB7F1BF85318F258A2DE9A99BB61DB31E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF57F0 Relevance: 23.2, APIs: 7, Strings: 8, Instructions: 728COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CCF5A21
memset.MSVCRT ref: 6CCF5A37
memcpy.MSVCRT ref: 6CCF5ABC

Strings

assertion failed: d.plus > 0, xrefs: 6CCF58DF
0, xrefs: 6CCF57FF
assertion failed: d.mant.checked_add(d.plus).is_some(), xrefs: 6CCF58F5
assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0kindEmptyZeroTryFromIntError, xrefs: 6CCF588B
assertion failed: d.minus > 0, xrefs: 6CCF58C9
assertion failed: buf.len() >= MAX_SIG_DIGITS, xrefs: 6CCF5921
assertion failed: d.mant.checked_sub(d.minus).is_some(), xrefs: 6CCF590B
assertion failed: d.mant > 0, xrefs: 6CCF58B3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID: 0$assertion failed: buf.len() >= MAX_SIG_DIGITS$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0kindEmptyZeroTryFromIntError
API String ID: 368790112-2344143831
Opcode ID: 8d3e8824f07d5dc5ad89ae325631bf080c03515d27c4e269effca7df31975547
Instruction ID: dd778d4846dd3a628db8344035b76b6fc7ed5a189fcd0c7cf325548d3ab900ae
Opcode Fuzzy Hash: 8d3e8824f07d5dc5ad89ae325631bf080c03515d27c4e269effca7df31975547
Instruction Fuzzy Hash: 52424671E002199BDF54CF64D880BED73B6BF89304F2585A9D829F7781F7319A4A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 6CE16B20 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 322memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 6CE16B39
GetLastError.KERNEL32 ref: 6CE16B41
GetProcessHeap.KERNEL32 ref: 6CE16BEA
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CE16C05

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CE16EF6
?, xrefs: 6CE16CF7

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocErrorLastNameProcessUser
String ID: ?$called `Result::unwrap()` on an `Err` value
API String ID: 434072182-3528718506
Opcode ID: 365862359d492f9382ffacdbe475e39de8ab7449dd33aa30aa62661a625ce1dc
Instruction ID: cb35f3b10d81a8c822d898ab3de37869c42ce4fc5d1d8dd04929d1ea238dc664
Opcode Fuzzy Hash: 365862359d492f9382ffacdbe475e39de8ab7449dd33aa30aa62661a625ce1dc
Instruction Fuzzy Hash: 58C1B3B2E092598BDF00CF99C8417EEBBB9FF45308F344129E814ABB41D7759A19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0A8A0 Relevance: 23.0, APIs: 15, Instructions: 462memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0A952
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0A9A7
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0C033

Part of subcall function 6CD07FE0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CD0B20E,00000000,?,?,?,?,6CD0690C), ref: 6CD07FEC
Part of subcall function 6CD07FE0: CloseHandle.KERNEL32(FFFFFFFF), ref: 6CD080B7
Part of subcall function 6CD07FE0: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CD08110

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$ExclusiveLock$AcquireCloseHandleRelease
String ID:
API String ID: 3404053607-0
Opcode ID: eb703a318c2cc94b82dd86be4ba67fbf57ea65556031282599e6504b2c2f0507
Instruction ID: ba329a550fe46e2899f621142f2d6264b20a057199c786c453aa7cb838162735
Opcode Fuzzy Hash: eb703a318c2cc94b82dd86be4ba67fbf57ea65556031282599e6504b2c2f0507
Instruction Fuzzy Hash: D102B171B04601DFCB14DF9DC880BAAB7B1FF85308F28416DD9596BB61DB31A845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFDCA0 Relevance: 23.0, APIs: 15, Instructions: 460memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,6CE086C4), ref: 6CDFDD52
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,6CE086C4), ref: 6CDFDDA7
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,?,?,6CE086C4,?,00000000), ref: 6CDFF673

Part of subcall function 6CDFA730: AcquireSRWLockExclusive.KERNEL32 ref: 6CDFA98C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$AcquireExclusiveLock
String ID:
API String ID: 2371024757-0
Opcode ID: ea6c6b229081447a58cdf517e178854e79d174fdb2a419ee5cbc19e8ae0ce6fe
Instruction ID: 01b7104772d94466fb64c9b9662a1289fb7871437d079e848791357847924573
Opcode Fuzzy Hash: ea6c6b229081447a58cdf517e178854e79d174fdb2a419ee5cbc19e8ae0ce6fe
Instruction Fuzzy Hash: 8B02B171A04205DFCB14DF59C880BAEF7F1FF45308F2A4169D9696BB61DB31A806CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF5821 Relevance: 21.7, APIs: 7, Strings: 7, Instructions: 719COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CCF5A21
memset.MSVCRT ref: 6CCF5A37
memcpy.MSVCRT ref: 6CCF5ABC

Strings

assertion failed: d.plus > 0, xrefs: 6CCF58DF
assertion failed: d.mant.checked_add(d.plus).is_some(), xrefs: 6CCF58F5
assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0kindEmptyZeroTryFromIntError, xrefs: 6CCF588B
assertion failed: d.minus > 0, xrefs: 6CCF58C9
assertion failed: buf.len() >= MAX_SIG_DIGITS, xrefs: 6CCF5921
assertion failed: d.mant.checked_sub(d.minus).is_some(), xrefs: 6CCF590B
assertion failed: d.mant > 0, xrefs: 6CCF58B3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID: assertion failed: buf.len() >= MAX_SIG_DIGITS$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0kindEmptyZeroTryFromIntError
API String ID: 368790112-1451125116
Opcode ID: 9d2482dae97f790299a10f0ed8052fd45858911cd287c95760279b9537b69092
Instruction ID: 9c6428e644cd42eea945396a4331589c5e24670e14637dd7d606a0cb59799e67
Opcode Fuzzy Hash: 9d2482dae97f790299a10f0ed8052fd45858911cd287c95760279b9537b69092
Instruction Fuzzy Hash: FE424871E002199BDF54CF64D880BED73B6BF49304F2585A9D829F7781F7349A4A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1B03B Relevance: 20.1, APIs: 7, Strings: 4, Instructions: 880COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?,00000020,00000002), ref: 6CD1B17D
BCryptGenRandom.BCRYPT(00000000,?,00000020,00000002), ref: 6CD1B2ED

Strings

4llY, xrefs: 6CD1B362
,ll, xrefs: 6CD1B1F2, 6CD1B1FE
@, xrefs: 6CD1B83B
te k, xrefs: 6CD1BF11

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CryptRandom
String ID: ,ll$4llY$@$te k
API String ID: 2662593985-925207699
Opcode ID: 533727676063573ec2fd450ad36062f4da498b0b67dd530951daa99d4480b8b3
Instruction ID: c6e6f10acd651aeffd1139c478c58a123d04ef9eb86793e20912e52c74f03ff6
Opcode Fuzzy Hash: 533727676063573ec2fd450ad36062f4da498b0b67dd530951daa99d4480b8b3
Instruction Fuzzy Hash: 26B2136440D3D08DD3328B6994517EBFFF06FEA315F084A8EE9D846293D6758288DB63

Uniqueness

Uniqueness Score: -1.00%

Function 6CDCA0C0 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 288COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 6CDCA0DD
GetLastError.KERNEL32 ref: 6CDCA0FD
QueryPerformanceFrequency.KERNEL32(00000000), ref: 6CDCA18C

Part of subcall function 6CDD96F0: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,6CDCA0F3,00000000,00000000), ref: 6CDD9729

Strings

attempt to divide by zero, xrefs: 6CDCA346
t{l, xrefs: 6CDCA3AE, 6CDCA3EA
overflow when subtracting durations, xrefs: 6CDCA3FC
|{lH, xrefs: 6CDCA3B2
called `Result::unwrap()` on an `Err` value, xrefs: 6CDCA11F, 6CDCA377
called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs, xrefs: 6CDCA39E
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CDCA3D1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$Frequency$CounterErrorLast
String ID: assertion failed: edelta >= 0library\core\src\num\diy_float.rs$attempt to divide by zero$called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs$called `Result::unwrap()` on an `Err` value$overflow when subtracting durations$t{l$|{lH
API String ID: 361767260-1598764566
Opcode ID: 49297a0a1796be110efbeee628887e1ef428d405d4400ac865b01983dc708d4d
Instruction ID: 11b80236c52806f2cf9c8e57348f425328dcb2bdf2a1c97d8f3dd278ca3113fb
Opcode Fuzzy Hash: 49297a0a1796be110efbeee628887e1ef428d405d4400ac865b01983dc708d4d
Instruction Fuzzy Hash: 77A1C1B2B043009BD704DF68CC41B9BB7EAABC4754F158A2DF45997BA0E731E9098793

Uniqueness

Uniqueness Score: -1.00%

Function 6CD20801 Relevance: 18.3, APIs: 6, Strings: 6, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD2095D
HeapAlloc.KERNEL32(00000001,00000000,?), ref: 6CD20970
memcpy.MSVCRT ref: 6CD20984
GetProcessHeap.KERNEL32 ref: 6CD209E8
HeapAlloc.KERNEL32(00000001,00000000,?), ref: 6CD209F7
memcpy.MSVCRT ref: 6CD20A07

Strings

FALS, xrefs: 6CD208FD
fals, xrefs: 6CD208E7
True, xrefs: 6CD208B7
true, xrefs: 6CD208A0
TRUE, xrefs: 6CD208A8
Fals, xrefs: 6CD20916

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpy
String ID: FALS$Fals$TRUE$True$fals$true
API String ID: 4164033339-392382064
Opcode ID: 39ed6f3f62869e7b3e0ab8e7a5c32ee11fa655263a3ab6e663ede57cfbb52cfa
Instruction ID: a0ee5ab7530a7c93952d3d3eceac3fd15cf0b3b96690fbb8bfc0aed8dd226be5
Opcode Fuzzy Hash: 39ed6f3f62869e7b3e0ab8e7a5c32ee11fa655263a3ab6e663ede57cfbb52cfa
Instruction Fuzzy Hash: 41B12730A0D3C18FDB168F2488B05ABFFB5AF8324CB19819EC5D54BD62D738A519C791

Uniqueness

Uniqueness Score: -1.00%

Function 6CD18AD0 Relevance: 14.7, APIs: 1, Strings: 8, Instructions: 1216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CD19F32

Strings

2-byte k, xrefs: 6CD18EC0
expand 32-byte kte k, xrefs: 6CD18EFB
nd 3, xrefs: 6CD18E45
nd 32-by, xrefs: 6CD18F69
expate k, xrefs: 6CD18E6F
expa, xrefs: 6CD18F79
nd 32-by, xrefs: 6CD18E51
expa, xrefs: 6CD18ECF

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: 2-byte k$expa$expa$expand 32-byte kte k$expate k$nd 3$nd 32-by$nd 32-by
API String ID: 3510742995-3738056600
Opcode ID: 1a36bec88eed8aa5e7e07c4741e89496ad745cfb8a994606b7c4fa921bb846ac
Instruction ID: 49ea64669c67d412110ce674cd550b5b297d6974d5fd5db665e9563362a38710
Opcode Fuzzy Hash: 1a36bec88eed8aa5e7e07c4741e89496ad745cfb8a994606b7c4fa921bb846ac
Instruction Fuzzy Hash: 1BE245B1D002288FDB64CFA9C984BCDFBB1BF48314F6581AAD509BB201D7746A96CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD0E50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CDCF000: CreateFileW.KERNEL32(?,00120114,?,?,?,?,00000000), ref: 6CDCF1E8
Part of subcall function 6CDCF000: HeapFree.KERNEL32(00000000,?), ref: 6CDCF206

DeviceIoControl.KERNEL32(?,000900A8,00000000,00000000,?,00004000,00000000,00000000), ref: 6CDD0EE3
GetLastError.KERNEL32 ref: 6CDD0F48
CloseHandle.KERNEL32(?), ref: 6CDD0FC7
GetProcessHeap.KERNEL32 ref: 6CDD0FF7
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CDD100D
memcpy.MSVCRT ref: 6CDD103F
HeapFree.KERNEL32(00000000,?), ref: 6CDD10DE

Strings

J^l, xrefs: 6CDD0E66, 6CDD0EAA

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocCloseControlCreateDeviceErrorFileHandleLastProcessmemcpy
String ID: J^l
API String ID: 1740046355-3444829382
Opcode ID: bcd20a1724e9570d92dd7ca1b55613b9181516452e23e3d1b69bd1ffb9e28d7b
Instruction ID: 01a615e118c7d29a8860f3ca4dcb379ea4fa20b3f6963aa068c824a1f1beec6c
Opcode Fuzzy Hash: bcd20a1724e9570d92dd7ca1b55613b9181516452e23e3d1b69bd1ffb9e28d7b
Instruction Fuzzy Hash: 7981EBB19087819AD700CF24C841B6BB7F5EFC5748F218A1DF8995B6A1E774E508CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1A8A0 Relevance: 13.8, APIs: 3, Strings: 6, Instructions: 259memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD1AA55
HeapAlloc.KERNEL32(00000000,00000000,00000017), ref: 6CD1AA72
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD1AC66

Strings

st b, xrefs: 6CD1AA9E
ss t, xrefs: 6CD1AA90
100, xrefs: 6CD1AA82
called `Result::unwrap()` on an `Err` value, xrefs: 6CD1AAD2, 6CD1ABE9
han , xrefs: 6CD1AA89
e le, xrefs: 6CD1AA97

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcess
String ID: 100$called `Result::unwrap()` on an `Err` value$e le$han $ss t$st b
API String ID: 2113670309-902743412
Opcode ID: ac6657fbe89c02c5a3f83b63e65647cb1e1ffe24edc16d7d07c9764ceeb872b9
Instruction ID: 8ba78a8669fa9f77702550d5042ecbfab06dce6ad0e3baa8b4d8bd5549ede8e4
Opcode Fuzzy Hash: ac6657fbe89c02c5a3f83b63e65647cb1e1ffe24edc16d7d07c9764ceeb872b9
Instruction Fuzzy Hash: 87C1F0B16083449FD710CF25D481B8BBBE1BF88358F148A2DE8999B761D774E948CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD02FA0 Relevance: 13.8, APIs: 7, Strings: 2, Instructions: 250memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001), ref: 6CD02FB0
TlsGetValue.KERNEL32(00000000), ref: 6CD02FD8
TlsGetValue.KERNEL32(-00000001,00000000), ref: 6CD02FF1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6CD03011
HeapAlloc.KERNEL32(00000000,00000000,0000000C,00000000,00000000), ref: 6CD03025
TlsSetValue.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CD03051
TlsGetValue.KERNEL32(00000000,00000000), ref: 6CD030D1

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 6CD03214
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CD03259

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Value$Heap$AllocProcess
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$assertion failed: edelta >= 0library\core\src\num\diy_float.rs
API String ID: 3559649508-2220681599
Opcode ID: 972955eb6b35340682bad2130566a1a07751a0d6716edaaf9dc242f192c66faa
Instruction ID: 923fdb33283bc8af99eadd749c0142f5445fdfa2e5f46a8272d2d3d3704626c6
Opcode Fuzzy Hash: 972955eb6b35340682bad2130566a1a07751a0d6716edaaf9dc242f192c66faa
Instruction Fuzzy Hash: 28814C71F01204DFEB204F29C805FA677B9EF0234CF148569E8499BBA1D73AE549C761

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD1950 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 146filenativesynchronizationCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL ref: 6CDD19B2
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6CDD19C1
RtlNtStatusToDosError.NTDLL ref: 6CDD19F7
NtWriteFile.NTDLL ref: 6CDD1AD2
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 6CDD1AE1

Strings

called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs, xrefs: 6CDD1A2C
jjj, xrefs: 6CDD1ACB

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FileObjectSingleWait$ErrorReadStatusWrite
String ID: called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs$jjj
API String ID: 221916143-3878638358
Opcode ID: 03eef7dd2e6795799b2d12d364c1a6665e97af40eadc7047f68600cfc80a6d2a
Instruction ID: bd2be75e35926928e116794b01636e91bb4fa06bef37b339ecc470140f7da9df
Opcode Fuzzy Hash: 03eef7dd2e6795799b2d12d364c1a6665e97af40eadc7047f68600cfc80a6d2a
Instruction Fuzzy Hash: E55187B1908345AFE700CF14CC41B9BBBE8EB85728F11892DF5E497691D3B4E949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE1400 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CCE1410
LoadLibraryA.KERNEL32 ref: 6CCE1426
GetProcAddress.KERNEL32 ref: 6CCE1445
GetProcAddress.KERNEL32 ref: 6CCE1457

Strings

libgcc_s_dw2-1.dll, xrefs: 6CCE1409, 6CCE141F
__register_frame_info, xrefs: 6CCE143A
__deregister_frame_info, xrefs: 6CCE144C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: b9d8a0cdf6c412f3338e9e42c48c041568d0e77d96541178eb8e30e620bfcfc6
Instruction ID: ab26bf7e3fa2d05ea33d4357932a76e25a868fec3764e8001f582974667b020f
Opcode Fuzzy Hash: b9d8a0cdf6c412f3338e9e42c48c041568d0e77d96541178eb8e30e620bfcfc6
Instruction Fuzzy Hash: 950180B2E193288BCB00BF78950732DBEB4FE46245F114A2DD48947A11E734A414CF93

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF64A0 Relevance: 12.1, Strings: 9, Instructions: 881COMMON

Download Yara Rule

Strings

assertion failed: d.plus > 0, xrefs: 6CCF58DF, 6CCF6FA8
assertion failed: d.mant.checked_add(d.plus).is_some(), xrefs: 6CCF58F5, 6CCF6FBE
attempt to divide by zero, xrefs: 6CCF6A1F
assertion failed: d.minus > 0, xrefs: 6CCF58C9, 6CCF6F92
assertion failed: buf.len() >= MAX_SIG_DIGITS, xrefs: 6CCF5921, 6CCF6FEA
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CCF7016
assertion failed: d.mant.checked_sub(d.minus).is_some(), xrefs: 6CCF590B, 6CCF6FD4
assertion failed: d.mant > 0, xrefs: 6CCF58B3, 6CCF63D7, 6CCF6F7C
assertion failed: d.mant + d.plus < (1 << 61), xrefs: 6CCF7000

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: assertion failed: buf.len() >= MAX_SIG_DIGITS$assertion failed: d.mant + d.plus < (1 << 61)$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: edelta >= 0library\core\src\num\diy_float.rs$attempt to divide by zero
API String ID: 0-205705915
Opcode ID: 3933582807865d427f6fd53f652c4864eacc880b20cfa5e096226dc14d36f3fc
Instruction ID: 6c2ef0dc0a7e5dfd6a01d84d866efc0f72d49e82ed3a5283af3de72cc6b4c1fc
Opcode Fuzzy Hash: 3933582807865d427f6fd53f652c4864eacc880b20cfa5e096226dc14d36f3fc
Instruction Fuzzy Hash: 07723D76A087119FC748CF28C48061AB7E2BFC8754F158A2DF8A997755D730ED09CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF3EC0 Relevance: 10.9, APIs: 5, Strings: 2, Instructions: 427memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CCF3F1E
HeapAlloc.KERNEL32(?,00000000), ref: 6CCF3F35
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6CCF3FE0

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 6CCF4205, 6CCF4364
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CCF4246, 6CCF43A9

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$assertion failed: edelta >= 0library\core\src\num\diy_float.rs
API String ID: 651230671-2220681599
Opcode ID: f2b8d5f7304ffe779acabbe2fdefcee32ecfcd061575ec677e570318c289eddf
Instruction ID: a3abfed1f110a6009eb54f9f0b7a2dea62c9ba5bc3b523761f9b574ec5990ded
Opcode Fuzzy Hash: f2b8d5f7304ffe779acabbe2fdefcee32ecfcd061575ec677e570318c289eddf
Instruction Fuzzy Hash: 24E18A72A002158FEB14CF29C881BBAB7B5FF85318F148179E9199B781E734AD0AC791

Uniqueness

Uniqueness Score: -1.00%

Function 6CD21670 Relevance: 10.6, APIs: 8, Instructions: 620memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,6CD0BEF8,?,?,?,?), ref: 6CD217A0
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,6CD0BEF8,?,?,?,?), ref: 6CD2196F
HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,6CD0BEF8,?,?,?), ref: 6CD21984
memcpy.MSVCRT ref: 6CD21A9C
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD21B14
memcpy.MSVCRT ref: 6CD21CD4
memcpy.MSVCRT ref: 6CD21D4F
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?), ref: 6CD21D79

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$FreeProcess$Alloc
String ID:
API String ID: 1235786331-0
Opcode ID: 58ae943cd7713ad8b7fc267c1342a6c50b984dcc7b88ad57a5d440de3206a10c
Instruction ID: 1f431672ec53aae2b2c4b94cd7833f0ceab9bffef8c149b072a40f3653e533e7
Opcode Fuzzy Hash: 58ae943cd7713ad8b7fc267c1342a6c50b984dcc7b88ad57a5d440de3206a10c
Instruction Fuzzy Hash: 6C22F371E05215CBDF10CF64C8807AEB7B1BF4531CF288269DA65ABAA0D73ADD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1FAB0 Relevance: 9.8, APIs: 5, Strings: 1, Instructions: 788memoryCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CD1FB7A
GetProcessHeap.KERNEL32 ref: 6CD1FBFE
HeapAlloc.KERNEL32(00000001,00000000,00000011), ref: 6CD1FC14
memset.MSVCRT ref: 6CD1FC57

Strings

C:\Users\runneradmin\.cargo\registry\src\index.crates.io-1cd66030c949c28d\hashbrown-0.12.3\src\raw\mod.rs, xrefs: 6CD2052E

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemmovememset
String ID: C:\Users\runneradmin\.cargo\registry\src\index.crates.io-1cd66030c949c28d\hashbrown-0.12.3\src\raw\mod.rs
API String ID: 2660627060-3661997313
Opcode ID: a538269428feb28627b7132635a04637b28450efb23ca2bb3e916024f2ffd741
Instruction ID: 6910373e57b8508c852db202681301d1a6f1fd90c4310f0e3a0d9ac75dc7a0db
Opcode Fuzzy Hash: a538269428feb28627b7132635a04637b28450efb23ca2bb3e916024f2ffd741
Instruction Fuzzy Hash: 89623871D097644FDB12DB3DC4506AAFFB1AFA7244B09C75AE8697BB61C730A8028750

Uniqueness

Uniqueness Score: -1.00%

Function 6CD3FE90 Relevance: 8.5, APIs: 2, Strings: 3, Instructions: 956COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CD3FF1A
memcpy.MSVCRT ref: 6CD40090

Strings

assertion failed: ee + 15 < 512, xrefs: 6CD40C6F
assertion failed: cc + 15 < 512, xrefs: 6CD40C7D
assertion failed: self.counter1024 % 16 == 0/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/rand_hc-0.3.1/src/hc128.rs, xrefs: 6CD40C61

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: assertion failed: cc + 15 < 512$assertion failed: ee + 15 < 512$assertion failed: self.counter1024 % 16 == 0/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/rand_hc-0.3.1/src/hc128.rs
API String ID: 1297977491-1825198817
Opcode ID: 6b1b3da28788f2573d6f39e589c820e1f8242d3cd4c613dcabcce12f2d817f73
Instruction ID: 95defbdb4dd354762e6042e05fdd2a8dc6e6325f42a972430e5e4e865207d397
Opcode Fuzzy Hash: 6b1b3da28788f2573d6f39e589c820e1f8242d3cd4c613dcabcce12f2d817f73
Instruction Fuzzy Hash: DDA22C75D006198FCB18CF4CD490AA9B7F1FF88358F1A81ADE949AB351CB34A952CF84

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2DE50 Relevance: 8.0, APIs: 5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3b9fa05b53efc8474eb10fd678b1593c6f7063641f891777c0add326ae3dc0
Instruction ID: 718a67801a51854e985ef6b08aea5dab1c618f3282ac8e42d4ce0fc59c34f121
Opcode Fuzzy Hash: dd3b9fa05b53efc8474eb10fd678b1593c6f7063641f891777c0add326ae3dc0
Instruction Fuzzy Hash: 5A129F75608B168FD710CF28C48075AB7F1BF89319F248A2DE99997B41D738E946CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD36EA0 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 849memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD37028
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD370FB

Strings

, xrefs: 6CD3726C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-3916222277
Opcode ID: 62a8c5e28f6843b6b62a91f89fc6272f1f1fc56afc57e6ee1adea962b03c8280
Instruction ID: 75a231c1fcb280aa79d56492161479dcc4c366ef8e5cbf826e9ce7d37f78aee0
Opcode Fuzzy Hash: 62a8c5e28f6843b6b62a91f89fc6272f1f1fc56afc57e6ee1adea962b03c8280
Instruction Fuzzy Hash: 62826875909B55DBC701CF28C88061BB7F1BFCA354F119B1DE8A96B261DB30E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CD13DAF Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CD1456B
HeapFree.KERNEL32(6CF8B0E0,00000000), ref: 6CD1458E
memset.MSVCRT ref: 6CD145EC
memcpy.MSVCRT ref: 6CD148C4

Strings

, xrefs: 6CD14761

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcpy$FreeHeapmemset
String ID:
API String ID: 389588089-3916222277
Opcode ID: 51072a00697b358ba77bbaf1ba83dea1659e930437b48656892b7608474f30f5
Instruction ID: a12b0d3fb3c4130714039a140da97ec07b074286568eb0c5eb84753f26e1e906
Opcode Fuzzy Hash: 51072a00697b358ba77bbaf1ba83dea1659e930437b48656892b7608474f30f5
Instruction Fuzzy Hash: A881EB7192D3C08BE372CB6888807DAB795AFDA308F144B2DF8C857A52E7754289C753

Uniqueness

Uniqueness Score: -1.00%

Function 6CD05D04 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 6CDEEBE0: GetProcessHeap.KERNEL32 ref: 6CDEEC32
Part of subcall function 6CDEEBE0: HeapAlloc.KERNEL32(00000000,00000000,0003A420), ref: 6CDEEC49
Part of subcall function 6CDEEBE0: memset.MSVCRT ref: 6CDEEC6F
Part of subcall function 6CDEEBE0: GetProcessHeap.KERNEL32 ref: 6CDEECB7
Part of subcall function 6CDEEBE0: HeapAlloc.KERNEL32(00000000,00000000,00000009), ref: 6CDEECCB
Part of subcall function 6CDEEBE0: GetProcessHeap.KERNEL32(00000000,00000000,00000009), ref: 6CDEED88
Part of subcall function 6CDEEBE0: HeapAlloc.KERNEL32(00000000,00000000,000000A0,00000000,00000000,00000009), ref: 6CDEED9F

GlobalMemoryStatusEx.KERNEL32(01010101), ref: 6CD05D5B
GetPerformanceInfo.PSAPI(?,00000038), ref: 6CD05DA8
GetDiskFreeSpaceExW.KERNEL32(?,00000000,00000000,00000000), ref: 6CD05EBB

Strings

@, xrefs: 6CD05D52

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$DiskFreeGlobalInfoMemoryPerformanceSpaceStatusmemset
String ID: @
API String ID: 2129359485-2766056989
Opcode ID: 96c61e5a653ae5327af98da63dac3f360a22ab2720ecbb24568e30e9177f5bca
Instruction ID: 1e94130dc36daef6645e4bd02c0328750d822ccba18f7cd2ebfa13f6561e0bee
Opcode Fuzzy Hash: 96c61e5a653ae5327af98da63dac3f360a22ab2720ecbb24568e30e9177f5bca
Instruction Fuzzy Hash: 56618E71A083809BE721CF18D885BDAB7E5BFC9318F54491DF9C897260E731E589CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD2C0A0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 419memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD2C68D

Part of subcall function 6CD29170: memcpy.MSVCRT ref: 6CD291C3
Part of subcall function 6CD29170: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,00000000,?,?,6CD28804), ref: 6CD291F8

Strings

?, xrefs: 6CD2C241
attempt to divide by zeroassertion failed: self.len() <= isize::MAX as usize/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/zeroize-1.5.7/src/lib.rs, xrefs: 6CD2C430
capacity overflow, xrefs: 6CD2C44A

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$memcpy
String ID: ?$attempt to divide by zeroassertion failed: self.len() <= isize::MAX as usize/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/zeroize-1.5.7/src/lib.rs$capacity overflow
API String ID: 1887603139-3695021941
Opcode ID: f8713efca65de8185e4699f2323703c337df21dbf841975359314bbfb430e40b
Instruction ID: 79f489bc906b7731ed06fa10d9ae438a78d4eafdd3ae22ffa51a93da59999286
Opcode Fuzzy Hash: f8713efca65de8185e4699f2323703c337df21dbf841975359314bbfb430e40b
Instruction Fuzzy Hash: DB029B71908F458BE711DF29C88061BB7F2BFCA398F108B1DE9995B621DB35D845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CDEACE0 Relevance: 6.2, APIs: 4, Instructions: 153comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 6CDEACFE
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000), ref: 6CDEAD31
CoCreateInstance.OLE32(6CE9B5C8,00000000,00000001,6CE9B5D8,00000000,00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 6CDEAD7E

Part of subcall function 6CDEAF90: SysAllocString.OLEAUT32(root\WMI), ref: 6CDEAFB5
Part of subcall function 6CDEAF90: SysFreeString.OLEAUT32(00000000), ref: 6CDEAFDB

CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,6CE9B5C8,00000000,00000001,6CE9B5D8,00000000,00000000,000000FF,00000000), ref: 6CDEAE0C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: InitializeString$AllocBlanketCreateFreeInstanceProxySecurity
String ID:
API String ID: 2775903894-0
Opcode ID: d5c5e503b58ca0b0fe09e6493d37ca00d98ac3185d6968f34307fb526555c712
Instruction ID: ece0b193ad6ffa57307939f2a01cf32c41f17648693fba51306b0234753ba7b1
Opcode Fuzzy Hash: d5c5e503b58ca0b0fe09e6493d37ca00d98ac3185d6968f34307fb526555c712
Instruction Fuzzy Hash: 46711771D01F0EAADB12CFA5C842B9EF7B5BF4A744F209309E8193A591DB70AA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF7040 Relevance: 5.4, Strings: 4, Instructions: 446COMMON

Download Yara Rule

Strings

attempt to divide by zero, xrefs: 6CCF735F
assertion failed: !buf.is_empty()called `Option::unwrap()` on a `None` valuex, xrefs: 6CCF7584
assertion failed: d.mant < (1 << 61)x, xrefs: 6CCF756E
assertion failed: d.mant > 0, xrefs: 6CCF7558

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: assertion failed: !buf.is_empty()called `Option::unwrap()` on a `None` valuex$assertion failed: d.mant < (1 << 61)x$assertion failed: d.mant > 0$attempt to divide by zero
API String ID: 0-4195645054
Opcode ID: fa907cc3ff0cbc3b63f6b4d5bc1c3a081bf389845358153d82553bfd53795122
Instruction ID: 1b3b4d3da20291588b4bb261bf4ae14ffb79f966d50ebdd24b855a1ef9c0241e
Opcode Fuzzy Hash: fa907cc3ff0cbc3b63f6b4d5bc1c3a081bf389845358153d82553bfd53795122
Instruction Fuzzy Hash: D2F1C172F006198BDB08CF69DC907EEB7F2AF88350F168139E925A7791E6349D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA14FE Relevance: 5.0, APIs: 2, Strings: 1, Instructions: 523COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CDA15AE
memcpy.MSVCRT ref: 6CDA1A47

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6CDA1C85

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: called `Option::unwrap()` on a `None` value
API String ID: 3510742995-836832528
Opcode ID: 36aebc8aacfb95733cd637334e813d83b1eca0cb443264b30a36b8ca41bb8ecc
Instruction ID: 3d6f7f78c886a85f83b8efbd716b60b95767452185bfd835a90186c6c2ca15fc
Opcode Fuzzy Hash: 36aebc8aacfb95733cd637334e813d83b1eca0cb443264b30a36b8ca41bb8ecc
Instruction Fuzzy Hash: EEF1EA7148E3A4AFC7028BA1DC519F77F749F03258B0A42D7F4448BA63D2269B99C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD20C40 Relevance: 4.3, APIs: 3, Instructions: 562memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD20F8F
HeapAlloc.KERNEL32(?,00000000,00000005), ref: 6CD20FA8

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: f2b3e9d673c5e480f90ae80149af121ad6b9d34b76e3ef10439c30161b547429
Instruction ID: 238bdd5196b25b9cff80a62f40fd845143ebd4a44cf4747e2d46fe171eb6a876
Opcode Fuzzy Hash: f2b3e9d673c5e480f90ae80149af121ad6b9d34b76e3ef10439c30161b547429
Instruction Fuzzy Hash: 1A126CB2E01695CBC714CF68C8902AEF7B1BF45358F28832AD555A7BA1D379ED40C790

Uniqueness

Uniqueness Score: -1.00%

Function 6CCEBA40 Relevance: 4.2, APIs: 3, Instructions: 458memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCEBA6B
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEBA84

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 11c8496a8baaca08855d2c8fc70b1e1f33819b08da776de57de579faedcc0bf7
Instruction ID: fa3d0f09378f5e11077b61218e1a64f887c9af548b05d17cfac3970a95d68ed4
Opcode Fuzzy Hash: 11c8496a8baaca08855d2c8fc70b1e1f33819b08da776de57de579faedcc0bf7
Instruction Fuzzy Hash: ABF16C72E0471A4BDB05CE39C8A16BDB7B2BF8F344F188329E85567B45F730AA418784

Uniqueness

Uniqueness Score: -1.00%

Function 6CD00F3E Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 6CD011A5
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CD011E6
called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\sync\once.rs, xrefs: 6CD01002

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$assertion failed: edelta >= 0library\core\src\num\diy_float.rs$called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\sync\once.rs
API String ID: 3298025750-2254546133
Opcode ID: 4a9c019bc469835ca493c5f87d3ea079bdea6e04cc310a0ce5033beeb24af22d
Instruction ID: ffa4fc602edd7d77b47893640eb6164af8b8885a24ad82f8efcf37a91f1540f1
Opcode Fuzzy Hash: 4a9c019bc469835ca493c5f87d3ea079bdea6e04cc310a0ce5033beeb24af22d
Instruction Fuzzy Hash: 7BA18B32B042489FDB14CF6CC882BFAB7B6EF85318F108268E9159B7E2D7349908C751

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE1C30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 633COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CCE1C43

Strings

!, xrefs: 6CCE1C61

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memset
String ID: !
API String ID: 2221118986-1387752520
Opcode ID: c3c3017c3d2b5c7f9605994dd18b3ca24f451a551453f6dc40b8b38816efb03c
Instruction ID: 37fe8b2d57d489b55da5f5ede3563ef4228a632d0e913099371977cffc5f6514
Opcode Fuzzy Hash: c3c3017c3d2b5c7f9605994dd18b3ca24f451a551453f6dc40b8b38816efb03c
Instruction Fuzzy Hash: F1429375E25F9842E723963598037E7E7A4AFFB248F00D71FEDAA32E50DB24B5419240

Uniqueness

Uniqueness Score: -1.00%

Function 6CD38A60 Relevance: 3.0, APIs: 2, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11671aece59c0aac73dafede399bafd817862ca4b616e35b1c166d5d2fb7044d
Instruction ID: 6304cfbb46e39d99dec5dbfba8d03e0600627c310b9e77193b3561ecca2d4172
Opcode Fuzzy Hash: 11671aece59c0aac73dafede399bafd817862ca4b616e35b1c166d5d2fb7044d
Instruction Fuzzy Hash: AD024676E30B6686EB035B3DE9421A9B778AFE7345F09C32BFD5432950F7215602C248

Uniqueness

Uniqueness Score: -1.00%

Function 6CCFDE84 Relevance: 3.0, Strings: 2, Instructions: 459COMMON

Download Yara Rule

Strings

0000, xrefs: 6CCFE1A1, 6CCFE050
attempt to divide by zero, xrefs: 6CCFE527

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0000$attempt to divide by zero
API String ID: 0-2494717124
Opcode ID: 1f80993cd44de302fc86b667cb82acb260b11966c49cb0e903e9e0b648f6bcb2
Instruction ID: c1e2eb2f9c9a1295a5c344e5b6a2ff7664036571a7442f3f4de67366247eba3c
Opcode Fuzzy Hash: 1f80993cd44de302fc86b667cb82acb260b11966c49cb0e903e9e0b648f6bcb2
Instruction Fuzzy Hash: F1F1C071B093018FD748CF19C49075ABBE2AFC9314F15CA2EE8A997791E731DD468B82

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE50B0 Relevance: 2.9, Strings: 2, Instructions: 399COMMON

Download Yara Rule

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 6CCE5194, 6CCE5320, 6CCE5545
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CCE51D9, 6CCE539C, 6CCE5586

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$assertion failed: edelta >= 0library\core\src\num\diy_float.rs
API String ID: 0-2220681599
Opcode ID: c26d987acf298cd733ef884469bef46e1e27bc36c755452017e32d6f79410215
Instruction ID: f392663600f8449dfd18c3332b9089030f1d6412260aa4d418cd1b5f293d2788
Opcode Fuzzy Hash: c26d987acf298cd733ef884469bef46e1e27bc36c755452017e32d6f79410215
Instruction Fuzzy Hash: C7D1D332B042698FE7148A2DC851BFAB376FF8A314F008639E9499F7C2E6799D05C751

Uniqueness

Uniqueness Score: -1.00%

Function 6CD22080 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 6CD22205, 6CD223F5
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CD2224B, 6CD22436

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$assertion failed: edelta >= 0library\core\src\num\diy_float.rs
API String ID: 0-2220681599
Opcode ID: 55a57513b35cedd3ef8836137157c5af06593ea9e7c5f8b5418a3507f2b25b26
Instruction ID: e967fc2e3d2511f4e4cd5a23bae615c83e047aafaa8e569124f3dc58e87e23f1
Opcode Fuzzy Hash: 55a57513b35cedd3ef8836137157c5af06593ea9e7c5f8b5418a3507f2b25b26
Instruction Fuzzy Hash: 86B16D327141558FE7188B2CC899BBAB376FF9532CF108679FA498B7D2E6389845C350

Uniqueness

Uniqueness Score: -1.00%

Function 6CCFD0E0 Relevance: 1.8, APIs: 1, Instructions: 535COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6CCFD288

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 0be9516f759bb08367adcf5869369d1201bf72342a50f7ac874ed8d4305ba1ed
Instruction ID: 4797e9ed9127d099ef0ea16b37344c56a37ecacc336be5d180c1a0e57d7f5eb0
Opcode Fuzzy Hash: 0be9516f759bb08367adcf5869369d1201bf72342a50f7ac874ed8d4305ba1ed
Instruction Fuzzy Hash: DA12E575E042168FCB05CF29C4807AEB7F2AF9A354F26836AE815B7751E770AD4287D0

Uniqueness

Uniqueness Score: -1.00%

Function 6CDC2090 Relevance: 1.7, APIs: 1, Instructions: 445COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF), ref: 6CDC218D

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a4a5d52d421cc430c9542ded50ff9717fe1712568717fdb2d5e5b34449898da4
Instruction ID: 69b1d7a420b28b192393c381a48cbb9d0295e01017f04fce97cd1a74fe9cb7f3
Opcode Fuzzy Hash: a4a5d52d421cc430c9542ded50ff9717fe1712568717fdb2d5e5b34449898da4
Instruction Fuzzy Hash: 5A026C72A083508FD714CF29C89075EF7E5BFC8324F158A2EE9A9977A0D7759804CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CCFF440 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 6CCFF495, 6CCFF525, 6CCFF5BC, 6CCFF64C, 6CCFF6E2, 6CCFF782, 6CCFF839, 6CCFF8E9

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-485157861
Opcode ID: 8197ee564e80cf43ffcae27665dce51b69a82bda4c2c9632ef85b1803288a184
Instruction ID: 4837778cdab7b261797c183add6ec049d6c7fcd9cf8ee6a3fb2c1d7a553b36e3
Opcode Fuzzy Hash: 8197ee564e80cf43ffcae27665dce51b69a82bda4c2c9632ef85b1803288a184
Instruction Fuzzy Hash: 5DD17C72E00254AFEB244B18EC45FFAB769EF85318F048138FA586F782DA755D0AC790

Uniqueness

Uniqueness Score: -1.00%

Function 6CD04790 Relevance: 1.5, APIs: 1, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD04960

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e78a51342eddf4ab2c9de514c9a393ed0acf2306bb486c744695ffbf4ad4ae8b
Instruction ID: 0074f258d37e2ea55bd1b7de4cc2600dbd4a9e2489d22831218b7a41ee1ec77e
Opcode Fuzzy Hash: e78a51342eddf4ab2c9de514c9a393ed0acf2306bb486c744695ffbf4ad4ae8b
Instruction Fuzzy Hash: 29C18D70E04B198BDB10CFADC4907AEB7F2FF9A314F10822ED469AB6A1C7749945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CD22640 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 6CD22652

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 5c576fc24f6e8369fd3d3cd96ffba47190fd06c0bf65f92d6d7af0636e92b47b
Instruction ID: 2c605053ce189a0ac5515d56c5ccc6c64f4163a63377ce548af082d0c7e3edef
Opcode Fuzzy Hash: 5c576fc24f6e8369fd3d3cd96ffba47190fd06c0bf65f92d6d7af0636e92b47b
Instruction Fuzzy Hash: D2D05E323942086EEB049EB99C09FB733D9AB88618F208424F90ECA581E564D8004550

Uniqueness

Uniqueness Score: -1.00%

Function 6CD3AED0 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fbc2fd5b81998d7d8a071fe2811c85c186650915add4b5709901eb81786625
Instruction ID: f2ab24a9844a180be37afc1c120ba5e90565d041e39bbe6bdbb4b5d737a8e09b
Opcode Fuzzy Hash: 16fbc2fd5b81998d7d8a071fe2811c85c186650915add4b5709901eb81786625
Instruction Fuzzy Hash: 63629C71E00A29CBCB14CF98C4907AEF7B1FF4A314F25926AD858BB791C7759D818B90

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA0E91 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45385492a4020898e971b0f71704674466a7aaedfcfdc359359c3db9277ec0b
Instruction ID: c7d495a5dcb67fab70517b53edf6672e16e4ac00ede05ed7be59882f583ce681
Opcode Fuzzy Hash: f45385492a4020898e971b0f71704674466a7aaedfcfdc359359c3db9277ec0b
Instruction Fuzzy Hash: 41127F3184A382DFC7039FB4C8511997BF5AF47319B2A84FAD480DB562E37D588ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CD3B9A0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855ba48f5fffb7282bbd5aed48ccbeaca2b230ba58f668f888784da104c412b6
Instruction ID: 6cc4fea66f65a6a9c98355c65ac45ee9b328d93f332089ccec12e73841dd0aa5
Opcode Fuzzy Hash: 855ba48f5fffb7282bbd5aed48ccbeaca2b230ba58f668f888784da104c412b6
Instruction Fuzzy Hash: A4228E70E04A698BDB15CFA9C4503EEFBB1BF8A300F14825ED459BB781DB749A85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA4F40 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8edd90c632105b4c95f69994ca464a46f9ebc92567cef265b2d61f6b1e4260d
Instruction ID: 5e61aec0f6b28510693dee2cf6626afa6ce20f077975579e84f010d1cf0d201c
Opcode Fuzzy Hash: d8edd90c632105b4c95f69994ca464a46f9ebc92567cef265b2d61f6b1e4260d
Instruction Fuzzy Hash: EA12C131E04A19CBCB11CFA9C4803AEF7B2FF8A314F258269D8596B791D7759C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA55B0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e35c142868b44627c56a95987aaf684b145f52c73e2f292becd49c5231e6f71
Instruction ID: 8804b4cd90ad3aa8e2a6ac4efdf518716de3f0486e2420df9d11979b09f1f787
Opcode Fuzzy Hash: 5e35c142868b44627c56a95987aaf684b145f52c73e2f292becd49c5231e6f71
Instruction Fuzzy Hash: A202A435E05E19CBCB11CFA8C4807AEB7B2AF4A354F2482A9D8097F655EB358D47CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0CE70 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5941b04db232a910353bca7bbc04f4789ca7b70563a912600c8871805134b4
Instruction ID: a3e3c62795b6b04398200d1b4db34176642c6b3154d977e650acac3297021020
Opcode Fuzzy Hash: 4c5941b04db232a910353bca7bbc04f4789ca7b70563a912600c8871805134b4
Instruction Fuzzy Hash: 4EB1D375E057158FDB02DF7DC8812AAF7F1AF9A240F64C32AE825B7622D731E8818750

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE7AD0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5941b04db232a910353bca7bbc04f4789ca7b70563a912600c8871805134b4
Instruction ID: 7fe2b8d792c842a89f6f46e4f658c4e2f369a0273bd0411d75bcd98c3974a09f
Opcode Fuzzy Hash: 4c5941b04db232a910353bca7bbc04f4789ca7b70563a912600c8871805134b4
Instruction Fuzzy Hash: 19B1F571E057168FDB06DF7DC88126AF7F1AF9A240F55832AE825B7622E731E8818750

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1F6F0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5941b04db232a910353bca7bbc04f4789ca7b70563a912600c8871805134b4
Instruction ID: b33acec4ca9b9b630ed5942770e8f93930535d2135e569113771c24c9fa163fe
Opcode Fuzzy Hash: 4c5941b04db232a910353bca7bbc04f4789ca7b70563a912600c8871805134b4
Instruction Fuzzy Hash: 0CB1F475E197158FDB02DF7DC88126AF7F1BF9A240F54C32AE825B7A22D731A8818750

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE3FB0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955eb4e5b45e9059c91a2217d8ca98cedba0241f59eb2338f613b50f96b08863
Instruction ID: 3c7ac8a8c17c778a672e1f788be24e7e157962cd7aa543071664544c2ed9372f
Opcode Fuzzy Hash: 955eb4e5b45e9059c91a2217d8ca98cedba0241f59eb2338f613b50f96b08863
Instruction Fuzzy Hash: 28C13170C1DFC542E733A73E98032EAE7A4AFEB255F00DB0AEDE835D11DB21A6456241

Uniqueness

Uniqueness Score: -1.00%

Function 6CCECFF0 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259ccf681b5ac38167ebb6095f75bf86753556ed3a2169d97838b421cc10f66f
Instruction ID: 54b618789bd4e433fd97098e74ed7a4ad403efce30e78bda73e2d4f349f3c660
Opcode Fuzzy Hash: 259ccf681b5ac38167ebb6095f75bf86753556ed3a2169d97838b421cc10f66f
Instruction Fuzzy Hash: B391E5B0A087018BD714CF29C89176AB7E2BFCF314F158A2EE4958B781E735D985C792

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA1EB0 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf52fefd47fc3d40ebfdbf7a0078c9eaf05b0b7d300ee78e329a1046205f74f
Instruction ID: d5632cd744eefa61a0370ceda5986a372f5f8074e9c67a53a8ad4ba2f0a13504
Opcode Fuzzy Hash: baf52fefd47fc3d40ebfdbf7a0078c9eaf05b0b7d300ee78e329a1046205f74f
Instruction Fuzzy Hash: 267138B2D002559FD700DFA9C840AABB7F9EF86348F08C269D4496B711EB31E946C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE3880 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077f857fc95e9de93b93bf22a7222b223ecf341776a5fbd5a74f7481a976f95e
Instruction ID: c046acf4b1528f71e3a36ee86187bd5f28baa190b78c6430256e83326e630090
Opcode Fuzzy Hash: 077f857fc95e9de93b93bf22a7222b223ecf341776a5fbd5a74f7481a976f95e
Instruction Fuzzy Hash: F5918872E106198F9F08CFEAD8815DEF7F2BF8C314B66816AD419FB204D77469428B94

Uniqueness

Uniqueness Score: -1.00%

Function 6CCFCC90 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6de02cd48be07d1f573e454a36241c9b05d79b644e644cf0e3b500e3153fa0
Instruction ID: 9ce5cc162347c0733e62e2e2eb82f5996f0dc5ae2d2b58d50369400389bb0cb2
Opcode Fuzzy Hash: 1d6de02cd48be07d1f573e454a36241c9b05d79b644e644cf0e3b500e3153fa0
Instruction Fuzzy Hash: 70617B33F166254BEB259B3DCC513A9B6629FD2354B1AC33ADC74B7795FB3095028280

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE3AC0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21c5529f0772083689dfc8eb28deda7be2f709c8ca1d821584ff3cf9671a535
Instruction ID: 39d4a6c35f7e849963cc2bf708ab4efaad8f99627c194b41a971455f5c33ba6b
Opcode Fuzzy Hash: f21c5529f0772083689dfc8eb28deda7be2f709c8ca1d821584ff3cf9671a535
Instruction Fuzzy Hash: 2A61D277E155319BE760CF50CC80759B2A6BBC93A4F1F42A9CD2A2B511DA30BA09CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE5B20 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233c2c2f5fd9a8bc013564f3573fe2225f198b6fbc5a8ab793d3bc39748220bd
Instruction ID: d4c9d8f4dedb3ce9eb50793a1060ec83e1d03bf8173c0911f1cc044726401dbb
Opcode Fuzzy Hash: 233c2c2f5fd9a8bc013564f3573fe2225f198b6fbc5a8ab793d3bc39748220bd
Instruction Fuzzy Hash: 9F61C4A6C2EBA14EDB13FA3A8412246D6A85FF75C8B50D70BFC9135672FB21B5C30251

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE5810 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d82159bb36dd1e3c1cfb0150e0b9b67f7906665545f8a60dc56a59dd69099f
Instruction ID: cacc6c1d03fc3fdaf9ad97c1da083c18410baab3116bb0d53fdb2f245f7ad7af
Opcode Fuzzy Hash: 79d82159bb36dd1e3c1cfb0150e0b9b67f7906665545f8a60dc56a59dd69099f
Instruction Fuzzy Hash: CD61A1A5C2EBA14EDB13FA3A841228AD6A85FF75C8B50D70BFC9135672E721B5C30251

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1F0A0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a82c9902031ab9e070728771b1a433a7981fe036b6d90ac304dfba823a885a
Instruction ID: 3b945a316cecda10d395ede6f2dad3b86cd278605b87d19b52b092270077482a
Opcode Fuzzy Hash: 39a82c9902031ab9e070728771b1a433a7981fe036b6d90ac304dfba823a885a
Instruction Fuzzy Hash: CD61B0A5C2EBA14EDB13FA3A8412286DAA84FF75C8B50D70BFC9135672E721B5C34251

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE3D70 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fced3df81500bb054c0549ab584360752711a90ea3159b13b83ac298d089b73
Instruction ID: a8645046cf17a9c1fc932386db9138d9bc8e0f5441fd1833691a203564aaae59
Opcode Fuzzy Hash: 4fced3df81500bb054c0549ab584360752711a90ea3159b13b83ac298d089b73
Instruction Fuzzy Hash: 21515E72F105154B9B48CFA9C8855AFF7F2EF88220719C13AD91AE7351DA74E901CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD40C90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6630cccdee9cb0ab248aef143c8d64895da61284240ac91d5d7021655b8c5e
Instruction ID: 8cab33edae8105fa45b372e6adfe243935425af6bdf31b722f4bf37e9d6bb02f
Opcode Fuzzy Hash: 0a6630cccdee9cb0ab248aef143c8d64895da61284240ac91d5d7021655b8c5e
Instruction Fuzzy Hash: 81E0E2756017199B87108F4ED840886FBE8EE88660700C42FE99DC7710D2B0A8008B90

Uniqueness

Uniqueness Score: -1.00%

Function 6CE1E5C0 Relevance: 44.0, APIs: 17, Strings: 12, Instructions: 475memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE1E70E
HeapAlloc.KERNEL32(?,00000000,00000003), ref: 6CE1E728
GetProcessHeap.KERNEL32(00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1E945
HeapAlloc.KERNEL32(?,00000000,0000001E,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1E95F
GetProcessHeap.KERNEL32(?,00000000,0000001E,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1E9C9
HeapAlloc.KERNEL32(?,00000000,0000000C,?,00000000,0000001E,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1E9E3
GetProcessHeap.KERNEL32(?,00000000,0000000C,?,00000000,0000001E,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1EA22

Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1811A
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE18122
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1812F
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1813D
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1814B

HeapAlloc.KERNEL32(?,00000000,0000000C,?,00000000,0000000C,?,00000000,0000001E,00000001,00000002,?,?,?,?,00000000), ref: 6CE1EA3C
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,?,?,?,?,00000000,00000003), ref: 6CE1EA8F
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,?,00000000,00000003), ref: 6CE1EA9E
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1EB11
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1EB31
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1EBDB
HeapFree.KERNEL32(6CF8B0E0,00000000,`vl,?,?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1EBEC
CloseHandle.KERNEL32(00000002,?,?,?,?,00000000,00000003), ref: 6CE1EC3F
CloseHandle.KERNEL32(00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1EC60
CloseHandle.KERNEL32(?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1EC7E

Strings

hl#, xrefs: 6CE1EB4C
fail, xrefs: 6CE1E974
`vl, xrefs: 6CE1EBAE, 6CE1EBE0, 6CE1E926, 6CE1EBB6
NING, xrefs: 6CE1E997
/C[INFO] WOW64 redirection reverted, xrefs: 6CE1E7E9
lf d, xrefs: 6CE1E989
ion , xrefs: 6CE1E97B
4l&, xrefs: 6CE1ECB5
', xrefs: 6CE1EA00
] Se, xrefs: 6CE1E990
called `Result::unwrap()` on an `Err` value, xrefs: 6CE1ECC2
elet, xrefs: 6CE1E982

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandle$Free$AllocProcess
String ID: '$/C[INFO] WOW64 redirection reverted$4l&$NING$] Se$`vl$called `Result::unwrap()` on an `Err` value$elet$fail$hl#$ion $lf d
API String ID: 196451283-3482696771
Opcode ID: 461f7682b4d9841b2ba86463d0e0171de9e58286de4ea4a6473de98fc0fefc43
Instruction ID: 775922758d94ab0a10e9d65ba6ebc1fbbaa5f84016854740aa7a3a5a275f90b8
Opcode Fuzzy Hash: 461f7682b4d9841b2ba86463d0e0171de9e58286de4ea4a6473de98fc0fefc43
Instruction Fuzzy Hash: 24227D70E05658CBEB20CF64CC45B9DBBB2BF05308F248199E519ABB91DB719A84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2A8B0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA15
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA1A
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA1F
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA24
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA29
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA2E
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA33
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA38
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA3D
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA42
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA47
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA4C
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA51
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA56
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA5B
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA60
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA68
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA6D
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA72
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA77
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA7C
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA81
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA86
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA8B

Strings

P, xrefs: 6CE2A950

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: abort
String ID: P
API String ID: 4206212132-3110715001
Opcode ID: c2a55ef51929a263e95ddff5047f217ce7685313d94bad75d9393927e1646890
Instruction ID: a7b7ac4ab487b17744e77c8be7b6ceccb3cd23f1aeea8c489195b9d170575eb2
Opcode Fuzzy Hash: c2a55ef51929a263e95ddff5047f217ce7685313d94bad75d9393927e1646890
Instruction Fuzzy Hash: 7A3157316887189FD7108F1AE481757B7F5AF8232CF29D95EE5A847B41C33CA449DB11

Uniqueness

Uniqueness Score: -1.00%

Function 6CE1EE20 Relevance: 39.4, APIs: 16, Strings: 10, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CCEB890: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,89C88904,?,?,?,?,6CCEB740), ref: 6CCEB982
Part of subcall function 6CCEB890: HeapAlloc.KERNEL32(00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,89C88904,?,?), ref: 6CCEB995

GetProcessHeap.KERNEL32 ref: 6CE1EEAC
HeapAlloc.KERNEL32(?,00000000,00000003), ref: 6CE1EEC6
GetProcessHeap.KERNEL32(00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F0D9

Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1811A
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE18122
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1812F
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1813D
Part of subcall function 6CE18110: CloseHandle.KERNEL32(?,?,?,00000000,?,?,6CE1F28F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1814B

HeapAlloc.KERNEL32(?,00000000,0000001F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F0F3
GetProcessHeap.KERNEL32(?,00000000,0000001F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F15E
HeapAlloc.KERNEL32(?,00000000,0000000C,?,00000000,0000001F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F178
GetProcessHeap.KERNEL32(?,00000000,0000000C,?,00000000,0000001F,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F1B7
HeapAlloc.KERNEL32(?,00000000,0000000C,?,00000000,0000000C,?,00000000,0000001F,00000001,00000002,?,?,?,?,00000000), ref: 6CE1F1D1
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,?,?,?,?,00000000,00000003), ref: 6CE1F224
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,?,00000000,00000003), ref: 6CE1F233
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F2AC
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F363
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F374
CloseHandle.KERNEL32(00000002,?,?,?,?,00000000,00000003), ref: 6CE1F3DC
CloseHandle.KERNEL32(00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F400
CloseHandle.KERNEL32(?,00000001,00000002,?,?,?,?,00000000,00000003), ref: 6CE1F424

Strings

sks , xrefs: 6CE1F11E
iled, xrefs: 6CE1F100
n up, xrefs: 6CE1F110
`vl, xrefs: 6CE1F056
', xrefs: 6CE1F195
/C[INFO] WOW64 redirection reverted, xrefs: 6CE1EF99
fai, xrefs: 6CE1F109
NING, xrefs: 6CE1F12C
clea, xrefs: 6CE1F117
] Di, xrefs: 6CE1F125

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandle$AllocFreeProcess
String ID: fai$'$/C[INFO] WOW64 redirection reverted$NING$] Di$`vl$clea$iled$n up$sks
API String ID: 3512142491-1927724501
Opcode ID: 5b40834b4c794835c07a8490f5d45929b48ed852dd0154bf656753ce3229c026
Instruction ID: 3c9143e5fbee67778d78eb3373780f7755ea22eaee55f34eb770f579b6abaeae
Opcode Fuzzy Hash: 5b40834b4c794835c07a8490f5d45929b48ed852dd0154bf656753ce3229c026
Instruction Fuzzy Hash: 590258B0E05258CFEB10CF65C845B9EBBB1BF06308F2441A9D509ABB91D7759A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2B040 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

@, xrefs: 6CE2B2E5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 02f8578d5f82ea87d36092dbb4552799a354716275e5e5ee88c3fe307731728d
Instruction ID: 5ebb73b8770e3fa84fc3ed9a03a82c19a5f2e3860a2ffb994832d04c297ad49b
Opcode Fuzzy Hash: 02f8578d5f82ea87d36092dbb4552799a354716275e5e5ee88c3fe307731728d
Instruction Fuzzy Hash: D9B17871A08346CFD710CF28C48075ABBF1BF86308F29496DE9959B752D379E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2A720 Relevance: 37.7, APIs: 25, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12cdc691d45e3f5139acbbf2238407f0870855ef8dd62ab3bf491d16d93a547c
Instruction ID: 0031e08e6bdeb643467858b6f380481b87e5eb1c15d41e2ab028f340dd784870
Opcode Fuzzy Hash: 12cdc691d45e3f5139acbbf2238407f0870855ef8dd62ab3bf491d16d93a547c
Instruction Fuzzy Hash: D941EF719897459FE715CE29C480726BBF0AF8632CF29898DC9954BB42C33DE846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2AA50 Relevance: 34.6, APIs: 23, Instructions: 106COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA1A
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA1F
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA24
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA29
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA2E
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA33
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA38
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA3D
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA42
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA47
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA4C
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA51
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA56
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA5B
abort.MSVCRT(?,?,?,00000001,?,?,6CE2B4B9), ref: 6CE2FA60
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA68
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA6D
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA72
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA77
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA7C
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA81
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA86
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA8B

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 79a4254f61617160ebe845348d87405e2af915e8f6e12b27edd113784e667f5e
Instruction ID: dc402c4cff78bd1051eb06269bbb0868c1fbb0a4486bc17d11940fb40bacfded
Opcode Fuzzy Hash: 79a4254f61617160ebe845348d87405e2af915e8f6e12b27edd113784e667f5e
Instruction Fuzzy Hash: EE2166326887148FD710CF1AE8C07A6B7F1EFC3718F29892ED5A957B40C278A40E9791

Uniqueness

Uniqueness Score: -1.00%

Function 6CDDA440 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6CDDA4E6
GetFullPathNameW.KERNEL32(?,00000000,00000002,00000000,00000000), ref: 6CDDA4F5
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 6CDDA500
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 6CDDA515
memcmp.MSVCRT ref: 6CDDA587
HeapFree.KERNEL32(00000000,00000002,?,00000000,00000002,00000000,00000000), ref: 6CDDA5CF
HeapFree.KERNEL32(00000000,?,?,00000000,00000002,00000000,00000000), ref: 6CDDA5EB

Strings

SetThreadDescription, xrefs: 6CDDA7A1
kernel32, xrefs: 6CDDA793

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeHeap$FullNamePathmemcmp
String ID: SetThreadDescription$kernel32
API String ID: 3874603709-1950310818
Opcode ID: 4ac7e257839a358fe7b4c3b18bbb1bf865918857ccff796a2a3175b74c504e29
Instruction ID: 0e0b4c2c9c8aaf954727f200da8561dfa58b6309a9c7160bc54ce33403560885
Opcode Fuzzy Hash: 4ac7e257839a358fe7b4c3b18bbb1bf865918857ccff796a2a3175b74c504e29
Instruction Fuzzy Hash: D191B7B1E40609DFDF00DFA4C884BAEB7B5EF05348F25812DE819A7B61EB35A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CD16046 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 6CD0CBA0: GetProcessHeap.KERNEL32 ref: 6CD0CBF7
Part of subcall function 6CD0CBA0: HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD0CC0F
Part of subcall function 6CD0CBA0: GetProcessHeap.KERNEL32 ref: 6CD0CCB1

Part of subcall function 6CCEC4B0: GetProcessHeap.KERNEL32 ref: 6CCEC4D2
Part of subcall function 6CCEC4B0: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEC4E1
Part of subcall function 6CCEC4B0: memcpy.MSVCRT ref: 6CCEC506

Part of subcall function 6CCF3DB0: GetProcessHeap.KERNEL32 ref: 6CCF3DDE
Part of subcall function 6CCF3DB0: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCF3DED

Part of subcall function 6CD0DDE7: HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
Part of subcall function 6CD0DDE7: memcpy.MSVCRT ref: 6CD11E0C
Part of subcall function 6CD0DDE7: memcpy.MSVCRT ref: 6CD11EE7

memcpy.MSVCRT ref: 6CD162BE
memcpy.MSVCRT ref: 6CD162D8

Part of subcall function 6CCE1540: HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CCE155E

memcpy.MSVCRT ref: 6CD16317

Strings

del?, xrefs: 6CD16620
0el,, xrefs: 6CD165C6
ldl, xrefs: 6CD163C3, 6CD165FD, 6CD169F4, 6CD169A8, 6CD16957, 6CD164B9, 6CD163CA, 6CD164C0, 6CD16604, 6CD1695E, 6CD169AF, 6CD169FB
lfl, xrefs: 6CD169BD
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD163AD, 6CD163F4, 6CD16449, 6CD164A3, 6CD165E7, 6CD16641, 6CD16941, 6CD16992, 6CD169DE
tdl), xrefs: 6CD163D3
0Vl, xrefs: 6CD1672C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$Alloc$Process
String ID: 0Vl$0el,$PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$del?$ldl$lfl$tdl)
API String ID: 3292045870-3203382375
Opcode ID: 7d13c314be80490e2163b2038c6d2e19a7622c7b78b3f4f3ac59a444c339b3d9
Instruction ID: 4a0ebc29c11f28d5be2d47e76a7c4b8b44312f95f7807008e77102f58804eaa6
Opcode Fuzzy Hash: 7d13c314be80490e2163b2038c6d2e19a7622c7b78b3f4f3ac59a444c339b3d9
Instruction Fuzzy Hash: 6B3212B18093809BE771CF10D885BDFB7E9BB84308F10891DE58C97A60EB75A549CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6CDEEBE0 Relevance: 24.9, APIs: 11, Strings: 3, Instructions: 429memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CDEEC32
HeapAlloc.KERNEL32(00000000,00000000,0003A420), ref: 6CDEEC49
memset.MSVCRT ref: 6CDEEC6F
GetProcessHeap.KERNEL32 ref: 6CDEECB7
HeapAlloc.KERNEL32(00000000,00000000,00000009), ref: 6CDEECCB
GetProcessHeap.KERNEL32(00000000,00000000,00000009), ref: 6CDEED88
HeapAlloc.KERNEL32(00000000,00000000,000000A0,00000000,00000000,00000009), ref: 6CDEED9F
GetTickCount64.KERNEL32 ref: 6CDEEE8E

Part of subcall function 6CDEF320: PdhOpenQueryA.PDH(00000000,00000000,00000000), ref: 6CDEF350
Part of subcall function 6CDEF320: HeapAlloc.KERNEL32(00000000,00000000,00000023), ref: 6CDEF408
Part of subcall function 6CDEF320: memcpy.MSVCRT ref: 6CDEF41F
Part of subcall function 6CDEF320: GetProcessHeap.KERNEL32 ref: 6CDEF441
Part of subcall function 6CDEF320: HeapAlloc.KERNEL32(00000000,00000000,00000005), ref: 6CDEF455

GlobalMemoryStatusEx.KERNEL32(00000040), ref: 6CDEF042
GetPerformanceInfo.PSAPI(?,00000038), ref: 6CDEF093
GetDiskFreeSpaceExW.KERNEL32(?,00000000,00000000,00000000), ref: 6CDEF22B

Strings

cannot access a Thread Local Storage value during or after destruction/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\thread\local.rs, xrefs: 6CDEF282, 6CDEF2A2
l CP, xrefs: 6CDEECDC
@, xrefs: 6CDEF035

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Count64DiskFreeGlobalInfoMemoryOpenPerformanceQuerySpaceStatusTickmemcpymemset
String ID: @$cannot access a Thread Local Storage value during or after destruction/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\thread\local.rs$l CP
API String ID: 1153887567-1979277503
Opcode ID: 29c6eae18fb49165083698d1efe72caeda3d1392b227e9505a74e09e586b97b8
Instruction ID: b948060ffb58de6be40a9d341e59d292e200208d1f10cbb048d4c9f0c5ce2a2c
Opcode Fuzzy Hash: 29c6eae18fb49165083698d1efe72caeda3d1392b227e9505a74e09e586b97b8
Instruction Fuzzy Hash: FC02B4B19047809BE720CF24D8457ABB7F4BF89308F14862DEC989F692EB75D548CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFBE40 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 425memoryCOMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CDFBEDB
AcquireSRWLockExclusive.KERNEL32(?,?), ref: 6CDFBFA0
memmove.MSVCRT ref: 6CDFC023
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CDFC053
AcquireSRWLockExclusive.KERNEL32(?,?), ref: 6CDFC17B
memmove.MSVCRT ref: 6CDFC203
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CDFC233
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CDFC260
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CDFC292
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CDFC2AD

Strings

/{l, xrefs: 6CDFBE78, 6CDFBECD, 6CDFBF10, 6CDFC108
called `Result::unwrap()` on an `Err` value, xrefs: 6CDFC0CA, 6CDFC2E5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExclusiveLock$FreeHeapRelease$Acquirememmove
String ID: /{l$called `Result::unwrap()` on an `Err` value
API String ID: 181249939-3149847514
Opcode ID: dc3a9e5cc603e7716bb5b6e739ba98a76f11022fc9a28c1dbc6ecd09346ae04b
Instruction ID: 44232f6cf025fdfca2aef0e1795da377f8331208137a5374f961274118ee52c3
Opcode Fuzzy Hash: dc3a9e5cc603e7716bb5b6e739ba98a76f11022fc9a28c1dbc6ecd09346ae04b
Instruction Fuzzy Hash: DBF1BE706092009FD710EF15C840B5AB7F1FFC6358F26851DE8A85BBA1D731E856CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD21E90 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21EA8
GetProcessHeap.KERNEL32(00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21EED
HeapAlloc.KERNEL32(00000000,00000008,?,00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21EFC
GetComputerNameExW.KERNEL32(00000005,00000000,00000000,00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21F0E
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21F55
GetLastError.KERNEL32 ref: 6CD21FBA

Strings

$wl7, xrefs: 6CD21FF9
$vl[, xrefs: 6CD21F9C
$vl[, xrefs: 6CD2201F
$vl[, xrefs: 6CD21FDA
/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/gethostname-0.4.1/src/lib.rs, xrefs: 6CD21F8B, 6CD2200E
ul., xrefs: 6CD21F76
GetComputerNameExW failed to read hostname. Please report this issue to <https://github.com/swsnr/gethostname.rs/issues>!, xrefs: 6CD21FEA

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$ComputerName$AllocErrorFreeLastProcess
String ID: $vl[$$vl[$$vl[$$wl7$/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/gethostname-0.4.1/src/lib.rs$GetComputerNameExW failed to read hostname. Please report this issue to <https://github.com/swsnr/gethostname.rs/issues>!$ul.
API String ID: 3737649113-4040282568
Opcode ID: 302efadf5c01eac792dfbe46d40dd17f18d9e2519fc090e253e2913c72c100a5
Instruction ID: 498cc5a28a0b72cfb52209fbe5007250531b9beceb5b481179f34fd49e2b73ed
Opcode Fuzzy Hash: 302efadf5c01eac792dfbe46d40dd17f18d9e2519fc090e253e2913c72c100a5
Instruction Fuzzy Hash: 5841C6B2D002099BDB109FA5DC45BEF76B8EF0531CF148418EA246BB50E77AD908CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2C490 Relevance: 22.6, APIs: 15, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 23ef73d4ed38cc05c123995d761ec6cb7fb47cc20363047ca69d8b527b2939da
Instruction ID: d40901ecbfbbcf94d1065767e5e4411739619367d54d5af1521082e9f9df84ee
Opcode Fuzzy Hash: 23ef73d4ed38cc05c123995d761ec6cb7fb47cc20363047ca69d8b527b2939da
Instruction Fuzzy Hash: 1C4129B06097018FE710DF19C480B2ABBF0FF89718F20892EE599D7B51E779D9448B86

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0E050 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 445memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0A790: HeapFree.KERNEL32(6CF8B0E0,00000000,6CD1260A,?,6CD1260A,?,?), ref: 6CD0A7A8

Part of subcall function 6CD0AAB0: HeapFree.KERNEL32(6CF8B0E0,00000000), ref: 6CD0AAC1

Part of subcall function 6CD09D40: HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,00000000,?,00000000,?,6CD0CD3B), ref: 6CD09D82
Part of subcall function 6CD09D40: HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,00000000,?,00000000,?,6CD0CD3B), ref: 6CD09D9D

GetSystemInfo.KERNEL32(?), ref: 6CD0E0E0

Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32 ref: 6CDF6B72
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,00000140), ref: 6CDF6B89
Part of subcall function 6CDF6AD0: memcpy.MSVCRT ref: 6CDF6BB0
Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C78
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,0000004C,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C88

Part of subcall function 6CDF6AD0: GetSystemInfo.KERNEL32(00000000), ref: 6CDF6BDA

Part of subcall function 6CD04790: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD04960

memcmp.MSVCRT ref: 6CD0E349
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0E5A3

Part of subcall function 6CCF34C0: GetProcessHeap.KERNEL32 ref: 6CCF34F5
Part of subcall function 6CCF34C0: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCF3508
Part of subcall function 6CCF34C0: memcpy.MSVCRT ref: 6CCF351A

memcpy.MSVCRT ref: 6CD0E7E4
GetProcessHeap.KERNEL32 ref: 6CD0E818
HeapAlloc.KERNEL32(?,00000000,00000010), ref: 6CD0E832
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CD0E8A7
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD1181F

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD116D2
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD0E25C, 6CD0E344, 6CD0E683

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcess$memcpy$InfoSystem$AcquireExclusiveLockmemcmp
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$called `Result::unwrap()` on an `Err` value
API String ID: 2000797427-293423381
Opcode ID: f1321efd6ab2541f53b425e77d43a6494eb361e320cac88e649b78f3352bb0e7
Instruction ID: 304b980e86464d7fae774fdef1461fc97385d1d5edc20a6f36d3336f3cac6a34
Opcode Fuzzy Hash: f1321efd6ab2541f53b425e77d43a6494eb361e320cac88e649b78f3352bb0e7
Instruction Fuzzy Hash: D82235B1908B809AD770DF24D884BDBB7F4BFC9308F008A1DE48D57661EB71A549CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0E063 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 440memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0AAB0: HeapFree.KERNEL32(6CF8B0E0,00000000), ref: 6CD0AAC1

Part of subcall function 6CD09D40: HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,00000000,?,00000000,?,6CD0CD3B), ref: 6CD09D82
Part of subcall function 6CD09D40: HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,00000000,?,00000000,?,6CD0CD3B), ref: 6CD09D9D

Part of subcall function 6CD0A790: HeapFree.KERNEL32(6CF8B0E0,00000000,6CD1260A,?,6CD1260A,?,?), ref: 6CD0A7A8

GetSystemInfo.KERNEL32(?), ref: 6CD0E0E0

Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32 ref: 6CDF6B72
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,00000140), ref: 6CDF6B89
Part of subcall function 6CDF6AD0: memcpy.MSVCRT ref: 6CDF6BB0
Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C78
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,0000004C,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C88

Part of subcall function 6CDF6AD0: GetSystemInfo.KERNEL32(00000000), ref: 6CDF6BDA

Part of subcall function 6CD04790: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD04960

memcmp.MSVCRT ref: 6CD0E349
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0E5A3

Part of subcall function 6CCF34C0: GetProcessHeap.KERNEL32 ref: 6CCF34F5
Part of subcall function 6CCF34C0: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCF3508
Part of subcall function 6CCF34C0: memcpy.MSVCRT ref: 6CCF351A

memcpy.MSVCRT ref: 6CD0E7E4
GetProcessHeap.KERNEL32 ref: 6CD0E818
HeapAlloc.KERNEL32(?,00000000,00000010), ref: 6CD0E832
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CD0E8A7
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD1181F

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD116D2
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD0E25C, 6CD0E344, 6CD0E683

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcess$memcpy$InfoSystem$AcquireExclusiveLockmemcmp
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$called `Result::unwrap()` on an `Err` value
API String ID: 2000797427-293423381
Opcode ID: a85ac432d8b3319355bfdba1e84d9214b75ee7791aafffb7432a41d0ae2dbb3b
Instruction ID: 22b9adc5d04e5c559ab5e61800a4775cf393fba0a55425d4dd92d36e77e2e8e0
Opcode Fuzzy Hash: a85ac432d8b3319355bfdba1e84d9214b75ee7791aafffb7432a41d0ae2dbb3b
Instruction Fuzzy Hash: FC2235B1908B809AD770DF24D884BDBB7F4BFC9308F008A1DE49D57661EB71A549CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0E07A Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 437memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0AAB0: HeapFree.KERNEL32(6CF8B0E0,00000000), ref: 6CD0AAC1

Part of subcall function 6CD0A790: HeapFree.KERNEL32(6CF8B0E0,00000000,6CD1260A,?,6CD1260A,?,?), ref: 6CD0A7A8

GetSystemInfo.KERNEL32(?), ref: 6CD0E0E0

Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32 ref: 6CDF6B72
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,00000140), ref: 6CDF6B89
Part of subcall function 6CDF6AD0: memcpy.MSVCRT ref: 6CDF6BB0
Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C78
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,0000004C,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C88

Part of subcall function 6CDF6AD0: GetSystemInfo.KERNEL32(00000000), ref: 6CDF6BDA

Part of subcall function 6CD04790: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD04960

memcmp.MSVCRT ref: 6CD0E349
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0E5A3

Part of subcall function 6CCF34C0: GetProcessHeap.KERNEL32 ref: 6CCF34F5
Part of subcall function 6CCF34C0: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCF3508
Part of subcall function 6CCF34C0: memcpy.MSVCRT ref: 6CCF351A

memcpy.MSVCRT ref: 6CD0E7E4
GetProcessHeap.KERNEL32 ref: 6CD0E818
HeapAlloc.KERNEL32(?,00000000,00000010), ref: 6CD0E832
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CD0E8A7
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD1181F

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD116D2
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD0E25C, 6CD0E344, 6CD0E683

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcess$memcpy$InfoSystem$AcquireExclusiveLockmemcmp
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$called `Result::unwrap()` on an `Err` value
API String ID: 2000797427-293423381
Opcode ID: 52e6ccc1e7a75e86f04a90c273b4180529769e516b2e662a42ea0b058d1c36ea
Instruction ID: a257e109fccff010ce682ebcea5192d104a1a57ee75fa0dceb3e294a2955d149
Opcode Fuzzy Hash: 52e6ccc1e7a75e86f04a90c273b4180529769e516b2e662a42ea0b058d1c36ea
Instruction Fuzzy Hash: FA2234B1908B809AD770DF24D884BDBB7F4BFC9308F008A1DE49D57661EB71A549CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD156AC Relevance: 21.4, APIs: 11, Strings: 3, Instructions: 389memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD156BC

Part of subcall function 6CD0DDE7: HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
Part of subcall function 6CD0DDE7: memcpy.MSVCRT ref: 6CD11E0C
Part of subcall function 6CD0DDE7: memcpy.MSVCRT ref: 6CD11EE7

Part of subcall function 6CCEC4B0: GetProcessHeap.KERNEL32 ref: 6CCEC4D2
Part of subcall function 6CCEC4B0: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEC4E1
Part of subcall function 6CCEC4B0: memcpy.MSVCRT ref: 6CCEC506

Strings

failed to spawn thread, xrefs: 6CD15ABD
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD159CE
\al, xrefs: 6CD159EC, 6CD159F3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$Alloc$FreeProcess
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$\al$failed to spawn thread
API String ID: 457687450-1300963335
Opcode ID: c0c29b60429ec36e64f741f870fe8198151787fbf1f4b2bbfa70363740871939
Instruction ID: 6086227f6cd13365a27abaecd79d87b4ddf2a453a7d6528f95f215f884397598
Opcode Fuzzy Hash: c0c29b60429ec36e64f741f870fe8198151787fbf1f4b2bbfa70363740871939
Instruction Fuzzy Hash: 62F19EB190C3849BE771DB20E840BDFB7E4AF85309F04491DE58D57AA1EB359608CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0B490 Relevance: 20.2, APIs: 16, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B4AB
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B4C2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B502
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B51E
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B552
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B56E
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B5A2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B5BE
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD0698D), ref: 6CD0B5F2

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c14d39cd9b5d4dac85385e3195ca8e72269c7d4539f3c2ebd6402674b824fe50
Instruction ID: 6cef8fd8d29e9c4ec6624ff6246c94acb048036fbf8b1332f94faa5e2facccbf
Opcode Fuzzy Hash: c14d39cd9b5d4dac85385e3195ca8e72269c7d4539f3c2ebd6402674b824fe50
Instruction Fuzzy Hash: 5D714E71A59650EFEB228F49CC44B65B7B2FB05708F28085CE6612BAF0C772F854CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6CCEE670 Relevance: 20.2, APIs: 16, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE68B
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE6A2
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE6E2
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE6FE
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE732
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE74E
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE782
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE79E
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE7D2

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c14d39cd9b5d4dac85385e3195ca8e72269c7d4539f3c2ebd6402674b824fe50
Instruction ID: 1645af8b30ec27c5980997334be54f7b39e72da4539efea4d3f4bb2e64990d2e
Opcode Fuzzy Hash: c14d39cd9b5d4dac85385e3195ca8e72269c7d4539f3c2ebd6402674b824fe50
Instruction Fuzzy Hash: 15717E36951750DFEB228F4ACC40B65B7B2FB0A748F24085CE5612BAA4E772FC54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CCEA590 Relevance: 19.8, APIs: 8, Strings: 5, Instructions: 322memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCE68AC), ref: 6CCEA5F7
HeapAlloc.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6CCE68AC), ref: 6CCEA60E
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEA644
memcpy.MSVCRT ref: 6CCEA660
GetProcessHeap.KERNEL32 ref: 6CCEA6B0
GetProcessHeap.KERNEL32 ref: 6CCEA733
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEA74B
memcpy.MSVCRT ref: 6CCEA788

Strings

Patternsbuckets, xrefs: 6CCEA89B
minimum_len, xrefs: 6CCEA909
by_idordermax_pattern_idtotal_pattern_bytes, xrefs: 6CCEA8D7
}, .. } { .. } }((,, xrefs: 6CCEA970
kind, xrefs: 6CCEA8C1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$memcpy
String ID: Patternsbuckets$by_idordermax_pattern_idtotal_pattern_bytes$kind$minimum_len$}, .. } { .. } }((,
API String ID: 1759892863-961451234
Opcode ID: 255debac491d5bc57269b469e0934a8ab444e1dfbcf881aae4bc392074c10a77
Instruction ID: 73f2a40c297423d3d3dfe449dbafb14ed705a8048202f42d623c450209ba21d2
Opcode Fuzzy Hash: 255debac491d5bc57269b469e0934a8ab444e1dfbcf881aae4bc392074c10a77
Instruction Fuzzy Hash: E1C1CFB5D012199FDB00CF95C841BEEBBB9AF8A708F258159E8047B751F734DA06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CDF6EF0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(E850002C,00000000,?,6CD1122A,?,?,00000010), ref: 6CDF6F1E
SleepConditionVariableSRW.KERNEL32(E8500034,00000000,000000FF,00000000,E850002C,00000000,?,6CD1122A,?,?,00000010), ref: 6CDF6F6B
ReleaseSRWLockExclusive.KERNEL32(00000000,E850002C,00000000,?,6CD1122A,?,?,00000010), ref: 6CDF6FA4
GetProcessHeap.KERNEL32 ref: 6CDF7090
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CDF709F
GetProcessHeap.KERNEL32(?,?,00000000,?), ref: 6CDF71FA
HeapAlloc.KERNEL32(00000001,00000000,00000018), ref: 6CDF720E

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CDF6FE0, 6CDF7017

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocExclusiveLockProcess$AcquireConditionReleaseSleepVariable
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1274049008-2333694755
Opcode ID: dee3dd85047b6088ac2f545ca0c207b50b8572ff45db2539e8f3d55b32f74def
Instruction ID: ca9c3ca89de7238b419eb85d9f68dc70a3f68ed5bcf62b00cddd016ce4790700
Opcode Fuzzy Hash: dee3dd85047b6088ac2f545ca0c207b50b8572ff45db2539e8f3d55b32f74def
Instruction Fuzzy Hash: 4FA1A271E05606EBEB01DF65C800BEEB7B4BF06348F264159E834ABA61EB75D447C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE086F0 Relevance: 18.4, APIs: 11, Strings: 1, Instructions: 413memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE08872
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CE08885
GetProcessHeap.KERNEL32 ref: 6CE088AD
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CE088C0
memcpy.MSVCRT ref: 6CE088DE
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CE089B9
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE089CA
memcpy.MSVCRT ref: 6CE08A71
GetProcessHeap.KERNEL32 ref: 6CE08AAB
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CE08ABE
memcpy.MSVCRT ref: 6CE08ADB

Part of subcall function 6CE00C10: GetProcessHeap.KERNEL32(?,?,?,?,00000001,00000000,?,?,6CE08AF6,?,?), ref: 6CE00C37
Part of subcall function 6CE00C10: HeapAlloc.KERNEL32(6CE08AF6,00000000,BEC35D5B,?,?,?,?,00000001,00000000,?,?,6CE08AF6,?,?), ref: 6CE00C46

Strings

<unknown>[WARNING] walker: , xrefs: 6CE08B06, 6CE08B17, 6CE08B36

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$memcpy$Free
String ID: <unknown>[WARNING] walker:
API String ID: 1446904418-1778361470
Opcode ID: c5c4349a93ebb911a5fe20a0ebb52a63e64380b8f2e6a893874c95c1faa9e6c2
Instruction ID: 0579fe3ca48cb96d497ecd68ad8a964fb544e21aa963c9b9ba3d5fa86ca33fc7
Opcode Fuzzy Hash: c5c4349a93ebb911a5fe20a0ebb52a63e64380b8f2e6a893874c95c1faa9e6c2
Instruction Fuzzy Hash: 93D124B1F013168BDF248F64C8817AEB7B6BF86318F38412AD415A7B94E7309865CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2EEE0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CE2EF0F
vfprintf.MSVCRT ref: 6CE2EF2F
abort.MSVCRT ref: 6CE2EF34
VirtualQuery.KERNEL32 ref: 6CE2EFCB

Strings

Address %p has no image-section, xrefs: 6CE2F08B
Mingw-w64 runtime failure:, xrefs: 6CE2EF08
VirtualProtect failed with code 0x%x, xrefs: 6CE2F046
VirtualQuery failed for %d bytes at address %p, xrefs: 6CE2F077

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 7905f68f731f0617d8f076c859c82e68d79624c46874a2876a98d59953b85bd6
Instruction ID: 417b7bf8cd20b7500fbb9ed0635e6b482566b5b9af491c34d5c8ace95552cc1f
Opcode Fuzzy Hash: 7905f68f731f0617d8f076c859c82e68d79624c46874a2876a98d59953b85bd6
Instruction Fuzzy Hash: 155177B1A157118BD710DF28C885B5AFBF0FF85758F65892DE8888B714D338E448CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CDF7060 Relevance: 16.9, APIs: 8, Strings: 3, Instructions: 367memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CDF7090
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CDF709F
memcpy.MSVCRT ref: 6CDF714F
GetProcessHeap.KERNEL32(?,?,00000000,?), ref: 6CDF71FA
HeapAlloc.KERNEL32(00000001,00000000,00000018), ref: 6CDF720E
GetProcessHeap.KERNEL32(00000001,00000000,00000018), ref: 6CDF7301
HeapAlloc.KERNEL32(?,00000000,00000010,00000001,00000000,00000018), ref: 6CDF7315
CloseHandle.KERNEL32(00000001,00000010,00000001,00000000,00000018), ref: 6CDF7352

Strings

called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs, xrefs: 6CDF7483
called `Result::unwrap()` on an `Err` value, xrefs: 6CDF73F8
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 6CDF742C, 6CDF744E

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$CloseHandlememcpy
String ID: called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs$called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 4145315782-3166664570
Opcode ID: d49a13152722b1b485d4de02cb9b04a27a7fea0ba3fe80f1ea1ce3b98817d590
Instruction ID: cb3f766bb6a2e3e7c70f81c5897fc17751c68d32a685d48a6841eadca219711a
Opcode Fuzzy Hash: d49a13152722b1b485d4de02cb9b04a27a7fea0ba3fe80f1ea1ce3b98817d590
Instruction Fuzzy Hash: F9D1C671E01615EBDB01DFA5CC40BEEB7B5BF46308F27411AE824ABB61EB719446C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE198E0 Relevance: 16.7, APIs: 7, Strings: 4, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE1995E
HeapAlloc.KERNEL32(00000004,00000000,AAAAAAAB), ref: 6CE1996D
memcpy.MSVCRT ref: 6CE199E6
memcpy.MSVCRT ref: 6CE19A34
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE19B45

Strings

%lH, xrefs: 6CE1992F
%lH, xrefs: 6CE19A69
attempt to join into collection with len > usize::MAX/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\str.rs, xrefs: 6CE19936
assertion failed: mid <= self.len(), xrefs: 6CE19A70

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$AllocFreeProcess
String ID: %lH$%lH$assertion failed: mid <= self.len()$attempt to join into collection with len > usize::MAX/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\str.rs
API String ID: 2458105893-629508089
Opcode ID: 26acf668442910e5103eecf00a41d4cafd444a161cb53955e52ba6959926a2a4
Instruction ID: 4b8ddc0b409d393bfe7439ea93c862e4e9749684b2062efb6bfc959fef60d7c2
Opcode Fuzzy Hash: 26acf668442910e5103eecf00a41d4cafd444a161cb53955e52ba6959926a2a4
Instruction Fuzzy Hash: DE810672E042158FDB04DF69C880BAEB7F5FF49318F24462DD925A7B50E731AA18CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2CAC0 Relevance: 16.6, APIs: 11, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1a7ebae2a9e5fa865c9dcdda14bca5513c2e55d47b72cef1f34e083e166ceb
Instruction ID: f0445a4ef5974db5cc55d2201a5c4188846372ea167c02e8497a5f05e8a1a725
Opcode Fuzzy Hash: 6a1a7ebae2a9e5fa865c9dcdda14bca5513c2e55d47b72cef1f34e083e166ceb
Instruction Fuzzy Hash: CF114C35A0022C9BDB14DF68C880ADEB7B5AF85358F208558D80967B40DB34AE498BD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0E0A0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 445memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6CD0E0E0

Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32 ref: 6CDF6B72
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,00000140), ref: 6CDF6B89
Part of subcall function 6CDF6AD0: memcpy.MSVCRT ref: 6CDF6BB0
Part of subcall function 6CDF6AD0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C78
Part of subcall function 6CDF6AD0: HeapAlloc.KERNEL32(?,00000000,0000004C,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C88

Part of subcall function 6CDF6AD0: GetSystemInfo.KERNEL32(00000000), ref: 6CDF6BDA

Part of subcall function 6CD04790: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD04960

memcmp.MSVCRT ref: 6CD0E349
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD1181F

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD116D2
[FATAL] Cannot parse public keysrc/encryptor/source/mod.rs, xrefs: 6CD11A36
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD0E25C, 6CD0E344, 6CD0E683, 6CD0E6C8, 6CD117F9

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeInfoProcessSystem$memcmpmemcpy
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$[FATAL] Cannot parse public keysrc/encryptor/source/mod.rs$called `Result::unwrap()` on an `Err` value
API String ID: 4021788263-3028633279
Opcode ID: 16328d7fd6d73a9c624351f7e953cd88a1874f8bbcf9ae027140cf570d882661
Instruction ID: d06089dc4dba737d5c448746e1d91a98e0d877a941fe0c5952a2d8e57403a101
Opcode Fuzzy Hash: 16328d7fd6d73a9c624351f7e953cd88a1874f8bbcf9ae027140cf570d882661
Instruction Fuzzy Hash: 2332007190DBC08AD371DF24D889BABB7E4BFCA309F108A1DE48C56651EB719089CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0D960 Relevance: 15.3, APIs: 12, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD0D9A4
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CD0D9B7
memcpy.MSVCRT ref: 6CD0D9D0
GetProcessHeap.KERNEL32(?,00000000,?), ref: 6CD0D9FF
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CD0DA18
memcpy.MSVCRT ref: 6CD0DA2F
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000,?), ref: 6CD0DB09
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CD0DB22
memcpy.MSVCRT ref: 6CD0DB38
GetProcessHeap.KERNEL32(?,00000000,?), ref: 6CD0DB71
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CD0DB8A
memcpy.MSVCRT ref: 6CD0DBA1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpy
String ID:
API String ID: 4164033339-0
Opcode ID: 1e848a8cb306139312df9b38ad3952b061b026fd8340cc00c1d0721146dc051a
Instruction ID: d8b3f4b6cc6bf611fe262abd6e2aa5f89a14adaccd6b9892eca3f8bb577c6e4d
Opcode Fuzzy Hash: 1e848a8cb306139312df9b38ad3952b061b026fd8340cc00c1d0721146dc051a
Instruction Fuzzy Hash: E0B14FB5A05B419FD710DF29C840A9BF7F4BF89308F10451DE99997B21EB70E458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF34C0 Relevance: 15.2, APIs: 12, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCF34F5
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCF3508
memcpy.MSVCRT ref: 6CCF351A
GetProcessHeap.KERNEL32 ref: 6CCF353C
HeapAlloc.KERNEL32(?,00000000,00000001), ref: 6CCF3556
GetProcessHeap.KERNEL32(?,00000000,00000001), ref: 6CCF3598
HeapAlloc.KERNEL32(?,00000000,?,?,00000000,00000001), ref: 6CCF35B1
memcpy.MSVCRT ref: 6CCF35C3
memcpy.MSVCRT ref: 6CCF35F2
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,?,?,00000000,00000001), ref: 6CCF361A
memcpy.MSVCRT ref: 6CCF3625
memmove.MSVCRT ref: 6CCF3631

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$AllocProcess$Freememmove
String ID:
API String ID: 3110823636-0
Opcode ID: 01673dff062c786507fd9fbd31aa1f753873c1784f7d2f12cd7cfd53b906e199
Instruction ID: 108a502391cd9fb0e727e45c647cc4449a9d2eeaa6478a4d9cfbc2461e97565c
Opcode Fuzzy Hash: 01673dff062c786507fd9fbd31aa1f753873c1784f7d2f12cd7cfd53b906e199
Instruction Fuzzy Hash: BB51BEB1E01315ABEB409F65DC45BAE7AB8EF06758F180028E8189B741F775D909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD07D90 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF), ref: 6CD07E77
memmove.MSVCRT ref: 6CD07F20
memmove.MSVCRT ref: 6CD07F5E
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CD0B20E,00000000,?,?,?,?,6CD0690C), ref: 6CD07FEC
CloseHandle.KERNEL32(FFFFFFFF), ref: 6CD080B7

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD0814C
PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD07EA4, 6CD07EAB

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandlememmove$AcquireExclusiveLock
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$called `Result::unwrap()` on an `Err` value
API String ID: 1412512203-293423381
Opcode ID: e6f216293f86d162d8aaca0e1c4d74ee679f0e4d0cee4804b52cb7031b5375a5
Instruction ID: 98fcfeed81171308a3e606fabd714229bc4c8e3ec5a39a1afc105c7ef4eb9984
Opcode Fuzzy Hash: e6f216293f86d162d8aaca0e1c4d74ee679f0e4d0cee4804b52cb7031b5375a5
Instruction Fuzzy Hash: 3DD1D271E01219DFDB10CF68CC80BEEB7B5BF45318F25461AD425ABBA1D735A906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD06054 Relevance: 14.0, APIs: 8, Strings: 1, Instructions: 455COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6CD0610E
memcmp.MSVCRT ref: 6CD0638E

Strings

capacity overflow, xrefs: 6CD0662C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcmp
String ID: capacity overflow
API String ID: 1475443563-2273299319
Opcode ID: 5067d45eaf48e23e5386baaea0b3dd58950d8d01bf2978028edce8374b36f16d
Instruction ID: bb1f8ba2ab08b8d3420a06683db5828fb103f90cbbc82936828be1bdb174dd6f
Opcode Fuzzy Hash: 5067d45eaf48e23e5386baaea0b3dd58950d8d01bf2978028edce8374b36f16d
Instruction Fuzzy Hash: F712A071A08784DFC721CF28C880B9FBBF1BF8A304F14495DE98997661D730A989CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE4BC0 Relevance: 13.9, APIs: 11, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4BE1
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4C22
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4C5B
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4C7E
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4CC2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4CE4
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4CFB
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,-00000001,?,6CDE3B6D,?,?,6CDEF2FB), ref: 6CDE4D12

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7b3429de6a86ece179b2c5e320e92a37361ad1d78f9a09894a4ebaf17a413cb7
Instruction ID: 15630f036efa597d492a8378df74184394db27a5f4b78e462871ea0fb3ffa414
Opcode Fuzzy Hash: 7b3429de6a86ece179b2c5e320e92a37361ad1d78f9a09894a4ebaf17a413cb7
Instruction Fuzzy Hash: C441D632641700DFEB219F95DC40FA6B7B2FB09718F28052DE5651BAB0CB72B858CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CD10D4C Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,00000000), ref: 6CD10D5F
memcpy.MSVCRT ref: 6CD10D7F
memcpy.MSVCRT ref: 6CD10E66
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD10E9E
GetProcessHeap.KERNEL32 ref: 6CD10F3B
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD116A1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$Alloc$FreeProcess
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 457687450-2333694755
Opcode ID: efb473adefa41858f4f5c2fb6d1aebe07423e4ec71c07d605ffcc6c12dd5aa89
Instruction ID: 6635693fc9d4406e2eb014adc0191f550b3480988db5b6bf09770783f502d6ad
Opcode Fuzzy Hash: efb473adefa41858f4f5c2fb6d1aebe07423e4ec71c07d605ffcc6c12dd5aa89
Instruction Fuzzy Hash: E891A1716087419BD710DF28D880B9BB7F4BF89304F104A2DE59957B60EB31E958CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CDF6AD0 Relevance: 13.7, APIs: 9, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CDF6B72
HeapAlloc.KERNEL32(?,00000000,00000140), ref: 6CDF6B89
memcpy.MSVCRT ref: 6CDF6BB0
GetSystemInfo.KERNEL32(00000000), ref: 6CDF6BDA
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C78
HeapAlloc.KERNEL32(?,00000000,0000004C,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDF6C88
AcquireSRWLockExclusive.KERNEL32(?,00000001), ref: 6CDF6D9D
ReleaseSRWLockExclusive.KERNEL32(?,?,00000001), ref: 6CDF6DC3
WakeAllConditionVariable.KERNEL32(?,?,?,00000001), ref: 6CDF6DCC

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocExclusiveLockProcess$AcquireConditionInfoReleaseSystemVariableWakememcpy
String ID:
API String ID: 3384573377-0
Opcode ID: c0dc6a836fb70513ecbdf5bc4b8f7e4b3c73156391f39e20f450bc9720af2d78
Instruction ID: 83b9948be54d3db52691f69bd30e85bca61e6e7bab6073ccbd151a3925aa7061
Opcode Fuzzy Hash: c0dc6a836fb70513ecbdf5bc4b8f7e4b3c73156391f39e20f450bc9720af2d78
Instruction Fuzzy Hash: 0181A1705083809BE7109F25C85179FBBF4BF86308F15461CE9A89BB91D7B6944BCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD477E0 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,?,?,6CDF1795,00000000), ref: 6CD477EF
TlsGetValue.KERNEL32(00000000,00000000), ref: 6CD47813
TlsGetValue.KERNEL32(-00000001,00000000,00000000), ref: 6CD4782C
GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 6CD4784C
HeapAlloc.KERNEL32(00000000,00000000,0000000C,00000000,00000000,00000000), ref: 6CD47860
TlsSetValue.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6CD47884
TlsGetValue.KERNEL32(00000000,00000000,00000000), ref: 6CD478C1

Strings

ThreadPoolBuildErrorkind, xrefs: 6CD47915
}, .. } { .. } }((,, xrefs: 6CD47979

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Value$Heap$AllocProcess
String ID: ThreadPoolBuildErrorkind$}, .. } { .. } }((,
API String ID: 3559649508-2968193098
Opcode ID: 143c8f2eaf98cf951d077ff978847e3d8e4547d9635b2f9c56ed52c29031a2ae
Instruction ID: 4e55441c8c50c0413aa92589b687b297b6a42761fb62a75c32f9de0c42796c7c
Opcode Fuzzy Hash: 143c8f2eaf98cf951d077ff978847e3d8e4547d9635b2f9c56ed52c29031a2ae
Instruction Fuzzy Hash: 25410771E40304EFEB108FA5D805BA6B7B8EF01358F16C469EA58DBB61D735E504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0AB90 Relevance: 12.6, APIs: 10, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06918), ref: 6CD0ABD2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06918), ref: 6CD0ABED
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,00000000,?,?,?,?,6CD06918), ref: 6CD0AC22
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06918), ref: 6CD0AC3E
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,00000000,?,?,?,?,6CD06918), ref: 6CD0AC72
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06918), ref: 6CD0AC8E
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,00000000,?,?,?,?,6CD06918), ref: 6CD0ACC2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06918), ref: 6CD0ACDE
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06918), ref: 6CD0ACF5
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06918), ref: 6CD0AD0C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 21316eb126880d6cf7ea766cf628df22d079dc4ca7e3838c8bcc575b17997ad4
Instruction ID: 5e60dd8b5cd20a8845fd98b7e084869016cf134beaccdbce29375556398af24e
Opcode Fuzzy Hash: 21316eb126880d6cf7ea766cf628df22d079dc4ca7e3838c8bcc575b17997ad4
Instruction Fuzzy Hash: 48417079B50600DFEB218F48CC40B65B7B2FB05B08F26085CE9592BBB0C772B854CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2F0A0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6CE2F1AC
Unknown pseudo relocation protocol version %d., xrefs: 6CE2F30D

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: fa286498655900cc86fef1f7f01b979c2ada432111b81ab18930c0e1c11ce0bf
Instruction ID: daed24f440442c21bbb832d8989a1fe343f14475e1f5e2f80d459e5eda9f6535
Opcode Fuzzy Hash: fa286498655900cc86fef1f7f01b979c2ada432111b81ab18930c0e1c11ce0bf
Instruction Fuzzy Hash: D371F672A052258FCB10DF69C88179AB7B1FF86718F364919D9449BB05D738E80ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD105CF Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

capacity overflow, xrefs: 6CD114F8, 6CD11511

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: capacity overflow
API String ID: 0-2273299319
Opcode ID: ea262fa631ad844a43d548d4265e9aee9e248342119a41625e9b4b43e3a6790c
Instruction ID: 8f25af0213042621a727a1216790244c85cbd443543fa14eba6a178155c1f37d
Opcode Fuzzy Hash: ea262fa631ad844a43d548d4265e9aee9e248342119a41625e9b4b43e3a6790c
Instruction Fuzzy Hash: E6D1BF7190C7818FD310DF28D8807AAB7F1BF9A348F144A1DE8D957AA1EB31E549CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CDDAA40 Relevance: 12.3, APIs: 3, Strings: 5, Instructions: 298COMMON

Download Yara Rule

Strings

TOl, xrefs: 6CDDAA49, 6CDDABF4, 6CDDAB6D
use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 6CDDAD6B, 6CDDAD92
assertion failed: state_and_queue.addr() & STATE_MASK == RUNNINGOnce instance has previously been poisoned, xrefs: 6CDDADFF
called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs, xrefs: 6CDDADDB
already borrowedlibrary\std\src\io\stdio.rs, xrefs: 6CDDAD55, 6CDDADB4

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: TOl$already borrowedlibrary\std\src\io\stdio.rs$assertion failed: state_and_queue.addr() & STATE_MASK == RUNNINGOnce instance has previously been poisoned$called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs$use of std::thread::current() is not possible after the thread's local data has been destroyed
API String ID: 0-258444476
Opcode ID: 49d33bd756e0387bb0d08066562322c655b3534c379cce159217324733cd82b0
Instruction ID: f546ea8d59ec0cdf03b25dcf0d97b607b426c36271c8bdf1eb7d0d750250ea7e
Opcode Fuzzy Hash: 49d33bd756e0387bb0d08066562322c655b3534c379cce159217324733cd82b0
Instruction Fuzzy Hash: 07B14671E01305DBDF11CF64CC40BAEB7B5AF01318F16821AE869ABBA1EB35B545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0EA02 Relevance: 12.3, APIs: 8, Instructions: 291memoryCOMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6CD0E92E
GetProcessHeap.KERNEL32(?), ref: 6CD0EC2E

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExclusiveHeapLockProcessRelease
String ID:
API String ID: 2888651213-0
Opcode ID: babca56f0e261a40a92c2eacf5adf1d411e18e0bf1f4d78bc01d22c792b540ae
Instruction ID: ce4aac55d9f538ae5da491383bf9be1bd4929121caf6c345622b5c1e8539c962
Opcode Fuzzy Hash: babca56f0e261a40a92c2eacf5adf1d411e18e0bf1f4d78bc01d22c792b540ae
Instruction Fuzzy Hash: 36D17C75A09B818BD764CF28D840BABB7F1BF9A304F044A1DE8D95B661DB309845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD93B90 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD93BC0
HeapAlloc.KERNEL32(?,00000000,6CD9478F), ref: 6CD93BDD
memcpy.MSVCRT ref: 6CD93BF1
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,?,?,00000000,6CD9478F), ref: 6CD93E9C

Strings

, xrefs: 6CD93C16
capacity overflow/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/biguint.rscalled `Option::unwrap()` on a `None` value, xrefs: 6CD93EC1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcessmemcpy
String ID: $capacity overflow/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/biguint.rscalled `Option::unwrap()` on a `None` value
API String ID: 3455684755-2544271985
Opcode ID: 1d6fadc215dc5ceeecea8ef9c6753702f7ebe89cd8c6eb7672bffc1053c4d6d6
Instruction ID: 035830e3a76a713ffae609e19abd7d81fea7b05e6531473709af3ccc7960b4dc
Opcode Fuzzy Hash: 1d6fadc215dc5ceeecea8ef9c6753702f7ebe89cd8c6eb7672bffc1053c4d6d6
Instruction Fuzzy Hash: 79A1527AD2AB418BDB02CF39C840656B7B1BF97394F148B19FDA827672DB31D8408781

Uniqueness

Uniqueness Score: -1.00%

Function 6CD10B58 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD10B95
HeapAlloc.KERNEL32(?,00000000), ref: 6CD10BB0
memcpy.MSVCRT ref: 6CD10BD0
HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD10C06
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Strings

capacity overflow, xrefs: 6CD114F8

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$memcpy$Process
String ID: capacity overflow
API String ID: 1874662144-2273299319
Opcode ID: 55aee6629f2a8c4e2e261d3767ad63c149422f81b1940a05c23cb3d849b91b3a
Instruction ID: 138adb8348d7b7c4463784648a442ca5ed1ea39ca2bbbad3cb66fc0dbedfb5a2
Opcode Fuzzy Hash: 55aee6629f2a8c4e2e261d3767ad63c149422f81b1940a05c23cb3d849b91b3a
Instruction Fuzzy Hash: E981A271A097419FD710DF28D880BAAF7F5BF9A304F104A1DE5A957B60EB30E918CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF57BF Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 104COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CCF57C8

Strings

assertion failed: d.plus > 0, xrefs: 6CCF58DF
assertion failed: d.mant.checked_add(d.plus).is_some(), xrefs: 6CCF58F5
assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0kindEmptyZeroTryFromIntError, xrefs: 6CCF588B
assertion failed: d.minus > 0, xrefs: 6CCF58C9
assertion failed: buf.len() >= MAX_SIG_DIGITS, xrefs: 6CCF5921
assertion failed: d.mant.checked_sub(d.minus).is_some(), xrefs: 6CCF590B
assertion failed: d.mant > 0, xrefs: 6CCF58B3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memset
String ID: assertion failed: buf.len() >= MAX_SIG_DIGITS$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0kindEmptyZeroTryFromIntError
API String ID: 2221118986-1451125116
Opcode ID: 16ad41ab60bcab5f4dc82a90973a48582030d64b7f18f9df5a706b17137f2b1d
Instruction ID: e758a44b87bef5ab4dcbbe699b15e6f2875cc17765e7098f9d775a6e2fe6b810
Opcode Fuzzy Hash: 16ad41ab60bcab5f4dc82a90973a48582030d64b7f18f9df5a706b17137f2b1d
Instruction Fuzzy Hash: 082105AAEC011433CB641BA47C42FD5327A4F34309F7768A4B41C75B83F716A21EC652

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2CEB0 Relevance: 12.1, APIs: 8, Instructions: 87COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA68
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA6D
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA72
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA77
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA7C
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA81
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA86
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA8B

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ba72e32409556c4ed1c1cab19d057941ab8806fa23a806205a7b351341ac673d
Instruction ID: 6c4ceda6b829e9415aed794a22fd8df2cd95de474085cb70ea48dde7161e1c2b
Opcode Fuzzy Hash: ba72e32409556c4ed1c1cab19d057941ab8806fa23a806205a7b351341ac673d
Instruction Fuzzy Hash: 9E21D7323461148FD704DF29D441BA673F6EBC625CB3882BED4588BB59D63AD8078791

Uniqueness

Uniqueness Score: -1.00%

Function 6CE03670 Relevance: 11.6, APIs: 9, Instructions: 393memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE0368A
HeapAlloc.KERNEL32(?,00000000,00000068), ref: 6CE036A4
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000068), ref: 6CE03828

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcess
String ID:
API String ID: 2113670309-0
Opcode ID: f95810c78d51d97236ba55c30e369391055989cf7d94780f4ff0d0c487be1e61
Instruction ID: 10ee05e390e7c6d20cb4d14cd2df2ce5d594f86e41c312e85e1a777d85a07da7
Opcode Fuzzy Hash: f95810c78d51d97236ba55c30e369391055989cf7d94780f4ff0d0c487be1e61
Instruction Fuzzy Hash: CCF17AB5A087419FD700CF25C480A5ABBF1FF8A348F248A1DF9956B761D731E949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CD024A0 Relevance: 11.6, APIs: 9, Instructions: 346memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CD028A9
memcpy.MSVCRT ref: 6CD028B8
memcpy.MSVCRT ref: 6CD028CD
GetProcessHeap.KERNEL32 ref: 6CD028F4
HeapAlloc.KERNEL32(00000000,00000000,0000040C), ref: 6CD02907
memcpy.MSVCRT ref: 6CD0291F

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcpy$Heap$AllocProcess
String ID:
API String ID: 3823808316-0
Opcode ID: 41df82472b149f329869a45dfc7995dda0969bb29db1b55763b5c14eeeef42cf
Instruction ID: 108e80b2d5d364d364b55b23b886b7160762e505756622220927f8bd2248e2e4
Opcode Fuzzy Hash: 41df82472b149f329869a45dfc7995dda0969bb29db1b55763b5c14eeeef42cf
Instruction Fuzzy Hash: AD0209BAD11FAD87CB60CF148C857AAB376BF9F344F1063D9E5182A111DB704AC59B40

Uniqueness

Uniqueness Score: -1.00%

Function 6CD056C0 Relevance: 11.3, APIs: 9, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD056DB
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD056F8
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0570F
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD05726
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD05763
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD05779
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD0578B
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD0579D
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD057B9

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 31e9779658dffea3c97a1dda056e9adf9e8c0f55af53ba76c99c27474f7c4e3a
Instruction ID: f2c191f254363a9d90d81c91f7791d28d01ce39f436187ecd67ff445c25aff32
Opcode Fuzzy Hash: 31e9779658dffea3c97a1dda056e9adf9e8c0f55af53ba76c99c27474f7c4e3a
Instruction Fuzzy Hash: 2F317031641200EFEF21AF49CC48BA5B7B6FF45709F24005CE9511BAB0D776A858DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6CD3A980 Relevance: 10.8, APIs: 5, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6CD3A99F
memcmp.MSVCRT ref: 6CD3A9B9
memcmp.MSVCRT ref: 6CD3AA0D

Strings

-----BEGIN -----END /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/pem-rfc7468-0.6.0/src/grammar.rs, xrefs: 6CD3A99A, 6CD3A9B3, 6CD3AA08
assertion failed: mid <= self.len()/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/base64ct-1.5.1/src/decoder.rs, xrefs: 6CD3ACE1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcmp
String ID: -----BEGIN -----END /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/pem-rfc7468-0.6.0/src/grammar.rs$assertion failed: mid <= self.len()/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/base64ct-1.5.1/src/decoder.rs
API String ID: 1475443563-1425366842
Opcode ID: aa9945a70addab002e81ec65fe2302746bf0e462b7837de1d3ff33a65e441df4
Instruction ID: b384f72cd5f402661e713f0a2b4f1793da73aa9ecd81e59a6ff4855b988d98ca
Opcode Fuzzy Hash: aa9945a70addab002e81ec65fe2302746bf0e462b7837de1d3ff33a65e441df4
Instruction Fuzzy Hash: 79A18871F083768BDF208FE9C8D47AA77A69B43728F18925AC4AD57AF1E3298444C350

Uniqueness

Uniqueness Score: -1.00%

Function 6CD10EC8 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,00000000), ref: 6CD10D5F
memcpy.MSVCRT ref: 6CD10D7F
HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD10F25
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Strings

capacity overflow, xrefs: 6CD11511

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocHeap$memcpy
String ID: capacity overflow
API String ID: 1551716280-2273299319
Opcode ID: 4edd7e0d0b0320e66ba100d2220527ea92e7993bd4aedaf623a51c76043a0a04
Instruction ID: 4c9e4ab3ba630865646bb29573455ced49c132e8243f6727ff76fcc97f00fc28
Opcode Fuzzy Hash: 4edd7e0d0b0320e66ba100d2220527ea92e7993bd4aedaf623a51c76043a0a04
Instruction Fuzzy Hash: 48819D71A087419BD700DF28D880B9AF7F4BF9A304F104A1DE5A957B61EB30E959CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD07FE0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CD0B20E,00000000,?,?,?,?,6CD0690C), ref: 6CD07FEC
CloseHandle.KERNEL32(FFFFFFFF), ref: 6CD080B7
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CD08110
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD08208
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD08281

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD0814C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExclusiveLock$AcquireRelease$CloseHandle
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3733085602-2333694755
Opcode ID: 15ea9c22b9fc8b9dc6a6eacca73f099b5585eb493f5690014fcd6d9aa2183856
Instruction ID: aa81bf7fa04e6803e91d6aaa4ac095664460147ead62f85a9a2eb5447c65e547
Opcode Fuzzy Hash: 15ea9c22b9fc8b9dc6a6eacca73f099b5585eb493f5690014fcd6d9aa2183856
Instruction Fuzzy Hash: 9B513970B05210DBDB10CF6DCC40BAB77B4AF42328F24061AE5B45BBA2D735E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF5950 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CCF5A21
memset.MSVCRT ref: 6CCF5A37

Strings

assertion failed: d.plus > 0, xrefs: 6CCF58DF, 6CCF63F3
assertion failed: d.mant.checked_add(d.plus).is_some(), xrefs: 6CCF58F5, 6CCF6401
assertion failed: d.minus > 0, xrefs: 6CCF58C9, 6CCF63E5
assertion failed: d.mant.checked_sub(d.minus).is_some(), xrefs: 6CCF590B, 6CCF640F
assertion failed: d.mant > 0, xrefs: 6CCF58B3, 6CCF63D7

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memset
String ID: assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0
API String ID: 2221118986-1838371865
Opcode ID: 29b1c140251d095109629e5c645edc5f0c66391f764271c455cf1602d5a3ac12
Instruction ID: 6e79d57bad27d81113b5cc131c4747a57b59d23f9569aedec00cd7279ac63ae3
Opcode Fuzzy Hash: 29b1c140251d095109629e5c645edc5f0c66391f764271c455cf1602d5a3ac12
Instruction Fuzzy Hash: 8B418CB1F402146BDB58DB24CC51FAE76B96F64300F148199F829B7BC1EA74E90ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2D4E0 Relevance: 10.6, APIs: 7, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: ba6c6a1887b9241dc4b4e0f7c05bf0cda26da1e36844b7535e578f9c321e9d63
Instruction ID: 820632019459d31bd33e08c1fb1cea8be5dd69f53bac36803f19aaebea1ed5a7
Opcode Fuzzy Hash: ba6c6a1887b9241dc4b4e0f7c05bf0cda26da1e36844b7535e578f9c321e9d63
Instruction Fuzzy Hash: BE41F2796443168FD710CE1DC440B56B3F1BF8631CF344A29E9698BB54D338DA0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CDC4E40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00000000), ref: 6CDC4E75
HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 6CDC4F1C
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 6CDC4F2C
ReleaseSRWLockExclusive.KERNEL32(?,?,?,00000000), ref: 6CDC4F41

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 6CDC4BAE, 6CDC4F88
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 6CDC4B98, 6CDC4F72

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExclusiveFreeHeapLock$AcquireRelease
String ID: cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
API String ID: 808636619-1937734220
Opcode ID: 71502ba4310dcfc2e5419773af33aa436930acb00ea9c41aa8356f6423393a38
Instruction ID: a72962766d1958b83769516a6b984293ebc5f25db3e89fbdaab37bac5fa19ac9
Opcode Fuzzy Hash: 71502ba4310dcfc2e5419773af33aa436930acb00ea9c41aa8356f6423393a38
Instruction Fuzzy Hash: 244190B1E00505EFDB01DF94C845BAEB7F9BF06308F248599E9186BA21D731E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CDEB070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(WQL), ref: 6CDEB094
SysAllocString.OLEAUT32(SELECT * FROM MSAcpi_ThermalZoneTemperature), ref: 6CDEB0A0
SysFreeString.OLEAUT32(00000000), ref: 6CDEB0C0
SysFreeString.OLEAUT32(00000000), ref: 6CDEB0C6

Strings

SELECT * FROM MSAcpi_ThermalZoneTemperature, xrefs: 6CDEB09B
WQL, xrefs: 6CDEB08F

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID: SELECT * FROM MSAcpi_ThermalZoneTemperature$WQL
API String ID: 344208780-2989581318
Opcode ID: e30c70cfefc003a510cba7a34f1d4a2bb4dd1f46899496e40998442cd5b393ba
Instruction ID: 7e6471b4c72a574d05d651b981a00a27a4c7fe50f12510f63cda1dbaef1c10b6
Opcode Fuzzy Hash: e30c70cfefc003a510cba7a34f1d4a2bb4dd1f46899496e40998442cd5b393ba
Instruction Fuzzy Hash: A621D1B1900B08DFD724CF64DC81B6BB7B8FF4A318F204A1DE45A5B691C775A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD28D50 Relevance: 10.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,?,?), ref: 6CD28DEC
HeapAlloc.KERNEL32(00000000,00000000,?,?), ref: 6CD28E22
GetProcessHeap.KERNEL32(?), ref: 6CD28E66
HeapAlloc.KERNEL32(?,00000000,?,?), ref: 6CD28E84
memcpy.MSVCRT ref: 6CD28EA7
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000,?,?), ref: 6CD28EBB
GetProcessHeap.KERNEL32(?), ref: 6CD28EC5
HeapAlloc.KERNEL32(00000000,00000000,?,?), ref: 6CD28EE5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: e1ed04b3049941f6a5f005295e885678d1b01ffc8b9af4b8304afb72ce167dc3
Instruction ID: 632b87302f9d985bdf2fde729a114bd61ddd7e873849428bf1a85b93fdb3010a
Opcode Fuzzy Hash: e1ed04b3049941f6a5f005295e885678d1b01ffc8b9af4b8304afb72ce167dc3
Instruction Fuzzy Hash: 0951A372700701DFEB14DF55CC80B6AB7B6BF55308F24812EEA149BA61EB79D8448750

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE5C20 Relevance: 10.1, APIs: 8, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,?), ref: 6CCE5C5C
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CCE5C92
GetProcessHeap.KERNEL32 ref: 6CCE5CD6
HeapAlloc.KERNEL32(?,00000000), ref: 6CCE5CF4
memcpy.MSVCRT ref: 6CCE5D17
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000), ref: 6CCE5D2B
GetProcessHeap.KERNEL32 ref: 6CCE5D35
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CCE5D55

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: ab6f0aca4eec7f8c15ec325f6ff9a937789324b2a3dbe604982bd5b6293498eb
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: D541CF71B417029FE700CF6AC9C4B6AB7B6BB8E308F24812ED4158BB50FBB4D9448B50

Uniqueness

Uniqueness Score: -1.00%

Function 6CE19F80 Relevance: 10.1, APIs: 8, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,00000008,00000008,00000001,?,00000001), ref: 6CE19FBC
HeapAlloc.KERNEL32(00000000,00000000,00000008,00000008,00000001,?,00000001), ref: 6CE19FF2
GetProcessHeap.KERNEL32(00000008,00000001,?,00000001), ref: 6CE1A036
HeapAlloc.KERNEL32(?,00000000,?,00000008,00000001,?,00000001), ref: 6CE1A054
memcpy.MSVCRT ref: 6CE1A077
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000,?,00000008,00000001,?,00000001), ref: 6CE1A08B
GetProcessHeap.KERNEL32(00000008,00000001,?,00000001), ref: 6CE1A095
HeapAlloc.KERNEL32(00000000,00000000,?,00000008,00000001,?,00000001), ref: 6CE1A0B5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: 496190b2f18f839cca21f9b334c93f7f6cb9237267020977bfc2a775f2e229a8
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: 364180717893029FEB10CF69C880B7AB7B6AB89308F34812DE5158BF51EB75E818D751

Uniqueness

Uniqueness Score: -1.00%

Function 6CD229E0 Relevance: 10.1, APIs: 8, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,?), ref: 6CD22A1C
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CD22A52
GetProcessHeap.KERNEL32 ref: 6CD22A96
HeapAlloc.KERNEL32(?,00000000), ref: 6CD22AB4
memcpy.MSVCRT ref: 6CD22AD7
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000), ref: 6CD22AEB
GetProcessHeap.KERNEL32 ref: 6CD22AF5
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD22B15

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: 8b089df4755fbe46e94347eedcbeab43a61da947296e977277cca4db55e301d8
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: 4141B570765302DFE710CF69C8C8B6A77B6AB8931CF24822DE6148BB65EB78D904C710

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFFBB0 Relevance: 10.1, APIs: 8, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,?,?,?), ref: 6CDFFBEC
HeapAlloc.KERNEL32(00000000,00000000,?,?,?), ref: 6CDFFC22
GetProcessHeap.KERNEL32(?,?), ref: 6CDFFC66
HeapAlloc.KERNEL32(?,00000000,?,?,?), ref: 6CDFFC84
memcpy.MSVCRT ref: 6CDFFCA7
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000,?,?,?), ref: 6CDFFCBB
GetProcessHeap.KERNEL32(?,?), ref: 6CDFFCC5
HeapAlloc.KERNEL32(00000000,00000000,?,?,?), ref: 6CDFFCE5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: cae3590009e4decb932df8e6dde5afc8e8e9da8af3a1f930baf862ab831118ea
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: DA418E707453429BE700CF69C8C0B6AB7F6FB85348F29812DD9258BB61EB74D806C761

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0C5C0 Relevance: 10.1, APIs: 8, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,00000008,00000008,?,?,?), ref: 6CD0C5FC
HeapAlloc.KERNEL32(00000000,00000000,00000008,00000008,?,?,?), ref: 6CD0C632
GetProcessHeap.KERNEL32(00000008,?,?,?), ref: 6CD0C676
HeapAlloc.KERNEL32(?,00000000,?,00000008,?,?,?), ref: 6CD0C694
memcpy.MSVCRT ref: 6CD0C6B7
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000,?,00000008,?,?,?), ref: 6CD0C6CB
GetProcessHeap.KERNEL32(00000008,?,?,?), ref: 6CD0C6D5
HeapAlloc.KERNEL32(00000000,00000000,?,00000008,?,?,?), ref: 6CD0C6F5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: 79b8988fb744ea5da9eb0b979e00c8157be045805548e67ed4877fa3cff534e5
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: D04173B0745302DBE710EFADC880B6A77B6ABC9308F64812DD9158B761EB74E8048762

Uniqueness

Uniqueness Score: -1.00%

Function 6CD24500 Relevance: 10.1, APIs: 8, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,-000000FE,-000000FE,?), ref: 6CD2453C
HeapAlloc.KERNEL32(00000000,00000000,-000000FE,-000000FE,?), ref: 6CD24572
GetProcessHeap.KERNEL32(-000000FE,?), ref: 6CD245B6
HeapAlloc.KERNEL32(?,00000000,?,-000000FE,?), ref: 6CD245D4
memcpy.MSVCRT ref: 6CD245F7
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000,?,-000000FE,?), ref: 6CD2460B
GetProcessHeap.KERNEL32(-000000FE,?), ref: 6CD24615
HeapAlloc.KERNEL32(00000000,00000000,?,-000000FE,?), ref: 6CD24635

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: 2ce9253a5105b7b890517991f850636d89bfe913cc930acaf23cb67c071e33f1
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: 2E4176B1745301DFEB14CF69C880FAA77B6AB8530CF24852DDA658B761EB7CD8488750

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE6680 Relevance: 10.1, APIs: 8, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,00000008,00000008,6CDEC2B4,?,6CDEC2B4), ref: 6CDE66BC
HeapAlloc.KERNEL32(00000000,00000000,00000008,00000008,6CDEC2B4,?,6CDEC2B4), ref: 6CDE66F2
GetProcessHeap.KERNEL32(00000008,6CDEC2B4,?,6CDEC2B4), ref: 6CDE6736
HeapAlloc.KERNEL32(?,00000000,?,00000008,6CDEC2B4,?,6CDEC2B4), ref: 6CDE6754
memcpy.MSVCRT ref: 6CDE6777
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,00000000,?,00000008,6CDEC2B4,?,6CDEC2B4), ref: 6CDE678B
GetProcessHeap.KERNEL32(00000008,6CDEC2B4,?,6CDEC2B4), ref: 6CDE6795
HeapAlloc.KERNEL32(00000000,00000000,?,00000008,6CDEC2B4,?,6CDEC2B4), ref: 6CDE67B5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Process$Freememcpy
String ID:
API String ID: 4102440617-0
Opcode ID: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction ID: df236f0bf1e84d2667797599e9c8adb9fce07d01164c24131d8b6cc2c00559b9
Opcode Fuzzy Hash: 99d770f75089fffb0e278910f4bee980386273a3f82251ea31eb23052ebe862d
Instruction Fuzzy Hash: CF418274755309DBE700EF6AC880B5E77B6AF89304F24852DD615CBE61EB74E809C750

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0CBA0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD0CBF7
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD0CC0F
GetProcessHeap.KERNEL32 ref: 6CD0CCB1

Strings

assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CD0CE53

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc
String ID: assertion failed: edelta >= 0library\core\src\num\diy_float.rs
API String ID: 651230671-1130412906
Opcode ID: 6fe571576baea11d2491fe22c520cbc0f4a38ea55dbb909576d903cc98dbe597
Instruction ID: 03026c5a473f7012f307d2f6d50c4bcb59c15e9d1a1633ed7e3a5ccdbf0dabf0
Opcode Fuzzy Hash: 6fe571576baea11d2491fe22c520cbc0f4a38ea55dbb909576d903cc98dbe597
Instruction Fuzzy Hash: EB81D2B6A012158BEB149F6DC880BBEB7B5EFC5318F25412DD805AB7A0E7349C05C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 6CE25A60 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 229memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE25C75

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CE267A2

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3298025750-2333694755
Opcode ID: 386a5dfb80145493eae5aa3875e70a554a58f191471603c64166a394e0626f1c
Instruction ID: 6871e69b08c45974ece276abf692c89128c738f8de451f6f300235ee8a1ddf30
Opcode Fuzzy Hash: 386a5dfb80145493eae5aa3875e70a554a58f191471603c64166a394e0626f1c
Instruction Fuzzy Hash: 5AA127B18097809BE721CF24C445B9BBBF5BF89308F204A1DE5A95B660E7789549CF83

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0E998 Relevance: 9.2, APIs: 6, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CD0E9D8
GetProcessHeap.KERNEL32(?), ref: 6CD0EC2E
HeapAlloc.KERNEL32(?,00000000,?,6CF8B0E0,00000000), ref: 6CD0EC47

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocExclusiveLockProcessRelease
String ID:
API String ID: 2870571564-0
Opcode ID: e664424f3bc88422dc87183c76f3e4e23f45fbaec0e8e66582ba14b7a257c8c3
Instruction ID: 8ae0239cc68eeb57d06d954bbbee486de1bc7f2827c588618f7e3597c783cb56
Opcode Fuzzy Hash: e664424f3bc88422dc87183c76f3e4e23f45fbaec0e8e66582ba14b7a257c8c3
Instruction Fuzzy Hash: ACA17B75A09B80CFD361DF28D840BABB7F4BF9A348F044A1DE8E957661DB30A544CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CD01A41 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD01BF4
HeapAlloc.KERNEL32(00000001,00000000,0000040C), ref: 6CD01C0B

Strings

`NlI, xrefs: 6CD01B68

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID: `NlI
API String ID: 1617791916-3352512153
Opcode ID: a93a0a2add40e9ddeb5cf50e2cd99f5e20ad67bacd8941b3208d3f846f832855
Instruction ID: 181214223096e511dd18882b22d8ec78b192021e79da0ad9bc5d3d6a5082ebef
Opcode Fuzzy Hash: a93a0a2add40e9ddeb5cf50e2cd99f5e20ad67bacd8941b3208d3f846f832855
Instruction Fuzzy Hash: 0391B171909B84DAD722CF29C8027EBB7F4BF9A348F04461DED985B261EB35C505CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CD10A18 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CD10AF6
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD10B2E

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD11669

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeapmemcpy
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 673829100-2333694755
Opcode ID: cf65056961b12341e2f75b1d31a0435e9f336f782d8f5a0737a036ba03553689
Instruction ID: 07771925578359b285234ab0bc4d9a42d3d37f4df6d25a84a2b0da1d39161dc0
Opcode Fuzzy Hash: cf65056961b12341e2f75b1d31a0435e9f336f782d8f5a0737a036ba03553689
Instruction Fuzzy Hash: 3881AD716087409BD710DF28D880BABF7F5BF8A304F104A2DE59957B60EB31E959CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2E850 Relevance: 9.2, APIs: 6, Instructions: 191synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6CE2EA70
WaitForSingleObject.KERNEL32 ref: 6CE2EAB0

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 69d78f881d925da9f919390377920ed8fb8890a51c1e1a7701b1e43ae0ff8a28
Instruction ID: b1c058da68d4507915038019e122cee85d9c680e46d25a13ce0cee624bcd1b39
Opcode Fuzzy Hash: 69d78f881d925da9f919390377920ed8fb8890a51c1e1a7701b1e43ae0ff8a28
Instruction Fuzzy Hash: F2716A70B05F298BDB549F39C48431677F1BB4771AF248A6AD8698B790D738E805CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD107CB Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CD10815
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD10850
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD11631

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocFree
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1496448200-2333694755
Opcode ID: 5cd95a7f8adf96fc5dfad15af45583fd55cc68918ae6b8be8f5d9aa67b94e626
Instruction ID: a735f0d13573696d53056be17904d753eafb88f2fa5c6465e791205e48664006
Opcode Fuzzy Hash: 5cd95a7f8adf96fc5dfad15af45583fd55cc68918ae6b8be8f5d9aa67b94e626
Instruction Fuzzy Hash: E0716D756087809FD720DF24D880B9BF7F5BF99304F104A2DE4D957A60EB30A959CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CDC2DF0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6CDC2E96
GetLastError.KERNEL32 ref: 6CDC2EAA
GetLastError.KERNEL32 ref: 6CDC2EBB
HeapFree.KERNEL32(00000000,00000002), ref: 6CDC2F3B
GetLastError.KERNEL32 ref: 6CDC2F87

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CDC2FD1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeHeap
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3197834085-2333694755
Opcode ID: c76af5b182c750b4c26070805c1a214ffce7432b4ba0fb48008c7e3259beb6fc
Instruction ID: 69066b35524e08c6961892d5692fda13d04f6548c06185658342ae526da9a11d
Opcode Fuzzy Hash: c76af5b182c750b4c26070805c1a214ffce7432b4ba0fb48008c7e3259beb6fc
Instruction Fuzzy Hash: CA51D9B2E0422C9BDB108F99C8847DEFBF8AF05318F154169E85477751D7799A04CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDCFAA0 Relevance: 9.1, APIs: 6, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CDD9F50: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6CDCF016,?), ref: 6CDD9FA0
Part of subcall function 6CDD9F50: HeapAlloc.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,6CDCF016,?), ref: 6CDD9FBB
Part of subcall function 6CDD9F50: HeapFree.KERNEL32(00000000,?), ref: 6CDDA083

MoveFileExW.KERNEL32(?,?,00000001,?,?,?,?,?,00000001,00000000,?,6CD1232B,?,?,?,?), ref: 6CDCFB4A
HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,?,00000001,00000000,?,6CD1232B,?,?), ref: 6CDCFB68
HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,?,00000001,00000000,?,6CD1232B,?,?), ref: 6CDCFB7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000001,00000000,?,6CD1232B,?,?,?,?,00000000), ref: 6CDCFBA5
GetLastError.KERNEL32(?,?,00000001,?,?,?,?,?,00000001,00000000,?,6CD1232B,?,?,?,?), ref: 6CDCFBB4
HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,?,00000001,00000000,?,6CD1232B,?,?), ref: 6CDCFBD3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocErrorFileLastMoveProcess
String ID:
API String ID: 263320699-0
Opcode ID: a22889fde1d63c1d7db205621a4077a09e8da3e6fdb3f4530828ae2f8ef92f9b
Instruction ID: 8d5dcebae78ba3522a53d2d7895dd0dbfd0454a5eec091dcb19ab248b851a416
Opcode Fuzzy Hash: a22889fde1d63c1d7db205621a4077a09e8da3e6fdb3f4530828ae2f8ef92f9b
Instruction Fuzzy Hash: 91416AB1E0120ADBDF00CF94C851BEEBBB9AF58318F244119E9147B760D771AA44CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFD7E0 Relevance: 9.1, APIs: 6, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CDFE161,?,6CE04D41), ref: 6CDFD85D
FindClose.KERNEL32(?,?,6CDFE161,?,6CE04D41), ref: 6CDFD873
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CDFE161,?,6CE04D41), ref: 6CDFD8C9

Part of subcall function 6CDFECE0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,6CDFD82E,?,6CDFE161,?,6CE04D41), ref: 6CDFED12

HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CDFE161,?,6CE04D41), ref: 6CDFD8B2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CDFE161,?,6CE04D41), ref: 6CDFF628
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CDFE161,?,6CE04D41), ref: 6CDFF642

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseFind
String ID:
API String ID: 2995094047-0
Opcode ID: c858b6c2c5c0d51ab458a9ff59c5f23c9afd44c565a7857e7c9ec3f358e0cc0b
Instruction ID: be70c09b7c5f971366fbf87fe48d2e347498fefe43ce372c39de1975d595526d
Opcode Fuzzy Hash: c858b6c2c5c0d51ab458a9ff59c5f23c9afd44c565a7857e7c9ec3f358e0cc0b
Instruction Fuzzy Hash: D431E131640644DFDB219F15C840BA6F7B2FB02319F25452EE5754BAB0CB32A84ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CD078A0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CD0B25F,00000000,?,?,?,?,6CD0690C), ref: 6CD078AC
CloseHandle.KERNEL32(FFFFFFFF,?,?,?,?,?,?,6CD0B25F,00000000), ref: 6CD07987
CloseHandle.KERNEL32(FFFFFFFF,?,?,?,?,?,?,6CD0B25F,00000000), ref: 6CD07A57
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,6CD0B25F,00000000,?,?,?,?,6CD0690C), ref: 6CD07A94

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD07ACD

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseExclusiveHandleLock$AcquireRelease
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 4244960811-2333694755
Opcode ID: 020f8cffb5cdfcbcfe920a21892703240bdb1498d3a04211c77c1f2fe1f17e48
Instruction ID: ac21eddbd6208a232e36a2e7d50306b82f0465d03b97a62f4f44cc1e4293d4db
Opcode Fuzzy Hash: 020f8cffb5cdfcbcfe920a21892703240bdb1498d3a04211c77c1f2fe1f17e48
Instruction Fuzzy Hash: 7B910171E05218EBDB10CF6CCC81BEE77B4AF49328F250618E465AF7A1D774A905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD93F70 Relevance: 8.8, APIs: 7, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD93FA1
HeapFree.KERNEL32(6CF8B0E0,00000000,6CD94B0A), ref: 6CD93FC2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,?,?,?,6CF8B0E0,00000000,6CD94B0A), ref: 6CD93FD9
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,00000000,?,?,?), ref: 6CD940FE

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 576b3be98d7f9a7799f908bcbd1ba8b4c60c09ec22a150fe7ae9df580c4c6b8c
Instruction ID: 129bda9b81411c252c1e7071798c89a3ea083cfb0c3404594869a5f73c6a2361
Opcode Fuzzy Hash: 576b3be98d7f9a7799f908bcbd1ba8b4c60c09ec22a150fe7ae9df580c4c6b8c
Instruction Fuzzy Hash: 1231E175654240EFDB209F48CC44B56B7F2FB06318F28016DF52A0BA71CB32A85CCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0BB40 Relevance: 8.8, APIs: 7, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06999), ref: 6CD0BB5B
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06999), ref: 6CD0BB92
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06999), ref: 6CD0BBAE
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06999), ref: 6CD0BBE2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06999), ref: 6CD0BBFE
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06999), ref: 6CD0BC32
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD06999), ref: 6CD0BC4E

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a54a482f26f4ebc381618093ab896d61d991cc91a789536f14d382924260025c
Instruction ID: ae3433d0d339cbb44150596221fc2b11260fda854ec5eeb7eb0e2e897856a53b
Opcode Fuzzy Hash: a54a482f26f4ebc381618093ab896d61d991cc91a789536f14d382924260025c
Instruction Fuzzy Hash: 7E318D72A49614EFEB118F48CC80F65B7B1FB05718F280958E5612BAF4C772E848CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6CE16F40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE16F75
GetFileAttributesW.KERNEL32(?), ref: 6CE16F7B
SetFileAttributesW.KERNEL32(?,00000000,?), ref: 6CE16F98
GetLastError.KERNEL32(?), ref: 6CE16FB3

Strings

$l, xrefs: 6CE17019, 6CE17034

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AttributesFile$ErrorFreeHeapLast
String ID: $l
API String ID: 3275664389-3142327803
Opcode ID: f39ea0bb7ab8d97c664644da5574ee3c2da5c5aaafb49ef824e5984f097b8028
Instruction ID: 901826d6a07070113ef3d1c1368bf0c3b9944d967ced55099816724fd2036325
Opcode Fuzzy Hash: f39ea0bb7ab8d97c664644da5574ee3c2da5c5aaafb49ef824e5984f097b8028
Instruction Fuzzy Hash: 1431B8B1C002599ECF10CF94D8467DEBBB8FF48218F244569D424B7B50E7359A5ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE8CD4 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

internal error: entered unreachable code/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/aho-corasick-0.7.18/src/ahocorasick.rs, xrefs: 6CCE9241

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: internal error: entered unreachable code/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/aho-corasick-0.7.18/src/ahocorasick.rs
API String ID: 0-3096438005
Opcode ID: 1802bfcb78eea0bb2cb49ce2c45cbcb69456cf3b05685855a6dbecbb4dac0c12
Instruction ID: c0662898ba248a9494f7ba79b3a3d9403f0d1d4b67858051143a95bb6afadb3e
Opcode Fuzzy Hash: 1802bfcb78eea0bb2cb49ce2c45cbcb69456cf3b05685855a6dbecbb4dac0c12
Instruction Fuzzy Hash: B9B13471E453068BEF00CB68CC41BEDB7B6AF5B308F240569D419ABB82F7749949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CE09BE0 Relevance: 7.8, APIs: 6, Instructions: 301memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE09C6A
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CE09C79
GetProcessHeap.KERNEL32 ref: 6CE09D01
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CE09D10

Part of subcall function 6CDD1130: HeapFree.KERNEL32(00000000,00000000), ref: 6CDD11F3
Part of subcall function 6CDD1130: HeapFree.KERNEL32(00000000,?), ref: 6CDD1201

memcpy.MSVCRT ref: 6CE09EA6
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE09EFA

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcess$memcpy
String ID:
API String ID: 288019571-0
Opcode ID: c490fd9c285bb34c64dd6e48ae79d838bab0faf9c32998279bf9c387cddd5712
Instruction ID: bd6034e57d5549b6931922f4ba68d10e571372a041aeb0adeba735ab77b86e3b
Opcode Fuzzy Hash: c490fd9c285bb34c64dd6e48ae79d838bab0faf9c32998279bf9c387cddd5712
Instruction Fuzzy Hash: C1D19DB5908745AFC700CF25C4816AAFBF5FF8A308F248A5EE89857711D730E955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD178C0 Relevance: 7.7, APIs: 6, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CD17928

Part of subcall function 6CD17DC0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD1B00F), ref: 6CD17DCD

GetProcessHeap.KERNEL32 ref: 6CD179D2
HeapAlloc.KERNEL32(00000000,00000000,00000020), ref: 6CD179E6
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,00000000,00000020), ref: 6CD17A58
GetProcessHeap.KERNEL32(?,?,?,00000000,00000020), ref: 6CD17AC8
HeapAlloc.KERNEL32(?,00000000,00000070,?,?,?,00000000,00000020), ref: 6CD17ADC

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcess$memset
String ID:
API String ID: 3858697463-0
Opcode ID: d356ee7e4ffc249b0c8e57627634467d4d252873ded850960bddd9e55d87c571
Instruction ID: d07c87d2fd9e2f57272d0ca9961205716dcecda6280a6dd951783e25d85d5f4f
Opcode Fuzzy Hash: d356ee7e4ffc249b0c8e57627634467d4d252873ded850960bddd9e55d87c571
Instruction Fuzzy Hash: CB81F375C24B859AE311CF39C841BA6B7B4BF9B344F104719F9886BA62FB70E184C751

Uniqueness

Uniqueness Score: -1.00%

Function 6CD06760 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0C580: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD125A1,?), ref: 6CD0C58D

memcpy.MSVCRT ref: 6CD067BC
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0693D
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0696C
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD069A5

Part of subcall function 6CE051E0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CE051F5
Part of subcall function 6CE051E0: HeapAlloc.KERNEL32(00000000,00000000,00000068), ref: 6CE05209
Part of subcall function 6CE051E0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,00000068), ref: 6CE0544F
Part of subcall function 6CE051E0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?,?,?,?,00000068), ref: 6CE0545F

Strings

PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD067EF, 6CD0686E

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcessmemcpy
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs
API String ID: 3951801138-1569620981
Opcode ID: 8a51adb819cb1c60996182899de0c0f19c86861ede4c9b835e1b25177945f0ee
Instruction ID: aa04fc35d7af6d35ac0edfd8474b13bd1dcfc7ef468b89e8e7109abb6cf9223c
Opcode Fuzzy Hash: 8a51adb819cb1c60996182899de0c0f19c86861ede4c9b835e1b25177945f0ee
Instruction Fuzzy Hash: 7F51B4B5A08340DBD7209F54D845BDFB7B4AF84308F14042CD98987BA1EB75A58DCBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFE4E0 Relevance: 7.7, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?,6CDFE758,?,6CE086B6), ref: 6CDFE54F

Part of subcall function 6CDFA730: AcquireSRWLockExclusive.KERNEL32 ref: 6CDFA98C

HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CDFE758,?,6CE086B6), ref: 6CDFE5C2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CDFE758,?,6CE086B6), ref: 6CDFE612
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?,6CDFE758,?,6CE086B6), ref: 6CDFE67B
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?,6CDFE758,?,6CE086B6), ref: 6CDFE6B7

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$AcquireExclusiveLock
String ID:
API String ID: 2371024757-0
Opcode ID: 505ce58588b847ad310ae40fd6476994dffe8960974779d20315b2c1bc241b92
Instruction ID: 5a96add4042ecc7749117d2156b4a7ac456205a0ce924f494fcb52d91c84f7bf
Opcode Fuzzy Hash: 505ce58588b847ad310ae40fd6476994dffe8960974779d20315b2c1bc241b92
Instruction Fuzzy Hash: AB518D31501604DBDB22CF14C840BAAB3B1FF01318F6A091DD5BA5BEA1DB32B94ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0D460 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CD0D50A
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0D53F
memcpy.MSVCRT ref: 6CD0D595
HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,?), ref: 6CD0D5CE

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6CD0D62A

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocFree
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1496448200-2333694755
Opcode ID: 7a3e04be13c7e23385341d26c778ee5e084ca9e723c26e085cc860eb3527d97a
Instruction ID: 896a117d88d8d17f96ed22aa6f13c4a2a03aeb8a0e618038b4332ec6cfcdc607
Opcode Fuzzy Hash: 7a3e04be13c7e23385341d26c778ee5e084ca9e723c26e085cc860eb3527d97a
Instruction Fuzzy Hash: E351FAB2F002059BDB10DF5CC884BAE7776AB4632CF25462ED919A77B0E731E805C791

Uniqueness

Uniqueness Score: -1.00%

Function 6CD108B7 Relevance: 7.6, APIs: 6, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD108C5
HeapAlloc.KERNEL32(?,00000000), ref: 6CD108E0
memcpy.MSVCRT ref: 6CD10900
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Allocmemcpy$Process
String ID:
API String ID: 3580954859-0
Opcode ID: 06b2c0b044f5eecccc3dd8de0c4ccb9b967ab0314dfe0ea3a7ad47692afc7697
Instruction ID: 45f53ce74bbce758a8932bd2094b3150f613c73a8c015eaf3355d46f506b5fa1
Opcode Fuzzy Hash: 06b2c0b044f5eecccc3dd8de0c4ccb9b967ab0314dfe0ea3a7ad47692afc7697
Instruction Fuzzy Hash: 72516D71A08B459BD714DF34D840BABF7F4BF99304F04462DE8AA57660EB30E919CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CE280B0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD21E90: GetComputerNameExW.KERNEL32(00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21EA8
Part of subcall function 6CD21E90: GetProcessHeap.KERNEL32(00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21EED
Part of subcall function 6CD21E90: HeapAlloc.KERNEL32(00000000,00000008,?,00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21EFC
Part of subcall function 6CD21E90: GetComputerNameExW.KERNEL32(00000005,00000000,00000000,00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21F0E
Part of subcall function 6CD21E90: HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,00000005,00000000,00000000,?,?,00000000,?), ref: 6CD21F55

GetProcessHeap.KERNEL32 ref: 6CE28163
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CE28174
memcpy.MSVCRT ref: 6CE28196
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE281B8

Strings

<unknown>[WARNING] Cannot service compile regex: , xrefs: 6CE281C7

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerFreeNameProcess$memcpy
String ID: <unknown>[WARNING] Cannot service compile regex:
API String ID: 206058342-518872989
Opcode ID: c57dd0204176bc64d26f62a16bb699e11d09354ec417cb644ca06d273002bd30
Instruction ID: 63c1467368dff478a8dd939169a59098de494d19a153d4e7c981b33ce826280a
Opcode Fuzzy Hash: c57dd0204176bc64d26f62a16bb699e11d09354ec417cb644ca06d273002bd30
Instruction Fuzzy Hash: CB410773E012158BEF248E688C40BBEB7B5BF56318F3C422AD415A7B81EB3498448791

Uniqueness

Uniqueness Score: -1.00%

Function 6CE00C10 Relevance: 7.6, APIs: 6, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,00000001,00000000,?,?,6CE08AF6,?,?), ref: 6CE00C37
HeapAlloc.KERNEL32(6CE08AF6,00000000,BEC35D5B,?,?,?,?,00000001,00000000,?,?,6CE08AF6,?,?), ref: 6CE00C46
memcpy.MSVCRT ref: 6CE00C69
HeapFree.KERNEL32(6CF8B0E0,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?), ref: 6CE00C99
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6CE00CFE
HeapFree.KERNEL32(6CF8B0E0,00000000,6CE08AF6,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6CE00D17

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcessmemcpy
String ID:
API String ID: 3951801138-0
Opcode ID: 75e8a169c23330a0ceeb62a8a7fdfde314f9bd6da1219f8165f7590f4300ed04
Instruction ID: a912c6ee627c779a43ee136d7fded226e511cb53e568a14531dddc83fecb624b
Opcode Fuzzy Hash: 75e8a169c23330a0ceeb62a8a7fdfde314f9bd6da1219f8165f7590f4300ed04
Instruction Fuzzy Hash: 913166B1E01248AFEB009F95DC85BEE77B8EF0531CF240029E904AB751E775A958CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 6CD06764 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0A9F0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD06773), ref: 6CD0AA01

Part of subcall function 6CD0AAD0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0AAEE
Part of subcall function 6CD0AAD0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0AB0A
Part of subcall function 6CD0AAD0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0AB21

Part of subcall function 6CD0C580: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD125A1,?), ref: 6CD0C58D

memcpy.MSVCRT ref: 6CD067BC
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0693D
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0696C
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD069A5

Part of subcall function 6CE051E0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CE051F5
Part of subcall function 6CE051E0: HeapAlloc.KERNEL32(00000000,00000000,00000068), ref: 6CE05209
Part of subcall function 6CE051E0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,00000068), ref: 6CE0544F
Part of subcall function 6CE051E0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?,?,?,?,00000068), ref: 6CE0545F

Strings

PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD067EF

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcessmemcpy
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs
API String ID: 3951801138-1569620981
Opcode ID: 871b7d67b96ea97542d439cd0b09b2b58d6ebc1218db23e532395ae659658bc0
Instruction ID: ad20ed74410ec5e6ec0568737b1855a5c0846df23601e80de1ea0af8d550883f
Opcode Fuzzy Hash: 871b7d67b96ea97542d439cd0b09b2b58d6ebc1218db23e532395ae659658bc0
Instruction Fuzzy Hash: 9C41A171A08240DBD720DF54D845BEFB7B4BF84308F14082CE98947AA1DB75A58DCB93

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE8550 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCE85AC
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCE85BB
memcpy.MSVCRT ref: 6CCE85D0

Strings

assertion failed: !bytes.is_empty()/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/aho-corasick-0.7.18/src/packed/pattern.rs, xrefs: 6CCE8631
assertion failed: self.by_id.len() <= u16::MAX as usize, xrefs: 6CCE863F

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpy
String ID: assertion failed: !bytes.is_empty()/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/aho-corasick-0.7.18/src/packed/pattern.rs$assertion failed: self.by_id.len() <= u16::MAX as usize
API String ID: 4164033339-2214136678
Opcode ID: 86ef5e8ba7330024056c63078afaeddc747fb40bd1f0125533f0e2bce98c1859
Instruction ID: 9842dd2c303286a433403ae3484ef5993313a45987c5f0e5c679e992ffd5a2bc
Opcode Fuzzy Hash: 86ef5e8ba7330024056c63078afaeddc747fb40bd1f0125533f0e2bce98c1859
Instruction Fuzzy Hash: 7B31D271A007059BD720DF19D880D9BB7F9EF8A318B20462ED85957B41FB30F948CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE8AFF Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCE8B5A
HeapAlloc.KERNEL32(?,00000008,00000100), ref: 6CCE8B71
memset.MSVCRT ref: 6CCE8C18
memcpy.MSVCRT ref: 6CCE8CA7

Strings

internal error: entered unreachable code/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/aho-corasick-0.7.18/src/ahocorasick.rs, xrefs: 6CCE8C47

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpymemset
String ID: internal error: entered unreachable code/usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/aho-corasick-0.7.18/src/ahocorasick.rs
API String ID: 471586229-3096438005
Opcode ID: 3e542eef404a5903e8bae209c396d09c778b65dea7a00a3186f434e55699a3ce
Instruction ID: f07d09c00165d57c2d24aa48dac5fea8dd47e1b0ced5e939ef3182090351382e
Opcode Fuzzy Hash: 3e542eef404a5903e8bae209c396d09c778b65dea7a00a3186f434e55699a3ce
Instruction Fuzzy Hash: 70314671946F889AD712DF34DC097DBBBB0AF1B304F14055DE89D2B282E7756108C792

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2EBC0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CE2EBD9
_unlock.MSVCRT ref: 6CE2EC01
calloc.MSVCRT ref: 6CE2EC4F

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: a15d06f66e0568002a2804e2ffa3ac256ab696c3f8dc9fcffda5940dadc68fb0
Instruction ID: b0a772ff983965e60ddfc5828fcd0f9042620660f30d213a6f9406522531e052
Opcode Fuzzy Hash: a15d06f66e0568002a2804e2ffa3ac256ab696c3f8dc9fcffda5940dadc68fb0
Instruction Fuzzy Hash: E0118E706086618BE7009F78C48575A7BF0EF85315F68C969D4988B788EB78C445CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFA730 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CDFA8C0
AcquireSRWLockExclusive.KERNEL32 ref: 6CDFA98C

Strings

Index out of bounds, xrefs: 6CDFA844, 6CDFA84B

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AcquireExclusiveLockmemmove
String ID: Index out of bounds
API String ID: 3602945785-3064291191
Opcode ID: 110122a1ba352c3d1e2d2c4131cca8363749d1f1f1c4d5e96f6642efc9b7a4f2
Instruction ID: b658d72070efafd561a10278baf70863bca4d41bda993a5ddd9a3159b1f81342
Opcode Fuzzy Hash: 110122a1ba352c3d1e2d2c4131cca8363749d1f1f1c4d5e96f6642efc9b7a4f2
Instruction Fuzzy Hash: E081AF71A01619CBCB14CF54C880BEEB7B5FF45318F664519D829ABBA1D731A90BCBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD96F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,6CDCA0F3,00000000,00000000), ref: 6CDD9729
GetLastError.KERNEL32(?,?,?,?,?,?,?,6CDCA0F3,00000000,00000000), ref: 6CDD9805

Strings

attempt to divide by zero, xrefs: 6CDD97F6
called `Result::unwrap()` on an `Err` value, xrefs: 6CDD9827

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorFrequencyLastPerformanceQuery
String ID: attempt to divide by zero$called `Result::unwrap()` on an `Err` value
API String ID: 3362413890-3035377958
Opcode ID: d1bb809595d3dca38b4dbf16ff50380c482f39a2197125156340d248ce92899e
Instruction ID: 495f05bd2f7a73391f6a243cc354280caf7a2d5a5b993cbd155df0f3c782b602
Opcode Fuzzy Hash: d1bb809595d3dca38b4dbf16ff50380c482f39a2197125156340d248ce92899e
Instruction Fuzzy Hash: CD31F5B2A003006FDB08DF28CC02BAFB7B99FC5614F15892DF4599B751E77599088792

Uniqueness

Uniqueness Score: -1.00%

Function 6CD3A500 Relevance: 6.6, APIs: 5, Instructions: 380COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CD3A57A
memcpy.MSVCRT ref: 6CD3A641
memcpy.MSVCRT ref: 6CD3A8F4

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: c007157f527a6214d6dad92da9ef8b9fd7dc684178129dddce1eec9f09733d18
Instruction ID: 4f51591915c429d0a8386b5f48f62782d4157d589e5b7c4196aad64c2163eaa8
Opcode Fuzzy Hash: c007157f527a6214d6dad92da9ef8b9fd7dc684178129dddce1eec9f09733d18
Instruction Fuzzy Hash: 57D1A5B1B006249FCF14CF98D880AAEB7B5AF89304F15852DD85EA7B51D731ED09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD10666 Relevance: 6.5, APIs: 5, Instructions: 257memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD10666
HeapAlloc.KERNEL32(?,00000000), ref: 6CD10683
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Processmemcpy
String ID:
API String ID: 3827299791-0
Opcode ID: ec18459d8610e18c14975c79c5a1cfefa3920a65a3dfaf7bc4c2b466373deaec
Instruction ID: cfb556befd2693b71e115e3bc15b0e0c7b490e1487fa03f78fd1c1dbb063d12b
Opcode Fuzzy Hash: ec18459d8610e18c14975c79c5a1cfefa3920a65a3dfaf7bc4c2b466373deaec
Instruction Fuzzy Hash: 68B1BF7190CB818BD310DF28D88079BF7F1BF9A344F148A2DE8D957661EB31A855CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CD01E70 Relevance: 6.5, APIs: 5, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CD0228C
memcpy.MSVCRT ref: 6CD022BB
GetProcessHeap.KERNEL32 ref: 6CD022DA
HeapAlloc.KERNEL32(00000000,00000000,0000041C), ref: 6CD022ED
memcpy.MSVCRT ref: 6CD02312

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: memcpy$Heap$AllocProcess
String ID:
API String ID: 3823808316-0
Opcode ID: 9566f1806ef3fe1fd56e75b772bc84103f42df3ba20cca99d00914e990935d73
Instruction ID: 5198a353aa78751ca89e4d943fdb345eedb3ca6858160d2acef661b295756119
Opcode Fuzzy Hash: 9566f1806ef3fe1fd56e75b772bc84103f42df3ba20cca99d00914e990935d73
Instruction Fuzzy Hash: DED126BAD21FAD86DB61CE508C457EAB276BFEF344F1063D9A54829111DF700AC4AB44

Uniqueness

Uniqueness Score: -1.00%

Function 6CD01E32 Relevance: 6.5, APIs: 5, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD01370: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD013D8
Part of subcall function 6CD01370: memmove.MSVCRT ref: 6CD013FA
Part of subcall function 6CD01370: HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CD0148C

memcpy.MSVCRT ref: 6CD0228C
memcpy.MSVCRT ref: 6CD022BB
GetProcessHeap.KERNEL32 ref: 6CD022DA
HeapAlloc.KERNEL32(00000000,00000000,0000041C), ref: 6CD022ED
memcpy.MSVCRT ref: 6CD02312

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$Free$AllocProcessmemmove
String ID:
API String ID: 2150248107-0
Opcode ID: b1848057e47b209d1537171c1584ba15112d02328d9c58746796fd10f3524179
Instruction ID: 6d57aa194793f200daceade8c8ae6006506179a3450663a23e8f1c51037dbac3
Opcode Fuzzy Hash: b1848057e47b209d1537171c1584ba15112d02328d9c58746796fd10f3524179
Instruction Fuzzy Hash: 20C1257AD20FAD86DB61CF208C857EAB276BFEF344F1063D9A54829111DF704AC4AB44

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0EA47 Relevance: 6.4, APIs: 5, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?), ref: 6CD0EC2E
HeapAlloc.KERNEL32(?,00000000,?,6CF8B0E0,00000000), ref: 6CD0EC47
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Processmemcpy
String ID:
API String ID: 3827299791-0
Opcode ID: 05fe160a082a981b6d99ce0334904add8828a17474ba1fc5ce5be203210d5e7e
Instruction ID: 576a7cf102d2c1338afb5de510cc5934ace0065aa803e6652edb9c4f50094611
Opcode Fuzzy Hash: 05fe160a082a981b6d99ce0334904add8828a17474ba1fc5ce5be203210d5e7e
Instruction Fuzzy Hash: AC918A75A09B808BD361DF28C840BABB7F4BF9A344F004A1DE8ED57621EB30A544CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE1A30 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCE1A68
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCE1A81
memcpy.MSVCRT ref: 6CCE1A95
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE1AAE
memcpy.MSVCRT ref: 6CCE1B61

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$AllocFreeProcess
String ID:
API String ID: 2458105893-0
Opcode ID: d1c04aa60a3fca9a03b369a6a91a02e22641e5f2ba6af2b4daa3c8fe75b42c46
Instruction ID: a9edab7de2c3f2d81c356e86538277f6b5e9a951b2249fd4720c907085020227
Opcode Fuzzy Hash: d1c04aa60a3fca9a03b369a6a91a02e22641e5f2ba6af2b4daa3c8fe75b42c46
Instruction Fuzzy Hash: 8B410BB26043509BD7209F5E8890637B7EAEF4F318B24851ED4A947B62F730D4A5C751

Uniqueness

Uniqueness Score: -1.00%

Function 6CD01B84 Relevance: 6.4, APIs: 5, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD019E0: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD00E7D,?), ref: 6CD019FA

Part of subcall function 6CD01A10: HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,6CD00E88), ref: 6CD01A1D

GetProcessHeap.KERNEL32 ref: 6CD01BF4
HeapAlloc.KERNEL32(00000001,00000000,0000040C), ref: 6CD01C0B
GetProcessHeap.KERNEL32 ref: 6CD01DBB
HeapAlloc.KERNEL32(?,00000000,00000180), ref: 6CD01DCE
memcpy.MSVCRT ref: 6CD01DF0

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcess$memcpy
String ID:
API String ID: 2967287086-0
Opcode ID: 484a067e07bb16a19980e7dec34aaa7c4c7ea27b46607eb79f376f99601a9657
Instruction ID: 651c144005f758d6e6ec9fe1428ff4c2d980862393f08b74fce336adc3f2bae2
Opcode Fuzzy Hash: 484a067e07bb16a19980e7dec34aaa7c4c7ea27b46607eb79f376f99601a9657
Instruction Fuzzy Hash: CC514C7190DBC48AE732CF2988027DBB7F4BF9A348F049A1DEDC85A161DB358546CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CD01BC0 Relevance: 6.4, APIs: 5, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD01BF4
HeapAlloc.KERNEL32(00000001,00000000,0000040C), ref: 6CD01C0B
GetProcessHeap.KERNEL32 ref: 6CD01DBB
HeapAlloc.KERNEL32(?,00000000,00000180), ref: 6CD01DCE
memcpy.MSVCRT ref: 6CD01DF0

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$memcpy
String ID:
API String ID: 1759892863-0
Opcode ID: 5a0f3cef646120f7f47b206e9e9be1f652b4c4811b43ef510c726c7f9b663578
Instruction ID: 1eb4ebdb80d99e4c8655de7d83ca9b614a55203fcac0391e855be514e440ff0a
Opcode Fuzzy Hash: 5a0f3cef646120f7f47b206e9e9be1f652b4c4811b43ef510c726c7f9b663578
Instruction Fuzzy Hash: FB51E87080DFC49AE732CF2988027DBB3F4BF9A389F005A1DEDD85A161DB7585469B42

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF3DB0 Relevance: 6.3, APIs: 5, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCF3DDE
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCF3DED
memcpy.MSVCRT ref: 6CCF3E10
memcpy.MSVCRT ref: 6CCF3E4D
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF3E80

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$memcpy$AllocFreeProcess
String ID:
API String ID: 2458105893-0
Opcode ID: 458aaa2c8fee914a166d070e774e7a85fddf8fca395c34f1eb98d8700c256edb
Instruction ID: 53ec7e1b1f6c6f42434369481b4b8d2027dbc8c1507c40f7b7b279c221b2c028
Opcode Fuzzy Hash: 458aaa2c8fee914a166d070e774e7a85fddf8fca395c34f1eb98d8700c256edb
Instruction Fuzzy Hash: 4F31F3B2D01215AFEB009F55CC40ABFBB79EF46708F190029E9186B701F7359915CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CE19BF0 Relevance: 6.3, APIs: 5, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,00000000,?,?,6CE186F3,?,00000000,?,?,6CF8B0E0,00000000,?), ref: 6CE19C32
HeapFree.KERNEL32(6CF8B0E0,00000000,0F2E66C3), ref: 6CE19C57
HeapFree.KERNEL32(6CF8B0E0,00000000,006A36FF), ref: 6CE19C9A
HeapFree.KERNEL32(6CF8B0E0,00000000,841F0F66), ref: 6CE19CC6
HeapFree.KERNEL32(6CF8B0E0,00000000,6CE186F3), ref: 6CE19CFB

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ce8e253c150aa8fd0582ccb2dc0d289851449328e7355931d1bebc7ce52bcc46
Instruction ID: a3b4b260b584aca74a4449d0a75775d1eb83ebae018b6f85c71a97004bf02fde
Opcode Fuzzy Hash: ce8e253c150aa8fd0582ccb2dc0d289851449328e7355931d1bebc7ce52bcc46
Instruction Fuzzy Hash: 35318E32519600DBDB219B64C840BEAB7F6FB4531CF34092DD1AA17BA0CF317868CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE5640 Relevance: 6.3, APIs: 5, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE5672
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE568E
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE56A5
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE56E2
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE56FE

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5c18e6de6feb670661c2d93bcdad120ec93035b4bfd303b97e9ba5916185b160
Instruction ID: bf7dfa76e73b9e4eed787a68a9ab795da915e9668fced2ec545e159180f4f2f9
Opcode Fuzzy Hash: 5c18e6de6feb670661c2d93bcdad120ec93035b4bfd303b97e9ba5916185b160
Instruction Fuzzy Hash: D7218C36251600EFEB118F05CC44F5177BAFB4A728F284459E9141BBA0E772E954CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE15D0 Relevance: 6.3, APIs: 5, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(6CF8B0E0,00000000,?,?), ref: 6CCE15F0
GetProcessHeap.KERNEL32 ref: 6CCE1603
HeapAlloc.KERNEL32(?,00000000), ref: 6CCE1616
memcpy.MSVCRT ref: 6CCE163A
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE164E

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$FreeProcessmemcpy
String ID:
API String ID: 1403710057-0
Opcode ID: de7f6910c870b61d1208748c13f465fd9c7a7e76e885ccccbc7e669b3199dacf
Instruction ID: 49cec0d154e1babae4073cbabf6a58e4da9f0c30827c643ca7bd9414500e1e6e
Opcode Fuzzy Hash: de7f6910c870b61d1208748c13f465fd9c7a7e76e885ccccbc7e669b3199dacf
Instruction Fuzzy Hash: FA1104716142409FDB109F6ACC84F5AB7BDFB8A308F18052DF81597642EB35E818CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD05940 Relevance: 6.3, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD05983
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD05995
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD059A7
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD059B8
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,?,?,?,6CD05548), ref: 6CD059D3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9aa2defe1d37e75dca8f4dd4ae0825c269a96c9a1b10e9a6fc3dea074c31bd42
Instruction ID: 6f35d861b8f2776f8d9b29c954279bc3ee3c379a9a231cf8501d2c16c2d303a9
Opcode Fuzzy Hash: 9aa2defe1d37e75dca8f4dd4ae0825c269a96c9a1b10e9a6fc3dea074c31bd42
Instruction Fuzzy Hash: D311CE31A41600EFEF124F48DC88B69BB72FF01328F34006DE9601A6B4D772A854CB66

Uniqueness

Uniqueness Score: -1.00%

Function 6CD09E80 Relevance: 6.3, APIs: 5, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD09E9A
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD09EB7
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD09ED7
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD09EF4
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD09F2C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1233276996128ccdd2045cf8f0b4b011756964a408d0d7eca8c6588bad702564
Instruction ID: fb8fca81fdb8265e015ed5ccfd5595f70b852c968d3b5f1590595f06cb3ca0b4
Opcode Fuzzy Hash: 1233276996128ccdd2045cf8f0b4b011756964a408d0d7eca8c6588bad702564
Instruction Fuzzy Hash: A8114C31351542FFDB159F6ACC44BA4B7B2FF41309F240119E2280B9B0CB75B868CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6CD07BB0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF), ref: 6CD07CB0
memmove.MSVCRT ref: 6CD07CFD

Strings

PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs, xrefs: 6CD07EA4, 6CD07EAB
cannot access a Thread Local Storage value during or after destruction/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\thread\local.rs, xrefs: 6CD07D24

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandlememmove
String ID: PUBLIC KEY0123456789abcdef/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\io\mod.rs$cannot access a Thread Local Storage value during or after destruction/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\std\src\thread\local.rs
API String ID: 3356666258-2951893513
Opcode ID: 9411906ca11e8a161df540edb65dfcf0691b0b0973058b9695a9ba8cdecbd90a
Instruction ID: cf08274887173ca25851e0beb795e80f0a090f90ba138db057c307c977b13fdd
Opcode Fuzzy Hash: 9411906ca11e8a161df540edb65dfcf0691b0b0973058b9695a9ba8cdecbd90a
Instruction Fuzzy Hash: 12919F71E0161AEFCB10CF58C880BAEB7B4FF48318F224569D825AB761D731E945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6CDDAEC0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,?,?,?,?,?,?), ref: 6CDDAF87

Strings

TOl, xrefs: 6CDDAEC3, 6CDDB043
assertion failed: len as usize >= mem::size_of::<c::sockaddr_in>(), xrefs: 6CDDB155
called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs, xrefs: 6CDDAFB0

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: TOl$assertion failed: len as usize >= mem::size_of::<c::sockaddr_in>()$called `Option::unwrap()` on a `None` value/rustc/473f916d836cc662c5bdbb0d40af9fb4678fab9e\library\alloc\src\collections\btree\navigate.rs
API String ID: 2962429428-2307415883
Opcode ID: cfe1e62777d6a9d4f6cd2ee4dcd26efbc2bbfcba5c0c20a57a89dd494ca2f169
Instruction ID: 8169745e6b33a218b8111ed12357cc163f75920f5cdb63d974aba49fc8c4bfd2
Opcode Fuzzy Hash: cfe1e62777d6a9d4f6cd2ee4dcd26efbc2bbfcba5c0c20a57a89dd494ca2f169
Instruction Fuzzy Hash: A481F0B1D00218DBCB14CF59C881BAEB7F4FF49318F25815AE9286B7A1D335E901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF3EA3 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CCEE4F0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCEE508

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CCF3F1E
HeapAlloc.KERNEL32(?,00000000), ref: 6CCF3F35
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6CCF3FE0

Strings

assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 6CCF4246

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocFree
String ID: assertion failed: edelta >= 0library\core\src\num\diy_float.rs
API String ID: 756756679-1130412906
Opcode ID: 4622ac3edd4cff11027e0c734d3f7563c3f635453aa40526bbf738eab867cfed
Instruction ID: 6f1fe2e7373b6968a31047f23cd651ac9dcebb28e2a6a51d5fc735c3f9e89dec
Opcode Fuzzy Hash: 4622ac3edd4cff11027e0c734d3f7563c3f635453aa40526bbf738eab867cfed
Instruction Fuzzy Hash: EB515476A002168FEB14CF29C841BBAB7B5AF84308F148179ED289B781F734ED06C791

Uniqueness

Uniqueness Score: -1.00%

Function 6CE2D8B0 Relevance: 6.2, APIs: 4, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 6CE2D030: strlen.MSVCRT ref: 6CE2D03D

abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA7C
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA81
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA86
abort.MSVCRT(?,?,?,?,?,E589550B,6CE2D0F4), ref: 6CE2FA8B

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: abort$strlen
String ID:
API String ID: 2656325428-0
Opcode ID: 24a2893d99caaf6fb5bad906a0040e59e762907fa504e6da9d3ab7df7584aaca
Instruction ID: dae2e4a6b4c340075de16ed89c0563613898505460cb5abc2f2bd2e5b796763b
Opcode Fuzzy Hash: 24a2893d99caaf6fb5bad906a0040e59e762907fa504e6da9d3ab7df7584aaca
Instruction Fuzzy Hash: 6F51A1B99093158FD710CF29C0407AAB7F1AF8570CF344A1AE9949BB45D378DA4AC7D2

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF0443 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C18
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF0CA6

Strings

file_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF2224

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: file_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 3298025750-100071840
Opcode ID: e461571f6154bdd909df5736c5efa6dbe4895a96585371454f9c80d151e68ab6
Instruction ID: ab5692fb03393b2900747df85ec20f6bf36f966487a6c961958a440a29f42ed8
Opcode Fuzzy Hash: e461571f6154bdd909df5736c5efa6dbe4895a96585371454f9c80d151e68ab6
Instruction Fuzzy Hash: A0616C349093C18FD3A0CF28C450B9AB7F1BF95748F145A1DE8A997650FB70A989DB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF04FF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C18
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF0CA6

Strings

directory_black_listfile_black_listfile_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF2233

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: directory_black_listfile_black_listfile_pattern_black_listprocess_black_listwin_services_black_listaccountsstepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 3298025750-865618785
Opcode ID: 17f0b9b405df6ad53fb637f71955ef30ce2c883d3c1f7f1484b6572214ab9070
Instruction ID: b2f276a4915b0d7f163031a234545d5f82e95fbeb3ed50a6fad614afde12c673
Opcode Fuzzy Hash: 17f0b9b405df6ad53fb637f71955ef30ce2c883d3c1f7f1484b6572214ab9070
Instruction Fuzzy Hash: 55516D34909381CFD3A0CF14C450B9AB7F1BF85748F24591DE8A99B750E771E98ADB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CCEB5F0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCEB617
HeapAlloc.KERNEL32(?,00000000,?), ref: 6CCEB62A
memcpy.MSVCRT ref: 6CCEB63C

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6CCEB6C5

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpy
String ID: called `Option::unwrap()` on a `None` value
API String ID: 4164033339-836832528
Opcode ID: d4b7600a030a240f06a60e914d60626033a04a5db55c0d40d7dd9a52ba207a92
Instruction ID: df913b35de9c3a79b178b1330f0e3cc8841761e846027ccb83afb671889c8f7d
Opcode Fuzzy Hash: d4b7600a030a240f06a60e914d60626033a04a5db55c0d40d7dd9a52ba207a92
Instruction Fuzzy Hash: 0A41E1B69017058BDB089F6688A0BBA77F8AF4A318F28513DD85987B45F730D844CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE6600 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCE6610
HeapAlloc.KERNEL32(?,00000008,00000100), ref: 6CCE6623
memset.MSVCRT ref: 6CCE66D8

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6CCE672A

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemset
String ID: called `Option::unwrap()` on a `None` value
API String ID: 2903515874-836832528
Opcode ID: 016ed8cf54d9f438b08735dc9c5a4a2f813328d449c7ed19f6fb2a5724d5b140
Instruction ID: b777b387fb1473858dad3edfae01d2deee0ecf30dff4931ae19167bfb96cef2a
Opcode Fuzzy Hash: 016ed8cf54d9f438b08735dc9c5a4a2f813328d449c7ed19f6fb2a5724d5b140
Instruction Fuzzy Hash: EA41D471614759AFDB108F25CC81FA57BA9EF4A318F248068EE589B782E771E844C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD114E5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0B0D0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0B0ED
Part of subcall function 6CD0B0D0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0B104

Part of subcall function 6CD0A8A0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0C033

Part of subcall function 6CD0A8A0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0A952
Part of subcall function 6CD0A8A0: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0A9A7

Part of subcall function 6CD0B440: HeapFree.KERNEL32(6CF8B0E0,00000000), ref: 6CD0B477

Part of subcall function 6CD0D960: GetProcessHeap.KERNEL32 ref: 6CD0D9A4
Part of subcall function 6CD0D960: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CD0D9B7
Part of subcall function 6CD0D960: memcpy.MSVCRT ref: 6CD0D9D0
Part of subcall function 6CD0D960: GetProcessHeap.KERNEL32(?,00000000,?), ref: 6CD0D9FF
Part of subcall function 6CD0D960: HeapAlloc.KERNEL32(?,00000000,?), ref: 6CD0DA18
Part of subcall function 6CD0D960: memcpy.MSVCRT ref: 6CD0DA2F

HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Part of subcall function 6CD0CBA0: GetProcessHeap.KERNEL32 ref: 6CD0CBF7
Part of subcall function 6CD0CBA0: HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD0CC0F
Part of subcall function 6CD0CBA0: GetProcessHeap.KERNEL32 ref: 6CD0CCB1

memcpy.MSVCRT ref: 6CD11EE7

Strings

capacity overflow, xrefs: 6CD114F8

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcessmemcpy
String ID: capacity overflow
API String ID: 3951801138-2273299319
Opcode ID: 14fb982632a8d43c187ffbebf54c23363ca36f0d4ae1c77a44d95bce4c432a90
Instruction ID: 25b76388a8f66b4c807d67a6e7f3b9273f66f9065443f534c50092c74027109a
Opcode Fuzzy Hash: 14fb982632a8d43c187ffbebf54c23363ca36f0d4ae1c77a44d95bce4c432a90
Instruction Fuzzy Hash: 79517D75A08B409BD714DF24D840BEBF7F4BF99304F004A2DE8AD57651EB30A519CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CE20AF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CE20930: HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE209CB

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CE20BE0
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE20BEF
HeapFree.KERNEL32(6CF8B0E0,00000000,8B2A74FF), ref: 6CE20C3F

Strings

Rl, xrefs: 6CE20AF9, 6CE20B4D, 6CE20BF4, 6CE20B87, 6CE20C1C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: Rl
API String ID: 3298025750-1566955819
Opcode ID: 3c5a8b1c034fde5f31c8d937a0720663df07481bb8fad3801ece2ec57ee67380
Instruction ID: 590586a9cb8074dc37c0d3ac4130bda15883ed746e0d951f7936c0f56fc9733c
Opcode Fuzzy Hash: 3c5a8b1c034fde5f31c8d937a0720663df07481bb8fad3801ece2ec57ee67380
Instruction Fuzzy Hash: 524146B5E002589FDB10CF88C894BAEBBB1FF49318F248059E919AB790D735AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1AE90 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CDCF230: GetFileInformationByHandle.KERNEL32(?,?), ref: 6CDCF257
Part of subcall function 6CDCF230: GetFileInformationByHandleEx.KERNEL32(?,00000009,00000000,00000008,?,?), ref: 6CDCF288

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CD1AF03
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD1AF12

Strings

0ql", xrefs: 6CD1AFBA
called `Result::unwrap()` on an `Err` value, xrefs: 6CD1AFD1

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FileFreeHandleHeapInformation
String ID: 0ql"$called `Result::unwrap()` on an `Err` value
API String ID: 2833491096-1722008994
Opcode ID: 60527d8f6e2e1f5645cd4fb4e1ea838135d05430f844813ed4bfbfc5b5e6d141
Instruction ID: bd8e7626003e2ecc021d13ecec1240069f8f06b6da13653a16fd4f83eab2956f
Opcode Fuzzy Hash: 60527d8f6e2e1f5645cd4fb4e1ea838135d05430f844813ed4bfbfc5b5e6d141
Instruction Fuzzy Hash: 7D41AF71908B40ABD701CF24D841A6BBBF5FF8A344F108A1CF8994B761DB31D809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CE20930 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE209CB
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CE20A74
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CE20A85

Strings

Rl, xrefs: 6CE20935

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: Rl
API String ID: 3298025750-1566955819
Opcode ID: f0f49af6e6cfbce01ff06f3511606e56465e4aa2dcdd30b8d4ffc3b5593f5938
Instruction ID: a89492bbe203569593b6daa00c8c291e2eee36737f0dc945953904160cd3982f
Opcode Fuzzy Hash: f0f49af6e6cfbce01ff06f3511606e56465e4aa2dcdd30b8d4ffc3b5593f5938
Instruction Fuzzy Hash: D64157B1E01249DFEB00CF94D880BDEBBB5FF49308F248019E4156B790D77AA945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF0960 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C18
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF0CA6

Strings

stepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF2215

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: stepskipfastnpcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 3298025750-659839540
Opcode ID: 0728d22c230e8e024038a0369915d4afb457d32cf8d9c7538e96f58c8335da39
Instruction ID: 308cc324cfe04b64eb19ee93fd8952557267b9fd08739c995adc993e591970a5
Opcode Fuzzy Hash: 0728d22c230e8e024038a0369915d4afb457d32cf8d9c7538e96f58c8335da39
Instruction Fuzzy Hash: BE418A70509381CFD7A0CF14C450B9ABBE1BF85748F20881DE8A88B750E771A98ADF93

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF0AE9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C18
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF0CA6

Strings

pcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF2630

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: pcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 3298025750-3284833337
Opcode ID: 1a583a81deed59e6b4e3e21e72b6b36ebcc9611b1ec7186b84b8a84b0407c610
Instruction ID: bbefd2951d0e8ac030989839e72ec64c2d0791f702de6bdb17d9f159aad0fb99
Opcode Fuzzy Hash: 1a583a81deed59e6b4e3e21e72b6b36ebcc9611b1ec7186b84b8a84b0407c610
Instruction Fuzzy Hash: B0414A70509381CFD7A0CF15C450B9ABBE1BF85B48F20481DE8A99B750E771A94ADF93

Uniqueness

Uniqueness Score: -1.00%

Function 6CCF0008 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C18
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CCF0C44
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCF0CA6

Strings

npcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements, xrefs: 6CCF263C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: npcompany_idnotestruct EncryptorEmbedConfigurationstruct EncryptorEmbedConfiguration with 15 elements
API String ID: 3298025750-2106740068
Opcode ID: 0eb303c5523e05f477c9e0224917c506361eb74e518af65f422755a8f976f6b2
Instruction ID: add778626e54ebe2f1c0fcf48b285ca939c23ced06c5a4cef7d7492d59114006
Opcode Fuzzy Hash: 0eb303c5523e05f477c9e0224917c506361eb74e518af65f422755a8f976f6b2
Instruction Fuzzy Hash: FA414A70509381CFD7A0CF15C450B9ABBE1BF85748F20881DE8A99B750E771A98ADF93

Uniqueness

Uniqueness Score: -1.00%

Function 6CDC5060 Relevance: 6.1, APIs: 4, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6CDC5098
HeapFree.KERNEL32(00000000,00000000,?,?,?,00000008), ref: 6CDC510F
HeapFree.KERNEL32(00000000,?,?,?,?,00000008), ref: 6CDC511D
ReleaseSRWLockExclusive.KERNEL32(00000008), ref: 6CDC512B

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExclusiveFreeHeapLock$AcquireRelease
String ID:
API String ID: 808636619-0
Opcode ID: c06a64d59c402eda50007b93236fe234fe05b591164bcbe1560a4aef1c0496af
Instruction ID: 1bcab1bd435b6c2aa861c21e8ca286580aa88fbf4a5549337b161513a570142e
Opcode Fuzzy Hash: c06a64d59c402eda50007b93236fe234fe05b591164bcbe1560a4aef1c0496af
Instruction Fuzzy Hash: 8B31D370702245DFDF008F65CC84BAA77BDAF42318F244169D8658B7A1E735D809EBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CDEAF90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(root\WMI), ref: 6CDEAFB5
SysFreeString.OLEAUT32(00000000), ref: 6CDEAFDB

Strings

root\WMI, xrefs: 6CDEAFB0

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID: root\WMI
API String ID: 344208780-2712063579
Opcode ID: ef2344f31053d1ded439f9088867510a3a28f1240c1eb3eebb5e1c569f2da414
Instruction ID: 4cf2b2766544f1f894a2f6dbe58e4d3b89cb341d7e75e43cf8f230f970d3ecc5
Opcode Fuzzy Hash: ef2344f31053d1ded439f9088867510a3a28f1240c1eb3eebb5e1c569f2da414
Instruction Fuzzy Hash: FE11AFB1900B069FC315CF69D880B67B3F9FF8A314F208A1DE46A5B651DB75B845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD17470 Relevance: 5.2, APIs: 4, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CD174B8
GetProcessHeap.KERNEL32 ref: 6CD1758E
HeapAlloc.KERNEL32(00000000,00000000,00000020), ref: 6CD1759E
memset.MSVCRT ref: 6CD1767F

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heapmemset$AllocProcess
String ID:
API String ID: 1204105928-0
Opcode ID: 022916ef51c0d97beed55bed5de6201b8d24752f022fb50de3d29ad107e3ca54
Instruction ID: a022febe534d7083d1d45526f6e9a0012acb6a8639294790ec1b41c4e9aad2c8
Opcode Fuzzy Hash: 022916ef51c0d97beed55bed5de6201b8d24752f022fb50de3d29ad107e3ca54
Instruction Fuzzy Hash: D791F275D257429BE7118F3AC841796BBB0BF96384F108B0EF89467A62E371E194CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CD06DDA Relevance: 5.2, APIs: 4, Instructions: 169memorythreadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 6CD06E82
GetProcessHeap.KERNEL32 ref: 6CD06EDA
HeapAlloc.KERNEL32(?,00000000,00000178), ref: 6CD06EF7
memset.MSVCRT ref: 6CD06F0E
GetProcessHeap.KERNEL32 ref: 6CD06F8D
HeapAlloc.KERNEL32(?,00000000,00000178), ref: 6CD06FAA
memset.MSVCRT ref: 6CD06FC1
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,00000000,00000178), ref: 6CD07004
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CD07096
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6CD070F8
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD07161
SwitchToThread.KERNEL32 ref: 6CD071C1
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6CD0748A

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$ExclusiveLock$AllocFreeProcessReleaseSwitchThreadmemset$Acquire
String ID:
API String ID: 3437745887-0
Opcode ID: 02dc74ac61772d9f4583b9b8e3735501a17f98d43a70b1b9b50b1ff9b8207725
Instruction ID: 2533c0a7abdf621abb19390e7a26839fa1a6f80507d9fbca9c66c3851de8727b
Opcode Fuzzy Hash: 02dc74ac61772d9f4583b9b8e3735501a17f98d43a70b1b9b50b1ff9b8207725
Instruction Fuzzy Hash: 3151BF75B087019BD714CF2DC44076AB7F5AFC8318F19862DE9A9DB761DB30E8458B82

Uniqueness

Uniqueness Score: -1.00%

Function 6CD1091B Relevance: 5.2, APIs: 4, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(?), ref: 6CD10936
HeapAlloc.KERNEL32(00000000,00000000), ref: 6CD11DF5
memcpy.MSVCRT ref: 6CD11E0C

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocHeap$memcpy
String ID:
API String ID: 1551716280-0
Opcode ID: b77ab4d331c2d3b03e1442d5a311eb6aafe0be1e27cf094775b366ea65527a78
Instruction ID: 25c46adf69fde10dcb1e7dfd3c2d7392bda65346aafaea83305965984f94a0ca
Opcode Fuzzy Hash: b77ab4d331c2d3b03e1442d5a311eb6aafe0be1e27cf094775b366ea65527a78
Instruction Fuzzy Hash: A7616B71A08B819FD710DF28D880B9AF7F5BF99304F004A2DE5DD57661EB30A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CD06E00 Relevance: 5.2, APIs: 4, Instructions: 159memorythreadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 6CD06E82
GetProcessHeap.KERNEL32 ref: 6CD06EDA
HeapAlloc.KERNEL32(?,00000000,00000178), ref: 6CD06EF7
memset.MSVCRT ref: 6CD06F0E
GetProcessHeap.KERNEL32 ref: 6CD06F8D
HeapAlloc.KERNEL32(?,00000000,00000178), ref: 6CD06FAA
memset.MSVCRT ref: 6CD06FC1
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,00000000,00000178), ref: 6CD07004
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CD07096
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6CD070F8
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD07161
SwitchToThread.KERNEL32 ref: 6CD071C1
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6CD0748A

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$ExclusiveLock$AllocFreeProcessReleaseSwitchThreadmemset$Acquire
String ID:
API String ID: 3437745887-0
Opcode ID: 258c3b65b47953ae9517154657e1e958f91878221c0007d3695ad902c789dccc
Instruction ID: 42bb841246d467184afbfe85166b31b514d89cc0c1cee419d4a175f07c172794
Opcode Fuzzy Hash: 258c3b65b47953ae9517154657e1e958f91878221c0007d3695ad902c789dccc
Instruction Fuzzy Hash: F5519D717087019BD714CF2DC48075AB7F5ABC8318F25862DE9A9DB7A1DB70E8418B82

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE8DE5 Relevance: 5.1, APIs: 4, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCE8E00
HeapAlloc.KERNEL32(?,00000000,00000002), ref: 6CCE8E14
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE8F74

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcess
String ID:
API String ID: 2113670309-0
Opcode ID: 6baf19000e6cb14fea78b51de45be5fabd7c60711c248c115ac6ac0899cb4a01
Instruction ID: 31686e67aa7eca4658dd0e4c8baac4f9408d2bf2151d20a8da9f4e5fc2bd84f5
Opcode Fuzzy Hash: 6baf19000e6cb14fea78b51de45be5fabd7c60711c248c115ac6ac0899cb4a01
Instruction Fuzzy Hash: 2841F371A453459FDB11CB69C881BEEB7B5AF0F304F18006AD815AB782F735A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE8E97 Relevance: 5.1, APIs: 4, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCE8EB1
HeapAlloc.KERNEL32(?,00000000,00000103), ref: 6CCE8EC8
memcpy.MSVCRT ref: 6CCE8EE4
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE8F74

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcessmemcpy
String ID:
API String ID: 3455684755-0
Opcode ID: 1de95416180626f3c1d024d3dcfdc5f3f1918f4156fddcbab63e69c8bda8c3e6
Instruction ID: b92924feb7b9d5a57e82b01dc9fe584892d6e144bef09483d548d76daad28200
Opcode Fuzzy Hash: 1de95416180626f3c1d024d3dcfdc5f3f1918f4156fddcbab63e69c8bda8c3e6
Instruction Fuzzy Hash: F6412371E403559FDB018B74DC51BEEBBB4AF0B304F18006AD854AB782F775A948C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE8E36 Relevance: 5.1, APIs: 4, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CCE8E49
HeapAlloc.KERNEL32(?,00000000,00000102), ref: 6CCE8E60
memcpy.MSVCRT ref: 6CCE8E7C
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CCE8F74

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcessmemcpy
String ID:
API String ID: 3455684755-0
Opcode ID: 34c5aa2d5f98d727796db2cc77a638f47263533d206272e456015626804320b9
Instruction ID: 47088bac4c30b87e4e1f95780f2655d0bee1747b4c1256e9ea480e91eb688166
Opcode Fuzzy Hash: 34c5aa2d5f98d727796db2cc77a638f47263533d206272e456015626804320b9
Instruction Fuzzy Hash: 76310071E403559BEB008B74DC41BEEB7B5AF0B308F18006AD815AB782F775A848C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDC39B0 Relevance: 5.1, APIs: 4, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,6CE0A479,?,?), ref: 6CDC39F4
HeapAlloc.KERNEL32(?,00000000,?,?,?,?,?,?,6CE0A479,?,?), ref: 6CDC3A06
memcpy.MSVCRT ref: 6CDC3A2E
HeapFree.KERNEL32(00000000,?), ref: 6CDC3A61

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocFreeProcessmemcpy
String ID:
API String ID: 3455684755-0
Opcode ID: e7b71fe99c32277a7829fda1846d432d859190e62b1ecca667232762fab6efb7
Instruction ID: 926313ddec71c347b79ff3291ea0b8dedb8a85498d3bb4087e47e66147b7efeb
Opcode Fuzzy Hash: e7b71fe99c32277a7829fda1846d432d859190e62b1ecca667232762fab6efb7
Instruction Fuzzy Hash: F641C5B1E01205DFDB00CF65C881BEABBB8EF49358F148159D9089B722E375E955CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD4600 Relevance: 5.1, APIs: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(/CPowerShell.exe (Get-ADComputer -filter *).name[WARNING] Cannot enumerate domain computers: ,00000002,?,00000000,00000003), ref: 6CDD461F
HeapAlloc.KERNEL32(?,00000000,00000002,/CPowerShell.exe (Get-ADComputer -filter *).name[WARNING] Cannot enumerate domain computers: ,00000002,?,00000000,00000003), ref: 6CDD4631
memcpy.MSVCRT ref: 6CDD4656
CloseHandle.KERNEL32(C35D0CC4,00000000,00000002,6CD06A2E,?,?,/CPowerShell.exe (Get-ADComputer -filter *).name[WARNING] Cannot enumerate domain computers: ,00000002,?,00000000,00000003), ref: 6CDD46F3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseHandleProcessmemcpy
String ID:
API String ID: 2850982947-0
Opcode ID: 9ff375d35f4ee44a241f45279aa560257b31b78ff5daa8d5dd4dd85227fb7148
Instruction ID: 6ab7d2458f9eed0d03d6d3b073010a859223c40e4afa85a9952026198c96d0f6
Opcode Fuzzy Hash: 9ff375d35f4ee44a241f45279aa560257b31b78ff5daa8d5dd4dd85227fb7148
Instruction Fuzzy Hash: B831AFB2D006199BDB00DF69CC81ADEB778FF86358F124169ED096B711EB35A904CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFE810 Relevance: 5.1, APIs: 4, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CDFE874
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,6CF8B0E0,00000000,?), ref: 6CDFE8A7
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,00000000,?,6CE08175), ref: 6CDFE8EB

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c49d9cdc3108d50ca9f68ba524c30f7e1f2a5a85349fbadd551fba8903edbfe2
Instruction ID: efba0efc59bd3d1f30750940702c35da5dd69a2de24ea4da64f80124026c9632
Opcode Fuzzy Hash: c49d9cdc3108d50ca9f68ba524c30f7e1f2a5a85349fbadd551fba8903edbfe2
Instruction Fuzzy Hash: 6221A632A01209DFDB01EF88C880B79FBB6FB85318F25412DD5255BA71C772A916CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0A530 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD0A564
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?), ref: 6CD0A589
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000), ref: 6CD0A5FB

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f21ee67f3ca34cd6d35e63cfc1142f7d174d6c7e440a0f371b542e9c6fc305aa
Instruction ID: 55a5274f05b2d06270925be4f0863162055e2a111e6800023ebeb8ff2dd4ddca
Opcode Fuzzy Hash: f21ee67f3ca34cd6d35e63cfc1142f7d174d6c7e440a0f371b542e9c6fc305aa
Instruction Fuzzy Hash: 1D213672B11104DFDB00CF9CC989B69B7B5FB45318F284169E6199F6B1CB32AD18CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFD660 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,00000000,?,6CDFF99F), ref: 6CDFD694
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,00000000,?,6CDFF99F), ref: 6CDFD6B9
HeapFree.KERNEL32(6CF8B0E0,00000000,00000000,?,?,?,6CDFF99F,?,?,?,?,?,?,?,?,6CE086C4), ref: 6CDFD72B

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 28db970a6d66d11656a45e263fd3881f8b7febc24be4dc8f299de0fd1d153d9e
Instruction ID: ea01c56471586d89572992608b4aef768114de24b290cafcdd05c5e93dff384d
Opcode Fuzzy Hash: 28db970a6d66d11656a45e263fd3881f8b7febc24be4dc8f299de0fd1d153d9e
Instruction Fuzzy Hash: EF21AF72A01104DFDB00DF88C984B69B7B5FF45308F294069EA299F7B1CB32AD19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFDA10 Relevance: 5.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CE04D41), ref: 6CDFDA4B
HeapFree.KERNEL32(6CF8B0E0,00000000,6CE9D228,?,?,?,?,?,6CE04D41), ref: 6CDFDA68
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,6CE04D41), ref: 6CDFDAB2
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,6CE04D41), ref: 6CDFDACE

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: edb186e13498e6856d1b4e8a414c71a2992fb58dc972667fa88b1e2b1338c557
Instruction ID: c12093e744ea5cb3c593e2503a1e98ddf427ded04b2480e95aad2304bb3bea52
Opcode Fuzzy Hash: edb186e13498e6856d1b4e8a414c71a2992fb58dc972667fa88b1e2b1338c557
Instruction Fuzzy Hash: EA219D71605640DFEB11CF41C884B66B7B2FB45B08F25046CE5260BAB0CB32E94ACB69

Uniqueness

Uniqueness Score: -1.00%

Function 6CD0AF50 Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0AFAC
HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6CF8B0E0,00000000), ref: 6CD0AFC3
HeapFree.KERNEL32(6CF8B0E0,00000000,?), ref: 6CD0AFDE
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000), ref: 6CD0AFF9

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4649ae08b3bde27d1d2a9de896deaa64e9f19e1b75c056b0b49591294f2db7e9
Instruction ID: 2535e6a89d26c3366a2faf76f3c482b9daa2be2a2e87c33939a3fccc4f3ae5e4
Opcode Fuzzy Hash: 4649ae08b3bde27d1d2a9de896deaa64e9f19e1b75c056b0b49591294f2db7e9
Instruction Fuzzy Hash: A0116DB1754204DFDB119F48C884B597BF2FF06318F2941A9F9194FA75CB329848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CDAA040 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CDAA064
HeapFree.KERNEL32(00000000,?,?,?,?,?,6CDC4224,?,?,?,?,?,?,?,?,00000000), ref: 6CDAA0A7
HeapFree.KERNEL32(00000000,?,?,?,?,?,6CDC4224,?,?,?,?,?,?,?,?,00000000), ref: 6CDAA0BC
HeapFree.KERNEL32(00000000,?,?,?,?,?,6CDC4224,?,?,?,?,?,?,?,?,00000000), ref: 6CDAA0D2

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap$memmove
String ID:
API String ID: 2650465384-0
Opcode ID: 5d00327b0598d9bdac7de6b66ebeb50f5f7af45d5702a84df9cf232c0f5ff293
Instruction ID: fbdf24e5babe55cb3c2fbcccbaa2975f0f19c5d3a351d17daa05afe430d99f6a
Opcode Fuzzy Hash: 5d00327b0598d9bdac7de6b66ebeb50f5f7af45d5702a84df9cf232c0f5ff293
Instruction Fuzzy Hash: 5E012631501300ABDB301B55DC01FA277BAEB81709F34893CF55C06A70EB729845CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE4E40 Relevance: 5.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,?,?,?,?,6CDE39A0,00000000,?,6CDEF2DD), ref: 6CDE4E73
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?,?,?,?,6CDE39A0,00000000,?,6CDEF2DD), ref: 6CDE4E85
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?,?,?,?,6CDE39A0,00000000), ref: 6CDE4E97
HeapFree.KERNEL32(6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,6CF8B0E0,00000000,?,?), ref: 6CDE4EA8

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a7a0b4e83cb655fc9744c48ffc63a60c3bac40cea81adfbf272a479beb2a9b70
Instruction ID: 4bd6d9426a865bec38e1150b94d11e025de07dd60425a8c62f18fd241ebfb072
Opcode Fuzzy Hash: a7a0b4e83cb655fc9744c48ffc63a60c3bac40cea81adfbf272a479beb2a9b70
Instruction Fuzzy Hash: 5101F432142211EBEF121B84CC40FA9F773FB89F28F388169F214159B0CBB68464DB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE4B40 Relevance: 5.0, APIs: 4, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,6CDEF2EF), ref: 6CDE4B58
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,6CDEF2EF), ref: 6CDE4B75
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,6CDEF2EF), ref: 6CDE4B8C
HeapFree.KERNEL32(6CF8B0E0,00000000,?,00000000,?,6CDEF2EF), ref: 6CDE4BA3

Memory Dump Source

Source File: 00000000.00000002.1686050545.000000006CCE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCE0000, based on PE: true

Associated: 00000000.00000002.1686039815.000000006CCE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686131150.000000006CE3B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686218377.000000006CF8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686228872.000000006CF8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686239458.000000006CF91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ca494dd31be77a2673a5dc86e6e79d448ed699c546b90c69b6ffe71b2475e9fe
Instruction ID: 2d2ac53db1e7b5f665518f663690f2a2fddac8260ff696d4982c5671e7dee04d
Opcode Fuzzy Hash: ca494dd31be77a2673a5dc86e6e79d448ed699c546b90c69b6ffe71b2475e9fe
Instruction Fuzzy Hash: 26016D31651600EBEB61AB81C904B71B7F2FB09708F24452CF6664BDB0CB76A848DB51

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD22640 BCryptGenRandom,	0_2_6CD22640
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1B03B BCryptGenRandom,memcpy,BCryptGenRandom,BCryptGenRandom,memcpy,memcpy,memcpy,	0_2_6CD1B03B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD3190 SetLastError,GetFullPathNameW,GetCurrentProcessId,BCryptGenRandom,	0_2_6CDD3190
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3F130 BCryptGenRandom,BCryptGenRandom,GetProcessHeap,HeapAlloc,	0_2_6CD3F130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8B03B BCryptGenRandom,memcpy,BCryptGenRandom,BCryptGenRandom,memcpy,memcpy,memcpy,	3_2_6CA8B03B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB43190 SetLastError,GetFullPathNameW,GetCurrentProcessId,BCryptGenRandom,	3_2_6CB43190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAF130 BCryptGenRandom,BCryptGenRandom,GetProcessHeap,HeapAlloc,	3_2_6CAAF130

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Application Log: Application Log Content, File: File Creation, File: File Modification, Network Traffic: Network Traffic Content
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YUoxuUri8M.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Windows Analysis Report
YUoxuUri8M.dll

Function 6CD1288B Relevance: 28.0, APIs: 6, Strings: 12, Instructions: 952
memoryCOMMON

Function 6CD12F9C Relevance: 21.3, APIs: 6, Strings: 8, Instructions: 334
memoryCOMMON

Function 6CDC4A60 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 338
memoryCOMMON

Function 6CD12C50 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 142
memoryCOMMON

Function 6CCEEBA0 Relevance: 10.1, APIs: 8, Instructions: 132
memoryCOMMON

Function 6CCEF810 Relevance: 6.4, APIs: 5, Instructions: 190
memoryCOMMON

Function 6CD125A9 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 129
COMMON

Function 6CD125CA Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 128
COMMON

Function 6CD125A3 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 128
COMMON

Function 6CD125DC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 124
COMMON

Function 6CD125EA Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 123
COMMON

Function 6CD125F8 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 122
COMMON

Function 6CCEF6D0 Relevance: 3.9, APIs: 3, Instructions: 110
memoryCOMMON

Function 6CDD2500 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON