Edit tour

Windows Analysis Report
elevator.exe

Overview

General Information

Sample name:	elevator.exe
Analysis ID:	1366553
MD5:	73c4afd44c891cd8c5c6471f1c08cbfb
SHA1:	3372f8ae05574924144cb9671fc455f6d7fc19e7
SHA256:	eb9218ab72b011d8d5075fedeaaed45b3e6889ee5d31b53b617ce6951752f132
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

elevator.exe (PID: 7052 cmdline: C:\Users\user\Desktop\elevator.exe MD5: 73C4AFD44C891CD8C5C6471F1C08CBFB)

conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: elevator.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: elevator.exe	ReversingLabs: Detection: 69%
Source: elevator.exe	Virustotal: Detection: 68%			Perma Link

Source: C:\Users\user\Desktop\elevator.exe

Code function: 0_2_00007FF6CF7EF9A0 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptGenRandom,

0_2_00007FF6CF7EF9A0

Source: elevator.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF807F90	0_2_00007FF6CF807F90
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7FBE20	0_2_00007FF6CF7FBE20
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7E8E1B	0_2_00007FF6CF7E8E1B
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7ECC00	0_2_00007FF6CF7ECC00
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7E8A68	0_2_00007FF6CF7E8A68
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7FD840	0_2_00007FF6CF7FD840
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF807800	0_2_00007FF6CF807800
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7FB810	0_2_00007FF6CF7FB810
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7E577C	0_2_00007FF6CF7E577C
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF8056E0	0_2_00007FF6CF8056E0
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF809650	0_2_00007FF6CF809650
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7E264E	0_2_00007FF6CF7E264E
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7F9460	0_2_00007FF6CF7F9460
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7E735C	0_2_00007FF6CF7E735C
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7F0380	0_2_00007FF6CF7F0380
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7FB2F0	0_2_00007FF6CF7FB2F0
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF804250	0_2_00007FF6CF804250

Source: C:\Users\user\Desktop\elevator.exe	Code function: String function: 00007FF6CF80F950 appears 31 times
Source: C:\Users\user\Desktop\elevator.exe	Code function: String function: 00007FF6CF806C10 appears 51 times

Source: classification engine

Classification label: mal56.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\elevator.exe

Code function: 0_2_00007FF6CF7F8A20 GetModuleHandleW,FormatMessageW,GetLastError,

0_2_00007FF6CF7F8A20

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03

Source: elevator.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\elevator.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: elevator.exe	ReversingLabs: Detection: 69%
Source: elevator.exe	Virustotal: Detection: 68%

Source: elevator.exe	String found in binary or memory: --help
Source: elevator.exe	String found in binary or memory: --help
Source: elevator.exe	String found in binary or memory: ---help
Source: elevator.exe	String found in binary or memory: ---help

Source: unknown	Process created: C:\Users\user\Desktop\elevator.exe C:\Users\user\Desktop\elevator.exe
Source: C:\Users\user\Desktop\elevator.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: elevator.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: elevator.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: elevator.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: elevator.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\elevator.exe

Code function: 0_2_00007FF6CF7F38FE pushfq ; retn 0001h

0_2_00007FF6CF7F3901

Source: C:\Users\user\Desktop\elevator.exe

API coverage: 6.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\elevator.exe

Code function: 0_2_00007FF6CF80AD54 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6CF80AD54

Source: C:\Users\user\Desktop\elevator.exe

Code function: 0_2_00007FF6CF7F6110 HeapReAlloc,GetProcessHeap,HeapAlloc,HeapFree,

0_2_00007FF6CF7F6110

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF7EF1C0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,	0_2_00007FF6CF7EF1C0
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF80AEFC SetUnhandledExceptionFilter,	0_2_00007FF6CF80AEFC
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF80AD54 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6CF80AD54
Source: C:\Users\user\Desktop\elevator.exe	Code function: 0_2_00007FF6CF80E68C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6CF80E68C

Source: C:\Users\user\Desktop\elevator.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\elevator.exe

Code function: 0_2_00007FF6CF80AC2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6CF80AC2C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
elevator.exe	70%	ReversingLabs	Win64.Trojan.CobaltStrike
elevator.exe	68%	Virustotal		Browse
elevator.exe	100%	Avira	TR/Redcap.uwlau

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1366553
Start date and time:	2023-12-24 00:49:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	elevator.exe
Detection:	MAL
Classification:	mal56.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.303122399079047
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	elevator.exe
File size:	322'560 bytes
MD5:	73c4afd44c891cd8c5c6471f1c08cbfb
SHA1:	3372f8ae05574924144cb9671fc455f6d7fc19e7
SHA256:	eb9218ab72b011d8d5075fedeaaed45b3e6889ee5d31b53b617ce6951752f132
SHA512:	fe8e07cf2b039ef421a24672435ce4dad506f2317355881b3484fa7bae61856428a54781632cc5bb0615dd07d9fa07d0ce20514dc611f863b55af89b8e77c822
SSDEEP:	3072:8+bwPB64+8ZFjwMVuG74CHy/8c77uv6tvkNN0P3ohRogfhr8aTVcZXaKW:8+bwp64JjtVuG7Hy/7uv6tvNPsfHFK
TLSH:	3D646C16FB8624FDC85BC074864245A676367CD50B36BBEF1A9821393E367F46F38248
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B...:"..B...>...B...>...B...>...B...:...B...B...B...B...B..4>...B..Rich.B..................PE..d....21e.........."

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14002a938
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x653132EA [Thu Oct 19 13:45:14 2023 UTC]
TLS Callbacks:	0x40019c30, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7cd0bbb42d4b316f99f5cabd76b4bcaa

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5D68E3C670h
dec eax
add esp, 28h
jmp 00007F5D68E3C1F7h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007F5D68E3C398h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b12c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4d000	0x2b80	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x51000	0x644	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x444e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x44500	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x443a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30000	0x368	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2eec0	0x2f000	False	0.4926601978058511	data	6.364550647052154	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x30000	0x1be04	0x1c000	False	0.39054652622767855	data	5.4836759365830785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4c000	0xac0	0x200	False	0.32421875	data	3.0192696168758735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4d000	0x2b80	0x2c00	False	0.46910511363636365	data	5.403882433651112	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x50000	0x15c	0x200	False	0.419921875	data	3.340048591061336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x51000	0x644	0x800	False	0.53076171875	data	4.818282541484258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetCurrentProcess, CloseHandle, GetCurrentThread, TerminateProcess, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, RtlLookupFunctionEntry, GetLastError, FormatMessageW, FreeLibrary, GetProcessHeap, HeapFree, HeapAlloc, WaitForSingleObject, ReleaseSRWLockShared, AddVectoredExceptionHandler, SetThreadStackGuarantee, SetLastError, GetCurrentDirectoryW, GetEnvironmentVariableW, SetThreadContext, GetCommandLineW, GetStdHandle, GetCurrentProcessId, QueryPerformanceCounter, TryAcquireSRWLockExclusive, HeapReAlloc, AcquireSRWLockShared, GetModuleHandleW, GetModuleFileNameW, TlsGetValue, TlsSetValue, GetSystemTimeAsFileTime, GetConsoleMode, WriteConsoleW, GetThreadContext, GetSystemInfo, GetProcAddress, GetModuleHandleA, LoadLibraryExW, TlsFree, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, EncodePointer, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, InitializeSListHead, GetCurrentThreadId
ADVAPI32.dll	RegQueryValueExW, RegOpenKeyExW, SystemFunction036
PSAPI.DLL	EnumProcessModulesEx, GetModuleBaseNameW
USER32.dll	GetSystemMetrics
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptOpenAlgorithmProvider, BCryptGenRandom
api-ms-win-crt-string-l1-1-0.dll	strcpy_s, wcsncmp
api-ms-win-crt-runtime-l1-1-0.dll	terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _seh_filter_exe, _set_app_type, __p___argc, _register_thread_local_exe_atexit_callback, _configure_narrow_argv, _initialize_narrow_environment, _get_initial_narrow_environment, __p___argv, _initterm, _c_exit, _cexit, abort, _initterm_e, _exit, exit
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	calloc, malloc, _set_new_mode, free

• elevator.exe
• conhost.exe

Click to jump to process

Click to jump to process

Behavior

• elevator.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	00:49:49
Start date:	24/12/2023
Path:	C:\Users\user\Desktop\elevator.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\elevator.exe
Imagebase:	0x7ff6cf7e0000
File size:	322'560 bytes
MD5 hash:	73C4AFD44C891CD8C5C6471F1C08CBFB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:49:49
Start date:	24/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	528
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF6CF7EF1C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF6CF7EF1EE
SetThreadStackGuarantee.KERNELBASE ref: 00007FF6CF7EF20B
GetLastError.KERNEL32 ref: 00007FF6CF7EF215

Strings

/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7EF2F2, 00007FF6CF7EF3DA
main, xrefs: 00007FF6CF7EF224
mainfatal runtime error: , xrefs: 00007FF6CF7EF235

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ErrorExceptionGuaranteeHandlerLastStackThreadVectored
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs$main$mainfatal runtime error:
API String ID: 1207050972-2912609590
Opcode ID: 387081641d7f93e8959903aa8c771dc1cef89945946add2f691ebc95df20ffa9
Instruction ID: 5530b4741b976afd7cf6bb576e157651ee12eae0e8328957569f8a272cece02e
Opcode Fuzzy Hash: 387081641d7f93e8959903aa8c771dc1cef89945946add2f691ebc95df20ffa9
Instruction Fuzzy Hash: 40712D36A15B819DEB50DF64E8443E837B4FB04359F904236EA8D87BA8DF78D149D3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80A7BC Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6CF80A7D0

Part of subcall function 00007FF6CF80AA18: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6CF80AA3A

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6CF80A7E5
__scrt_release_startup_lock.LIBCMT ref: 00007FF6CF80A853
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80A8A1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80A8A6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80A8AE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80A8B6
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80A8D8
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80A932

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2585605439-0
Opcode ID: 56dfb9e491dda5dab7d1a7975450bd8dd5c6badaa86419fabaf779e539128e10
Instruction ID: d0ea74bec0b22e74e13755f230c7996dc8483e0ea70864def60b2fa428c925b5
Opcode Fuzzy Hash: 56dfb9e491dda5dab7d1a7975450bd8dd5c6badaa86419fabaf779e539128e10
Instruction Fuzzy Hash: 08316D21E0B58342FA18AF60D5567BA2371AF41786FC44036E9DDC72D3DEACE445A270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FACE0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNELBASE ref: 00007FF6CF7FAE64
WriteConsoleW.KERNEL32 ref: 00007FF6CF7FAEC3
GetLastError.KERNEL32 ref: 00007FF6CF7FAECD
GetLastError.KERNEL32 ref: 00007FF6CF7FAF38

Strings

use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00007FF6CF7FB0DB
/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7FACE4
<unknown>, xrefs: 00007FF6CF7FB00C

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ConsoleErrorLastWrite
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs$<unknown>$use of std::thread::current() is not possible after the thread's local data has been destroyed
API String ID: 4006445483-880627562
Opcode ID: a72f5ca739154faab7c2adce1f258874dc75235866e6b4948058faf18c4301cd
Instruction ID: 7437f123fb6e170c77b4923406728dbc90a307f419baecbb0a6c5928b4478113
Opcode Fuzzy Hash: a72f5ca739154faab7c2adce1f258874dc75235866e6b4948058faf18c4301cd
Instruction Fuzzy Hash: 2AB1F266E19A5285FB989F16E8003B927A1FB84792F448136EE9E877C8DF7CD441D330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FA990 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6CF7FA9C3
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6CF7FA9FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6CF7FAA7E
CloseHandle.KERNEL32 ref: 00007FF6CF7FACCC

Strings

/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7FAC33

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Handle$CloseConsoleErrorLastMode
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs
API String ID: 1170577072-676797997
Opcode ID: f938711357086c68df499030e1b193c11713c4b775c95d0862311d77a65552b0
Instruction ID: 6bf6cf2953b5e2f07446ec5611db103f8210d959bb3b24106e6b29362858e3a2
Opcode Fuzzy Hash: f938711357086c68df499030e1b193c11713c4b775c95d0862311d77a65552b0
Instruction Fuzzy Hash: 6691CD26A09B9188FB55CF66E8047F82761AB05799F858231EDDD837D4EF3CD186D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F1E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F1F3C
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F1FFF

Strings

stdoutlibrary\std\src\io\mod.rs, xrefs: 00007FF6CF7F1EC2

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: stdoutlibrary\std\src\io\mod.rs
API String ID: 17069307-3595814922
Opcode ID: b747afd013363e6625e808e02ba01ae25b2efc96b1dda638267ba358fa059f4e
Instruction ID: a217e8d74e471c85fa169d19855b3fcd18ac1852e5aa13aa47a0249874dcd97b
Opcode Fuzzy Hash: b747afd013363e6625e808e02ba01ae25b2efc96b1dda638267ba358fa059f4e
Instruction Fuzzy Hash: 67814936A09B8189EB519F29E8413F827B0FF44759F048631EE9D83794EF39E196C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F1A50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CF7F2065), ref: 00007FF6CF7F1AA9
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CF7F2065), ref: 00007FF6CF7F1B99

Strings

lock count overflow in reentrant mutexlibrary\std\src\sys_common\remutex.rs, xrefs: 00007FF6CF7F1BAD

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: lock count overflow in reentrant mutexlibrary\std\src\sys_common\remutex.rs
API String ID: 17069307-1865303543
Opcode ID: 3302a1a42ce2f5f278e7996cc98946a3e4e82dfae6f3b605f45e3171d34068c5
Instruction ID: 56807e080fe10f8d644ede24bb02903bace09ea10b4bfa84708329106122c1c2
Opcode Fuzzy Hash: 3302a1a42ce2f5f278e7996cc98946a3e4e82dfae6f3b605f45e3171d34068c5
Instruction Fuzzy Hash: 83416B76A05A95C9EB508F16E8843EC7370FB48BA5F448131CE9D937A4DF38E596C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F9A30 Relevance: 1.5, APIs: 1, Instructions: 37
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadDescription.KERNELBASE ref: 00007FF6CF7F9A8A

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: DescriptionThread
String ID:
API String ID: 2285587249-0
Opcode ID: 08f7a9925de75439f3321a6a5d436dd2cef970f874df4fff7daee0cbd3c236b7
Instruction ID: 473641c679fbaa7628afe90c595fcebe073134081c9e7a5e0d37b4a8b6817e39
Opcode Fuzzy Hash: 08f7a9925de75439f3321a6a5d436dd2cef970f874df4fff7daee0cbd3c236b7
Instruction Fuzzy Hash: B501F755A0D98141EA519F02FD047FDA330AF81FC1F500032EA8D83BA9DE2DD441C720

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6CF7E735C Relevance: 23.2, APIs: 5, Strings: 8, Instructions: 430registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7E73D9
GetProcAddress.KERNEL32 ref: 00007FF6CF7E73F1
RegOpenKeyExW.ADVAPI32 ref: 00007FF6CF7E749F
RegQueryValueExW.ADVAPI32 ref: 00007FF6CF7E755C
RegQueryValueExW.ADVAPI32 ref: 00007FF6CF7E75D5

Strings

Windows 2000Windows XPWindows Server 2008Windows VistaWindows Server 2008 R2Windows 7Windows Server 2012Windows 8Windows Server 2012 R2Windows 8.1Windows Server 2016Windows 11Windows 10GetModuleHandleA() failed, xrefs: 00007FF6CF7E7809
SOFTWARE\Microsoft\Windows NT\CurrentVersionRegOpenKeyExW(HKEY_LOCAL_MACHINE, ...) failed, xrefs: 00007FF6CF7E7461
ntdll, xrefs: 00007FF6CF7E73D2, 00007FF6CF7E763F
EditionIDProductNameRegQueryValueExW failed, xrefs: 00007FF6CF7E74F0
Windows XP Professional x64 EditionWindows Server 2003Windows 2000Windows XPWindows Server 2008Windows VistaWindows Server 2008 R2Windows 7Windows Server 2012Windows 8Windows Server 2012 R2Windows 8.1Windows Server 2016Windows 11Windows 10GetModuleHandleA() fa, xrefs: 00007FF6CF7E7A5A
Some, xrefs: 00007FF6CF7E73B0, 00007FF6CF7E76EB, 00007FF6CF7E774A
Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003Windows 2000Windows XPWindows Server 2008Windows VistaWindows Server 2008 R2Windows 7Windows Server 2012Windows 8Windows Server 2012 R2Windows 8.1Windows Server 2016Windows 11Windows 10Ge, xrefs: 00007FF6CF7E7B84
RtlGetVersion, xrefs: 00007FF6CF7E73E7

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: QueryValue$AddressHandleModuleOpenProc
String ID: EditionIDProductNameRegQueryValueExW failed$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersionRegOpenKeyExW(HKEY_LOCAL_MACHINE, ...) failed$Some$Windows 2000Windows XPWindows Server 2008Windows VistaWindows Server 2008 R2Windows 7Windows Server 2012Windows 8Windows Server 2012 R2Windows 8.1Windows Server 2016Windows 11Windows 10GetModuleHandleA() failed$Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003Windows 2000Windows XPWindows Server 2008Windows VistaWindows Server 2008 R2Windows 7Windows Server 2012Windows 8Windows Server 2012 R2Windows 8.1Windows Server 2016Windows 11Windows 10Ge$Windows XP Professional x64 EditionWindows Server 2003Windows 2000Windows XPWindows Server 2008Windows VistaWindows Server 2008 R2Windows 7Windows Server 2012Windows 8Windows Server 2012 R2Windows 8.1Windows Server 2016Windows 11Windows 10GetModuleHandleA() fa$ntdll
API String ID: 627184455-1339064517
Opcode ID: c15a7ea3b64ff8dac62a81d3b658b79c25edfb05f1ea52810a1dd947fa21a71f
Instruction ID: 2b28af9f36c52649fb2c4c46ac351de388398096fd279a71e2143a0af70667a2
Opcode Fuzzy Hash: c15a7ea3b64ff8dac62a81d3b658b79c25edfb05f1ea52810a1dd947fa21a71f
Instruction Fuzzy Hash: 7F228F36A05B8298EB21CF25E8403EC33B4FB08799F544136DA9C8B694DF7CD686C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FB810 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,?,?,00000000,?,?,?,00007FF6CF7FB352), ref: 00007FF6CF7FB877
GetCurrentProcess.KERNEL32(00000000,?,?,?,00000000,?,?,?,00007FF6CF7FB352), ref: 00007FF6CF7FB890

Strings

called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7FBC4E
(, xrefs: 00007FF6CF7FBB37
SymGetLineFromAddrW64, xrefs: 00007FF6CF7FBB57
SymFromAddrW, xrefs: 00007FF6CF7FB870
X, xrefs: 00007FF6CF7FB852

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressCurrentProcProcess
String ID: ($SymFromAddrW$SymGetLineFromAddrW64$X$called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs
API String ID: 3217270580-1254548869
Opcode ID: 239b2f6bc228c01c7641c9148616b08464f5dde08d3e956f9b27cd5c24cb4c93
Instruction ID: 4f5c8a75a1fd0a42578063afbda0e4288fd361634de7dd2d49c6d75cb8c51e52
Opcode Fuzzy Hash: 239b2f6bc228c01c7641c9148616b08464f5dde08d3e956f9b27cd5c24cb4c93
Instruction Fuzzy Hash: 64A1DE21A086C681F6758F0AE4457FA73A0FF84792F406132EAC983794EF3DE185C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FB2F0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 282libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CF7F8010: WaitForSingleObjectEx.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F803C
Part of subcall function 00007FF6CF7F8010: LoadLibraryA.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F8054

GetProcAddress.KERNEL32 ref: 00007FF6CF7FB3A8
GetCurrentProcess.KERNEL32 ref: 00007FF6CF7FB3C1

Part of subcall function 00007FF6CF7FB810: GetProcAddress.KERNEL32(00000000,?,?,?,00000000,?,?,?,00007FF6CF7FB352), ref: 00007FF6CF7FB877
Part of subcall function 00007FF6CF7FB810: GetCurrentProcess.KERNEL32(00000000,?,?,?,00000000,?,?,?,00007FF6CF7FB352), ref: 00007FF6CF7FB890

ReleaseMutex.KERNEL32 ref: 00007FF6CF7FB76B

Strings

called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7FB79B, 00007FF6CF7FB7B5
SymGetLineFromInlineContextW, xrefs: 00007FF6CF7FB674
SymFromInlineContextW, xrefs: 00007FF6CF7FB3A1

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressCurrentProcProcess$LibraryLoadMutexObjectReleaseSingleWait
String ID: SymFromInlineContextW$SymGetLineFromInlineContextW$called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs
API String ID: 2306553062-1737085924
Opcode ID: 8d5bbe214f8d6023e503e8029a0c2a3db5ff44b539e7d6b88ed355612bc09706
Instruction ID: c0e6106a45679c8592203c0fa2d8d5680909b162d440e7c06b55c56b921de711
Opcode Fuzzy Hash: 8d5bbe214f8d6023e503e8029a0c2a3db5ff44b539e7d6b88ed355612bc09706
Instruction Fuzzy Hash: 6BC1D235A086C285F7718F16E8457F963A1FF447A9F145132EA8D8B798EF7C9281C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80AD54 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6CF80AD70
RtlCaptureContext.KERNEL32 ref: 00007FF6CF80AD9D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CF80ADB7
RtlVirtualUnwind.KERNEL32 ref: 00007FF6CF80ADF8
IsDebuggerPresent.KERNEL32 ref: 00007FF6CF80AE4C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6CF80AE6D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6CF80AE78

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 6e1d3c6e1b3271206f2ae3bc457921b7cd8d9329259d29961d7487e56b7f3784
Instruction ID: ef411e6dcf7f4a23e38bf909bf38dd4189cc413693ea4502ea9b8ae592aa9653
Opcode Fuzzy Hash: 6e1d3c6e1b3271206f2ae3bc457921b7cd8d9329259d29961d7487e56b7f3784
Instruction Fuzzy Hash: 4531617260AB8186EB649F60E8407ED7370FB84745F84453ADA8E87B98DF7CD648D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F8A20 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 228windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6CF7F8A7D
FormatMessageW.KERNEL32 ref: 00007FF6CF7F8AC4
GetLastError.KERNEL32 ref: 00007FF6CF7F8B36

Strings

NTDLL.DLL, xrefs: 00007FF6CF7F8A76
assertion failed: self.is_char_boundary(new_len)/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\string.rs, xrefs: 00007FF6CF7F8D92

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ErrorFormatHandleLastMessageModule
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\string.rs
API String ID: 1273946083-2035595366
Opcode ID: 9e93aea6f54aeb2be3cb5e3f8c9c108f1cfd5d46a2e0adb41af2bab8b2e084bc
Instruction ID: cd9910aaafbc2b547c8141bea9ba2855dc7ae68bd1f7732dd5915726ee314cc6
Opcode Fuzzy Hash: 9e93aea6f54aeb2be3cb5e3f8c9c108f1cfd5d46a2e0adb41af2bab8b2e084bc
Instruction Fuzzy Hash: 91A18976915BC288E7B18F21E8447FC73A4FB18395F444232DADC8AA98DF789685D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7EF9A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 00007FF6CF7EF9EF
BCryptGenRandom.BCRYPT ref: 00007FF6CF7EFA4F

Part of subcall function 00007FF6CF7F9930: SystemFunction036.ADVAPI32 ref: 00007FF6CF7F995B

Strings

RNG, xrefs: 00007FF6CF7EF9DD

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Crypt$AlgorithmFunction036OpenProviderRandomSystem
String ID: RNG
API String ID: 857443826-373003636
Opcode ID: e70428c5fdc87c7bc5ea91f2110a640a9cdfafc7a219ee50232fc557c60156eb
Instruction ID: 8d710173cbb4b76146b98bc41be6a97ae9349b82e427506b469c965a91cd8007
Opcode Fuzzy Hash: e70428c5fdc87c7bc5ea91f2110a640a9cdfafc7a219ee50232fc557c60156eb
Instruction Fuzzy Hash: 9521D135B09A5286E6208F16F4047B93360FF49B69F144332C9ED8BBE4DF2DE5429760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7E8A68 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

setybdet, xrefs: 00007FF6CF7E8AA0
uespemos, xrefs: 00007FF6CF7E8A79
arenegyl, xrefs: 00007FF6CF7E8A93
modnarod, xrefs: 00007FF6CF7E8A86

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 82967ce77142fc549cc585a09a9597c47691df5377968d4ababdbd2582094fb4
Instruction ID: c144e3c0155b220acda5f63f6499a35f1bee46e9cc8031317d9baff3923f0f91
Opcode Fuzzy Hash: 82967ce77142fc549cc585a09a9597c47691df5377968d4ababdbd2582094fb4
Instruction Fuzzy Hash: AD31D4A2B54F4042FE60DF6AB9643AAA362E7557D0F08A532CF8D47716DF3DE1928240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F6110 Relevance: 3.8, APIs: 3, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6CF7F615A
HeapAlloc.KERNEL32 ref: 00007FF6CF7F6177
HeapFree.KERNEL32 ref: 00007FF6CF7F61B9

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Heap$AllocFreeProcess
String ID:
API String ID: 2113670309-0
Opcode ID: 3aba57d44082e9cf5fd1eb4e85b7e6c0f40645939218ba4626517c7e144a1f42
Instruction ID: ce19002ecd24a9e4eff09f22f88e35cc429019f5189aa0e9392f8015052da952
Opcode Fuzzy Hash: 3aba57d44082e9cf5fd1eb4e85b7e6c0f40645939218ba4626517c7e144a1f42
Instruction Fuzzy Hash: FA110422F0A61581FA45CF93BC444B963B0BF88FE2B454035CD8DC3790DE3CE186A260

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7E264E Relevance: 3.6, Strings: 2, Instructions: 1100COMMON

Download Yara Rule

Strings

=, xrefs: 00007FF6CF7E3A22
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6CF7E3BC5

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: =$called `Result::unwrap()` on an `Err` value
API String ID: 17069307-1309585011
Opcode ID: 80515bfb435867b555ca0b8c0a7b7f82e1abde707c8e44af46e5df24236073c2
Instruction ID: 7e310644c07517ef7642e738b1f0d9690739ee2a89e80aacc6e171cc2e8e5d1e
Opcode Fuzzy Hash: 80515bfb435867b555ca0b8c0a7b7f82e1abde707c8e44af46e5df24236073c2
Instruction Fuzzy Hash: 25D25C76A09EC698EB20DF21FC513E93364FB4474AF804136D68D8BA95DF78D24AC360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FBE20 Relevance: 3.1, Strings: 2, Instructions: 648COMMON

Download Yara Rule

Strings

called `Option::unwrap()` on a `None` value, xrefs: 00007FF6CF7FC26D
0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FF6CF809014, 00007FF6CF8090B4, 00007FF6CF809160, 00007FF6CF809210, 00007FF6CF8092B4, 00007FF6CF809354

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$called `Option::unwrap()` on a `None` value
API String ID: 0-2689476215
Opcode ID: d1349fd432d5973bb940cf0904a4ccb14cb9d2e1df91242b0bb5da45fa27dad9
Instruction ID: 8de4872c95d260e1abc51c2c805fb3ec9ac1b499a1e7c13a3f09611a4dde1236
Opcode Fuzzy Hash: d1349fd432d5973bb940cf0904a4ccb14cb9d2e1df91242b0bb5da45fa27dad9
Instruction Fuzzy Hash: AB325463A0A68281F7648F29F4543B92322EB417A5F948231EADD877E1CE7CD646D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF809650 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FF6CF809804
called `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found , xrefs: 00007FF6CF809858, 00007FF6CF809910

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$called `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found
API String ID: 0-3638627821
Opcode ID: 53aad8672bdab399295f89b913bd014ba6207e7ae9bc1c33b06a5990b7f53bbd
Instruction ID: d749b522c2024e98088e71eaf1ec53f5952585e4068bbf6643b08525e8d10082
Opcode Fuzzy Hash: 53aad8672bdab399295f89b913bd014ba6207e7ae9bc1c33b06a5990b7f53bbd
Instruction Fuzzy Hash: 37615773B0A69581EB248F29E4103B97762FB927D5F808232CADE5B7E4DE6CC502D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7ECC00 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FF6CF809977, 00007FF6CF8099BD, 00007FF6CF8099E6
called `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found , xrefs: 00007FF6CF809A14

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$called `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found
API String ID: 0-3154555240
Opcode ID: ca5e7417b2cb5d09f267e9a85b62ca4979a03b53893c599cc2fc980ca25a9c73
Instruction ID: 1b1110aacef6c9f5b715b196537a9d85f13c2591862da8c033217237fe77351e
Opcode Fuzzy Hash: ca5e7417b2cb5d09f267e9a85b62ca4979a03b53893c599cc2fc980ca25a9c73
Instruction Fuzzy Hash: 88416662B0F49682F72C8B29A4593BD6372DB55792F908132DACECB7D4DD5CC182E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F0380 Relevance: 2.0, APIs: 1, Instructions: 474COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF6CF7F03AA

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 12e18bfb995368b54948cf70716d8b993a122dd7a43d860b2c75dc5c90172ce9
Instruction ID: 2e7bd6e8e053fcf33fdc16a88d5b4b636d2aac0ed4f98c9dedc9fa359e84acc8
Opcode Fuzzy Hash: 12e18bfb995368b54948cf70716d8b993a122dd7a43d860b2c75dc5c90172ce9
Instruction Fuzzy Hash: 95221767E08B9185EBA08F22D4442FD2761FB58B99F019731DE9E53789DF38E581C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7E577C Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

=, xrefs: 00007FF6CF7E5E98

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressCurrentHandleModuleOpenProcProcess
String ID: =
API String ID: 4221128193-2322244508
Opcode ID: 90e1528bdf51a13f93dba5f2426ce8afb939eada02881c127fd2c5e0f5bf1a72
Instruction ID: e918e9581fbf29ebacefbe6386469fcb6e15f37d8f01d351016130e0bcf2e079
Opcode Fuzzy Hash: 90e1528bdf51a13f93dba5f2426ce8afb939eada02881c127fd2c5e0f5bf1a72
Instruction Fuzzy Hash: 0E328236A05BC688EB71DF26E8513F82361FB48759F408232DADD9BA95DF38D245C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F9460 Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7F9799

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs
API String ID: 0-676797997
Opcode ID: 56b4bd50dcf3d6128e88ab486034f2bdf0f722c33cd407d567886cfa65d455b5
Instruction ID: e3f4c669007639e177351e05157f7e3d414dc6eccfd5da66ce9ef59be40f632a
Opcode Fuzzy Hash: 56b4bd50dcf3d6128e88ab486034f2bdf0f722c33cd407d567886cfa65d455b5
Instruction Fuzzy Hash: 57D18A56D0C7D648FBA14F66AC403B977A29B017A6F584331CAFD972D0DE3DA8929330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FD840 Relevance: 1.6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

Strings

punycode{-}0, xrefs: 00007FF6CF7FDC81

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: punycode{-}0
API String ID: 0-2450133883
Opcode ID: 94a592bc1c72b13e7c584c694bdf37bb4015dec3859baf387f84343dda318835
Instruction ID: 470ca2f7d581f3a47f599e7cc338980f95e20a4339e7dfb61fa6c204c7cbbaa5
Opcode Fuzzy Hash: 94a592bc1c72b13e7c584c694bdf37bb4015dec3859baf387f84343dda318835
Instruction Fuzzy Hash: CED1F166F0DA4549EBA08F06B6043B96791FB98BC1F084132DECD87795DEACE441D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF804250 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

called `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found , xrefs: 00007FF6CF8044BB

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: called `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found
API String ID: 0-3293574585
Opcode ID: f8c5c326b3d6767986f8cf918464dfc5ba608e37efdecb426eb411decc80c426
Instruction ID: e3780a7b684c69676d66e477d952c40432cb84a9653f00f7826c72c8dcb1b78d
Opcode Fuzzy Hash: f8c5c326b3d6767986f8cf918464dfc5ba608e37efdecb426eb411decc80c426
Instruction Fuzzy Hash: C4615822A9FAA240F7308E10A84077963B1AF84796FD55130DEDE837E4EEFDD5469220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF807800 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d251bf4a4e1d1506acc9b8d0cc377bc97dbb99c921d7f501d26d716c88c6ea1c
Instruction ID: f5f193b9ee84ea0de37ecb716b5c7c42a78bfb9a251d7b04265aa4d1199099f6
Opcode Fuzzy Hash: d251bf4a4e1d1506acc9b8d0cc377bc97dbb99c921d7f501d26d716c88c6ea1c
Instruction Fuzzy Hash: 8BD18B96F2B7E200FF138A3A44112B49B505F63BE1A85C337EDBA716E5EF59E1825210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF807F90 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0618d8cafd2a3e98b2218ae0878583eed7126b63f46f672f6884fd0de6d3fb23
Instruction ID: 2d0720dcf4b06b3944e1dbe1365b60596e7597226ceb4583d6a45d9ef7f2b046
Opcode Fuzzy Hash: 0618d8cafd2a3e98b2218ae0878583eed7126b63f46f672f6884fd0de6d3fb23
Instruction Fuzzy Hash: 33D12922B0FBD586EA508E5599183B577A1AB44BD5FC88631CE9E977C0CFBCE085A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF8056E0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a30884c4601423d78863e3434c0be9c8a12c372d150b06344092194ae82e175
Instruction ID: ce4b363a1f6fcdca81d19f82be07631bc7f18c2aeca14b7eef06e4095c2ff048
Opcode Fuzzy Hash: 5a30884c4601423d78863e3434c0be9c8a12c372d150b06344092194ae82e175
Instruction Fuzzy Hash: E8C16D12F1B7914AE6518E229500679A360FF56BE1F848332EE9D6BFC5DF3CE0519324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7E8E1B Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2323eb2e2201a32413e462eb011bba00e81996142d291da90b7adf4362d8111a
Instruction ID: ad57d170b97546f83354d80a5d097c9aeec2b3a7cada3b1a66774c0ba7ed6a16
Opcode Fuzzy Hash: 2323eb2e2201a32413e462eb011bba00e81996142d291da90b7adf4362d8111a
Instruction Fuzzy Hash: EAB12423A0ABC582EA018F2994053BA6760FB95B94F849331DEED47392DF7CD185D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80AEFC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf0b8fc293d15c8c4fbc3dcdb43f286eb5d4d8cb67bfd2106e12ecf876ef714
Instruction ID: abb49536b5e33644e8eb5d710c420b556c2ad39c17c3247dd149966268123bc8
Opcode Fuzzy Hash: bcf0b8fc293d15c8c4fbc3dcdb43f286eb5d4d8cb67bfd2106e12ecf876ef714
Instruction Fuzzy Hash: 5CA0016190A84690E6098F00E8949212330AB50342F808232D49D910609F6CE401A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F8010 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F803C
LoadLibraryA.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F8054
CloseHandle.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F80A8
GetProcAddress.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F80CC
GetProcAddress.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F8103
GetProcAddress.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F813D
GetCurrentProcess.KERNEL32(?,?,?,?,/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs,?,00007FF6CF7F45F7), ref: 00007FF6CF7F8156

Strings

called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7F819B, 00007FF6CF7F81B9, 00007FF6CF7F81D7
SymGetOptions, xrefs: 00007FF6CF7F80C2
SymSetOptions, xrefs: 00007FF6CF7F80FC
/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7F8011
dbghelp.dll, xrefs: 00007FF6CF7F804D
SymInitializeW, xrefs: 00007FF6CF7F8136
Local\RustBacktraceMutex, xrefs: 00007FF6CF7F8079

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressProc$CloseCurrentHandleLibraryLoadObjectProcessSingleWait
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs$Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs$dbghelp.dll
API String ID: 3769800572-2039388193
Opcode ID: 4465c8d6f7f8122f1d1dfcfba57a7702fe5ff471bbc9d9ceaaa824b559c4163d
Instruction ID: a8df72dcda014c56edb390c5aff298b34dc7f7abaf244cad2c5bd3c075defbc5
Opcode Fuzzy Hash: 4465c8d6f7f8122f1d1dfcfba57a7702fe5ff471bbc9d9ceaaa824b559c4163d
Instruction Fuzzy Hash: A4517D25E0BA4285FA459F62F8046B523B0AF457A2F488636D89DC73A5DF3CF445E330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F43C0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 349libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CF7EFBE0: SetLastError.KERNEL32 ref: 00007FF6CF7EFCC9
Part of subcall function 00007FF6CF7EFBE0: GetCurrentDirectoryW.KERNEL32 ref: 00007FF6CF7EFCD4
Part of subcall function 00007FF6CF7EFBE0: GetLastError.KERNEL32 ref: 00007FF6CF7EFCE1
Part of subcall function 00007FF6CF7EFBE0: GetLastError.KERNEL32 ref: 00007FF6CF7EFCFB

GetCurrentProcess.KERNEL32(?), ref: 00007FF6CF7F45BD
GetCurrentThread.KERNEL32 ref: 00007FF6CF7F45CA
RtlCaptureContext.KERNEL32 ref: 00007FF6CF7F45ED
GetCurrentProcess.KERNEL32 ref: 00007FF6CF7F4611
GetProcAddress.KERNEL32 ref: 00007FF6CF7F463F
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CF7F47C2
ReleaseMutex.KERNEL32 ref: 00007FF6CF7F47EF
GetProcAddress.KERNEL32 ref: 00007FF6CF7F49C6
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CF7F4A44

Strings

called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7F4A6F
StackWalkEx, xrefs: 00007FF6CF7F4638
StackWalk64, xrefs: 00007FF6CF7F498D, 00007FF6CF7F4A9A
/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7F44FA, 00007FF6CF7F47FB

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Current$ErrorLast$AddressEntryFunctionLookupProcProcess$CaptureContextDirectoryMutexReleaseThread
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs$StackWalk64$StackWalkEx$called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs
API String ID: 3845845103-921652489
Opcode ID: fb33be2eaa24ce1d81d3c4cdc367219004e16a01e9be865bf22b91f4864da678
Instruction ID: 9ed8ccb72a5122b8bbd361d9c77c77b6b1215d91a02df9d2b0fe8388123c449f
Opcode Fuzzy Hash: fb33be2eaa24ce1d81d3c4cdc367219004e16a01e9be865bf22b91f4864da678
Instruction Fuzzy Hash: D3125A26919BC18DE770CF21EC503E933A1F79974DF405226DA8C8BB99EF7992A4C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7E735B Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 294registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7E73D9
GetProcAddress.KERNEL32 ref: 00007FF6CF7E73F1
RegOpenKeyExW.ADVAPI32 ref: 00007FF6CF7E749F
RegQueryValueExW.ADVAPI32 ref: 00007FF6CF7E755C
RegQueryValueExW.ADVAPI32 ref: 00007FF6CF7E75D5

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersionRegOpenKeyExW(HKEY_LOCAL_MACHINE, ...) failed, xrefs: 00007FF6CF7E7461
ntdll, xrefs: 00007FF6CF7E73D2
EditionIDProductNameRegQueryValueExW failed, xrefs: 00007FF6CF7E74F0
Some, xrefs: 00007FF6CF7E73B0
Windows 11Windows 10GetModuleHandleA() failed, xrefs: 00007FF6CF7E77E4
RtlGetVersion, xrefs: 00007FF6CF7E73E7

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: QueryValue$AddressHandleModuleOpenProc
String ID: EditionIDProductNameRegQueryValueExW failed$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersionRegOpenKeyExW(HKEY_LOCAL_MACHINE, ...) failed$Some$Windows 11Windows 10GetModuleHandleA() failed$ntdll
API String ID: 627184455-2383710202
Opcode ID: 6598c172be9c9eb291562a779bdb84e5b6e9a2240ee13e10c86bb3ad3405cbc6
Instruction ID: d36a3db1c2aaf0f23a9b319471b3925207e50b4cb333f2b55003b20546a3f041
Opcode Fuzzy Hash: 6598c172be9c9eb291562a779bdb84e5b6e9a2240ee13e10c86bb3ad3405cbc6
Instruction Fuzzy Hash: 74E16B36A05B8188EB21CF21E8443ED33B4FB58799F404136DA9D8BA95DF7CD696C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80CD1C Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6CF80CD79

Part of subcall function 00007FF6CF80DC78: __GetUnwindTryBlock.LIBCMT ref: 00007FF6CF80DCBB
Part of subcall function 00007FF6CF80DC78: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6CF80DCE0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6CF80CE51
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6CF80D0A6
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CF80D1B2
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80D1C8
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80D1E5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80D1EB

Strings

csm, xrefs: 00007FF6CF80CD93
csm, xrefs: 00007FF6CF80CE74
csm, xrefs: 00007FF6CF80CDFA

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStateabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 9366333-393685449
Opcode ID: 5a3e863c0dde2ccc89f261f27ef5cdee0283ca18c04ebe4c09533880f5115347
Instruction ID: 7b765823c3ad635d9484bdbe69b442e44e4e127a5f222d37fb478faf221213f5
Opcode Fuzzy Hash: 5a3e863c0dde2ccc89f261f27ef5cdee0283ca18c04ebe4c09533880f5115347
Instruction Fuzzy Hash: 8EE17E73A0AB8286EB209F65D4403AD77B0FB45B99F904135EE8D97B99CF78E081D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F9C30 Relevance: 12.6, APIs: 10, Instructions: 129COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF6CF7F9C8C
TlsSetValue.KERNEL32 ref: 00007FF6CF7F9C9C
TlsGetValue.KERNEL32 ref: 00007FF6CF7F9CDC
TlsSetValue.KERNEL32 ref: 00007FF6CF7F9CEC
TlsGetValue.KERNEL32 ref: 00007FF6CF7F9D2C
TlsSetValue.KERNEL32 ref: 00007FF6CF7F9D3C
TlsGetValue.KERNEL32 ref: 00007FF6CF7F9D6C
TlsSetValue.KERNEL32 ref: 00007FF6CF7F9D7C
TlsGetValue.KERNEL32 ref: 00007FF6CF7F9DBD
TlsSetValue.KERNEL32 ref: 00007FF6CF7F9DCD

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 53feba5a13e3f5f50ddbd387739c8d2930260fd61d54291a92d0070f358b2bb1
Instruction ID: 7694d9eb67f569e3ed135c6c945a0503b301c881e42e12ffd5973f5e6a19a2fe
Opcode Fuzzy Hash: 53feba5a13e3f5f50ddbd387739c8d2930260fd61d54291a92d0070f358b2bb1
Instruction Fuzzy Hash: 5B414F39B0954286FA999F23EC4027863B1AF84B56F1C8435CE9D873D5DE3CE842E270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80F010 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00007FF6CF80F4D6, 00007FF6CF80F4F0
already borrowedlibrary\std\src\io\stdio.rs, xrefs: 00007FF6CF80F48B, 00007FF6CF80F4B5
/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF80F592
assertion failed: state_and_queue.addr() & STATE_MASK == RUNNINGOnce instance has previously been poisoned, xrefs: 00007FF6CF80F55D

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID:
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs$already borrowedlibrary\std\src\io\stdio.rs$assertion failed: state_and_queue.addr() & STATE_MASK == RUNNINGOnce instance has previously been poisoned$use of std::thread::current() is not possible after the thread's local data has been destroyed
API String ID: 0-2068787710
Opcode ID: 52b1b36f364876668f25b7560195e18c6e826eb34a147db81800d32b59bab3a3
Instruction ID: f8b9e35e55eb9b9bf5491856089c4ae3b127dd8767cd8f6b53df19e4c952b6ac
Opcode Fuzzy Hash: 52b1b36f364876668f25b7560195e18c6e826eb34a147db81800d32b59bab3a3
Instruction Fuzzy Hash: 8FF17D26A06B8684EB10CF25E8847B937B0FB44B69F448632DD9D877A4CF7DE089D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7EFE40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6CF7EFF7C
GetEnvironmentVariableW.KERNEL32 ref: 00007FF6CF7EFF8E
GetLastError.KERNEL32 ref: 00007FF6CF7EFF9B
GetLastError.KERNEL32 ref: 00007FF6CF7EFFB5
GetLastError.KERNEL32 ref: 00007FF6CF7F01A4

Strings

internal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7F01D0

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: internal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs
API String ID: 2691138088-3262343523
Opcode ID: 88cc2be511e37aca3f847ec0efe2b04136e57c940fc288d02e4fede0d91c62b8
Instruction ID: 907895f09455c4eefe15c09dee237067c5646bcdbd5aa5c8b7be3bf43e27b219
Opcode Fuzzy Hash: 88cc2be511e37aca3f847ec0efe2b04136e57c940fc288d02e4fede0d91c62b8
Instruction Fuzzy Hash: 72A1B476B04AC589E7718F26E8447ED6364FB44B99F408136DE9C9BB89DF38D2818360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F8E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6CF7F8EF9
GetModuleFileNameW.KERNEL32 ref: 00007FF6CF7F8F07
GetLastError.KERNEL32 ref: 00007FF6CF7F8F14
GetLastError.KERNEL32 ref: 00007FF6CF7F8F2E
GetLastError.KERNEL32 ref: 00007FF6CF7F8FC7

Strings

internal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7F8FEA

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ErrorLast$FileModuleName
String ID: internal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs
API String ID: 1026760046-3262343523
Opcode ID: b0cadabc24caf06aaa351e19e4722c51949a50b96c3f59f106edc984a1c35bbd
Instruction ID: 57a7ba4a592862e93b9a5d9c81f4c8d6548012eb61de029f14b4eab10b412b33
Opcode Fuzzy Hash: b0cadabc24caf06aaa351e19e4722c51949a50b96c3f59f106edc984a1c35bbd
Instruction Fuzzy Hash: 5B51E526A057C289EBB18F26EC447F92364BB54BA5F408231DDAD977C5DF7CD2819320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7EFBE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6CF7EFCC9
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6CF7EFCD4
GetLastError.KERNEL32 ref: 00007FF6CF7EFCE1
GetLastError.KERNEL32 ref: 00007FF6CF7EFCFB
GetLastError.KERNEL32 ref: 00007FF6CF7EFD96

Strings

internal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7EFDB9

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ErrorLast$CurrentDirectory
String ID: internal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs
API String ID: 3993060814-3262343523
Opcode ID: 9edefe1c0cd2534371d38dcf64876484ac7af940515da98889522d338bce85cd
Instruction ID: c8d7223f78405c45b174d9f78c7a597fb31eaa75cacf7a27db3277b5dee20325
Opcode Fuzzy Hash: 9edefe1c0cd2534371d38dcf64876484ac7af940515da98889522d338bce85cd
Instruction Fuzzy Hash: 9051D126A05BC14AEB718F22BC443F92364BB04BA5F108232DDAC97BD5DF78D281D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80DFBC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6CF80E26E,?,?,?,00007FF6CF80DF60,?,?,00000001,00007FF6CF80C559), ref: 00007FF6CF80E041
GetLastError.KERNEL32(?,?,?,00007FF6CF80E26E,?,?,?,00007FF6CF80DF60,?,?,00000001,00007FF6CF80C559), ref: 00007FF6CF80E04F
LoadLibraryExW.KERNEL32(?,?,?,00007FF6CF80E26E,?,?,?,00007FF6CF80DF60,?,?,00000001,00007FF6CF80C559), ref: 00007FF6CF80E079
FreeLibrary.KERNEL32(?,?,?,00007FF6CF80E26E,?,?,?,00007FF6CF80DF60,?,?,00000001,00007FF6CF80C559), ref: 00007FF6CF80E0BF
GetProcAddress.KERNEL32(?,?,?,00007FF6CF80E26E,?,?,?,00007FF6CF80DF60,?,?,00000001,00007FF6CF80C559), ref: 00007FF6CF80E0CB

Strings

api-ms-, xrefs: 00007FF6CF80E061

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 6df8e011888f8e1182aee22d14779a770dc692f00ababe79551ee4131590f100
Instruction ID: e8f336efb44cfce045bd130407b5ccafe0f039805118312d22958e16e02bad3a
Opcode Fuzzy Hash: 6df8e011888f8e1182aee22d14779a770dc692f00ababe79551ee4131590f100
Instruction Fuzzy Hash: EC31C921B1B68291FE519F12A8045B623A4FF44BA1F994535EDADC7394EF7CE1409334

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F880F Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7F881D
GetProcAddress.KERNEL32 ref: 00007FF6CF7F8835
GetProcAddress.KERNEL32 ref: 00007FF6CF7F884D

Strings

WaitOnAddress, xrefs: 00007FF6CF7F882B
WakeByAddressSingle, xrefs: 00007FF6CF7F8843
api-ms-win-core-synch-l1-2-0, xrefs: 00007FF6CF7F8816

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: WaitOnAddress$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 667068680-1826242509
Opcode ID: d39e8b6ad377f1dade52177b3b6248ba4355f11af8c2e5c124f45191d5e821cc
Instruction ID: a56d7116d855621bb3911ad2f41e2dfd70d56ce07276368303d8b1073b000fa9
Opcode Fuzzy Hash: d39e8b6ad377f1dade52177b3b6248ba4355f11af8c2e5c124f45191d5e821cc
Instruction Fuzzy Hash: 60F0DA25E1B642C1F9459F16F94817433B0AF44B92F888135C89DD63A0EF2CF566A330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F6C70 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CF7F6D86
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CF7F6DDE
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CF7F6E94
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CF7F6EEC

Strings

/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7F6E43

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs
API String ID: 17069307-676797997
Opcode ID: 652abcae8657907d4d982d034d3308821a37016112055ede9539b904c9f9e76d
Instruction ID: 5a0d40a318759bf62718dc43cce01ed7ad84818b0aa9a68889b3d6e847b994db
Opcode Fuzzy Hash: 652abcae8657907d4d982d034d3308821a37016112055ede9539b904c9f9e76d
Instruction Fuzzy Hash: B2814636A09B4588EB50CF62E8803AC37B4FB48BA9F448136DE9D97B58DF38D555C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80D1F4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6CF80D240
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6CF80D28F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80D407

Strings

MOC, xrefs: 00007FF6CF80D254
RCC, xrefs: 00007FF6CF80D25D

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: CallEncodePointerTranslatorabort
String ID: MOC$RCC
API String ID: 292945357-2084237596
Opcode ID: 4dae15cf6aa320dafb36cd00ffec971e71f59d8562aec941c45e7c7dd46960af
Instruction ID: 11a651f945e3500b4e86c3b8a4f4cb2d3a836ed812bb7714e3f6235c5ff14ae8
Opcode Fuzzy Hash: 4dae15cf6aa320dafb36cd00ffec971e71f59d8562aec941c45e7c7dd46960af
Instruction Fuzzy Hash: 42617B37A0AB858AE720CF65D4803AD77B0FB45B89F444225EE8D57B98DFB8E045D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80D550 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6CF80D578
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6CF80D660
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80D781

Strings

csm, xrefs: 00007FF6CF80D6B2
csm, xrefs: 00007FF6CF80D59A

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_recordabort
String ID: csm$csm
API String ID: 4198837600-3733052814
Opcode ID: f2a4ed33a2437aa431d85a5da6ccf30a2340f9fb75d16d34fb3fbd543c7d282b
Instruction ID: 079b7ec2d9bdd77772e3771ec781c0a06e30f319e20331f99c7e7efe2cc1919a
Opcode Fuzzy Hash: f2a4ed33a2437aa431d85a5da6ccf30a2340f9fb75d16d34fb3fbd543c7d282b
Instruction Fuzzy Hash: AC517C3390B3C286EA648F11954436877B0EB54B9AF948135DEDD87B95CFBCE490DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80C358 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6CF80C383
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6CF80C418
RtlUnwindEx.KERNEL32 ref: 00007FF6CF80C467

Strings

f, xrefs: 00007FF6CF80C396
csm, xrefs: 00007FF6CF80C3FE

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 3cc7576af0ac9cd7ac8639cf3ff8d7e2dc497059e309d2c1df8d9273dc8d2f1e
Instruction ID: 6741c345269a6a763f46158a90e7e4903593a51e509cadd45d15699d5217efd2
Opcode Fuzzy Hash: 3cc7576af0ac9cd7ac8639cf3ff8d7e2dc497059e309d2c1df8d9273dc8d2f1e
Instruction Fuzzy Hash: 6F51C936B1768286EB14CF15E444A3937B5FB56B89F918130DE8A87788DFB8E841D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F3F60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6CF7ED6D6), ref: 00007FF6CF7F3FF1
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F409E

Strings

called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7F40D9
lock count overflow in reentrant mutexlibrary\std\src\sys_common\remutex.rs, xrefs: 00007FF6CF7F3FD0
already borrowedlibrary\std\src\io\stdio.rs, xrefs: 00007FF6CF7F40FF

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: already borrowedlibrary\std\src\io\stdio.rs$called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs$lock count overflow in reentrant mutexlibrary\std\src\sys_common\remutex.rs
API String ID: 17069307-3558083966
Opcode ID: 182f2515c0c1b6aec977e9c8ef6f96ce0c6d36c67ae27e86f3d32bbec84d74a9
Instruction ID: 231224055a3c5966cdbcc1b3cf6c62b372cae1a31857d6f4e1c968735c5ff25c
Opcode Fuzzy Hash: 182f2515c0c1b6aec977e9c8ef6f96ce0c6d36c67ae27e86f3d32bbec84d74a9
Instruction Fuzzy Hash: 36514925E0AA8686FB508F64E8483B83370EF55726F408232C99CC23A1DF3DB199D370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FA820 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7FA8BC
GetProcAddress.KERNEL32 ref: 00007FF6CF7FA8D1

Strings

ntdll, xrefs: 00007FF6CF7FA8B5
/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7FA84D
NtWaitForKeyedEvent, xrefs: 00007FF6CF7FA8C7

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs$NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-653230520
Opcode ID: 13ecdd4271764ebe76a3a06b8cd6a824db2b3b75f908ea8dc66439d80fc35e81
Instruction ID: c8aed1dd0a73c4dd1aebd40c6f5388b13b4182c3a32270d308d91c815ad37f93
Opcode Fuzzy Hash: 13ecdd4271764ebe76a3a06b8cd6a824db2b3b75f908ea8dc66439d80fc35e81
Instruction Fuzzy Hash: B4116A22B16B0598FB05DF21EC447A837B4BB187A5F848235DDAC83794EF7CA186D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FA730 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7FA7CC
GetProcAddress.KERNEL32 ref: 00007FF6CF7FA7E1

Strings

ntdll, xrefs: 00007FF6CF7FA7C5
/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7FA75D
NtReleaseKeyedEvent, xrefs: 00007FF6CF7FA7D7

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs$NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-2160096194
Opcode ID: b2ccb9cc61f459e0b3c5dac3db3cc42b8c89609237380c18fb0b9bc35b8f532a
Instruction ID: e03ca079db0015dd69e746e3d2065c3ebb763104aed6c50908804476b515f6c9
Opcode Fuzzy Hash: b2ccb9cc61f459e0b3c5dac3db3cc42b8c89609237380c18fb0b9bc35b8f532a
Instruction Fuzzy Hash: 13116D26B16B4598FB059F11EC447A837B4BB18765F848235DDAC83B94EF7C9186D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F67B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 228COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F6955
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F69B0

Strings

called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs, xrefs: 00007FF6CF7F6AA4
Box<dyn Any><unnamed>, xrefs: 00007FF6CF7F684E

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: Box<dyn Any><unnamed>$called `Option::unwrap()` on a `None` valueinternal error: entered unreachable code/rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec\mod.rs
API String ID: 17069307-153253307
Opcode ID: 1dd24a45d2c52c70cc98ed3e77b89220973572f20c9065ab15946082edbffa19
Instruction ID: a5a9c4f3be7ac395df7c9422be8bcaaf38c042d0a070beb43cc149346ee0f40a
Opcode Fuzzy Hash: 1dd24a45d2c52c70cc98ed3e77b89220973572f20c9065ab15946082edbffa19
Instruction Fuzzy Hash: 47B17D26A0AA4289EB918F26E8407F833B0FB4479AF448136DACD87794DF3CE555D370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F7500 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CF7E105E), ref: 00007FF6CF7F7593

Part of subcall function 00007FF6CF7F67B0: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F6955

ReleaseSRWLockShared.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CF7E105E), ref: 00007FF6CF7F7749
ReleaseSRWLockShared.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CF7F77E3

Strings

/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7F756A, 00007FF6CF7F75F2, 00007FF6CF7F7646

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: Lock$Shared$AcquireRelease$Exclusive
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs
API String ID: 1508215558-676797997
Opcode ID: c3431c13c8e29545cb3400ae303440708a12422539ee93ec4c16ba835c065dc6
Instruction ID: b42c0d148067315bc1a4d52e2707bf6bdbcee86da8329762a58b8b21efe39ccd
Opcode Fuzzy Hash: c3431c13c8e29545cb3400ae303440708a12422539ee93ec4c16ba835c065dc6
Instruction Fuzzy Hash: 59814336A15B4199EB508FA2E8803AC37B4FB48759F448136DE8C93B98DF7C915AC360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80C684 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CF80C6E4

Strings

RCC, xrefs: 00007FF6CF80C694
csm, xrefs: 00007FF6CF80C6A4
MOC, xrefs: 00007FF6CF80C69C

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: c0287bf837e71186ad933ae0ff6c2129d65f765d0507de5d8c0fd6f2c5675833
Instruction ID: f4e63af10fc24f695bba21ea1abbb9d343a607898249304f8f7a13aa7d57b307
Opcode Fuzzy Hash: c0287bf837e71186ad933ae0ff6c2129d65f765d0507de5d8c0fd6f2c5675833
Instruction Fuzzy Hash: 0FF0A43690B6C682E7346F14D18107D3770EF49742F88A035E798866A2CFBCE4A0EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FA6D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7FA6EA
GetProcAddress.KERNEL32 ref: 00007FF6CF7FA6FF

Strings

ntdll, xrefs: 00007FF6CF7FA6E3
NtCreateKeyedEvent, xrefs: 00007FF6CF7FA6F5

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 2925bc3a827a87940cc72ce98806a6b5752391def9c08cb84801bcd64624be40
Instruction ID: 6831ddc47c3e5b99d8182ad1067edc5119754dbb9ea17736f57a37363594ea8f
Opcode Fuzzy Hash: 2925bc3a827a87940cc72ce98806a6b5752391def9c08cb84801bcd64624be40
Instruction Fuzzy Hash: B1F0FE16B1B74195FE498F57BC449B027A46F59B96E488235CD4CC3750EE2CA54AA320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FA610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7FA62C
GetProcAddress.KERNEL32 ref: 00007FF6CF7FA641

Strings

ntdll, xrefs: 00007FF6CF7FA625
NtWriteFile, xrefs: 00007FF6CF7FA637

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtWriteFile$ntdll
API String ID: 1646373207-4004780683
Opcode ID: 6693b4db23d937dc88e957302e65ef29810e580db27f9ecf7f7958dbd497bfb2
Instruction ID: 3dada80cce557887b50c5cdbbb86f66cf342a39f7311f23988f06014e019f083
Opcode Fuzzy Hash: 6693b4db23d937dc88e957302e65ef29810e580db27f9ecf7f7958dbd497bfb2
Instruction Fuzzy Hash: 76F08C55B0B60190FD498F17BC445A023A16F18FD2F888235CC8CC3364EE3CE44A9320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FA590 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7FA5A3
GetProcAddress.KERNEL32 ref: 00007FF6CF7FA5B8

Strings

kernel32, xrefs: 00007FF6CF7FA59C
SetThreadDescription, xrefs: 00007FF6CF7FA5AE

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 3c0e4a6a5ab68810ff4402aea4ee061283a05ff75e81b80cc8d5f251cc1cf899
Instruction ID: f7938a6b0713bcd326b5d9a6aa06f816a0188bce5f26f64a0c935e0e93e05d5c
Opcode Fuzzy Hash: 3c0e4a6a5ab68810ff4402aea4ee061283a05ff75e81b80cc8d5f251cc1cf899
Instruction Fuzzy Hash: 59E03918B0B60280FD498F16BC8416433A06F09B92B848535CC8CC3368EE2CE48AE330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7FA680 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CF7FA68E
GetProcAddress.KERNEL32 ref: 00007FF6CF7FA6A3

Strings

ntdll, xrefs: 00007FF6CF7FA687
RtlNtStatusToDosError, xrefs: 00007FF6CF7FA699

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlNtStatusToDosError$ntdll
API String ID: 1646373207-2182014170
Opcode ID: df34809de7f16530f17050565289d3f8e98aa625134f69521397842935832c97
Instruction ID: 0717c0f3b783e5bddc106316a1d2020843ed041b607f912b5700433b704ed38a
Opcode Fuzzy Hash: df34809de7f16530f17050565289d3f8e98aa625134f69521397842935832c97
Instruction Fuzzy Hash: E5E01225F0B71291FE599F15BC441B033B06F04B12F448135C49DC2350EE2CA446A330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F6550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F659B
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F65C0

Strings

/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7F663A

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs
API String ID: 17069307-676797997
Opcode ID: 1bb5859def7e1193e2f1c44229ad12b98640df0a131b1238ff4f7e1cfa668a98
Instruction ID: 0ec73e42497e1f018515453d20c7d529be7519642cc56bb777a4f0ec1692c30e
Opcode Fuzzy Hash: 1bb5859def7e1193e2f1c44229ad12b98640df0a131b1238ff4f7e1cfa668a98
Instruction Fuzzy Hash: 72318227A06A4198FB51CFA1FC053E82774BB04769F488531DE9C93794DF3CA19AD320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF7F66F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F6711
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6CF7F6733

Strings

/rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs, xrefs: 00007FF6CF7F677F

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\str\pattern.rs
API String ID: 17069307-676797997
Opcode ID: f6899c720fb95d5cda173c2e1f305339a4d9aec558e4671aef8b530163a77711
Instruction ID: 14dd05981bddbabea1ca386257c65a6e575cf1fdd905693b31759ced73c73681
Opcode Fuzzy Hash: f6899c720fb95d5cda173c2e1f305339a4d9aec558e4671aef8b530163a77711
Instruction Fuzzy Hash: 30114535A0AB4281EA908F01F8443A533B0EB4979AF984230D9CC87364DF3DE549E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6CF80C2B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6CF7FBD6E), ref: 00007FF6CF80C2FC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6CF7FBD6E), ref: 00007FF6CF80C342

Strings

csm, xrefs: 00007FF6CF80C32F

Memory Dump Source

Source File: 00000000.00000002.1613510838.00007FF6CF7E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CF7E0000, based on PE: true

Associated: 00000000.00000002.1613497519.00007FF6CF7E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613533782.00007FF6CF810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613551793.00007FF6CF82C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1613564429.00007FF6CF82D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6cf7e0000_elevator.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4e33ff39b9d06c1cf8f764f8b05a2fa55bdc02d29c8a427468a7c010e6dd1988
Instruction ID: 6d4904ce8bafb641aba6fb1fa044c493468ace17270791f69239ec0dcd3d4898
Opcode Fuzzy Hash: 4e33ff39b9d06c1cf8f764f8b05a2fa55bdc02d29c8a427468a7c010e6dd1988
Instruction Fuzzy Hash: FB114C3261AB8582EB618F15E440269B7B5FB88B89F588230EECD47B68DF7CD551DB00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report elevator.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: elevator.exePID: 7052, Parent PID: 2580

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Windows Analysis Report
elevator.exe

Function 00007FF6CF7EF1C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139
threadCOMMON

Function 00007FF6CF80A7BC Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Function 00007FF6CF7FACE0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 296
COMMON

Function 00007FF6CF7FA990 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 209
COMMON

Function 00007FF6CF7F1E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 171
COMMON

Function 00007FF6CF7F1A50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108
COMMON

Function 00007FF6CF7F9A30 Relevance: 1.5, APIs: 1, Instructions: 37
threadCOMMON