Edit tour

Windows Analysis Report
64drop.exe

Overview

General Information

Sample name:	64drop.exe
Analysis ID:	1378064
MD5:	8919a3ebfb67cc3d12f475baa82ca476
SHA1:	0e6aa733c49dc293f2936b32600390cedb0767ae
SHA256:	07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9
Tags:	64exe
Infos:

Detection

44Caliber Stealer, Rags Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected 44Caliber Stealer

Yara detected Rags Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

64drop.exe (PID: 5984 cmdline: C:\Users\user\Desktop\64drop.exe MD5: 8919A3EBFB67CC3D12F475BAA82CA476)

CromulentLauncher.exe (PID: 6444 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe" MD5: 23D86A9388B2473D0B8C8D8C75DE793C)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_44CaliberStealer	Yara detected 44Caliber Stealer	Joe Security
00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x377ce:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
00000001.00000002.1718689420.0000000005BC3000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x150ac:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x15584:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: CromulentLauncher.exe PID: 6444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CromulentLauncher.exe PID: 6444	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
Process Memory Space: CromulentLauncher.exe PID: 6444	JoeSecurity_44CaliberStealer	Yara detected 44Caliber Stealer	Joe Security
Process Memory Space: CromulentLauncher.exe PID: 6444	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xdb93:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x61b0d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x61c0b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.CromulentLauncher.exe.f30000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.CromulentLauncher.exe.f30000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.CromulentLauncher.exe.f30000.0.unpack	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
1.2.CromulentLauncher.exe.f30000.0.unpack	JoeSecurity_44CaliberStealer	Yara detected 44Caliber Stealer	Joe Security
1.2.CromulentLauncher.exe.f30000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x397ce:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.CromulentLauncher.exe.f30000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x3aea2:$s1: \VPN\NordVPN 0x3af46:$s1: \VPN\NordVPN 0x3afdc:$s2: \VPN\OpenVPN 0x3b04a:$s3: \VPN\ProtonVPN
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Virustotal: Detection: 49%			Perma Link

Multi AV Scanner detection for submitted file

Source: 64drop.exe	Virustotal: Detection: 57%			Perma Link
Source: 64drop.exe	ReversingLabs: Detection: 75%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 64drop.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Unpacked PE file: 1.2.CromulentLauncher.exe.f30000.0.unpack

Source: 64drop.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.73.97:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: 64drop.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005C22000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: 64drop.exe
Source:	Binary string: wminet_utils.dll.pdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *c:\windows\system.pdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `uyoasymreader.dllib.pdbpdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BC:\Windows\symbols\dll\System.pdbGAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbtem.drawing.dlll source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005C22000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009E2C15 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_009E2C15
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009F2D90 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_009F2D90

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.85.189 104.21.85.189
Source: Joe Sandbox View	IP Address: 104.21.73.97 104.21.73.97

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: freegeoip.app

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 20 Jan 2024 19:35:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 49123Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; hitVary: Accept-EncodingX-Nf-Request-Id: 01HMM5YR1DAQMYCA70A6AA4ATMCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3wp7UdVjfhykbLXgoIlI8oIM1dBON1pwjBVPUumt92WKQBMqsGwRABVDKGzSsQTUra6UlPTwUT1CdazoBSdA97z56uNNokOWx8pXjeL5dhM9QUOqMTy0BLz4vF2m"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8489c36cd931673c-ATLalt-svc: h3=":443"; ma=86400

Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.app
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.appd
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipbase.com
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipbase.comd
Source: CromulentLauncher.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: CromulentLauncher.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: CromulentLauncher.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B7C000.00000004.00000800.00020000.00000000.sdmp, CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: CromulentLauncher.exe, 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CromulentLauncher.exe	String found in binary or memory: https://enigmaprotector.com/
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com
Source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp, CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com/xml/
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://ptb.discord.com/api/webhooks/1191727961125158913/AO3r_s05R0U-6xEmnSGeaNuYUkFwxvk1U1oYOinVZKj
Source: CromulentLauncher.exe	String found in binary or memory: https://steamcommunity.com/profiles/
Source: CromulentLauncher.exe, 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmpCEA2.tmp.tmpdb.1.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729

Source: unknown	HTTPS traffic detected: 104.21.73.97:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000001.00000002.1718689420.0000000005BC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: CromulentLauncher.exe PID: 6444, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

PE file has nameless sections

Source: CromulentLauncher.exe.0.dr	Static PE information: section name:
Source: CromulentLauncher.exe.0.dr	Static PE information: section name:
Source: CromulentLauncher.exe.0.dr	Static PE information: section name:
Source: CromulentLauncher.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_00A03850	0_2_00A03850
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009E5AFD	0_2_009E5AFD
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009E54DD	0_2_009E54DD
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_00A03CFE	0_2_00A03CFE
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009FB4FD	0_2_009FB4FD
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009EC42B	0_2_009EC42B
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_00A07E04	0_2_00A07E04
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009EB79D	0_2_009EB79D
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009E4F3C	0_2_009E4F3C
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009FB72C	0_2_009FB72C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_0340EBC0	1_2_0340EBC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_0340EBAF	1_2_0340EBAF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_09129F20	1_2_09129F20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_09129650	1_2_09129650
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_09129308	1_2_09129308
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_091257F8	1_2_091257F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_091257E7	1_2_091257E7

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: String function: 00F7C2AC appears 46 times
Source: C:\Users\user\Desktop\64drop.exe	Code function: String function: 009F5690 appears 44 times

Source: C:\Users\user\Desktop\64drop.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\64drop.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\64drop.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\64drop.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\64drop.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\64drop.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Section loaded: sfc.dll	Jump to behavior

Source: 64drop.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000001.00000002.1718689420.0000000005BC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: CromulentLauncher.exe PID: 6444, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: CromulentLauncher.exe.0.dr

Static PE information: Section: ZLIB complexity 0.9997350031407035

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/14@2/2

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009E1891 GetLastError,FormatMessageW,

0_2_009E1891

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009F11D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_009F11D2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

File created: C:\Users\user\AppData\Local\44

Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe	Command line argument: sfxname	0_2_009F4968
Source: C:\Users\user\Desktop\64drop.exe	Command line argument: sfxstime	0_2_009F4968
Source: C:\Users\user\Desktop\64drop.exe	Command line argument: STARTDLG	0_2_009F4968

Source: 64drop.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\64drop.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpCED2.tmp.dat.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 64drop.exe	Virustotal: Detection: 57%
Source: 64drop.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\64drop.exe

File read: C:\Users\user\Desktop\64drop.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\64drop.exe C:\Users\user\Desktop\64drop.exe
Source: C:\Users\user\Desktop\64drop.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe"
Source: C:\Users\user\Desktop\64drop.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe"	Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 64drop.exe

Static file information: File size 1778157 > 1048576

Source: 64drop.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 64drop.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 64drop.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 64drop.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 64drop.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 64drop.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 64drop.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 64drop.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005C22000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: 64drop.exe
Source:	Binary string: wminet_utils.dll.pdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *c:\windows\system.pdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `uyoasymreader.dllib.pdbpdb source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BC:\Windows\symbols\dll\System.pdbGAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbtem.drawing.dlll source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005C22000.00000004.00000800.00020000.00000000.sdmp

Source: 64drop.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 64drop.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 64drop.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 64drop.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 64drop.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Unpacked PE file: 1.2.CromulentLauncher.exe.f30000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:R;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:R;Unknown_Section4:ER;.data:ER;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Unpacked PE file: 1.2.CromulentLauncher.exe.f30000.0.unpack

Source: CromulentLauncher.exe.0.dr

Static PE information: 0xFA6AE732 [Mon Feb 19 06:33:22 2103 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: C:\Users\user\Desktop\64drop.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4043218

Jump to behavior

Source: 64drop.exe	Static PE information: section name: .didat
Source: CromulentLauncher.exe.0.dr	Static PE information: section name:
Source: CromulentLauncher.exe.0.dr	Static PE information: section name:
Source: CromulentLauncher.exe.0.dr	Static PE information: section name:
Source: CromulentLauncher.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B170E5 pushad ; retf	0_3_02B170ED
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B170E5 pushad ; retf	0_3_02B170ED
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B18596 push cs; retf 0025h	0_3_02B185AA
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B18596 push cs; retf 0025h	0_3_02B185AA
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B0F9E9 push esi; retf	0_3_02B0F9F2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B0F9E9 push esi; retf	0_3_02B0F9F2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B147CF push cs; retf	0_3_02B147D2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B147CF push cs; retf	0_3_02B147D2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B170E5 pushad ; retf	0_3_02B170ED
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B170E5 pushad ; retf	0_3_02B170ED
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B18596 push cs; retf 0025h	0_3_02B185AA
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B18596 push cs; retf 0025h	0_3_02B185AA
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B0F9E9 push esi; retf	0_3_02B0F9F2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B0F9E9 push esi; retf	0_3_02B0F9F2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B147CF push cs; retf	0_3_02B147D2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_3_02B147CF push cs; retf	0_3_02B147D2
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009F6260 push ecx; ret	0_2_009F6273
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009F5668 push eax; ret	0_2_009F5686
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F88348 push 00F88794h; ret	1_2_00F8878C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F804F4 push 00F80520h; ret	1_2_00F80518
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F804BA push 00F804E8h; ret	1_2_00F804E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F805C8 push 00F805FCh; ret	1_2_00F805F4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F80564 push 00F80590h; ret	1_2_00F80588
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F8052C push 00F80558h; ret	1_2_00F80550
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F7E658 push 00F7E6A9h; ret	1_2_00F7E6A1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F88796 push 00F88807h; ret	1_2_00F887FF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F91860 push 00F918C0h; ret	1_2_00F918B8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F7E9D0 push 00F7E9FCh; ret	1_2_00F7E9F4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F909DE push 00F90A5Dh; ret	1_2_00F90A55
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F8894C push 00F88978h; ret	1_2_00F88970
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Code function: 1_2_00F7E912 push 00F7E940h; ret	1_2_00F7E938

Source: CromulentLauncher.exe.0.dr	Static PE information: section name: entropy: 7.998108637306767
Source: CromulentLauncher.exe.0.dr	Static PE information: section name: .data entropy: 7.962214038818199

Source: C:\Users\user\Desktop\64drop.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Jump to dropped file

Source: C:\Users\user\Desktop\64drop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599338	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Window / User API: threadDelayed 456	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Window / User API: threadDelayed 2142	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Window / User API: threadDelayed 584	Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-21568

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599338s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -598544s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 4500	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 7152	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe TID: 2640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\64drop.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009E2C15 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_009E2C15
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009F2D90 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_009F2D90

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009F50C6 VirtualQuery,GetSystemInfo,

0_2_009F50C6

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599338	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: vmware
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Hyper-V (guest)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.00000000010DD000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.00000000010DD000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.00000000010DD000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: ]VBoxService.exe
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1715767818.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: VBoxService.exe
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: VMWare
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: #Windows 11 Microsoft Hyper-V Server

Source: C:\Users\user\Desktop\64drop.exe

API call chain: ExitProcess graph end node

graph_0-23092

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Code function: 1_2_034092A8 LdrInitializeThunk,

1_2_034092A8

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009FA24F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009FA24F

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009FE3C2 mov eax, dword ptr fs:[00000030h]

0_2_009FE3C2

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_00A02440 GetProcessHeap,

0_2_00A02440

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009F6195 SetUnhandledExceptionFilter,	0_2_009F6195
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009FA24F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009FA24F
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009F63EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009F63EA
Source: C:\Users\user\Desktop\64drop.exe	Code function: 0_2_009F5FF2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009F5FF2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe

Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe"

Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009F1981 SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree,

0_2_009F1981

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009E6B0D cpuid

0_2_009E6B0D

Source: C:\Users\user\Desktop\64drop.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_009F1B15

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009F4968 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_009F4968

Source: C:\Users\user\Desktop\64drop.exe

Code function: 0_2_009E2D8E GetVersionExW,

0_2_009E2D8E

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected 44Caliber Stealer

Source: Yara match	File source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CromulentLauncher.exe PID: 6444, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CromulentLauncher.exe PID: 6444, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: CromulentLauncher.exe	String found in binary or memory: \Wallets\Electrum\
Source: CromulentLauncher.exe	String found in binary or memory: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: CromulentLauncher.exe	String found in binary or memory: \Wallets\Exodus\
Source: CromulentLauncher.exe	String found in binary or memory: \Wallets\Ethereum\
Source: CromulentLauncher.exe	String found in binary or memory: \Wallets\Exodus\
Source: CromulentLauncher.exe	String found in binary or memory: \Wallets\Ethereum\
Source: CromulentLauncher.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: CromulentLauncher.exe	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CromulentLauncher.exe PID: 6444, type: MEMORYSTR

Remote Access Functionality

Yara detected 44Caliber Stealer

Source: Yara match	File source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CromulentLauncher.exe PID: 6444, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: 1.2.CromulentLauncher.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CromulentLauncher.exe PID: 6444, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	57 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	23 Software Packing	NTDS	341 Security Software Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	4 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	241 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
64drop.exe	58%	Virustotal		Browse
64drop.exe	75%	ReversingLabs	Win32.Ransomware.Generic
64drop.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	79%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe	49%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ipbase.com	1%	Virustotal		Browse
freegeoip.app	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
https://freegeoip.app/xml/	1%	Virustotal		Browse
https://freegeoip.app	0%	Virustotal		Browse
http://www.enigmaprotector.com/openU	1%	Virustotal		Browse
http://freegeoip.appd	0%	Avira URL Cloud	safe
http://ipbase.comd	0%	Avira URL Cloud	safe
http://www.enigmaprotector.com/openU	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
http://ipbase.com	0%	Avira URL Cloud	safe
https://enigmaprotector.com/	0%	Avira URL Cloud	safe
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125	0%	Avira URL Cloud	safe
https://ipbase.com/xml/	0%	Avira URL Cloud	safe
https://ptb.discord.com/api/webhooks/1191727961125158913/AO3r_s05R0U-6xEmnSGeaNuYUkFwxvk1U1oYOinVZKj	0%	Avira URL Cloud	safe
https://enigmaprotector.com/	0%	Virustotal		Browse
http://ipbase.com	1%	Virustotal		Browse
https://ipbase.com/xml/	0%	Virustotal		Browse
http://www.enigmaprotector.com/	0%	Avira URL Cloud	safe
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125	0%	Virustotal		Browse
https://ipbase.com	0%	Avira URL Cloud	safe
http://freegeoip.app	0%	Avira URL Cloud	safe
https://ipbase.com	1%	Virustotal		Browse
https://ptb.discord.com/api/webhooks/1191727961125158913/AO3r_s05R0U-6xEmnSGeaNuYUkFwxvk1U1oYOinVZKj	0%	Virustotal		Browse
http://www.enigmaprotector.com/	0%	Virustotal		Browse
http://freegeoip.app	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipbase.com	104.21.85.189	true	false	1%, Virustotal, Browse	unknown
freegeoip.app	104.21.73.97	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipbase.com/xml/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmpCEA2.tmp.tmpdb.1.dr	false		high
https://duckduckgo.com/ac/?q=	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
http://ipbase.comd	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/ASOFTWARE	CromulentLauncher.exe, 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	false		high
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	CromulentLauncher.exe	false		high
http://www.enigmaprotector.com/openU	CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://freegeoip.app	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B4D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://freegeoip.appd	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
https://enigmaprotector.com/	CromulentLauncher.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	CromulentLauncher.exe	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
https://www.ecosia.org/newtab/	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpCEA2.tmp.tmpdb.1.dr	false		high
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B7C000.00000004.00000800.00020000.00000000.sdmp, CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
http://ipbase.com	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B97000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki-ocsp.symauth.com0	CromulentLauncher.exe	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
https://steamcommunity.com/profiles/	CromulentLauncher.exe	false		high
https://api.vimeworld.ru/user/name/	CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	CromulentLauncher.exe, 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	false		high
https://ptb.discord.com/api/webhooks/1191727961125158913/AO3r_s05R0U-6xEmnSGeaNuYUkFwxvk1U1oYOinVZKj	CromulentLauncher.exe, CromulentLauncher.exe, 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmpCEA2.tmp.tmpdb.1.dr	false		high
http://www.enigmaprotector.com/	CromulentLauncher.exe, 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B4D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	CromulentLauncher.exe, 00000001.00000002.1724017060.0000000006BB1000.00000004.00000800.00020000.00000000.sdmp, tmpCEE3.tmp.dat.1.dr, tmpCE92.tmp.dat.1.dr	false		high
https://ipbase.com	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B84000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://freegeoip.app	CromulentLauncher.exe, 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.85.189	ipbase.com	United States		13335	CLOUDFLARENETUS	false
104.21.73.97	freegeoip.app	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1378064
Start date and time:	2024-01-20 20:35:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	64drop.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/14@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 55% Number of executed functions: 125 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:35:54	API Interceptor	16x Sleep call for process: CromulentLauncher.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.85.189	123.scr.exe	Get hash	malicious	Unknown	Browse
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse
	rvYr7FRwkG.dll	Get hash	malicious	Unknown	Browse
	case (426).xls	Get hash	malicious	Unknown	Browse
	case (61).xls	Get hash	malicious	Unknown	Browse
104.21.73.97	123.scr.exe	Get hash	malicious	Unknown	Browse
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse
	bcAE21roAv.exe	Get hash	malicious	Snake Keylogger	Browse
	VegaStealer_v1.bin.exe	Get hash	malicious	Ades Stealer, NitroStealer	Browse
	SPYGAME.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse
	gjqYWrWZfb.exe	Get hash	malicious	Snake Keylogger	Browse
	UNKnyg3t3D.exe	Get hash	malicious	Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipbase.com	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.85.189
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.209.71
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.209.71
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.85.189
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.85.189
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	104.21.28.190
	7nYkVlcnfx.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.147.81
	bcAE21roAv.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.147.81
	VegaStealer_v1.bin.exe	Get hash	malicious	Ades Stealer, NitroStealer	Browse	75.2.60.5
	Yandex.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	75.2.60.5
	SPYGAME.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	75.2.60.5
	A6KiC17VqI.exe	Get hash	malicious	Snake Keylogger	Browse	75.2.60.5
	TwB13kUEGN.exe	Get hash	malicious	Snake Keylogger	Browse	75.2.60.5
	w5gL8sZU6z.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	k2Bg5AlSk1.exe	Get hash	malicious	MassLogger RAT, Matiex, Snake Keylogger	Browse	75.2.60.5
	vYT3XBi8du.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	CJCxcYxjhF.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	g95CmPy67V.exe	Get hash	malicious	Snake Keylogger	Browse	75.2.60.5
	nesbiPpHpN.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	M6VkStAYfV.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
freegeoip.app	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.160.84
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	172.67.160.84
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.73.97
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	172.67.160.84
	7nYkVlcnfx.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.160.84
	bcAE21roAv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.73.97
	VegaStealer_v1.bin.exe	Get hash	malicious	Ades Stealer, NitroStealer	Browse	104.21.73.97
	Yandex.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	172.67.160.84
	SPYGAME.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.73.97
	A6KiC17VqI.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	TwB13kUEGN.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.7
	w5gL8sZU6z.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	k2Bg5AlSk1.exe	Get hash	malicious	MassLogger RAT, Matiex, Snake Keylogger	Browse	188.114.97.7
	vYT3XBi8du.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	CJCxcYxjhF.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.7
	g95CmPy67V.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	nesbiPpHpN.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.7
	M6VkStAYfV.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Trojan.Win32.Redline.15061.23904.exe	Get hash	malicious	LummaC	Browse	104.21.71.213
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	162.159.134.233
	WINVER.EXE.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	Fantasy.exe	Get hash	malicious	LummaC	Browse	104.21.35.143
	explorhe.exe	Get hash	malicious	LummaC, Amadey, Fabookie, Glupteba, LummaC Stealer, RedLine, Stealc	Browse	172.67.175.187
	C5A6377F2AC72B0E24F3F44995EEEDD5591825C59EF70.exe	Get hash	malicious	Unknown	Browse	172.67.210.35
	4779988F265D9FCDC5CE077D8E9E409B9B53C12218F31.exe	Get hash	malicious	RedLine	Browse	172.67.34.170
	4779988F265D9FCDC5CE077D8E9E409B9B53C12218F31.exe	Get hash	malicious	RedLine	Browse	104.20.67.143
	2D5770EB59209D2238670233CB2BE6424F7974800B83F.exe	Get hash	malicious	Unknown	Browse	172.67.210.35
	6D3F3F26752DF1A041952CEAB949662805FFF34D6D06D.exe	Get hash	malicious	Unknown	Browse	104.21.38.59
	SecuriteInfo.com.Win64.TrojanX-gen.10450.23478.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	9bb9a1974de3b7ca8de3fd9afd7fb0f92d8f24c33b651584b2d7e2d0bd0da2fe.zip	Get hash	malicious	LimeRAT	Browse	172.67.34.170
	bTcG.exe	Get hash	malicious	LimeRAT	Browse	172.67.34.170
	SecuriteInfo.com.Win64.PWSX-gen.25941.20836.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	SecuriteInfo.com.Win64.PWSX-gen.25941.20836.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	file.exe	Get hash	malicious	LummaC, zgRAT	Browse	104.21.10.151
	https://far-skateboard-ba2.notion.site/GAFFNEY-Electrical-Services-Pty-Ltd-4f330ac7f10f4d20a77520190e6fd06c?pvs=4%22)%20and%20ContentType:(%221%22)	Get hash	malicious	HTMLPhisher	Browse	172.64.148.154
	https://far-skateboard-ba2.notion.site/GAFFNEY-Electrical-Services-Pty-Ltd-4f330ac7f10f4d20a77520190e6fd06c?pvs=4%22)%20and%20ContentType:(%221%22)	Get hash	malicious	HTMLPhisher	Browse	172.64.148.154
	bTc8.exe	Get hash	malicious	Njrat	Browse	172.67.34.170
	SecuriteInfo.com.Win64.Evo-gen.27818.14006.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
CLOUDFLARENETUS	SecuriteInfo.com.Trojan.Win32.Redline.15061.23904.exe	Get hash	malicious	LummaC	Browse	104.21.71.213
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	162.159.134.233
	WINVER.EXE.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	Fantasy.exe	Get hash	malicious	LummaC	Browse	104.21.35.143
	explorhe.exe	Get hash	malicious	LummaC, Amadey, Fabookie, Glupteba, LummaC Stealer, RedLine, Stealc	Browse	172.67.175.187
	C5A6377F2AC72B0E24F3F44995EEEDD5591825C59EF70.exe	Get hash	malicious	Unknown	Browse	172.67.210.35
	4779988F265D9FCDC5CE077D8E9E409B9B53C12218F31.exe	Get hash	malicious	RedLine	Browse	172.67.34.170
	4779988F265D9FCDC5CE077D8E9E409B9B53C12218F31.exe	Get hash	malicious	RedLine	Browse	104.20.67.143
	2D5770EB59209D2238670233CB2BE6424F7974800B83F.exe	Get hash	malicious	Unknown	Browse	172.67.210.35
	6D3F3F26752DF1A041952CEAB949662805FFF34D6D06D.exe	Get hash	malicious	Unknown	Browse	104.21.38.59
	SecuriteInfo.com.Win64.TrojanX-gen.10450.23478.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	9bb9a1974de3b7ca8de3fd9afd7fb0f92d8f24c33b651584b2d7e2d0bd0da2fe.zip	Get hash	malicious	LimeRAT	Browse	172.67.34.170
	bTcG.exe	Get hash	malicious	LimeRAT	Browse	172.67.34.170
	SecuriteInfo.com.Win64.PWSX-gen.25941.20836.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	SecuriteInfo.com.Win64.PWSX-gen.25941.20836.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	file.exe	Get hash	malicious	LummaC, zgRAT	Browse	104.21.10.151
	https://far-skateboard-ba2.notion.site/GAFFNEY-Electrical-Services-Pty-Ltd-4f330ac7f10f4d20a77520190e6fd06c?pvs=4%22)%20and%20ContentType:(%221%22)	Get hash	malicious	HTMLPhisher	Browse	172.64.148.154
	https://far-skateboard-ba2.notion.site/GAFFNEY-Electrical-Services-Pty-Ltd-4f330ac7f10f4d20a77520190e6fd06c?pvs=4%22)%20and%20ContentType:(%221%22)	Get hash	malicious	HTMLPhisher	Browse	172.64.148.154
	bTc8.exe	Get hash	malicious	Njrat	Browse	172.67.34.170
	SecuriteInfo.com.Win64.Evo-gen.27818.14006.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	104.21.85.189 104.21.73.97
	SecuriteInfo.com.Trojan-PSW.Agent.30453.11887.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	SecuriteInfo.com.Trojan-PSW.Agent.30453.11887.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.21.85.189 104.21.73.97
	file.exe	Get hash	malicious	RisePro Stealer, Vidar	Browse	104.21.85.189 104.21.73.97
	SecuriteInfo.com.IL.Trojan.MSILZilla.53588.22756.16168.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	SecuriteInfo.com.IL.Trojan.MSILZilla.53588.22756.16168.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	ODDBALL0.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	104.21.85.189 104.21.73.97
	latestrocki.exe	Get hash	malicious	LummaC, Fabookie, Glupteba, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	104.21.85.189 104.21.73.97
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine	Browse	104.21.85.189 104.21.73.97
	VXl6IxOofO.exe	Get hash	malicious	Gurcu Stealer	Browse	104.21.85.189 104.21.73.97
	7UunqDE3X2.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.85.189 104.21.73.97
	spoofer.exe	Get hash	malicious	Blank Grabber, Dicrord Rat, Umbral Stealer	Browse	104.21.85.189 104.21.73.97
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=fVW0Q484ME-xmkayXQgIKyKJkC3KriNNt5AG7Ds4ctRUM0hPVDc2SkRNSjY1Vk9JRjU5V1BTQThIQy4u	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.21.85.189 104.21.73.97
	InvoiceN0180A209_PDF.vbs	Get hash	malicious	XWorm	Browse	104.21.85.189 104.21.73.97
	http://uodrle.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.21.85.189 104.21.73.97
	pdfcentral.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	pdfcentral.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	https://gate.getmygateway.com/KQGrXb?c=	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	PDF2DoConvert (1).exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	low
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\44\Information.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	645
Entropy (8bit):	4.175130895137056
Encrypted:	false
SSDEEP:	12:pYzdcsggfSBLoTSTeftRQ6vV2MWYY7VondA6r:psdvfSBL/4nvV6B7Voa4
MD5:	97F0DA276EAF1D64D56F8D782583A038
SHA1:	8F530A6BB4C7C633A86D34E60D967807C6CE55E7
SHA-256:	41D20437D1DF0A9A89D0E13F57CF8C589DAECC3C6046623BAA12670B4B7EA9C9
SHA-512:	B1C714F79AE9F1E15BC2D8ACC9CBC4A2A582D3B8E9C6DF527E85839A17E4F3D86B14AEF2FFF82E79F0953A4DFCB9AEA6983A5A5C5172F82A7B21B820CE4E78A3
Malicious:	false
Reputation:	low
Preview:	==================================================. Operating system: Windows 10 Pro (64 Bit). PC user: 642294/user. ClipBoard: . Launch: C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe. ==================================================. Screen resolution: 1280x1024. Current time: 20/01/2024 22:45:45. HWID: DE2C84916D. ==================================================. CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz. RAM: 4094MB. GPU: A1HRLS. ==================================================. IP Geolocation: Fail Fail. Log Date: 01/20/2024 8:35. BSSID: 00:50:56:a7:21:15. ==================================================

C:\Users\user\AppData\Local\44\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3674
Entropy (8bit):	4.726177092843143
Encrypted:	false
SSDEEP:	48:VTjLrVAG2VbAJtEyeVZiVjV7VsVcVHQSVAVVqVVVbAVVAAAmumjqVg5VVUtlVVC/:YG3trEUZjCBRzUi
MD5:	8AF65C058B1A30C6F0DFC075C0622FA2
SHA1:	224CD79BF73D0A3621F09812A0DDC0D50DC13802
SHA-256:	D48D3BCABEF88BC9D5733B2D27EFBA13A114B19199B8845528E9E6E31E5B67CB
SHA-512:	C268A53B9EA7A80A6BF81863985AACB4F838A4DC1B316F8F01D2D781E9C5955F60F1130936A5F6D09A4A746985B01222D48C505563FE92E7CF4654C75C95D6AA
Malicious:	false
Reputation:	low
Preview:	NAME: svchost..NAME: GfRiSOBRkZVtonVG..NAME: explorer..NAME: WmiPrvSE..NAME: GfRiSOBRkZVtonVG..NAME: fontdrvhost..NAME: GfRiSOBRkZVtonVG..NAME: smartscreen..NAME: svchost..NAME: CromulentLauncher..NAME: csrss..NAME: svchost..NAME: sihost..NAME: GfRiSOBRkZVtonVG..NAME: GfRiSOBRkZVtonVG..NAME: RuntimeBroker..NAME: OfficeClickToRun..NAME: GfRiSOBRkZVtonVG..NAME: GfRiSOBRkZVtonVG..NAME: svchost..NAME: svchost..NAME: dasHost..NAME: svchost..NAME: ctfmon..NAME: 64drop..NAME: WmiPrvSE..NAME: conhost..NAME: svchost..NAME: GfRiSOBRkZVtonVG..NAME: svchost..NAME: GfRiSOBRkZVtonVG..NAME: svchost..NAME: svchost..NAME: backgroundTaskHost..NAME: svchost..NAME: GfRiSOBRkZVtonVG..NAME: svchost..NAME: dllhost..NAME: GfRiSOBRkZVtonVG..NAME: GfRiSOBRkZVtonVG..NAME: svchost..NAME: RuntimeBroker..NAME: StartMenuExperienceHost..NAME: GfRiSOBRkZVtonVG..NAME: GfRiSOBRkZVtonVG..NAME: fontdrvhost..NAME: GfRiSOBRkZVtonVG..NAME: GfRiSOBRkZVtonVG..NAME: TextInputHost..NAME: svchost..NAME: svchost..NAME: GfRiSOBRkZV

C:\Users\user\AppData\Local\44\Screen.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	716623
Entropy (8bit):	7.928642097663503
Encrypted:	false
SSDEEP:	12288:kaGkcf1u7ROGZg8Wfv8zx22zzFUJPOds/53O8EWCz7WhOOwSgPGx6mV/Q9tlV6kk:v+1wOGynS5UVUa+ICP+BHoj6dVZ
MD5:	EEE95499D20167CB8428FA2D913CDC3A
SHA1:	FA1D823CA08512189A19FC53AE05F3F2E82578FF
SHA-256:	8A08ADE04033ACDE6AE912B9471338670E12B784269226890AAFBAD2BC8B9968
SHA-512:	5ED8AD181D1C4A41A11C1504C33E955F9FB2CEEB6F96B3E63EFFB0D2473F2D899F91F4DFB8A3F0E5849480A1DE95193724D59B51B1845ED95B69AA815EE71708
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e....Y..5=.{.o.{..3o...3...............H........)$.Fx#...C ..{...{o%..R\|....O.....YU...~+"v.s..,.....Zg..F..]x..6w.....N../..f..v..L..7..u.....W;Q\|92V...%3..g...'..Z.x9C_.Q.}..}..h.....zL.k/...{a..Z..@..+^.I....cGO..Q..e.....5}..5......N...4.M...OO...<5....Hi.....+h...i...c.._\|<....$..<........~......#.c.><<.<4%.{/...@.}~j.?....}.....zc<`..7..{=.0.........=.....1c....d..'......9.+V....M_c...]...w7..r.$..........4....9.....we.v.3..\|_9...S0...c.h.xGj.d.x{...->nq......*..hqc.N.W.c.C{..2..m.{.[...i.........n..........n.y...ng9.Z~/...n}k...........'>o;.7.i,.....i...v.1..G..[......>..o.....hK..-nNs..}k..ons..iozC.[...i....}..-l...&7.....v\|S....mz]jorm.c...]......[....]..ki.1?.>.<..s7.>..+6g...#.s.k3....6..F6o.?.......19.g..7..S......]...5il.s..v....:W5.~.>....u}.^......Y.....j<g].[..4..]...'.3..-..s..\|.../O..y.5..1..z\.9]O{...o.\`1.y..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CromulentLauncher.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.347863460191528
Encrypted:	false
SSDEEP:	24:ML9E4KXAE4Kze41qE4qXKDE4KhKiKhPKIE4oKNzKogE4K5sXE4qdKm:MxHKXAHKze41qHiYHKh3oPtHo64HKMHA
MD5:	902DC85AB4A707C2AE73570A764FD473
SHA1:	D5B0FD2C3A487F93F819D9B84572BAA735C827AF
SHA-256:	83781ECAC28FA86EBA51089023042AF8936233D03CC0737FCF932648A1BA234B
SHA-512:	8F50D6A8C208378D04FD9A503FEC05AEB0F23930E8C2E6730FFBC8BCF7801EC1AB74BEFA0C24A5639C36A8E6CD66F8A313FC26D12907CB1530AEB3AD17A0175D
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Download File

Process:	C:\Users\user\Desktop\64drop.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1289216
Entropy (8bit):	7.963070019788221
Encrypted:	false
SSDEEP:	24576:UAf8XwYjslts9M5I8ke6JXHLgr8zRmtIDhe7xKP8xL7o1Nzwta2:UcYIXUuIxe0+imyEZvo3Q
MD5:	23D86A9388B2473D0B8C8D8C75DE793C
SHA1:	D7938FB0DDAEED76D6EAD3AD9ED030934603247E
SHA-256:	9633ED8A684B052247E4850948B3E8B33C428066EB1C32179C547F477C5DFAF7
SHA-512:	7115B93EFBB44AB74B157D683A61BB4E8DBF6FAAC46516916CB95EF310B1CCB587FF638113FFBB76530A936EE5358562132475DE74710FF64E27D5ADD68D842D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 49%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.j...............0.............48>.. ........@.. .......................`>.. ........`... .. .... .. .................. ./......`......................../.................................................................................................. ....... ..............@............ ... ......................@............ ...@......................@....rsrc.... ...`......................@..@..........+......(..................@....data........./.....................@...........................................N.L......L.o(.........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE92.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCEA2.tmp.tmpdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCED2.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCEE3.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF13.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF33.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF44.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF54.tmp.tmpdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.782837985955761
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	64drop.exe
File size:	1'778'157 bytes
MD5:	8919a3ebfb67cc3d12f475baa82ca476
SHA1:	0e6aa733c49dc293f2936b32600390cedb0767ae
SHA256:	07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9
SHA512:	eac4ba93e8f84413a4d5a4e590263c493011cdfa2a6b96dee2222930a22c30ef885d4651d0783b10c26b8b75cc1f61c32302671dcf9de9f1a3dd19a29c1d1593
SSDEEP:	24576:rcbD/3+3Nb8c6xUN8c/CNlSC3Af8XwYJs4nUAo3E5IuquLJlxpCp8zMgNFLtU5Vp:rcbz+3H6NXL3cYi4nUpmIm2BIG5VBj
TLSH:	2F8501153A84CC76C6721BFC16E1E334A77DAE246E29C683CAF1CDA7F6E5C952C11281
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=LF.S.F.S.F.S..$..K.S..$....S..$..^.S.....D.S...W.U.S...P.Q.S...V.t.S.O...M.S.O...A.S.F.R.N.S...V.`.S...S.G.S.....G.S...Q.G.S

File Icon


Icon Hash:	86961e87874d5e52

Static PE Info

General

Entrypoint:	0x415de0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x64C8CFB7 [Tue Aug 1 09:26:15 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fa8d20faea9ef7b4e2b7fbfe93442593

Entrypoint Preview

Instruction
call 00007FE661562791h
jmp 00007FE66156212Dh
jmp 00007FE66156693Fh
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE6615619A7h
push 00431B08h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE6615630CAh
int3
push ebp
mov ebp, esp
and dword ptr [004692A8h], 00000000h
sub esp, 24h
or dword ptr [00434674h], 01h
push 0000000Ah
call dword ptr [00429170h]
test eax, eax
je 00007FE661562462h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007FE6615622F5h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FE6615622D5h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x32a30	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32a64	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x4662b	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0x2954	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x30e40	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2b338	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29000	0x22c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3205c	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27d0c	0x27e00	False	0.5858946414576802	data	6.69415089194142	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0xa6e6	0xa800	False	0.4578218005952381	data	5.246739495724833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34000	0x35ca0	0x1000	False	0.41455078125	DOS executable (block device driver w{\362ko\3050)	4.160089790234222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x6a000	0x178	0x200	False	0.4296875	data	3.2022535810191277	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6b000	0x4662b	0x46800	False	0.5762411347517731	data	6.073263397508148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0x2954	0x2a00	False	0.7797619047619048	data	6.703800314116885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
PNG	0x6b53c	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	1.0027729636048528
PNG	0x6c084	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	0.9363390441839495
RT_ICON	0x6d630	0x41c28	Device independent bitmap graphic, 255 x 512 x 32, image size 261120	0.5717314146544299
RT_DIALOG	0xaf258	0x2ba	data	0.5286532951289399
RT_DIALOG	0xaf514	0x13a	data	0.6560509554140127
RT_DIALOG	0xaf650	0xf2	data	0.71900826446281
RT_DIALOG	0xaf744	0x14a	data	0.6
RT_DIALOG	0xaf890	0x314	data	0.47588832487309646
RT_DIALOG	0xafba4	0x24a	data	0.6279863481228669
RT_STRING	0xafdf0	0x1fc	data	0.421259842519685
RT_STRING	0xaffec	0x246	data	0.41924398625429554
RT_STRING	0xb0234	0x1a6	data	0.514218009478673
RT_STRING	0xb03dc	0xdc	data	0.65
RT_STRING	0xb04b8	0x470	data	0.3873239436619718
RT_STRING	0xb0928	0x164	data	0.5056179775280899
RT_STRING	0xb0a8c	0x110	data	0.5772058823529411
RT_STRING	0xb0b9c	0x158	data	0.4563953488372093
RT_STRING	0xb0cf4	0xe8	data	0.5948275862068966
RT_STRING	0xb0ddc	0xe6	data	0.5695652173913044
RT_GROUP_ICON	0xb0ec4	0x14	data	1.25
RT_MANIFEST	0xb0ed8	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, GetOEMCP, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetCommandLineA
OLEAUT32.dll	VariantClear
gdiplus.dll	GdipCreateBitmapFromStream, GdipAlloc, GdipCloneImage, GdipDisposeImage, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2024 20:35:54.496850014 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:54.496886015 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:54.496963978 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:54.527277946 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:54.527299881 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:54.786549091 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:54.787332058 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:54.790524006 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:54.790535927 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:54.790875912 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:54.844450951 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:54.893923998 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:54.941900969 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:55.060861111 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:55.060929060 CET	443	49729	104.21.73.97	192.168.2.4
Jan 20, 2024 20:35:55.060995102 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:55.065911055 CET	49729	443	192.168.2.4	104.21.73.97
Jan 20, 2024 20:35:55.193849087 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.193902016 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.193985939 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.194880009 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.194900036 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.454297066 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.454390049 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.458699942 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.458714008 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.459125042 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.461339951 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.505902052 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.768868923 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.768925905 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.768958092 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.768970966 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.768985987 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.769023895 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.769033909 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.769082069 CET	443	49730	104.21.85.189	192.168.2.4
Jan 20, 2024 20:35:55.769121885 CET	49730	443	192.168.2.4	104.21.85.189
Jan 20, 2024 20:35:55.776118040 CET	49730	443	192.168.2.4	104.21.85.189

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2024 20:35:54.353410006 CET	55915	53	192.168.2.4	1.1.1.1
Jan 20, 2024 20:35:54.473994970 CET	53	55915	1.1.1.1	192.168.2.4
Jan 20, 2024 20:35:55.071039915 CET	56421	53	192.168.2.4	1.1.1.1
Jan 20, 2024 20:35:55.192543983 CET	53	56421	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 20, 2024 20:35:54.353410006 CET	192.168.2.4	1.1.1.1	0x9fc	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Jan 20, 2024 20:35:55.071039915 CET	192.168.2.4	1.1.1.1	0x85d0	Standard query (0)	ipbase.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 20, 2024 20:35:54.473994970 CET	1.1.1.1	192.168.2.4	0x9fc	No error (0)	freegeoip.app	104.21.73.97	A (IP address)	IN (0x0001)	false
Jan 20, 2024 20:35:54.473994970 CET	1.1.1.1	192.168.2.4	0x9fc	No error (0)	freegeoip.app	172.67.160.84	A (IP address)	IN (0x0001)	false
Jan 20, 2024 20:35:55.192543983 CET	1.1.1.1	192.168.2.4	0x85d0	No error (0)	ipbase.com	104.21.85.189	A (IP address)	IN (0x0001)	false
Jan 20, 2024 20:35:55.192543983 CET	1.1.1.1	192.168.2.4	0x85d0	No error (0)	ipbase.com	172.67.209.71	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

freegeoip.app

ipbase.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49729	104.21.73.97	443	6444	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-20 19:35:54 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-01-20 19:35:55 UTC	627	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 20 Jan 2024 19:35:54 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Sat, 20 Jan 2024 20:35:54 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hy%2B0oN%2BuuIEKRSmvNB6qMqeaeSpwtLXH3flRtrxS9oxs3mZyi8h86Lk9wuXTQrCjF6Hju0nTda80tSGnmxLVChY9jPXgQoU4lR%2FZ%2BSdm%2F6ff14NzBHutY%2FZi4jq7YKjI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8489c368ab4f4583-ATL alt-svc: h3=":443"; ma=86400
2024-01-20 19:35:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49730	104.21.85.189	443	6444	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-20 19:35:55 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2024-01-20 19:35:55 UTC	729	IN	HTTP/1.1 404 Not Found Date: Sat, 20 Jan 2024 19:35:55 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 49123 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; hit Vary: Accept-Encoding X-Nf-Request-Id: 01HMM5YR1DAQMYCA70A6AA4ATM CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3wp7UdVjfhykbLXgoIlI8oIM1dBON1pwjBVPUumt92WKQBMqsGwRABVDKGzSsQTUra6UlPTwUT1CdazoBSdA97z56uNNokOWx8pXjeL5dhM9QUOqMTy0BLz4vF2m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8489c36cd931673c-ATL alt-svc: h3=":443"; ma=86400
2024-01-20 19:35:55 UTC	640	IN	Data Raw: 63 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d Data Ascii: c09<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-01-20 19:35:55 UTC	1369	IN	Data Raw: 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 76 68 3b 0a Data Ascii: } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100vh;
2024-01-20 19:35:55 UTC	1079	IN	Data Raw: 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34 39 33 36 20 4c 39 Data Ascii: h fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936 L9
2024-01-20 19:35:55 UTC	6	IN	Data Raw: 31 0d 0a 0a 0d 0a Data Ascii: 1
2024-01-20 19:35:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	20:35:45
Start date:	20/01/2024
Path:	C:\Users\user\Desktop\64drop.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\64drop.exe
Imagebase:	0x9e0000
File size:	1'778'157 bytes
MD5 hash:	8919A3EBFB67CC3D12F475BAA82CA476
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:35:46
Start date:	20/01/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe"
Imagebase:	0xf30000
File size:	1'289'216 bytes
MD5 hash:	23D86A9388B2473D0B8C8D8C75DE793C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_44CaliberStealer, Description: Yara detected 44Caliber Stealer, Source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmp, Author: ditekSHen Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000001.00000002.1718689420.0000000005B58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000001.00000002.1718689420.0000000005BC3000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs Detection: 49%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 009F4968 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 202
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009E6BE4: GetModuleHandleW.KERNEL32(kernel32), ref: 009E6BFD
Part of subcall function 009E6BE4: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009E6C0F
Part of subcall function 009E6BE4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009E6C40

Part of subcall function 009F115D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 009F1165

Part of subcall function 009F181B: OleInitialize.OLE32(00000000), ref: 009F1834
Part of subcall function 009F181B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 009F186B
Part of subcall function 009F181B: SHGetMalloc.SHELL32(00A2F948), ref: 009F1875

GetCommandLineW.KERNEL32 ref: 009F49A7
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 009F49D1
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 009F49E2
UnmapViewOfFile.KERNEL32(00000000), ref: 009F4A33

Part of subcall function 009F4676: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 009F468C
Part of subcall function 009F4676: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 009F46C8

Part of subcall function 009E5A27: _wcslen.LIBCMT ref: 009E5A4B

CloseHandle.KERNEL32(00000000), ref: 009F4A3A
GetModuleFileNameW.KERNEL32(00000000,00A46210,00000800), ref: 009F4A54
SetEnvironmentVariableW.KERNELBASE(sfxname,00A46210), ref: 009F4A60
GetLocalTime.KERNEL32(?), ref: 009F4A6B
_swprintf.LIBCMT ref: 009F4AAA
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 009F4ABF
GetModuleHandleW.KERNEL32(00000000), ref: 009F4AC6
LoadIconW.USER32(00000000,00000064), ref: 009F4ADD
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00012350,00000000), ref: 009F4B2E
Sleep.KERNEL32(?), ref: 009F4B5C
DeleteObject.GDI32 ref: 009F4B95
DeleteObject.GDI32(?), ref: 009F4BA5
CloseHandle.KERNEL32 ref: 009F4BE8

Strings

sfxstime, xrefs: 009F4ABA
winrarsfxmappingfile.tmp, xrefs: 009F49C5
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 009F4A9B
STARTDLG, xrefs: 009F4B23
sfxname, xrefs: 009F4A5B

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-3710569615
Opcode ID: e41d16bc765923bd03bb00a0fe0359ad5fb021b1b45ff19475bfe927a3259615
Instruction ID: de12843a50d8c3e67efa82d99217ebdd743f5d1d291d95066330680141fec47d
Opcode Fuzzy Hash: e41d16bc765923bd03bb00a0fe0359ad5fb021b1b45ff19475bfe927a3259615
Instruction Fuzzy Hash: 7061E575544358BBD311EBE5EC49F7B3BACABD6345F000529F680921A2DB75CC42C762

Uniqueness

Uniqueness Score: -1.00%

Function 009F11D2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,009F22AD,00000066), ref: 009F11E5
SizeofResource.KERNEL32(00000000,?,?,?,009F22AD,00000066), ref: 009F11FC
LoadResource.KERNEL32(00000000,?,?,?,009F22AD,00000066), ref: 009F1213
LockResource.KERNEL32(00000000,?,?,?,009F22AD,00000066), ref: 009F1222
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,009F22AD,00000066), ref: 009F123D
GlobalLock.KERNEL32(00000000,?,?,?,?,?,009F22AD,00000066), ref: 009F124E
GlobalUnlock.KERNEL32(00000000), ref: 009F12D6

Part of subcall function 009F1136: GdipAlloc.GDIPLUS(00000010), ref: 009F113C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 009F12B7
GlobalFree.KERNEL32(00000000), ref: 009F12DD

Strings

PNG, xrefs: 009F11D6

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: f36c592f03f043ce42cd23174221220181e3b2d644ce2e701c209f42680ef99c
Instruction ID: 7724b57e9b0a86a57cf0b98a4951e95765b12b317333415edf0acb395a1df34f
Opcode Fuzzy Hash: f36c592f03f043ce42cd23174221220181e3b2d644ce2e701c209f42680ef99c
Instruction Fuzzy Hash: D5315E7560071AEFD711DFE1EC489ABBABCFF85760B004919FA55D2261EB31D802CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E2C15 Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 009E2C3E

Part of subcall function 009E35E5: _wcslen.LIBCMT ref: 009E3609

FindFirstFileW.KERNELBASE(?,?,?,?,00000800), ref: 009E2C6C
GetLastError.KERNEL32(?,?,00000800), ref: 009E2C78
FindNextFileW.KERNEL32(?,?), ref: 009E2CA2
GetLastError.KERNEL32 ref: 009E2CAE

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 847bd5ff10acb1a835c5eb9f5f9d75e8e561a975b9e05c4c0e2fef6854f62c90
Instruction ID: 5e7722f5a964ef15717606fb6081e6b90a6500df23513f6dc7a7418e342206c4
Opcode Fuzzy Hash: 847bd5ff10acb1a835c5eb9f5f9d75e8e561a975b9e05c4c0e2fef6854f62c90
Instruction Fuzzy Hash: E9417D72900559ABCB26DF64CC84BEEB3BCBB48350F104596E99DE3201D734AE85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 009F1981 Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F1C99: GetCurrentProcess.KERNEL32(00020008,009F1996,?,?,?,?,009F1996,?), ref: 009F1CA8
Part of subcall function 009F1C99: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,009F1996,?), ref: 009F1CAF
Part of subcall function 009F1C99: GetTokenInformation.KERNELBASE(009F1996,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,009F1996,?), ref: 009F1CC9
Part of subcall function 009F1C99: GetLastError.KERNEL32(?,?,?,?,009F1996,?), ref: 009F1CD3
Part of subcall function 009F1C99: GetTokenInformation.KERNELBASE(009F1996,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,009F1996,?), ref: 009F1CF7
Part of subcall function 009F1C99: CopySid.ADVAPI32(00000044,009F1996,00000000,?,?,?,?,?,009F1996,?), ref: 009F1D08

SetEntriesInAclW.ADVAPI32(00000001,11060000,00000000,?,?,?,?), ref: 009F19D8
InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?), ref: 009F19E7
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,?,?), ref: 009F19FA
CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?), ref: 009F1A1B
LocalFree.KERNEL32(?,?,?,?), ref: 009F1A29

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Token$DescriptorInformationProcessSecurity$CopyCreateCurrentDaclDirectoryEntriesErrorFreeInitializeLastLocalOpen
String ID:
API String ID: 2740647886-0
Opcode ID: 0a0ac444d6cbec6d644605edfc84378bb7ace7604d28ae0785d44fc8e10b3d66
Instruction ID: 31b293cae472b9560f8b47d231b32c813daae25db817f6eca1dfcb0e35a66b13
Opcode Fuzzy Hash: 0a0ac444d6cbec6d644605edfc84378bb7ace7604d28ae0785d44fc8e10b3d66
Instruction Fuzzy Hash: AA21C4B5C0121DEADF21CFA5D948AEEBBBCFF85700F10806AE905E2110D7759B46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009FE3C2 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,009FE398,00000003,00A11D50,0000000C,009FE4EF,00000003,00000002,00000000,?,009FF382,00000003), ref: 009FE3E3
TerminateProcess.KERNEL32(00000000,?,009FE398,00000003,00A11D50,0000000C,009FE4EF,00000003,00000002,00000000,?,009FF382,00000003), ref: 009FE3EA
ExitProcess.KERNEL32 ref: 009FE3FC

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 360914952deec7436ba919c34427a3c0acc729e8241617174447baac84f99e99
Instruction ID: b5d9ab35797207a5a06e01ed027294a4a43766a59b21f59347ef989dae00f09f
Opcode Fuzzy Hash: 360914952deec7436ba919c34427a3c0acc729e8241617174447baac84f99e99
Instruction Fuzzy Hash: 59E0B63151029CABCF15AFA8DE4DA5A3B6AEB44391B044814FE158B172CB75ED53CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009F2350 Relevance: 102.2, APIs: 49, Strings: 9, Instructions: 730windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F2355

Part of subcall function 009E11C6: GetDlgItem.USER32(00000000,00003021), ref: 009E120A
Part of subcall function 009E11C6: SetWindowTextW.USER32(00000000,00A09584), ref: 009E1220

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009F2441
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F245F
IsDialogMessageW.USER32(?,?), ref: 009F2472
TranslateMessage.USER32(?), ref: 009F2480
DispatchMessageW.USER32(?), ref: 009F248A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 009F24AD
EndDialog.USER32(?,00000001), ref: 009F24D0
GetDlgItem.USER32(?,00000068), ref: 009F24F3
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 009F250E
SendMessageW.USER32(00000000,000000C2,00000000,00A09584), ref: 009F2521

Part of subcall function 009F3F05: _wcslen.LIBCMT ref: 009F3F2F

SetFocus.USER32(00000000), ref: 009F2528
_swprintf.LIBCMT ref: 009F2587

Part of subcall function 009E2AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E2AB5

GetLastError.KERNEL32(00000000,?), ref: 009F25EA
GetLastError.KERNEL32(?,00000000,?), ref: 009F2612
GetTickCount.KERNEL32 ref: 009F2630
_swprintf.LIBCMT ref: 009F2648
GetLastError.KERNEL32 ref: 009F267A
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,?), ref: 009F26CD
_swprintf.LIBCMT ref: 009F2704
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 009F2758
GetCommandLineW.KERNEL32 ref: 009F276E
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00A3696A,00000400,00000001,00000001), ref: 009F27C5
ShellExecuteExW.SHELL32(0000003C), ref: 009F27ED
WaitForInputIdle.USER32(?,00002710), ref: 009F2821
Sleep.KERNEL32(00000064), ref: 009F2835
UnmapViewOfFile.KERNEL32(?,?,0000421C,00A3696A,00000400), ref: 009F285E
CloseHandle.KERNEL32(00000000), ref: 009F2867
_swprintf.LIBCMT ref: 009F289A
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009F28F9
SetDlgItemTextW.USER32(?,00000065,00A09584), ref: 009F2910
GetDlgItem.USER32(?,00000065), ref: 009F2919
GetWindowLongW.USER32(00000000,000000F0), ref: 009F2928
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009F2937
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009F29E4
_wcslen.LIBCMT ref: 009F2A3A
_swprintf.LIBCMT ref: 009F2A64
SendMessageW.USER32(?,00000080,00000001,?), ref: 009F2AAE
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 009F2AC8
GetDlgItem.USER32(?,00000068), ref: 009F2AD1
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 009F2AE7
GetDlgItem.USER32(?,00000066), ref: 009F2B01
SetWindowTextW.USER32(00000000,00A38D8A), ref: 009F2B23
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 009F2B78
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009F2B8B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_00012130,00000000,?), ref: 009F2C2E
EnableWindow.USER32(00000000,00000000), ref: 009F2D08
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 009F2D4A

Part of subcall function 009F31F1: __EH_prolog.LIBCMT ref: 009F31F6

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009F2D6E

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 009F26F3
winrarsfxmappingfile.tmp, xrefs: 009F272E
STARTDLG, xrefs: 009F2371
__tmp_rar_sfx_access_check_%u, xrefs: 009F2637
<, xrefs: 009F270C
"%s"%s, xrefs: 009F2889
%s, xrefs: 009F2A54
LICENSEDLG, xrefs: 009F2C23
@, xrefs: 009F2719

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellSleepTickTranslateUnmapWait__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3103142498-1645151803
Opcode ID: e16ed3f17559f3d5d471be802298838f869a93b149b887e5fb2f32012c8219e6
Instruction ID: d733ebb9b1af2577d834e3ca86504bf7e03d4200b915aa9b6a9108a7ca72ef9c
Opcode Fuzzy Hash: e16ed3f17559f3d5d471be802298838f869a93b149b887e5fb2f32012c8219e6
Instruction Fuzzy Hash: 1542A575A44348BEEB21DBA49C4AFBE377CAB91700F144165F740A60E2C7B94D86CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009E6BE4 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 009E6BFD
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009E6C0F
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009E6C40
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 009E6EEA
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009E6F04
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 009E6F14
ReadFile.KERNEL32(00000000,?,00007FFE,00A0987C,00000000), ref: 009E6F32
CloseHandle.KERNEL32(00000000), ref: 009E6F8A
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 009E6F9F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00A0987C,?,00000000,?,00000800), ref: 009E6FF3
GetFileAttributesW.KERNELBASE(?,?,00A0987C,00000800,?,00000000,?,00000800), ref: 009E701D
GetFileAttributesW.KERNEL32(?,?,00A09944,00000800), ref: 009E7059

Part of subcall function 009E6B9C: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009E6BB7
Part of subcall function 009E6B9C: LoadLibraryW.KERNELBASE(?,?,009E590F,Crypt32.dll,00000000,009E5989,?,?,009E596C,00000000,00000000,?,00000000), ref: 009E6BD9

_swprintf.LIBCMT ref: 009E70CB
_swprintf.LIBCMT ref: 009E7117

Part of subcall function 009E2AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E2AB5

AllocConsole.KERNEL32 ref: 009E711F
GetCurrentProcessId.KERNEL32 ref: 009E7129
AttachConsole.KERNEL32(00000000), ref: 009E7130
_wcslen.LIBCMT ref: 009E7145
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 009E7156
WriteConsoleW.KERNEL32(00000000), ref: 009E715D
Sleep.KERNEL32(00002710), ref: 009E7168
FreeConsole.KERNEL32 ref: 009E716E
ExitProcess.KERNEL32 ref: 009E7176

Strings

DXGIDebug.dll, xrefs: 009E6C7D, 009E6FDF
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 009E7105
uxtheme.dll, xrefs: 009E7098
SetDllDirectoryW, xrefs: 009E6C09
dwmapi.dll, xrefs: 009E6CA8, 009E708E
kernel32, xrefs: 009E6BF4
SetDefaultDllDirectories, xrefs: 009E6C3A

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 92355b89d315db847583c107b634e995b6e653ef5505365f833e93d869754421
Instruction ID: 0f6aa1d4b6ad0ffab6df72a2ecba425382735ac189de16fd92e3b1367a37e1e4
Opcode Fuzzy Hash: 92355b89d315db847583c107b634e995b6e653ef5505365f833e93d869754421
Instruction Fuzzy Hash: 3CD173B1508388AFD731DF91E848BDFBBECBB85344F50491DF18996292D7B08949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009E3FF7 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E4000
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 009E403C

Part of subcall function 009E3919: _wcslen.LIBCMT ref: 009E3921

Part of subcall function 009E6934: _wcslen.LIBCMT ref: 009E693A

Part of subcall function 009E7956: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,009E35CB,00000000,?,?), ref: 009E7972

_wcslen.LIBCMT ref: 009E4379
__fprintf_l.LIBCMT ref: 009E44AC

Strings

, xrefs: 009E42FC
*messages***, xrefs: 009E4151
a, xrefs: 009E41A6
*messages***, xrefs: 009E418A
@%s:, xrefs: 009E4496, 009E44A2
$%s:, xrefs: 009E448F
RTL, xrefs: 009E446E
R, xrefs: 009E419C
,, xrefs: 009E44E7

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 2498d71e5da23ea4cb5c2afd97b07480228d4cb734589ca2daa09ee3859cabf5
Instruction ID: 61c6561905c35f99ea110876b5a35f2258d5f18324336ed5cd917fa3c5c681e3
Opcode Fuzzy Hash: 2498d71e5da23ea4cb5c2afd97b07480228d4cb734589ca2daa09ee3859cabf5
Instruction Fuzzy Hash: 75320F71900298EBCF26EF65CC45BEE37A8FF55700F40456AFA0597291EB729D84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009F3F86 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F20D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009F20E9
Part of subcall function 009F20D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F20FA
Part of subcall function 009F20D8: IsDialogMessageW.USER32(?,?), ref: 009F210E
Part of subcall function 009F20D8: TranslateMessage.USER32(?), ref: 009F211C
Part of subcall function 009F20D8: DispatchMessageW.USER32(?), ref: 009F2126

GetDlgItem.USER32(00000068,00A47248), ref: 009F3F9A
ShowWindow.USER32(00000000,00000005,?,?,?,009F1B0D,00000001,?,?,009F2329,00A0ADA0,00A47248,00A47248,00001000,00000000,00000000), ref: 009F3FC2
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 009F3FCD
SendMessageW.USER32(00000000,000000C2,00000000,00A09584), ref: 009F3FDB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009F3FF1
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 009F400B
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009F404F
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 009F405D
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009F406C
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009F4093
SendMessageW.USER32(00000000,000000C2,00000000,00A09F1C), ref: 009F40A2

Strings

\, xrefs: 009F3FFB

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 008b60a1e65d0f0eb7826166b334511b0ce251d7dc4c7c21ca8576eab9ff1255
Instruction ID: 8768c56aa0b52016a931ce02fe1da4620f9f213595de6829515fc87e609570b9
Opcode Fuzzy Hash: 008b60a1e65d0f0eb7826166b334511b0ce251d7dc4c7c21ca8576eab9ff1255
Instruction Fuzzy Hash: C7310175185340BFE321DF64AC08FAB3FACEBD2314F000528F652962A0C766494EC7A7

Uniqueness

Uniqueness Score: -1.00%

Function 009E8FC3 Relevance: 20.6, APIs: 5, Strings: 6, Instructions: 1383COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E8FCC
_wcslen.LIBCMT ref: 009E94F1
__allrem.LIBCMT ref: 009E9764
__allrem.LIBCMT ref: 009E97E4
_wcslen.LIBCMT ref: 009E9F60

Strings

zip, xrefs: 009E966C, 009E9676
z01, xrefs: 009E95A0, 009E95AA
AES-0017, xrefs: 009E93C5
zipx, xrefs: 009E9665
zx01, xrefs: 009E9599
x, xrefs: 009E90A6

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: __allrem_wcslen$H_prolog
String ID: AES-0017$x$z01$zip$zipx$zx01
API String ID: 2085098250-2742067682
Opcode ID: ad9cca37f24403b3b54abf8a42d6bdc6c4b507d1ed21bdc2ce048a347b7f1e20
Instruction ID: 51dcd85db1e25eda16fbc798be24c0f038ddead80618c2ff7e1e725904354e52
Opcode Fuzzy Hash: ad9cca37f24403b3b54abf8a42d6bdc6c4b507d1ed21bdc2ce048a347b7f1e20
Instruction Fuzzy Hash: 69B2C074900294AFDB26DFAADC85ABD77B9FB99304F14402AF805D72A1E734DC82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009F424F Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 184
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 009F426E
ShellExecuteExW.SHELL32(?), ref: 009F439E
IsWindowVisible.USER32(?), ref: 009F43D1
ShowWindow.USER32(?,00000000), ref: 009F43DD
WaitForInputIdle.USER32(?,000007D0), ref: 009F43EE
GetExitCodeProcess.KERNEL32(?,?), ref: 009F4419
CloseHandle.KERNEL32(?), ref: 009F443F
ShowWindow.USER32(?,00000001), ref: 009F44A1

Strings

.exe, xrefs: 009F4449
.inf, xrefs: 009F435A

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
String ID: .exe$.inf
API String ID: 3646668279-3750412487
Opcode ID: 7be3d57e7ec74b07e9764c6a0b658c75abe98e3b1a0afe4ab7af3fc05fbe0d9d
Instruction ID: 9936475adaaf690967caf33bd57ddd3e4a5f70c75aa5a6992a89e18bf04f04f1
Opcode Fuzzy Hash: 7be3d57e7ec74b07e9764c6a0b658c75abe98e3b1a0afe4ab7af3fc05fbe0d9d
Instruction Fuzzy Hash: F051E6341083889ADB31DF61D8447BB7BECAF81754F04481DF7C0A72A1D7B58D859B52

Uniqueness

Uniqueness Score: -1.00%

Function 00A00D74 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009FBD5E,009FBD5E,?,?,?,00A00FC5,00000001,00000001,F4E85006), ref: 00A00DCE
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A00FC5,00000001,00000001,F4E85006,?,?,?), ref: 00A00E54
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A00F4E
__freea.LIBCMT ref: 00A00F5B

Part of subcall function 009FF9E5: RtlAllocateHeap.NTDLL(00000000,?,?,?,009FA7E9,?,0000015D,?,?,?,?,009FBCC5,000000FF,00000000,?,?), ref: 009FFA17

__freea.LIBCMT ref: 00A00F64
__freea.LIBCMT ref: 00A00F89

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2d38bb5245d2b1e207722cb4ad0dd7a4e83088abeb220ad3c7d9470fe0f50db2
Instruction ID: d9cbf2d3e50cede4634e2192ee82febd4ee9024da7b5a1de730c40f2f539227f
Opcode Fuzzy Hash: 2d38bb5245d2b1e207722cb4ad0dd7a4e83088abeb220ad3c7d9470fe0f50db2
Instruction Fuzzy Hash: DF519E7260021FABDB258F64EC81FAB77A9EB44750F194629FD08D61D0EB74DC50E6A0

Uniqueness

Uniqueness Score: -1.00%

Function 009E723D Relevance: 9.1, APIs: 6, Instructions: 98
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 009E7295

Part of subcall function 009E2D8E: GetVersionExW.KERNEL32(?), ref: 009E2DB3

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009E72B9
FileTimeToSystemTime.KERNEL32(?,?), ref: 009E72D3
TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 009E72E6
SystemTimeToFileTime.KERNEL32(?,?), ref: 009E72F6
SystemTimeToFileTime.KERNEL32(?,?), ref: 009E7306

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 82879cc0a16220a8540bdc405ec1672db69f9ececc26d357fe86edfd0866f8af
Instruction ID: 56a56a182c506606d2c20d2c7483926723b8fdd63c75e27bd664f89a73e98617
Opcode Fuzzy Hash: 82879cc0a16220a8540bdc405ec1672db69f9ececc26d357fe86edfd0866f8af
Instruction Fuzzy Hash: 9531EA75108356AFC704DFA9D88499BB7E8BF88754F00591EF999C3210E730D949CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 009F1C99 Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00020008,009F1996,?,?,?,?,009F1996,?), ref: 009F1CA8
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,009F1996,?), ref: 009F1CAF
GetTokenInformation.KERNELBASE(009F1996,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,009F1996,?), ref: 009F1CC9
GetLastError.KERNEL32(?,?,?,?,009F1996,?), ref: 009F1CD3
GetTokenInformation.KERNELBASE(009F1996,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,009F1996,?), ref: 009F1CF7
CopySid.ADVAPI32(00000044,009F1996,00000000,?,?,?,?,?,009F1996,?), ref: 009F1D08

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Token$InformationProcess$CopyCurrentErrorLastOpen
String ID:
API String ID: 3984476752-0
Opcode ID: 90cfcd85f973375e0d59848bef32fd650e186f375fd1a2155b06ae5bd92edc6e
Instruction ID: c41ce8be430d603c868f88a45c70cd718cba634021a7572512ea8685058575b8
Opcode Fuzzy Hash: 90cfcd85f973375e0d59848bef32fd650e186f375fd1a2155b06ae5bd92edc6e
Instruction Fuzzy Hash: 67015B79640108FFEB159FE0AC89EEE7B7DEB55340F200015F606A10A1D7728E41ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F46D3 Relevance: 9.0, APIs: 6, Instructions: 42
windowsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 009F46DF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009F46F9
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F470A
TranslateMessage.USER32(?), ref: 009F4714
DispatchMessageW.USER32(?), ref: 009F471E
WaitForSingleObject.KERNEL32(?,0000000A), ref: 009F4729

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: e29a7cca054c80dcd0585693801f2cc98a920a23896fd624dda0e7bb1b813e87
Instruction ID: 7435d22740c7a9de0470fd957fcd394ebd6aa6b1056ccd025973308d28bfdbd8
Opcode Fuzzy Hash: e29a7cca054c80dcd0585693801f2cc98a920a23896fd624dda0e7bb1b813e87
Instruction Fuzzy Hash: C2F03C76A0112DABDB20ABE5DC8DDDB7F6DEF92391B004011F606D2050E6358546CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F3939 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 009F394F

Part of subcall function 009E31E2: _wcslen.LIBCMT ref: 009E31E8

_swprintf.LIBCMT ref: 009F3983

Part of subcall function 009E2AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E2AB5

SetDlgItemTextW.USER32(?,00000066,00A37D82), ref: 009F39A3
EndDialog.USER32(?,00000001), ref: 009F3AB0

Strings

%s%s%u, xrefs: 009F3978

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: ec7bfe078c01b8fb879f511629919890378782623f5c6b4a233f840c837566f5
Instruction ID: 6fbb8ec509d1dab7f1ce355812503f2f9b9e0b9a21b5ce008b95fdbbd2a0a8d7
Opcode Fuzzy Hash: ec7bfe078c01b8fb879f511629919890378782623f5c6b4a233f840c837566f5
Instruction Fuzzy Hash: EF418CB190025DAADF21DB95DC40FFE77BCEB54340F4080A6FA08A7081EB799B848F61

Uniqueness

Uniqueness Score: -1.00%

Function 009F181B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009E6B9C: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009E6BB7
Part of subcall function 009E6B9C: LoadLibraryW.KERNELBASE(?,?,009E590F,Crypt32.dll,00000000,009E5989,?,?,009E596C,00000000,00000000,?,00000000), ref: 009E6BD9

OleInitialize.OLE32(00000000), ref: 009F1834
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 009F186B
SHGetMalloc.SHELL32(00A2F948), ref: 009F1875

Strings

3To, xrefs: 009F184C
riched20.dll, xrefs: 009F1823

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 66ba9d7f0714acbec28257f054635f4ca0da3a03836d143ff8bc83334213ae51
Instruction ID: c6d75e7e58905b981fe05fa3b74fc6aa54df282bd85f429e75840f914bb38276
Opcode Fuzzy Hash: 66ba9d7f0714acbec28257f054635f4ca0da3a03836d143ff8bc83334213ae51
Instruction Fuzzy Hash: 8BF04FB9D00209ABDB10AF99D849AAFFBFCEFD5300F00402AE414E2240D7B556058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E1EE0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000), ref: 009E1F5F
GetLastError.KERNEL32 ref: 009E1F6C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800), ref: 009E1FA2
GetLastError.KERNEL32 ref: 009E1FAA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000), ref: 009E1FF9

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: c969b4f55fafcc57a56ec915d3a3c6f14cd8d11764a8b8c35eb35c97050a3daa
Instruction ID: bd228858bf62a91a96d28040b559d72ab360a4392dc4e72a1f4608dfb73c0859
Opcode Fuzzy Hash: c969b4f55fafcc57a56ec915d3a3c6f14cd8d11764a8b8c35eb35c97050a3daa
Instruction Fuzzy Hash: 3E311130544785AFE321CF26CC45BEABBA8FB44320F200B19F9A5961D1C7B4AD89CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 009F20D8 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009F20E9
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F20FA
IsDialogMessageW.USER32(?,?), ref: 009F210E
TranslateMessage.USER32(?), ref: 009F211C
DispatchMessageW.USER32(?), ref: 009F2126

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 264743d525de62f9495d119ccd15c558687c041d9099a2102532ea5a5a6096fa
Instruction ID: f10713ae80538a1d5c7a889cd55e2ec1aa580c99da4a50a836e322c7f3a30913
Opcode Fuzzy Hash: 264743d525de62f9495d119ccd15c558687c041d9099a2102532ea5a5a6096fa
Instruction Fuzzy Hash: 40F03079A01119AB9B20DBF6DC4CEEB7F7CEE962507004014B605D2040E779D506C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 009F16C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000050), ref: 009F16D7
SHAutoComplete.SHLWAPI(?,00000010), ref: 009F170E

Part of subcall function 009E7D7D: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,009E3108,?,?,?,009E30B5,?,-00000002,?,00000000,?), ref: 009E7D93

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 009F16FE

Strings

EDIT, xrefs: 009F16E2, 009F16ED, 009F16FA

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: a5c3b5edc8330ce3713e394219f1afeccdee5e2e3eac1265ab52f88074c397ab
Instruction ID: 5aa09adec5fa2de0ba98dc41bf3e900f047da467be48d513bd93ce3da5deb048
Opcode Fuzzy Hash: a5c3b5edc8330ce3713e394219f1afeccdee5e2e3eac1265ab52f88074c397ab
Instruction Fuzzy Hash: ABF08236640728B7DB30A6559C09FAB766C9FD6B40F040015BA45F20D0D765990286F6

Uniqueness

Uniqueness Score: -1.00%

Function 009F4676 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 009F468C
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 009F46C8

Strings

sfxcmd, xrefs: 009F4687
sfxpar, xrefs: 009F46C3

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 799b7e548d47c50fe11edd77a63b786f1741b3ad4f168c11065999656c08d883
Instruction ID: 634eaed32c825b4e32e22194117834f8865ea8308735514c88a049b894a52b94
Opcode Fuzzy Hash: 799b7e548d47c50fe11edd77a63b786f1741b3ad4f168c11065999656c08d883
Instruction Fuzzy Hash: 20F0E57290033CB6DF216B95DC0ABBB7BACAF55B81B000511FE88D6082D7648C41C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 009FA007 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,009F9FB8,00000000,?,00A49614,?,?,?,009FA15B,00000004,InitializeCriticalSectionEx,00A0C0B4,InitializeCriticalSectionEx), ref: 009FA014
GetLastError.KERNEL32(?,009F9FB8,00000000,?,00A49614,?,?,?,009FA15B,00000004,InitializeCriticalSectionEx,00A0C0B4,InitializeCriticalSectionEx,00000000,?,009F9DA2), ref: 009FA01E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 009FA046

Strings

api-ms-, xrefs: 009FA02B

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d102f051fa8a6a46aa54acc66cdacca32705c5839e23d1d483a4ec8a6293513a
Instruction ID: 0fb657e2dd8e9c19fb651337accfb33c0501b2e6ac0c90d854047f0de627bf2c
Opcode Fuzzy Hash: d102f051fa8a6a46aa54acc66cdacca32705c5839e23d1d483a4ec8a6293513a
Instruction Fuzzy Hash: F0E048707C420DFBEF201F90FD0AB793B59BB01B50F144020FE0DA40E1DBA29852D645

Uniqueness

Uniqueness Score: -1.00%

Function 009ED2E8 Relevance: 6.3, APIs: 4, Instructions: 307COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009ED3B2
_strncpy.LIBCMT ref: 009ED49A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009ED4D8
_strncpy.LIBCMT ref: 009ED5B1

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _strncpy$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 2527496121-0
Opcode ID: 68be70dfb966b01a6805ec0a19e3bb824aa465e93b7c207a29034b2408531959
Instruction ID: 4a37f726f8ea9d0ae8747e887be8a290857d942f787e07d38c620d6fb8e9ee86
Opcode Fuzzy Hash: 68be70dfb966b01a6805ec0a19e3bb824aa465e93b7c207a29034b2408531959
Instruction Fuzzy Hash: 0BB18CB16153519FD325DFADDC90A3A77A5FB98308B00093DF855932A0FB34AD478B92

Uniqueness

Uniqueness Score: -1.00%

Function 009E1D95 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009E1DA5
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009E1DBD
GetLastError.KERNEL32 ref: 009E1DEF
GetLastError.KERNEL32 ref: 009E1E0E

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: d9d66d4dfadb8aa1ffafa2417350a594206938e39771e79932fbc5bf1c08ebb5
Instruction ID: b13e8f6409646e54a1222e1dd339b95bab92600a68eed2b59b3741de23db20fc
Opcode Fuzzy Hash: d9d66d4dfadb8aa1ffafa2417350a594206938e39771e79932fbc5bf1c08ebb5
Instruction Fuzzy Hash: 49118E34A00694EBCF269FA6CC04AAA37ADFB45321F104A2EF826C61D0D7748E85DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A01144 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,009FA652,00000000,00000000,?,00A010EB,009FA652,00000000,00000000,00000000,?,00A012E8,00000006,FlsSetValue), ref: 00A01176
GetLastError.KERNEL32(?,00A010EB,009FA652,00000000,00000000,00000000,?,00A012E8,00000006,FlsSetValue,00A0D690,FlsSetValue,00000000,00000364,?,009FF837), ref: 00A01182
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A010EB,009FA652,00000000,00000000,00000000,?,00A012E8,00000006,FlsSetValue,00A0D690,FlsSetValue,00000000), ref: 00A01190

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9b2146098112b5fce9cd912a3328ac31874a6d776b81dee41d1d1adbfe9b3902
Instruction ID: 41c02289b94248e8274d026f2a879c3c0feba736ac41cdb74079caba99edaa22
Opcode Fuzzy Hash: 9b2146098112b5fce9cd912a3328ac31874a6d776b81dee41d1d1adbfe9b3902
Instruction Fuzzy Hash: EE01AC3675122E9BC7258BA8BC84A977B6CAF457617100728FA0AD71C1D721D802C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 009E251A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000000,009EAFDE,?,?,?,?,?,009EB798,00A1E5AC,?,009EC12B,00010000), ref: 009E253E
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 009E2585
WriteFile.KERNELBASE(00000008,?,009EC12B,00010000,00000000,02B1F091,?,?,?,00000000,00000000,009EAFDE,?,?,?,?), ref: 009E25B1

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 37196598a798c533b711639ba50532987d9f27fdf3d9334cbc024442576d553f
Instruction ID: 2cafe70ec1d31e0c3703ecb851c0e82420324e6c42ffc4c591f53273448f4401
Opcode Fuzzy Hash: 37196598a798c533b711639ba50532987d9f27fdf3d9334cbc024442576d553f
Instruction Fuzzy Hash: 9C31D131104386AFDB16CF15D928BAE77AEFB85714F04491DF88157290CB74DD49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009E2810 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 009E38FD: _wcslen.LIBCMT ref: 009E3903

CreateDirectoryW.KERNELBASE(?,00000000,?), ref: 009E2837
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?), ref: 009E286A
GetLastError.KERNEL32(?,?), ref: 009E2887

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: c1122606427d84edbdc6aa045dfcecaec5de4d8721cba74e74ffcd8cd8e475c6
Instruction ID: dca1310c3ef2c711a2b832ff4a6c469c1e6da26fff2771f9f20fc52aadd49c82
Opcode Fuzzy Hash: c1122606427d84edbdc6aa045dfcecaec5de4d8721cba74e74ffcd8cd8e475c6
Instruction Fuzzy Hash: A201F7352002E43AEF2BABB68C4ABFE336C6F05780F084464FA46D6091DB64CE81C661

Uniqueness

Uniqueness Score: -1.00%

Function 00A01CA3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00A01CC8

Strings

, xrefs: 00A01D0D

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 1b89ee60b31ab6bf5166808042c428db6551b9e3f17b3a239d5d3e77bc44ae9b
Instruction ID: 03caa62175915ac8120172fd737774df4d2c8df00b98dcfc6623503e94fee13f
Opcode Fuzzy Hash: 1b89ee60b31ab6bf5166808042c428db6551b9e3f17b3a239d5d3e77bc44ae9b
Instruction Fuzzy Hash: ED41087050434C9FDB228F64DC84BFABBFAEB45304F2404ECE58A87182E275AA45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A0137C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F4E85006,00000001,?,000000FF), ref: 00A013ED

Strings

LCMapStringEx, xrefs: 00A0138D, 00A01397

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: e3e05426bfa886c69b0434db3f9f0da5ec7fa23a41cdf4e7f600d2cb76e5268e
Instruction ID: 58e9a50a16d1afbde03811168b0e3204a3fbd18dabe6b35949943e9041985d72
Opcode Fuzzy Hash: e3e05426bfa886c69b0434db3f9f0da5ec7fa23a41cdf4e7f600d2cb76e5268e
Instruction Fuzzy Hash: 8301D33250021DBBCF02AF90ED05DEE3F66FB48750F054555FA18251A1CA769932AB85

Uniqueness

Uniqueness Score: -1.00%

Function 00A0131A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00A0091F), ref: 00A01365

Strings

InitializeCriticalSectionEx, xrefs: 00A0132B, 00A01335

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: edb95e3c3c548e161a9c69c369af36082e353a1b42336e943877e0367dcdbaa5
Instruction ID: 868b6ed337c0536b67ff73d0ef177e0bf4781095a68effb18e77814ec04cc588
Opcode Fuzzy Hash: edb95e3c3c548e161a9c69c369af36082e353a1b42336e943877e0367dcdbaa5
Instruction Fuzzy Hash: 2AF0BE32A4121CBBCF11AF90EC05DEEBF65EF48711F408069FD085A2B0CA724D129B84

Uniqueness

Uniqueness Score: -1.00%

Function 00A011BF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00A011FE

Strings

FlsAlloc, xrefs: 00A011D0, 00A011DA

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: edfa53a76177574fd0950e765b54563667810a33b21f941c905549025694a5e0
Instruction ID: 8f664cb444087115f98cdfd0deb3519be131159c4ef2caff70fb7c8bb222d75a
Opcode Fuzzy Hash: edfa53a76177574fd0950e765b54563667810a33b21f941c905549025694a5e0
Instruction Fuzzy Hash: FBE0E532B5121C7BC701AFA4BC06EEE7B64EB59711F414169F909572D1DE721D0286C9

Uniqueness

Uniqueness Score: -1.00%

Function 009F5608 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F561A

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Strings

3To, xrefs: 009F5608, 009F5614

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: 3To
API String ID: 697777088-245939750
Opcode ID: 19923770bd7f20295276096590453040dc92a0ae5a3ac05efdd5aa208c3cb3e9
Instruction ID: e4e1738722c6f3bbc403a0f373f013798764a65304b46c086868f69718e8f22c
Opcode Fuzzy Hash: 19923770bd7f20295276096590453040dc92a0ae5a3ac05efdd5aa208c3cb3e9
Instruction Fuzzy Hash: D8B012952BA4047C310452511D03E7A010CD4C0F123B18B3BF310C008194404C501337

Uniqueness

Uniqueness Score: -1.00%

Function 00A02000 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00A01BCB: GetOEMCP.KERNEL32(00000000,?,?,00A01E54,?), ref: 00A01BF6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A01E99,?,00000000), ref: 00A02074
GetCPInfo.KERNEL32(00000000,00A01E99,?,?,?,00A01E99,?,00000000), ref: 00A02087

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8412f509329bd89b778d0cc789b0245ac2dc399d249e55519d379a73062bcdef
Instruction ID: 3d7f0dfbf2d0a9bb041de286fc0c2d5f42c48f2959451d8c3f210625f4733ea3
Opcode Fuzzy Hash: 8412f509329bd89b778d0cc789b0245ac2dc399d249e55519d379a73062bcdef
Instruction Fuzzy Hash: 21512370A0034D9EDB208F75E8897FBBBE5EF41300F14426ED5968B1D1D7759946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E203C Relevance: 3.1, APIs: 2, Instructions: 134COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 009E21A2
GetLastError.KERNEL32 ref: 009E21B1

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cf81a796b6500625e8038f283e990af9e9a4261d4381da665477d0dcef81946e
Instruction ID: c7e711db1ea2d2e893a54d2b6962c2f385814e973dd2448583ca252738c6bd64
Opcode Fuzzy Hash: cf81a796b6500625e8038f283e990af9e9a4261d4381da665477d0dcef81946e
Instruction Fuzzy Hash: 274159706083C69BDB26DF66C884AAA73EDFF98362F10091DE945832C1D7B4DD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A01E37 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 009FF765: GetLastError.KERNEL32(?,?,009FABD7,?,?,?,009FA652,00000050), ref: 009FF769
Part of subcall function 009FF765: _free.LIBCMT ref: 009FF79C
Part of subcall function 009FF765: SetLastError.KERNEL32(00000000), ref: 009FF7DD
Part of subcall function 009FF765: _abort.LIBCMT ref: 009FF7E3

Part of subcall function 00A01F5E: _abort.LIBCMT ref: 00A01F90
Part of subcall function 00A01F5E: _free.LIBCMT ref: 00A01FC4

Part of subcall function 00A01BCB: GetOEMCP.KERNEL32(00000000,?,?,00A01E54,?), ref: 00A01BF6

_free.LIBCMT ref: 00A01EAF
_free.LIBCMT ref: 00A01EE5

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 2e1b6f81737a3d676d5138cd733fc57fcb9a832e0e77149f9a7b6f747cd2e68b
Instruction ID: 871c4108bf9d327a2fcd2b7b2990e73fd936a5c8ff9bfb8fa59c9c96793b118c
Opcode Fuzzy Hash: 2e1b6f81737a3d676d5138cd733fc57fcb9a832e0e77149f9a7b6f747cd2e68b
Instruction Fuzzy Hash: EB31613190420CAFDB10EBA8E981BEDB7F5AF85324F2541A9E9049B2D1EB729D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E23A2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 009E23BC
SetFileTime.KERNELBASE(?,?,?,?), ref: 009E2470

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 951f4b5f97e1c08fa4a388abd5ea863862efabe489355af63bcb6a7ccf79654a
Instruction ID: f3c7b0a283a2884d07edd4f00d36940ed298ffb5a59d05d46cbcfaaa03881540
Opcode Fuzzy Hash: 951f4b5f97e1c08fa4a388abd5ea863862efabe489355af63bcb6a7ccf79654a
Instruction Fuzzy Hash: BE21D0312483C59BC716DF66C891AABBBECAF95704F04481DF4C587191D329ED0DDB62

Uniqueness

Uniqueness Score: -1.00%

Function 009E1C7E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?), ref: 009E1CF6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800), ref: 009E1D26

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9949ec72d28dede8695f41fe152638c3b39ac1ac67c38343476c08a619caafaa
Instruction ID: 712a4f845bb45fbcedfd44602727f8ffccc945c46d9b6ad54113970aa3a357d6
Opcode Fuzzy Hash: 9949ec72d28dede8695f41fe152638c3b39ac1ac67c38343476c08a619caafaa
Instruction Fuzzy Hash: 6621B0B15443886EE3318A66CC89FF777ECEB49361F504A19FAE6C21D1C778AC848671

Uniqueness

Uniqueness Score: -1.00%

Function 009F9F67 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00A49614,?,?,?,009FA15B,00000004,InitializeCriticalSectionEx,00A0C0B4,InitializeCriticalSectionEx,00000000,?,009F9DA2,00A49614,00000FA0), ref: 009F9FEA
GetProcAddress.KERNEL32(00000000,?), ref: 009F9FF4

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 4d101c8d0c7ba4bc884aeb543551e58ded6a76d39caf5295bfcbe7f87dd6e4d4
Instruction ID: affc98a6822fcade89fc1bf3438fa7f9e51f788dad599e9070f4ddd5b0631380
Opcode Fuzzy Hash: 4d101c8d0c7ba4bc884aeb543551e58ded6a76d39caf5295bfcbe7f87dd6e4d4
Instruction Fuzzy Hash: D5116035A0551D9FCF12CFA4EC80AAA73A9FF463647250165EB06D7250E731DD02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009E2480 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 009E24C7
GetLastError.KERNEL32 ref: 009E24D4

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 62eca6fe1d15130762b07c8b9229313b4adf1da46e05599a7593e19fd66e4979
Instruction ID: 41c999e29be770df28f29ee477b06139c285852772dc614d08f22e1c9c9d8041
Opcode Fuzzy Hash: 62eca6fe1d15130762b07c8b9229313b4adf1da46e05599a7593e19fd66e4979
Instruction Fuzzy Hash: 5011CE30600250ABE7369B6ACC44B6AB3ECAB45370F604A28E152D25E0F774ED46C760

Uniqueness

Uniqueness Score: -1.00%

Function 009F1A35 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 009E3919: _wcslen.LIBCMT ref: 009E3921

Part of subcall function 009E7D9F: _wcslen.LIBCMT ref: 009E7DA7
Part of subcall function 009E7D9F: _wcslen.LIBCMT ref: 009E7DB8
Part of subcall function 009E7D9F: _wcslen.LIBCMT ref: 009E7DC8
Part of subcall function 009E7D9F: _wcslen.LIBCMT ref: 009E7DD6
Part of subcall function 009E7D9F: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,009E2F91,?,?,00000000,?,?,?), ref: 009E7DF1

Part of subcall function 009F1719: SetCurrentDirectoryW.KERNELBASE(?,009F1A78,00A36D80,00000000,00A37D82,00000006), ref: 009F171D

_wcslen.LIBCMT ref: 009F1A91
SHFileOperationW.SHELL32(?,?,?,?,?,00A37D82,00000006), ref: 009F1ACA

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryFileOperationString
String ID:
API String ID: 1016385243-0
Opcode ID: 726b27d1c459608a1c3fba11e2ea58afb5d14523b4cf68750a334da7b3aaaa05
Instruction ID: e9f64828b61f2670a7794c9457e1ed260608068722725ae8d0b6ee2a806d4789
Opcode Fuzzy Hash: 726b27d1c459608a1c3fba11e2ea58afb5d14523b4cf68750a334da7b3aaaa05
Instruction Fuzzy Hash: 95017C75D0025CA5DB21ABE4DD0AFEE76BCAF48344F000465F605E3192E6B4EA848BE5

Uniqueness

Uniqueness Score: -1.00%

Function 009FE83C Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00A02340: GetEnvironmentStringsW.KERNEL32 ref: 00A02349
Part of subcall function 00A02340: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A0236C
Part of subcall function 00A02340: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A02392
Part of subcall function 00A02340: _free.LIBCMT ref: 00A023A5
Part of subcall function 00A02340: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A023B4

_free.LIBCMT ref: 009FE882
_free.LIBCMT ref: 009FE889

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: d0f1329351df7131d1b91946f84da7d30ab9f0757590b9d3620bc4fffa31fcf3
Instruction ID: 03e26c800435946b15250a90f83a58d1701da3a5474f972b2be445e142cde8c2
Opcode Fuzzy Hash: d0f1329351df7131d1b91946f84da7d30ab9f0757590b9d3620bc4fffa31fcf3
Instruction Fuzzy Hash: 9DE02217A4561841E625363A3C02BFF06498FD23B5F2003BAFF24CB2E2DE2C88020396

Uniqueness

Uniqueness Score: -1.00%

Function 009E4BD8 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(009E1680,?,?,009E1680), ref: 009E4C08
LoadStringW.USER32(009E1680,?,?), ref: 009E4C1F

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 8f6a88a43dcc0069452e4c667019852aeae460c1c0ef3b0a536cff968a1e2fb2
Instruction ID: 9fe5d6625b86b3313ec21414a77db3435d1ffce544d52084b8cd06c9e1d55ffe
Opcode Fuzzy Hash: 8f6a88a43dcc0069452e4c667019852aeae460c1c0ef3b0a536cff968a1e2fb2
Instruction Fuzzy Hash: 5EF01C35201659BBDF125FA6EC08DEB7F6DEF59391B008425FE4486130E6328C61EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009E2A4B Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,?,009E2883,?,?), ref: 009E2A5F

Part of subcall function 009E35E5: _wcslen.LIBCMT ref: 009E3609

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,009E2883,?,?), ref: 009E2A90

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 709f64302ec0de6dcc19c9ce0fd72c120abe2dcdf0802a69fa3800d3eebf2af6
Instruction ID: 5704b0bddf36177fcb409e85d33c507c1e8142f79052b064af5ffc9f70c0d9ff
Opcode Fuzzy Hash: 709f64302ec0de6dcc19c9ce0fd72c120abe2dcdf0802a69fa3800d3eebf2af6
Instruction Fuzzy Hash: F5F06D3110025EABEF12DFA2DC05BDA3B6DBF043C5F44C421B989E61A1DB71DE969B60

Uniqueness

Uniqueness Score: -1.00%

Function 009E272F Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,009E1D8F,?,?,009E1BE3,?,?,?,?,?,00A08AA3,000000FF), ref: 009E2740

Part of subcall function 009E35E5: _wcslen.LIBCMT ref: 009E3609

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,009E1D8F,?,?,009E1BE3,?,?,?,?,?,00A08AA3), ref: 009E276E

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: cae023e7d34e728ae937c6ebeb115fe9b7a871a79f25245e4402c508edbdd78c
Instruction ID: 7a76a618fa075fe085425d3676e863307f917d4404b7cf8fe26a64564df89663
Opcode Fuzzy Hash: cae023e7d34e728ae937c6ebeb115fe9b7a871a79f25245e4402c508edbdd78c
Instruction Fuzzy Hash: CBE0D87124024DABDB129F61CC05BDA37ECBF043C2F444021BA48D2061DB71DD85DA50

Uniqueness

Uniqueness Score: -1.00%

Function 009F1881 Relevance: 3.0, APIs: 2, Instructions: 26comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00A08AA3,000000FF), ref: 009F18B5
OleUninitialize.OLE32(?,?,?,?,00A08AA3,000000FF), ref: 009F18BA

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 1c75eca6e5a5264027e48245da1f192c702569bebb4dfde9be313dbf3cbe671c
Instruction ID: 62686fd20d39d281261eb0cd4ea3632554d5a3dc2e936f3967f466dece956c36
Opcode Fuzzy Hash: 1c75eca6e5a5264027e48245da1f192c702569bebb4dfde9be313dbf3cbe671c
Instruction Fuzzy Hash: AAE06576644654EFCB10DB4CED05B4AFBB8FB89B20F004265F515D37A0CB746802CA90

Uniqueness

Uniqueness Score: -1.00%

Function 009F490E Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009F4938

Part of subcall function 009E2AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E2AB5

SetDlgItemTextW.USER32(00000065,?), ref: 009F494F

Part of subcall function 009F20D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009F20E9
Part of subcall function 009F20D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F20FA
Part of subcall function 009F20D8: IsDialogMessageW.USER32(?,?), ref: 009F210E
Part of subcall function 009F20D8: TranslateMessage.USER32(?), ref: 009F211C
Part of subcall function 009F20D8: DispatchMessageW.USER32(?), ref: 009F2126

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: b695308eb5d6fea55dde4afb6816141b6e026b366067fe7acdcbe8337abf7d40
Instruction ID: dc3d60e0776b1a674b84d9fe60f8f396369e7a0d7844ee143fecf905fb473423
Opcode Fuzzy Hash: b695308eb5d6fea55dde4afb6816141b6e026b366067fe7acdcbe8337abf7d40
Instruction Fuzzy Hash: DAE09B764042482ADB12ABA5CC06FBA3BAC5B45385F440471B200E60A2E574D9528761

Uniqueness

Uniqueness Score: -1.00%

Function 009E2792 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 009E27A3

Part of subcall function 009E35E5: _wcslen.LIBCMT ref: 009E3609

GetFileAttributesW.KERNELBASE(?,?,?,00000800), ref: 009E27CF

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 765c5788f0451aadae0e5c1cbf429994c366f77798df446520a3f22a6c1d7bb2
Instruction ID: d79fb52b44f021fc95ced977b1c34b542c5cd864a32088bd5e0e653021f1b472
Opcode Fuzzy Hash: 765c5788f0451aadae0e5c1cbf429994c366f77798df446520a3f22a6c1d7bb2
Instruction Fuzzy Hash: 27E092715002685BCB11AB69CC04BE97B6CAB093E1F000160FF59E3295D671DD81CA90

Uniqueness

Uniqueness Score: -1.00%

Function 009E6B9C Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009E6BB7
LoadLibraryW.KERNELBASE(?,?,009E590F,Crypt32.dll,00000000,009E5989,?,?,009E596C,00000000,00000000,?,00000000), ref: 009E6BD9

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 9a38a2aec38b88c092cb4c2ee26806a1665bf4736a27b266fe9772825d326045
Instruction ID: 9a70afb0b0e3b0fc70b0b8b715983902545ecb129626e75757368c5b64e2d5fd
Opcode Fuzzy Hash: 9a38a2aec38b88c092cb4c2ee26806a1665bf4736a27b266fe9772825d326045
Instruction Fuzzy Hash: D4E0127290016CA6EB119BA5DC08FDB766CAB483D1F4440617549D2009D674DA848BB0

Uniqueness

Uniqueness Score: -1.00%

Function 009F0EC8 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 009F0EE9
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 009F0EF0

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 4f14c8c77561e4348754fd7be5b1b6cc5a0b5b7be8242c1e151705975427eddb
Instruction ID: 058e8420ffb5f9b107ac4769403f5ef83f99da6d65398ef0ddc32ec8c8ad5aaf
Opcode Fuzzy Hash: 4f14c8c77561e4348754fd7be5b1b6cc5a0b5b7be8242c1e151705975427eddb
Instruction Fuzzy Hash: 78E06D7141020CEBCB10DF44C9007ADB7ECEB44355F20841AEA9593641D3B0AE409B51

Uniqueness

Uniqueness Score: -1.00%

Function 009F8F7C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009F8F9A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 009F8FA5

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: da31cd1f11c7d2345ac3f0e3e739c6ffd4a85b597b8c01a89bee62f249693027
Instruction ID: fe4ec8eec3fd8eeeeef7904c498e43f3ef0e80dfed54e0e6d367109c5315e10f
Opcode Fuzzy Hash: da31cd1f11c7d2345ac3f0e3e739c6ffd4a85b597b8c01a89bee62f249693027
Instruction Fuzzy Hash: A3D0A9A490870D2C5EC07AB43C021BB234A6CA27743B00A56E330890C1EF258000A392

Uniqueness

Uniqueness Score: -1.00%

Function 009E11A1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 009E11B6
ShowWindow.USER32(00000000), ref: 009E11BD

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 327d193c06a617fd11eebc05d49ab7e7fcd50e43c194e9eddd24ec124593a77c
Instruction ID: 31070e89606c0ec098819b4081decd0465787de5a2577ae9e5b04ce517df559f
Opcode Fuzzy Hash: 327d193c06a617fd11eebc05d49ab7e7fcd50e43c194e9eddd24ec124593a77c
Instruction Fuzzy Hash: 4DC0123A098140BECB014BB4DC09D2E7BA89BE6211F10CA04B0A5C0060C239C010DB12

Uniqueness

Uniqueness Score: -1.00%

Function 009E1183 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 009E1191
KiUserCallbackDispatcher.NTDLL(00000000), ref: 009E1198

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: 6501cf1e9d9af5cceb5151f2612e8ae108311a12b606b5747dd8f8fcfe424a72
Instruction ID: b4f8a681418f77b38b05bb410eb6c1a7879c54bb33a3a1ce81eda845294fbcbf
Opcode Fuzzy Hash: 6501cf1e9d9af5cceb5151f2612e8ae108311a12b606b5747dd8f8fcfe424a72
Instruction Fuzzy Hash: 33C04C7E448240BFCB019BE89C08D2FBFA9ABE6311F10CA09B1A5C0020C6368411DB12

Uniqueness

Uniqueness Score: -1.00%

Function 009EB41D Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009EB43E

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 6470bf1f669577e6a5f5066a8502c48e20d6388bc185f07f16c6840375cec032
Instruction ID: 9912bf5556b51a9a64ec3a36c2bcecc3fdf35f73b32fc396ae9a887999b3e2d0
Opcode Fuzzy Hash: 6470bf1f669577e6a5f5066a8502c48e20d6388bc185f07f16c6840375cec032
Instruction Fuzzy Hash: 2731A2366112219FDB25DFADEC54A3A37A6FB88714B15403AE901D73A1F734AC838F91

Uniqueness

Uniqueness Score: -1.00%

Function 00A010A8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00A01108

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 896b9d31f0b701992c20179957201dccf2b2651787a159cfca961380356a5b30
Instruction ID: 33a70f881dde5d86d35e170e29a653d97853f47b15b7b47f5f8e8708fb5228d5
Opcode Fuzzy Hash: 896b9d31f0b701992c20179957201dccf2b2651787a159cfca961380356a5b30
Instruction Fuzzy Hash: A411E737A002399BDF25DF5DFC409DA73959B853607164228FE25AB294DB31DC4287D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A02889 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00A01546: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009FF793,00000001,00000364,?,009FABD7,?,?,?,009FA652,00000050), ref: 00A01587

_free.LIBCMT ref: 00A028F5

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction ID: 5068dd4b50f1709a4b79dd15ce52d5bc03e8513b0d7afd7b1e7e20213e4df32e
Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction Fuzzy Hash: 7101F9776003496BF3258F65E885A5AFBE9FBC5370F25052EE695872C0EA30A809C774

Uniqueness

Uniqueness Score: -1.00%

Function 009F4512 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F4517

Part of subcall function 009E6A26: _wcslen.LIBCMT ref: 009E6A3C

Part of subcall function 009EF482: __EH_prolog.LIBCMT ref: 009EF487

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: e131ff201206418ed9205e4b7d5a3960e81000e9a4b5fa24aac57c868ffa065d
Instruction ID: d7237c568a47f1435124c970c9b131cd45c60bb57b652dea9dbf893f437555fe
Opcode Fuzzy Hash: e131ff201206418ed9205e4b7d5a3960e81000e9a4b5fa24aac57c868ffa065d
Instruction Fuzzy Hash: 0E01B13EA4A384BED705DBA9FC03BA93BB0FBE6310F50402AF454562D2D6B61546C722

Uniqueness

Uniqueness Score: -1.00%

Function 009E1267 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E126C

Part of subcall function 009E5753: __EH_prolog.LIBCMT ref: 009E5758

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9dd333a963092d2a3d3af6a48d154ec05b1738deba720b7e279db3826c6dbfa0
Instruction ID: 68bf4d9c6abd8a0591669b44d9558cb57d5cc04939d1b2e733564d7af641f1e5
Opcode Fuzzy Hash: 9dd333a963092d2a3d3af6a48d154ec05b1738deba720b7e279db3826c6dbfa0
Instruction Fuzzy Hash: 0C016970904B84CEC316EBAAC0657DEFBE4AFA5340F10454EE4AA53382CFB02B04C721

Uniqueness

Uniqueness Score: -1.00%

Function 00A01546 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009FF793,00000001,00000364,?,009FABD7,?,?,?,009FA652,00000050), ref: 00A01587

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 08ea9ba79a4da5cf88ce05f157dc51f1e8a6e83a6bb9604bee1565510237cd7a
Instruction ID: 4345a5e3b443ae40bbf36b38fe9bd439d7ed9caa3dd56f175a63006a92709798
Opcode Fuzzy Hash: 08ea9ba79a4da5cf88ce05f157dc51f1e8a6e83a6bb9604bee1565510237cd7a
Instruction Fuzzy Hash: 6AF0B43164432CA7DF215B72BC46BEB3798AFC1760B144021F80A9F0D0DA60FD0182E1

Uniqueness

Uniqueness Score: -1.00%

Function 009FF9E5 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,009FA7E9,?,0000015D,?,?,?,?,009FBCC5,000000FF,00000000,?,?), ref: 009FFA17

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d9247b47b54a98f868646b1242e7055c8b76dca15d071321a9369e2bedd3fff
Instruction ID: e4235a6786bc72af588692977d1cc1df64ac484fe69500a1871b40ed1f5c9b46
Opcode Fuzzy Hash: 0d9247b47b54a98f868646b1242e7055c8b76dca15d071321a9369e2bedd3fff
Instruction Fuzzy Hash: DEE02B3221471D66DB202771AD61BBB764CDF827A4F150171EF4DA20D0EF90CC0183A0

Uniqueness

Uniqueness Score: -1.00%

Function 009E1C30 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,009E1BEA,?,?,?,?,?,00A08AA3,000000FF), ref: 009E1C4B

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c5e6fbfed480a2bca9ab309976d755e2e012ffce1717fed69c6986998f90bc34
Instruction ID: df5f4d33f82044b13e448a6857cc1efcb6969ccf653173b8b4931ef367050ff1
Opcode Fuzzy Hash: c5e6fbfed480a2bca9ab309976d755e2e012ffce1717fed69c6986998f90bc34
Instruction Fuzzy Hash: B8F03A304C1B958FDB328A26C448792B7ECAB12321F245B1ED0E2829A0D3B2A98D8651

Uniqueness

Uniqueness Score: -1.00%

Function 009E2AE7 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 009E2C15: FindFirstFileW.KERNELBASE(?,?), ref: 009E2C3E
Part of subcall function 009E2C15: FindFirstFileW.KERNELBASE(?,?,?,?,00000800), ref: 009E2C6C
Part of subcall function 009E2C15: GetLastError.KERNEL32(?,?,00000800), ref: 009E2C78

FindClose.KERNELBASE(00000000), ref: 009E2B12

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: bfb2d2577b64a8ed6d3a72bedfb8427ca5c7308b76be2716dc34cbf9cc720f21
Instruction ID: 3180a16b0696127049817b7e20b4c83e9b63389ed70b5dfa7d507fc8e080e21e
Opcode Fuzzy Hash: bfb2d2577b64a8ed6d3a72bedfb8427ca5c7308b76be2716dc34cbf9cc720f21
Instruction Fuzzy Hash: EBF082710097D0AACE635BB58845BCBBBA86F6A331F048A4DF1FD121A2C27558999732

Uniqueness

Uniqueness Score: -1.00%

Function 009EF9A5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EF9AA

Part of subcall function 009E1EE0: CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000), ref: 009E1F5F
Part of subcall function 009E1EE0: GetLastError.KERNEL32 ref: 009E1F6C
Part of subcall function 009E1EE0: CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800), ref: 009E1FA2
Part of subcall function 009E1EE0: GetLastError.KERNEL32 ref: 009E1FAA
Part of subcall function 009E1EE0: SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000), ref: 009E1FF9

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: File$CreateErrorLast$H_prologTime
String ID:
API String ID: 3517926197-0
Opcode ID: 3db4b69bc8b2d22c5b12fb838e2d1cec096d3cdf749c98b30158a333b2d67bcd
Instruction ID: ea947b0c92c28d51a161c2ec73df5311040c31479a762a54c1930ff4d68c833c
Opcode Fuzzy Hash: 3db4b69bc8b2d22c5b12fb838e2d1cec096d3cdf749c98b30158a333b2d67bcd
Instruction Fuzzy Hash: 4CF0307590158CEBDF52EF50C992BDCB735EF50344F4080A9B755A6191DB789E84CB20

Uniqueness

Uniqueness Score: -1.00%

Function 009F1136 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 009F113C

Part of subcall function 009F0EC8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 009F0EE9

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 5ab87911419d104bf8d52cca4c52cd39a732c6fb385016300ad2ab0103f248f7
Instruction ID: 3080bc59f1f9962ad89df6bbd2117c099bbc988982cfdcc3c45b1e6eae1023c4
Opcode Fuzzy Hash: 5ab87911419d104bf8d52cca4c52cd39a732c6fb385016300ad2ab0103f248f7
Instruction Fuzzy Hash: 3CD0A93070820CBADF412B208C02B7EBAACAB80340F008421FB01D5281EBB1D910A3A2

Uniqueness

Uniqueness Score: -1.00%

Function 009F47C9 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,009E790C), ref: 009F47EE

Part of subcall function 009F20D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009F20E9
Part of subcall function 009F20D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F20FA
Part of subcall function 009F20D8: IsDialogMessageW.USER32(?,?), ref: 009F210E
Part of subcall function 009F20D8: TranslateMessage.USER32(?), ref: 009F211C
Part of subcall function 009F20D8: DispatchMessageW.USER32(?), ref: 009F2126

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 032ed6e486b9185f67aa1ff47aace49a3e6a3db7689bed5d127db16f1e8326e7
Instruction ID: 7cfb14851e85db0b011b26ed1f28ab7ece34293c05db31752c7ca96c131430c0
Opcode Fuzzy Hash: 032ed6e486b9185f67aa1ff47aace49a3e6a3db7689bed5d127db16f1e8326e7
Instruction Fuzzy Hash: 48D0C736145300BEDA126B51CD06F1A7AF2BBE9B05F404564B344740F1CAA2DD76DB02

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C98 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 420f5234d26f58bffac5e901e1c2ef8da7ec3b1d3455be49b77a8e81df2f0c0d
Instruction ID: 09d2a27f6b12f9ee64929f469b3c3a3adb9b09ec4c99e0b4c56e2aa105325c1b
Opcode Fuzzy Hash: 420f5234d26f58bffac5e901e1c2ef8da7ec3b1d3455be49b77a8e81df2f0c0d
Instruction Fuzzy Hash: 4EB012852AA008BC314852481D06EB7016CD4C4F127304B1BF240C1080D8404C512332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 57c2fa7b852cef66268ac2ba3c253e27c5f3570188b844248b1b2298708cd75e
Instruction ID: 7f9384a6d1d0157db176baf2c254e7942e513dd72dacc857a1b94ed3a943813b
Opcode Fuzzy Hash: 57c2fa7b852cef66268ac2ba3c253e27c5f3570188b844248b1b2298708cd75e
Instruction Fuzzy Hash: E9B0128529B008BC314852881E06EB7012CC0C4F137304B1BF240C1080D8444C522332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C84 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: bd3e2e985c799824f0d618c971a9a6e1288cc05b8496b8ab0aacbba93f8f5abc
Instruction ID: e72e7756ed4bc9ea34f546ffa7b71bb761c30cb81a58130762886d8b63298208
Opcode Fuzzy Hash: bd3e2e985c799824f0d618c971a9a6e1288cc05b8496b8ab0aacbba93f8f5abc
Instruction Fuzzy Hash: 12B0129529A108BC318853481D06EB7012CC1C4F127304B1BF240C1080D8404C912332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CB6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 978915bf63a30affc90f3a283deebcd820bac83e893bebc239c4c4edd33e707b
Instruction ID: 070b518eff4dd6f0ddabf081fca5cae156baad1b470256462e872ac9d92eee66
Opcode Fuzzy Hash: 978915bf63a30affc90f3a283deebcd820bac83e893bebc239c4c4edd33e707b
Instruction Fuzzy Hash: 20B01296299008BC314852481E06EB701ACC0C4F127304B1BF241C1080D8448C522332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CAC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: c96a6522267b517b3c64d646d6e22020aae418320cd43f058a886ab6c7f06246
Instruction ID: c9a6381d4331d5003525641b529c04d21a271a3c389dc165bec39597dbbbb7dc
Opcode Fuzzy Hash: c96a6522267b517b3c64d646d6e22020aae418320cd43f058a886ab6c7f06246
Instruction Fuzzy Hash: 03B01286299108BC318852481D06EB7016CC1C4F123304B1BF241C1080D8408C912332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CA2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 04a43a5bf4f130a76afc03eb276ff6f3ac72ec7c62ce8eb63e7ce4f2a12a91bf
Instruction ID: ee8d4249e982995bd31e2ca27bcfef09c85fcf8293edcef2cf26b088ca7f79ca
Opcode Fuzzy Hash: 04a43a5bf4f130a76afc03eb276ff6f3ac72ec7c62ce8eb63e7ce4f2a12a91bf
Instruction Fuzzy Hash: E0B0128A299008BC314852581D06EB7016CC1C4F123308B1BF741C1080D9408C512332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 61d90a32b3a5de8cb2ca75bee25262749986052d24b89cb3fb1d13df70e922a6
Instruction ID: b2d9d65271db327d8482412be383228a362b483b547709645f787194bef5a0ca
Opcode Fuzzy Hash: 61d90a32b3a5de8cb2ca75bee25262749986052d24b89cb3fb1d13df70e922a6
Instruction Fuzzy Hash: 8BB012D5299008BC314852485E07EB7012CC0C8F123304B1BF240C1080D8444C522332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CD4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 06e95f6e5f36fc0fa29849607d0e44a61c80ea7ecca62a581e4243cb128ce517
Instruction ID: 335b2c7c2462ed1b1920ef56f19c2cf3b79c4b4c170454f4a573c56d13b68ed8
Opcode Fuzzy Hash: 06e95f6e5f36fc0fa29849607d0e44a61c80ea7ecca62a581e4243cb128ce517
Instruction Fuzzy Hash: DDB01295299108BC318852481D07EB7012CC1C8F123308B1BF240C1080D8404C912372

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CCA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 5a50ddeab230f116799b5634ba87effc9b9431ec827d75b3c9ce001a906e3a2f
Instruction ID: a68a6698b21488551f1da7ddeb28a4c6cc8c0885f4cc02ff95c38bd58c33321d
Opcode Fuzzy Hash: 5a50ddeab230f116799b5634ba87effc9b9431ec827d75b3c9ce001a906e3a2f
Instruction Fuzzy Hash: 07B01295299008BC314853481D07EB7012CC0C8F123308B1BF640C1080D8404C512332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a1d07ff041c7eff5950e5b1b933e7418ffa6649b2769620b350259d7746030db
Instruction ID: 445aeb4f18e0c54a66164c6648c821a7cf4a98e42cda3a1727d89cb24a767e5d
Opcode Fuzzy Hash: a1d07ff041c7eff5950e5b1b933e7418ffa6649b2769620b350259d7746030db
Instruction Fuzzy Hash: 9CB01295299008BC314852481D07EB7012CD0C8F123304F1BF240C10C0D8404C512332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C37 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ea3c85cfd22aafcf29f2f2c0266568aaa941f813a72c642244be57f3a98ecb04
Instruction ID: e176c2782f34752160cc79653c84f8dde248b6ffa0ea77ee91ae20d63a595e72
Opcode Fuzzy Hash: ea3c85cfd22aafcf29f2f2c0266568aaa941f813a72c642244be57f3a98ecb04
Instruction Fuzzy Hash: 4EB01285299508BC354812441E06DB7012CC1C0F133308F1BF241C0080D8408C953332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C5C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7b7155e072a1f22bd43168d96f2e9a0b8f355b6633d3c4a2fab6ea979f6812a4
Instruction ID: ee7e8bc8de55425c3ba4156cdd33fbc5874108b3e766b06cd40ff9c1fe96b53a
Opcode Fuzzy Hash: 7b7155e072a1f22bd43168d96f2e9a0b8f355b6633d3c4a2fab6ea979f6812a4
Instruction Fuzzy Hash: 64B01295299108BC3188524C1D06EB7012CC1C4F123304B1BF240C1080D8404C912332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C52 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: fb45e82be08fc6a1ee7222d04728d39faa74ed916630710915a2dbe1e0dddf4b
Instruction ID: 76d446f2c13e2e5709aa674d9765e45044d5c65bc916ad9f7ca56c19ed98c06c
Opcode Fuzzy Hash: fb45e82be08fc6a1ee7222d04728d39faa74ed916630710915a2dbe1e0dddf4b
Instruction Fuzzy Hash: 0EB01295299008BC3148524C1D06EB7012CC0C4F123308B1BF640C1080D8404C512332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C70 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f5a1e02205550d9c6ff311e2eeb755671336df47810b0c3eda6f21ca5beb997a
Instruction ID: 1926d36274f8929c9354812e8e7aaacf3b9ff30dd8ff2d487187f80ffda69159
Opcode Fuzzy Hash: f5a1e02205550d9c6ff311e2eeb755671336df47810b0c3eda6f21ca5beb997a
Instruction Fuzzy Hash: 85B01295299008BC3148524D1D06EB7012CD0C4F123304B1BF240C1081D8444C512332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C66 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 005bc455c5b44da80d86e8210f0332b1eb1464f86d72fefbd038b03ee1ee02be
Instruction ID: 078107d78b0b80b6304a270d12b78f707138913d701d89a8792953a13c798ff8
Opcode Fuzzy Hash: 005bc455c5b44da80d86e8210f0332b1eb1464f86d72fefbd038b03ee1ee02be
Instruction Fuzzy Hash: B9B01295299008BD3148524C1E06EB7012CC0C4F123304B1BF240C1080D8444D522332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E89 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: cc90730ede1486bcc5f5435ab1da801f83067540934cc256f5633ecd54aecc2d
Instruction ID: 185c2b444def477260d02d33978b530e66e22ea2d4c7f303b7e17e473b10cd4b
Opcode Fuzzy Hash: cc90730ede1486bcc5f5435ab1da801f83067540934cc256f5633ecd54aecc2d
Instruction Fuzzy Hash: E9B012953D9104BC334452442C02E77020CD4C8F133304B1BF290C0080D4404C984332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4EB1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8937aeb9b93f4d29f6c19f3c22238f26283d1957b54f0e61a5372817ada07d3a
Instruction ID: eed5da014254b2a6581551d077a8578a3ead1b7fa91e067fa2ff17ec76300271
Opcode Fuzzy Hash: 8937aeb9b93f4d29f6c19f3c22238f26283d1957b54f0e61a5372817ada07d3a
Instruction Fuzzy Hash: F8B012953D8104BC334452442C02E77020CE4C8F133304F1BF290C0080D4444C984332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E7F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: deea64c85ec09739984a341be3a40899327f6a85c2bfb6680104a7c8296d427a
Instruction ID: addf9b59d6ae1386c7d294d359920ef2282fd4499d640a527e59a5cc22872df9
Opcode Fuzzy Hash: deea64c85ec09739984a341be3a40899327f6a85c2bfb6680104a7c8296d427a
Instruction Fuzzy Hash: 56B012953D8004BC324456442C02F77020CF4C8F133304B1BF290C0081D4484C504332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F3A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a21c73fcac384622fa1d89987191ce0fe6e4b907c268dde73fe8f778c50da338
Instruction ID: d903da1b70fa031c12cf57a5b16665c16fa8a58765d0cad10d1d6edb45b8f659
Opcode Fuzzy Hash: a21c73fcac384622fa1d89987191ce0fe6e4b907c268dde73fe8f778c50da338
Instruction Fuzzy Hash: 67B0128D2DC004FC310412419D02D77020CC0C4B133308B1FF600D0084D8404C900337

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F5F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a7a9c10a819d22fa334ed437d65cf7235db31026534b9444028086fe50d19f9e
Instruction ID: ce68635a869af6ec45f434506faa1e4a2b60781d0868b1022c70a8266aa7a2fb
Opcode Fuzzy Hash: a7a9c10a819d22fa334ed437d65cf7235db31026534b9444028086fe50d19f9e
Instruction Fuzzy Hash: 38B012892D8104FC314452455D02E77010CC0C4B123308B2FF608C1084D8404C900333

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F55 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3f97bbfaef8eb833a2a0f4bc000746b4f64507de16e4e078dda81127ec2bb08f
Instruction ID: 68989de434341eefc6bd0d4cc93dc83db8d157ef929ae54551fb87a125d621bf
Opcode Fuzzy Hash: 3f97bbfaef8eb833a2a0f4bc000746b4f64507de16e4e078dda81127ec2bb08f
Instruction Fuzzy Hash: E1B0128D2E8004BC314452859D02F77010CD0C4B133304B1FF204C1084D8404C900337

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F73 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 428a83c09543302b8e93981af09b992972fd21fbd47d6de3fb36bc8752dfe2f5
Instruction ID: d7b2eff72483e71053e38544a518c759192ab3607d143f5bcfbef30767dad83d
Opcode Fuzzy Hash: 428a83c09543302b8e93981af09b992972fd21fbd47d6de3fb36bc8752dfe2f5
Instruction Fuzzy Hash: F0B012892D8204BC324452456F02E77010CC0C4B123308B2FF308C1084D8454C910333

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F69 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: fcf6b4ae3be89172d9c8f27dff0a1b3d16ccb977061f5171b6783882121da3bc
Instruction ID: f3e017d35347cd27c35189f809b9d73d117a5acd5cf3e8ac05e17378417eb900
Opcode Fuzzy Hash: fcf6b4ae3be89172d9c8f27dff0a1b3d16ccb977061f5171b6783882121da3bc
Instruction Fuzzy Hash: FCB012892D8204BC325452455D02E77010CC0C4B123304B2FF208C1084D8404CD84333

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CC5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f229eb31aecd9f978bf434472da10569ab428e4932211b104ee2774a16541d0e
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: f229eb31aecd9f978bf434472da10569ab428e4932211b104ee2774a16541d0e
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4CF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: d00a2997e50ba02a2c46f0680879a62f0614c090860fa661ac74651759ab82d8
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: d00a2997e50ba02a2c46f0680879a62f0614c090860fa661ac74651759ab82d8
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4C7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6c17757a04b35f180d740aa4c91dccbd3c8efcad864a9fd68af2dca75c2471fa
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: 6c17757a04b35f180d740aa4c91dccbd3c8efcad864a9fd68af2dca75c2471fa
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a0b2a7c4838afe98cd39409bc42f488d639589558a8ba722dbebdf60b8b7bd43
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: a0b2a7c4838afe98cd39409bc42f488d639589558a8ba722dbebdf60b8b7bd43
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7921109abc80b8d9cfce9f1d5aa56884166443174839504383bc08965593760d
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: 7921109abc80b8d9cfce9f1d5aa56884166443174839504383bc08965593760d
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f6f0091c45f49c35e8586625179e2cc7d7191d548acf68575677604abc71afc4
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: f6f0091c45f49c35e8586625179e2cc7d7191d548acf68575677604abc71afc4
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D01 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3139105e826a8f0c7d089d14509f160738192b419272bdaf2fc0311fa35f56c4
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: 3139105e826a8f0c7d089d14509f160738192b419272bdaf2fc0311fa35f56c4
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D3D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 25e0899f7f40b28749f1ad06443dbbb1fdbe8c496218e293f53804c7efab9485
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: 25e0899f7f40b28749f1ad06443dbbb1fdbe8c496218e293f53804c7efab9485
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D33 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 06888f30a4dcb5efe10b879834ba60515d070395507bb374e6b445aeee34b778
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: 06888f30a4dcb5efe10b879834ba60515d070395507bb374e6b445aeee34b778
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D29 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4C49

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 12f306d0f1d32f371ca85ed18dcfaf5ffbe7bab7323cc215ea85e64a15ee7073
Instruction ID: 6da5c39b66a49553a447e2793b197b27f975634643dc30a2cb901a14e1e2df87
Opcode Fuzzy Hash: 12f306d0f1d32f371ca85ed18dcfaf5ffbe7bab7323cc215ea85e64a15ee7073
Instruction Fuzzy Hash: 94A011822AA00ABC300822802E0AEBB022CC0C8F223308F0AF28280080A8800CA22330

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E98 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: faa2e10338e91077c34dfb86f07b75bf6a0ed54cd7e1f17af7e00c6abf802780
Instruction ID: 1686b9b56286ea970286efa847ed5978d511ecaf77e9d823adba334eb66cf46f
Opcode Fuzzy Hash: faa2e10338e91077c34dfb86f07b75bf6a0ed54cd7e1f17af7e00c6abf802780
Instruction Fuzzy Hash: 6AA001962A950ABC324866916D06EBB061CE8C8F633718F1AF6A2C4081A9845CA59335

Uniqueness

Uniqueness Score: -1.00%

Function 009F4EAC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6af9751e35746538bc0265f22eb8038b5dd321382a7fa5a8b8c2190d462d6ce2
Instruction ID: 1686b9b56286ea970286efa847ed5978d511ecaf77e9d823adba334eb66cf46f
Opcode Fuzzy Hash: 6af9751e35746538bc0265f22eb8038b5dd321382a7fa5a8b8c2190d462d6ce2
Instruction Fuzzy Hash: 6AA001962A950ABC324866916D06EBB061CE8C8F633718F1AF6A2C4081A9845CA59335

Uniqueness

Uniqueness Score: -1.00%

Function 009F4EA2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 1cc16b23cbe0fc6af60c232cc3de3a6b136c33608410df25b133389a9a28bec3
Instruction ID: 1686b9b56286ea970286efa847ed5978d511ecaf77e9d823adba334eb66cf46f
Opcode Fuzzy Hash: 1cc16b23cbe0fc6af60c232cc3de3a6b136c33608410df25b133389a9a28bec3
Instruction Fuzzy Hash: 6AA001962A950ABC324866916D06EBB061CE8C8F633718F1AF6A2C4081A9845CA59335

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E55 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b300899507f692a6f2b80ae9827627f3964b226847cb43b3944ade22c4b2ee01
Instruction ID: a74b54b84864dcc546bbd94876303e1947235f73a7245cd01898de10d2628cc9
Opcode Fuzzy Hash: b300899507f692a6f2b80ae9827627f3964b226847cb43b3944ade22c4b2ee01
Instruction Fuzzy Hash: 68A001962A9609BC324866916D06EBB071CE8D8F233728B1AF7A2D4081A9845CA59335

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E7A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 5a6df8ccde07bd9b26a3a9001fe1629212bdd6165148b680fb23127117201d58
Instruction ID: 1686b9b56286ea970286efa847ed5978d511ecaf77e9d823adba334eb66cf46f
Opcode Fuzzy Hash: 5a6df8ccde07bd9b26a3a9001fe1629212bdd6165148b680fb23127117201d58
Instruction Fuzzy Hash: 6AA001962A950ABC324866916D06EBB061CE8C8F633718F1AF6A2C4081A9845CA59335

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E70 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4E62

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0a54f707d9c7041d2215a8a0e1eeb38525587e4a23744b1ff0a1546e8bc3adcc
Instruction ID: 1686b9b56286ea970286efa847ed5978d511ecaf77e9d823adba334eb66cf46f
Opcode Fuzzy Hash: 0a54f707d9c7041d2215a8a0e1eeb38525587e4a23744b1ff0a1546e8bc3adcc
Instruction Fuzzy Hash: 6AA001962A950ABC324866916D06EBB061CE8C8F633718F1AF6A2C4081A9845CA59335

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F96 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a819dc5f29a8fbc83dab6aabb4a455d551a492f4ee8a2606cca46e46a8f43299
Instruction ID: 9bcf06739dc4051591910adb64fe2823e5c7695f6cd3870a7e0fa154d7378e17
Opcode Fuzzy Hash: a819dc5f29a8fbc83dab6aabb4a455d551a492f4ee8a2606cca46e46a8f43299
Instruction Fuzzy Hash: 12A0118A2A800ABC30082282AE02EBB020CC0C8B223308F0EF20280088A8800CA00332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F8C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 1ecdd7c4ca106ee5cb337f3f9931c7aeb6b2b66f7b1827a16cbbc4a6d1beab31
Instruction ID: 9bcf06739dc4051591910adb64fe2823e5c7695f6cd3870a7e0fa154d7378e17
Opcode Fuzzy Hash: 1ecdd7c4ca106ee5cb337f3f9931c7aeb6b2b66f7b1827a16cbbc4a6d1beab31
Instruction Fuzzy Hash: 12A0118A2A800ABC30082282AE02EBB020CC0C8B223308F0EF20280088A8800CA00332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F82 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4F4C

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 29c8b174470b511eda7f0d7fe0ed43c640c2f63cb5905e716a1b9799f83968aa
Instruction ID: 9bcf06739dc4051591910adb64fe2823e5c7695f6cd3870a7e0fa154d7378e17
Opcode Fuzzy Hash: 29c8b174470b511eda7f0d7fe0ed43c640c2f63cb5905e716a1b9799f83968aa
Instruction Fuzzy Hash: 12A0118A2A800ABC30082282AE02EBB020CC0C8B223308F0EF20280088A8800CA00332

Uniqueness

Uniqueness Score: -1.00%

Function 009F4EBB Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4EC3

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3c8ad5faad1172d056f0294f21835f0e3c1ab2aa87fcab5255bcc7dc7b0163a0
Instruction ID: 373e337c8e5fd3fc06af1bdc0a19597712c3dd2e0763b5e29eaaea8d1e211988
Opcode Fuzzy Hash: 3c8ad5faad1172d056f0294f21835f0e3c1ab2aa87fcab5255bcc7dc7b0163a0
Instruction Fuzzy Hash: ECA002DA6E9545BC355863A16D17EBF461DD4C8F233718B1FF615C40C1A8805CA54335

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F9B Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009F4FA3

Part of subcall function 009F5280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009F528B
Part of subcall function 009F5280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009F52F3
Part of subcall function 009F5280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009F5304

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 41ab95afd6b0326ce7d92408a49940fded98ecbe394578080856063d2faedf7e
Instruction ID: bb195ae0273b755dfa0ece477cb8b617e2d9893db5aceaced4e2723bbd63ab4f
Opcode Fuzzy Hash: 41ab95afd6b0326ce7d92408a49940fded98ecbe394578080856063d2faedf7e
Instruction Fuzzy Hash: A8A002D62BA509BC314863916D07EBB061CD5C4F233718B1FF610D40C1A8805CE54735

Uniqueness

Uniqueness Score: -1.00%

Function 009E2509 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,009EA6E7), ref: 009E250C

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: bc8e0ea2e03724892f86c1df00dc700304085c3b0ab6cad7f310224ed2515935
Instruction ID: 33f38d2d9d466e05479b8899e0dc85b25b3acf8e43e2cfb02a452f1bed791965
Opcode Fuzzy Hash: bc8e0ea2e03724892f86c1df00dc700304085c3b0ab6cad7f310224ed2515935
Instruction Fuzzy Hash: E7A0113088000E8ACE002B30CA0800A3B22EB20BC030002A8A00ACA0A2CB22880BCA00

Uniqueness

Uniqueness Score: -1.00%

Function 009F1719 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,009F1A78,00A36D80,00000000,00A37D82,00000006), ref: 009F171D

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: efe1b646c26823b430a9d434e6c4bc3c360851220516ba4d6fb814efc8c1ab51
Instruction ID: c4f85e5b5376bac5fae5de4f3d6730fddd9e5d4a81d791a0c3ed697baf251cdd
Opcode Fuzzy Hash: efe1b646c26823b430a9d434e6c4bc3c360851220516ba4d6fb814efc8c1ab51
Instruction Fuzzy Hash: B3A011302002088BC3008F20AF0AA0FBAAAAFA0B00B00C02AA20A80030CB308822AA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009F2D90 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 233windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009E11C6: GetDlgItem.USER32(00000000,00003021), ref: 009E120A
Part of subcall function 009E11C6: SetWindowTextW.USER32(00000000,00A09584), ref: 009E1220

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 009F2E21
EndDialog.USER32(?,00000006), ref: 009F2E34
GetDlgItem.USER32(?,0000006C), ref: 009F2E50
SetFocus.USER32(00000000), ref: 009F2E57
SetDlgItemTextW.USER32(?,00000065,?), ref: 009F2E91
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 009F2EC8
FindFirstFileW.KERNEL32(?,?), ref: 009F2EDE

Part of subcall function 009F172B: FileTimeToSystemTime.KERNEL32(?,?), ref: 009F173F
Part of subcall function 009F172B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 009F1750
Part of subcall function 009F172B: SystemTimeToFileTime.KERNEL32(?,?), ref: 009F175E
Part of subcall function 009F172B: FileTimeToSystemTime.KERNEL32(?,?), ref: 009F176C
Part of subcall function 009F172B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 009F1787
Part of subcall function 009F172B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 009F17AE
Part of subcall function 009F172B: _swprintf.LIBCMT ref: 009F17D4

_swprintf.LIBCMT ref: 009F2F27

Part of subcall function 009E2AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E2AB5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 009F2F3A
FindClose.KERNEL32(00000000), ref: 009F2F41
_swprintf.LIBCMT ref: 009F2F90
SetDlgItemTextW.USER32(?,00000068,?), ref: 009F2FA3
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 009F2FC0
_swprintf.LIBCMT ref: 009F2FF3
SetDlgItemTextW.USER32(?,0000006B,?), ref: 009F3006
_swprintf.LIBCMT ref: 009F3050
SetDlgItemTextW.USER32(?,00000069,?), ref: 009F3063

Part of subcall function 009F1B15: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 009F1B3B
Part of subcall function 009F1B15: GetNumberFormatW.KERNEL32(00000400,00000000,?,00A1460C,?,?), ref: 009F1B8A

Strings

REPLACEFILEDLG, xrefs: 009F2DB7
%s %s, xrefs: 009F2F14, 009F2F20, 009F2F86, 009F2FE9, 009F3046

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$REPLACEFILEDLG
API String ID: 3464475507-439456425
Opcode ID: c03bdc36fbba39d33170cd0c113ac35e3a35f2408a39a51889192e853fb0f04e
Instruction ID: 25cdbe2edb362f0a428dc234ba46e15db27c033d559b88f1b7a20dae98eceeeb
Opcode Fuzzy Hash: c03bdc36fbba39d33170cd0c113ac35e3a35f2408a39a51889192e853fb0f04e
Instruction Fuzzy Hash: AE71A176648348BBE331EBA4CC49FFB77ACEBDA700F044819B749D2091D67699058763

Uniqueness

Uniqueness Score: -1.00%

Function 00A03CFE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A03E44

Strings

1#QNAN, xrefs: 00A0504A
1#SNAN, xrefs: 00A05043
1#IND, xrefs: 00A0503C
1#INF, xrefs: 00A05051

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8f0586c06e493a252b08dbff650fb257b5be1ad8837b882e865ba053f2926a60
Instruction ID: b0c7ebaac65eb5a990c5572cf4a3b496ff05a34056eff364d0ac61a89365349a
Opcode Fuzzy Hash: 8f0586c06e493a252b08dbff650fb257b5be1ad8837b882e865ba053f2926a60
Instruction Fuzzy Hash: A2C228B1E0462D8BDB25CF28AD407EAB7B5FB48305F1545EAD90DE7280E775AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 009F5FF2 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 009F5FFE
IsDebuggerPresent.KERNEL32 ref: 009F60CA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009F60EA
UnhandledExceptionFilter.KERNEL32(?), ref: 009F60F4

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 436d702f299c7db60cac6f902e88c9ad4443100075a08a9cc9c8b06f8a4bd42e
Instruction ID: 7e9046ab6afabca39df5d8edceeb3ee5538e1bd5f1751281fc30c2998c34c12d
Opcode Fuzzy Hash: 436d702f299c7db60cac6f902e88c9ad4443100075a08a9cc9c8b06f8a4bd42e
Instruction Fuzzy Hash: AE312775D0531D9BDF20DFA4D989BCDBBB8BF08304F1041AAE509AB251EB719A85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 009F50C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,009F500B,0000001C,009F5200,00000000,?,?,?,?,?,?,?,009F500B,00000004,00A49274,009F5290), ref: 009F50D7
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,009F500B,00000004,00A49274,009F5290), ref: 009F50F2

Strings

D, xrefs: 009F50E6

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: c126119fcb45186bce38f67e2baf7332396b363019115b5eddc4b2a91326a901
Instruction ID: ab03442276f31120c6adbab5af16157f2a483bf4b326aa64ecc98ec106eef2f9
Opcode Fuzzy Hash: c126119fcb45186bce38f67e2baf7332396b363019115b5eddc4b2a91326a901
Instruction Fuzzy Hash: 0B01D432B0050D6BDB14DE69DC05BEE7BADAFC4328F0DC220EE19D6144DA34E902C780

Uniqueness

Uniqueness Score: -1.00%

Function 009FA24F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 009FA347
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 009FA351
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 009FA35E

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5cd5d8ffe6d587aa23c4bfe834bb87b5d1b124f1d43b1a1fb1b3b89c9e65fa32
Instruction ID: a025a937911547b85b1445fac73e89b2ac3f2dbf345c53c9b1e42c433c87d632
Opcode Fuzzy Hash: 5cd5d8ffe6d587aa23c4bfe834bb87b5d1b124f1d43b1a1fb1b3b89c9e65fa32
Instruction Fuzzy Hash: D431C27490122DABCB21DF64D988BDDBBB8BF48310F5042EAE51CA6251E7709F818F45

Uniqueness

Uniqueness Score: -1.00%

Function 00A03850 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3dd93da610b919f8d165fbb2784f9b1b6ab208c1227b41d85b18d91c3e1033
Instruction ID: 692bd69b3ed5bd1a6e03448fb2bcc1b51c07f8d784a8b21543561190b97cf121
Opcode Fuzzy Hash: fd3dd93da610b919f8d165fbb2784f9b1b6ab208c1227b41d85b18d91c3e1033
Instruction Fuzzy Hash: 1B022D72E002199FDF14CFA9D8906ADFBF5FF88314F258269D919E7384D731AA458B80

Uniqueness

Uniqueness Score: -1.00%

Function 009F1B15 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 009F1B3B
GetNumberFormatW.KERNEL32(00000400,00000000,?,00A1460C,?,?), ref: 009F1B8A

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 9fc9348dd424bf93de5a77f6321af018d8d240ca51b0612ba6dc59c9bd65f251
Instruction ID: 4f83376ae049b694c2c3064d9fa70d7625d6638b8c85e513d537c70042d3521a
Opcode Fuzzy Hash: 9fc9348dd424bf93de5a77f6321af018d8d240ca51b0612ba6dc59c9bd65f251
Instruction Fuzzy Hash: A5015A79600248AAD710DBB5DC45FDF7BBCEF89714F008422BA04A7191E3709926CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009E1891 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(009E19FE,?,00000400), ref: 009E1891
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 009E18B2

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5e85da20aa442f6f221aaa93db137f25730f9414acba53ccfb16a1c67ba232c3
Instruction ID: 9bf7f4687e18f17ca839fbd9f19c46bef4b111b438b56bb0d1019710927a1fb5
Opcode Fuzzy Hash: 5e85da20aa442f6f221aaa93db137f25730f9414acba53ccfb16a1c67ba232c3
Instruction Fuzzy Hash: 09D0A930344300BBFA024EA24C06F6B3BA9BB80B41F14C404BB02E80E1C6708822E729

Uniqueness

Uniqueness Score: -1.00%

Function 00A07E04 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A07DFF,?,?,00000008,?,?,00A07A9F,00000000), ref: 00A08031

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6eefcb95eaca98967f9aaa8f1fbfa1fb2271f1a732c1c4b19d2fcc8b7813323e
Instruction ID: 26a4806b083a7ece2f18bc025db947059badd9c67a6d951913a2b237084bca62
Opcode Fuzzy Hash: 6eefcb95eaca98967f9aaa8f1fbfa1fb2271f1a732c1c4b19d2fcc8b7813323e
Instruction Fuzzy Hash: 8DB15A31610609CFD715CF28D48AB697BA0FF05364F298698E8DACF2E1C739E995CB44

Uniqueness

Uniqueness Score: -1.00%

Function 009EB79D Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

c, xrefs: 009EBAAE

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: cffda5e0f70f19dcdfc331a5b13f22da8624d39dc4c14f2f8b083c6e7fcabbeb
Instruction ID: 8439a1b8c80603776f638b6d67ee2868a45ea95d2683b39bfab7fd5a9be934b2
Opcode Fuzzy Hash: cffda5e0f70f19dcdfc331a5b13f22da8624d39dc4c14f2f8b083c6e7fcabbeb
Instruction Fuzzy Hash: E2E16671A083968FC726DF29D480A6BBBE5BBC8308F14492EE58A97341D730EC45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 009E2D8E Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 009E2DB3

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: cb7f5f8e04168e95b66346d55b7e94cb94c251e70573bc1f4d765915d987adf9
Instruction ID: d3a85f131cb01c964711540fb8ffc137de120c0b56bc3d652ff3e6043a68286d
Opcode Fuzzy Hash: cb7f5f8e04168e95b66346d55b7e94cb94c251e70573bc1f4d765915d987adf9
Instruction Fuzzy Hash: 48F05EB4A042088BCB18CF99FC426D977B9F78C354F108295DA16D3390C7749E82CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F6195 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000161B0,009F5C55), ref: 009F619A

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d1501f73caca4148ee2d94bae862db31e91ed0f384de3cab349105341dd401be
Instruction ID: 08011530f3bb7124e84c03ff78612e1c4a00ccea4d5daa06a02565211e261abe
Opcode Fuzzy Hash: d1501f73caca4148ee2d94bae862db31e91ed0f384de3cab349105341dd401be
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009E6B0D Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

, xrefs: 009E6B40

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
Instruction ID: 35666149962844f1d4e859f7fb338da4965767e5937e5653e8d8929e2e5ed95a
Opcode Fuzzy Hash: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
Instruction Fuzzy Hash: 04114F729087469EDB2A8F6A984576AF7F4EB10354F14CD2ED5A6E2280D375E940CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00A02440 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00A02440

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c2a8fc13da80a31fbf9cf5da71662c61275879e618d9c52c895d1affc7b9f948
Instruction ID: 72400fd6604cfe90e61fffdb250dde015c0cf4669ed5bfc524c434109c87e04e
Opcode Fuzzy Hash: c2a8fc13da80a31fbf9cf5da71662c61275879e618d9c52c895d1affc7b9f948
Instruction Fuzzy Hash: 5FA00274601205CF9780CFB55A4D20B36D9654579170541555405C5171DA254452D601

Uniqueness

Uniqueness Score: -1.00%

Function 009E5AFD Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27329bd2b38ea0fc70af58ccf55552f5284fd50f828b14c9829db2735e4e426b
Instruction ID: 73e921574ca30c28ebd83eb0fdd2a95afc238d5f7f292293cfc62939f6f90ca7
Opcode Fuzzy Hash: 27329bd2b38ea0fc70af58ccf55552f5284fd50f828b14c9829db2735e4e426b
Instruction Fuzzy Hash: 81525A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 009EC42B Relevance: .6, Instructions: 615COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791aa257b12385cba905f7673c9522a145dc905769f43d4aa0d16e23f948a154
Instruction ID: 8aae8b28aa03fa368b1fbf468426a8f359626bc41f44ea49bbf735939573adc4
Opcode Fuzzy Hash: 791aa257b12385cba905f7673c9522a145dc905769f43d4aa0d16e23f948a154
Instruction Fuzzy Hash: F522B0B15083958FC726DF6AD89053AB7A5FB84724F140A2DF8E1973A1E7309D478B82

Uniqueness

Uniqueness Score: -1.00%

Function 009E4F3C Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd884a3da726c720ab9b4c87bc5d8ecb0d25c3f3ee15a4aa915c92b28da12367
Instruction ID: 4b73227a8f026e778314fa2bc901b0af84aa52a9ffb5846c8de545eefa78937e
Opcode Fuzzy Hash: fd884a3da726c720ab9b4c87bc5d8ecb0d25c3f3ee15a4aa915c92b28da12367
Instruction Fuzzy Hash: 56D15E745182D08FC745CF59E8904BABBE4AF9E310B08899EF5E587352C331EA1ADB71

Uniqueness

Uniqueness Score: -1.00%

Function 009FB72C Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fea543a58d0dd27e2e864fb02117e59d378e4798fe078c1b3d5c0b9131bf93
Instruction ID: 9501527d17c01a1aff083fb0f64cb64475615e260c0ad03d9c0092ed0b6718a5
Opcode Fuzzy Hash: 03fea543a58d0dd27e2e864fb02117e59d378e4798fe078c1b3d5c0b9131bf93
Instruction Fuzzy Hash: EA61AB7160070CA7DE346D28C992BBF238C9FC1784F24481AEB46DFA91D759DD828396

Uniqueness

Uniqueness Score: -1.00%

Function 009FB4FD Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 6f5ccfb1b10211333512cc40fab2f3448f416c02369595292b31eae87ab62305
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 3F5186A160464C97DF389D6CC9A6BBF239D9F42318F284919F782CB292C70DDE028352

Uniqueness

Uniqueness Score: -1.00%

Function 009E54DD Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35da125e80c468dd5aab9f237431b15a2388d6d78beb144d45893835abd1a41
Instruction ID: f61fd32320fb18fa4d8a02381b37017b318185113742a8b8cc6f65e241771862
Opcode Fuzzy Hash: a35da125e80c468dd5aab9f237431b15a2388d6d78beb144d45893835abd1a41
Instruction Fuzzy Hash: CB51F0765087D54FC702CF2A81805AEBFE1AE9A718F4B089AE4D55B142D231DF4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 009F31F1 Relevance: 49.4, APIs: 24, Strings: 4, Instructions: 428windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F31F6

Part of subcall function 009F1E84: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 009F1F6B

_wcslen.LIBCMT ref: 009F34BC
_wcslen.LIBCMT ref: 009F34C5
SetWindowTextW.USER32(?,?), ref: 009F3523
_wcslen.LIBCMT ref: 009F3565
_wcsrchr.LIBVCRUNTIME ref: 009F36AD
GetDlgItem.USER32(?,00000066), ref: 009F36E8
SetWindowTextW.USER32(00000000,?), ref: 009F36F8
SendMessageW.USER32(00000000,00000143,00000000,00A38D8A), ref: 009F3706
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009F3731

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 009F35CC
ProgramFilesDir, xrefs: 009F35F7
<br>, xrefs: 009F3486
%s.%d.tmp, xrefs: 009F33F2

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: aa86186e92512b120cdb97580fa0661d1011189140a299bfc07b2cdcdf8b5582
Instruction ID: 64f9cdea92c978d9bea4f45397128cbf5dc47e7e253a288d166bb15da8f428ca
Opcode Fuzzy Hash: aa86186e92512b120cdb97580fa0661d1011189140a299bfc07b2cdcdf8b5582
Instruction Fuzzy Hash: 50E153B290015DAADB25DBA0DC85EFE73BCAF44350F5485A5FB09E3050EB789F858B60

Uniqueness

Uniqueness Score: -1.00%

Function 009E4878 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009E489E

Part of subcall function 009E2AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E2AB5

Part of subcall function 009E7B9F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,009E48BA,?,00000000,00000000,?,?,?,009E48BA,?,?,00000050), ref: 009E7BBC

SetDlgItemTextW.USER32(?,00A14154,?), ref: 009E491F
GetWindowRect.USER32(?,?), ref: 009E4959
GetClientRect.USER32(?,?), ref: 009E4965
GetWindowLongW.USER32(?,000000F0), ref: 009E4A05
GetWindowRect.USER32(?,?), ref: 009E4A32
SetWindowTextW.USER32(?,?), ref: 009E4A6B
GetSystemMetrics.USER32(00000008), ref: 009E4A73
GetWindow.USER32(?,00000005), ref: 009E4A7E
GetWindowRect.USER32(00000000,?), ref: 009E4AAB
GetWindow.USER32(00000000,00000002), ref: 009E4B1D

Strings

$%s:, xrefs: 009E4892
CAPTION, xrefs: 009E4A4D
d, xrefs: 009E4985

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_swprintf
String ID: $%s:$CAPTION$d
API String ID: 3208934588-2512411981
Opcode ID: 530028021234a10aec77c062d46e839d82124c8ab8ddfb8b44cd08aa8763a424
Instruction ID: 7384c1adb3e2d66f6b9dd2dee7fb27469a60b8805c15e5bbd8a51a4171846a95
Opcode Fuzzy Hash: 530028021234a10aec77c062d46e839d82124c8ab8ddfb8b44cd08aa8763a424
Instruction Fuzzy Hash: BB81D076248341AFD711DFA9CC89B6FBBE8EBC9714F04492DFA84A3251D631EC058B52

Uniqueness

Uniqueness Score: -1.00%

Function 00A02F32 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A02F76

Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02B2E
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02B40
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02B52
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02B64
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02B76
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02B88
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02B9A
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02BAC
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02BBE
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02BD0
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02BE2
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02BF4
Part of subcall function 00A02B11: _free.LIBCMT ref: 00A02C06

_free.LIBCMT ref: 00A02F6B

Part of subcall function 009FF8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?), ref: 009FF8D0
Part of subcall function 009FF8BA: GetLastError.KERNEL32(?,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?,?), ref: 009FF8E2

_free.LIBCMT ref: 00A02F8D
_free.LIBCMT ref: 00A02FA2
_free.LIBCMT ref: 00A02FAD
_free.LIBCMT ref: 00A02FCF
_free.LIBCMT ref: 00A02FE2
_free.LIBCMT ref: 00A02FF0
_free.LIBCMT ref: 00A02FFB
_free.LIBCMT ref: 00A03033
_free.LIBCMT ref: 00A0303A
_free.LIBCMT ref: 00A03057
_free.LIBCMT ref: 00A0306F

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ce8cc2248702d8b00c950205c95df99fc1d094bff593f2447ca4dd1db7063dec
Instruction ID: c55a679ab469053b21663f3a737aac31ded93c5366a878259e86b2783acb9145
Opcode Fuzzy Hash: ce8cc2248702d8b00c950205c95df99fc1d094bff593f2447ca4dd1db7063dec
Instruction Fuzzy Hash: E9314A326003099FEF25AB39E845B6AB3E9FF40390F104469EA4AD7291DB35AD90CB10

Uniqueness

Uniqueness Score: -1.00%

Function 009F415E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 009F4181
GetClassNameW.USER32(00000000,?,00000800), ref: 009F41AD

Part of subcall function 009E7D7D: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,009E3108,?,?,?,009E30B5,?,-00000002,?,00000000,?), ref: 009E7D93

GetWindowLongW.USER32(00000000,000000F0), ref: 009F41C9
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 009F41E0
GetObjectW.GDI32(00000000,00000018,?), ref: 009F41F4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 009F421D
DeleteObject.GDI32(00000000), ref: 009F4224
GetWindow.USER32(00000000,00000002), ref: 009F422D

Strings

STATIC, xrefs: 009F41B3

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: b150e873a9bfeead4fb9fd1af85a29a6382d12991b1aa496db795e382a98616d
Instruction ID: f502c4ee92181743a83dfab6d8c06746a2d0f8b4194ba3b24d7eb64b7c80ed24
Opcode Fuzzy Hash: b150e873a9bfeead4fb9fd1af85a29a6382d12991b1aa496db795e382a98616d
Instruction Fuzzy Hash: A9113D3A1443147BE330ABA09C09FFF765CEFE5711F000020FB51A50A6DB69894647F2

Uniqueness

Uniqueness Score: -1.00%

Function 009FF671 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009FF685

Part of subcall function 009FF8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?), ref: 009FF8D0
Part of subcall function 009FF8BA: GetLastError.KERNEL32(?,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?,?), ref: 009FF8E2

_free.LIBCMT ref: 009FF691
_free.LIBCMT ref: 009FF69C
_free.LIBCMT ref: 009FF6A7
_free.LIBCMT ref: 009FF6B2
_free.LIBCMT ref: 009FF6BD
_free.LIBCMT ref: 009FF6C8
_free.LIBCMT ref: 009FF6D3
_free.LIBCMT ref: 009FF6DE
_free.LIBCMT ref: 009FF6EC

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: faf5325f49e1a56dbf39cf1df27a64c484156c626c793c0a0c546f1a885f349d
Instruction ID: aa068ade09aafd433e20833a9348fbb81702bf97b3dc3d6fa16fda24064d07ce
Opcode Fuzzy Hash: faf5325f49e1a56dbf39cf1df27a64c484156c626c793c0a0c546f1a885f349d
Instruction Fuzzy Hash: C011897691010CBFDB01EF94C962EED3B66EF48390B5181A5FF098F222DA31DE519B80

Uniqueness

Uniqueness Score: -1.00%

Function 009F9221 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 009F9340
___TypeMatch.LIBVCRUNTIME ref: 009F944E
_UnwindNestedFrames.LIBCMT ref: 009F95A0
CallUnexpected.LIBVCRUNTIME ref: 009F95BB
_abort.LIBCMT ref: 009F95C0

Strings

csm, xrefs: 009F92CB
csm, xrefs: 009F9377
csm, xrefs: 009F925E

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 18402b7581cdd302e7bcc3584fe74cbd0dc6c0571132019e578e81e425cd7c50
Instruction ID: bc2017431508c3321e4fe2bd8e0a6e54827aec4f5761435549519d476c9e2340
Opcode Fuzzy Hash: 18402b7581cdd302e7bcc3584fe74cbd0dc6c0571132019e578e81e425cd7c50
Instruction Fuzzy Hash: 6DB1657180020DEFCF29EFA4C881ABEBBB9BF54314B14455AFA146B212D731DA52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009F01D1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F01F6
_wcslen.LIBCMT ref: 009F0296
GlobalAlloc.KERNEL32(00000040,?), ref: 009F02A5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 009F02C6

Strings

<html>, xrefs: 009F0215, 009F024E
</html>, xrefs: 009F0277
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 009F0220
utf-8"></head>, xrefs: 009F022B

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: a8a4f258c397d9dcfaa5987830d2e269d8bb8b83b1c9a594a65a58b35d7b483e
Instruction ID: 3cad8b7aa5921d3aeee6d6b9925bdc3bed6063a51780a0d568694d4aa8b1b6d6
Opcode Fuzzy Hash: a8a4f258c397d9dcfaa5987830d2e269d8bb8b83b1c9a594a65a58b35d7b483e
Instruction Fuzzy Hash: EF31373220534D7AD725AB60AC06FBF77ACEFD1310F14041AF765961D3EBA0990583A6

Uniqueness

Uniqueness Score: -1.00%

Function 009F2130 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E11C6: GetDlgItem.USER32(00000000,00003021), ref: 009E120A
Part of subcall function 009E11C6: SetWindowTextW.USER32(00000000,00A09584), ref: 009E1220

EndDialog.USER32(?,00000001), ref: 009F2180
SendMessageW.USER32(?,00000080,00000001,?), ref: 009F21A7
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 009F21C0
SetWindowTextW.USER32(?,?), ref: 009F21D1
GetDlgItem.USER32(?,00000065), ref: 009F21DA
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 009F21EE
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 009F2204

Strings

LICENSEDLG, xrefs: 009F2144

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: ad510d27635996dd997d75532d1a9652602b686cb5d027715e811b11e6409e88
Instruction ID: 358443f8c3275e612d2764553eb06525c684b282b8a8c63b3595525c6d057db7
Opcode Fuzzy Hash: ad510d27635996dd997d75532d1a9652602b686cb5d027715e811b11e6409e88
Instruction Fuzzy Hash: D021943A2882097BE2219FA5EC49FBB3A6DEBD7781F004414F715A10A1C7979C069776

Uniqueness

Uniqueness Score: -1.00%

Function 009F172B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 009F173F
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 009F1750
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F175E
FileTimeToSystemTime.KERNEL32(?,?), ref: 009F176C
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 009F1787
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 009F17AE
_swprintf.LIBCMT ref: 009F17D4

Strings

%s %s, xrefs: 009F17C9

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: fa4cb20c93817436d2b45bf51ebffa77a230aa45be2d904173d0cdfde5198071
Instruction ID: bfa83e3ce3847807410b90ed3a4d325a41f0eaf3ed27c9af0245c918f4647f7e
Opcode Fuzzy Hash: fa4cb20c93817436d2b45bf51ebffa77a230aa45be2d904173d0cdfde5198071
Instruction Fuzzy Hash: 12211AB250015CABDB11DFA1EC44EFF3BADFF09300F044426FA09D2112E625DA4ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F081E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F082A

Strings

>, xrefs: 009F086B
<br>, xrefs: 009F091E
<style>, xrefs: 009F0950
</style>, xrefs: 009F0972
</p>, xrefs: 009F0908

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 8df9176f259babb1d2553407d2052fc96fb7409e38144526471a1610542719c1
Instruction ID: 8315cdcddd3e29b9f80da1fe9a7eeabf3fb5ebe68493839e47c8c43e21a3cfbb
Opcode Fuzzy Hash: 8df9176f259babb1d2553407d2052fc96fb7409e38144526471a1610542719c1
Instruction Fuzzy Hash: A251E75674532F95EB305A549C1177A63ECEFE0790F68442AEBC09B1C3FBE68C8183A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A05A9D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00A06212,00000000,00000000,00000000,00000000,00000000,009FB802), ref: 00A05ADF
__fassign.LIBCMT ref: 00A05B5A
__fassign.LIBCMT ref: 00A05B75
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00A05B9B
WriteFile.KERNEL32(?,00000000,00000000,00A06212,00000000,?,?,?,?,?,?,?,?,?,00A06212,00000000), ref: 00A05BBA
WriteFile.KERNEL32(?,00000000,00000001,00A06212,00000000,?,?,?,?,?,?,?,?,?,00A06212,00000000), ref: 00A05BF3

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 62663136e372cb6fd2d014cee2ab7b516c4688a3ac1622fc680833cce43fccc0
Instruction ID: d1c2cdcbdc46098e0b7f8feb105d71be235a2adf1217f146670c811ce8eff61b
Opcode Fuzzy Hash: 62663136e372cb6fd2d014cee2ab7b516c4688a3ac1622fc680833cce43fccc0
Instruction Fuzzy Hash: 0A517F75E0060D9FDB10CFA8E895AEFBBF8EF49310F14411AE556E7291E730A952CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009F8B60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009F8B97
___except_validate_context_record.LIBVCRUNTIME ref: 009F8B9F
_ValidateLocalCookies.LIBCMT ref: 009F8C28
__IsNonwritableInCurrentImage.LIBCMT ref: 009F8C53
_ValidateLocalCookies.LIBCMT ref: 009F8CA8

Strings

csm, xrefs: 009F8C3D

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: aa57bbe5902b35cc253a4897ff3493dc52896b8f9e88438655bf82fad2088d66
Instruction ID: b81528ebdb26c7cdb22dfe7db1bea454406b3cc33d9b700dbbffdbc127542788
Opcode Fuzzy Hash: aa57bbe5902b35cc253a4897ff3493dc52896b8f9e88438655bf82fad2088d66
Instruction Fuzzy Hash: 9241C434A1121CABCF10DF68C885BBF7BB5BF45328F148155EA189B392DB319902CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F09F5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 009F0A0E
GetWindowRect.USER32(?,?), ref: 009F0A64
ShowWindow.USER32(?,00000005,00000000), ref: 009F0B01
SetWindowTextW.USER32(?,00000000), ref: 009F0B09
ShowWindow.USER32(00000000,00000005), ref: 009F0B1F

Strings

RarHtmlClassName, xrefs: 009F0AC5

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 933799f53d7f1b45db5960fce085fb19242e9d8de10fe95c4ae68ad6d2770a04
Instruction ID: 986b1a8e63982e9b0d1af685ee4c3b0a53afbfa4edd238c74e7457d1d3eae361
Opcode Fuzzy Hash: 933799f53d7f1b45db5960fce085fb19242e9d8de10fe95c4ae68ad6d2770a04
Instruction Fuzzy Hash: 2241D039404308AFCB219FA49C4CB6B7BADEBC8705F004658FA49A9063D735D840CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009F0475 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F047E
_wcslen.LIBCMT ref: 009F04B3

Strings

, xrefs: 009F04D0
<br>, xrefs: 009F04FF
 , xrefs: 009F0541
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 009F04A7

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 737c6c1d04416a4e2aef94db2dc1f924ddb55f6af9f1b5785253e171e16308f7
Instruction ID: 1f8ac037a7f7db0fb4e2145c2c4a802aab4a617a295d85669169417c7a0e25f4
Opcode Fuzzy Hash: 737c6c1d04416a4e2aef94db2dc1f924ddb55f6af9f1b5785253e171e16308f7
Instruction Fuzzy Hash: 04315E61A4430DA6E634AB54AC42B7673ECEBD0320F10441EFB99971C2FAE4AD4487A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A02CB4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A02C78: _free.LIBCMT ref: 00A02CA1

_free.LIBCMT ref: 00A02D02

Part of subcall function 009FF8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?), ref: 009FF8D0
Part of subcall function 009FF8BA: GetLastError.KERNEL32(?,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?,?), ref: 009FF8E2

_free.LIBCMT ref: 00A02D0D
_free.LIBCMT ref: 00A02D18
_free.LIBCMT ref: 00A02D6C
_free.LIBCMT ref: 00A02D77
_free.LIBCMT ref: 00A02D82
_free.LIBCMT ref: 00A02D8D

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: 471638b9b7ba8b724fd365262ca87646db3ecfa09d4119308ce7db4896a86bdd
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: 60118172940B0CBAF520B7B0DD4FFDF77AD6F40700F400D24B79AA6092DA24B5059790

Uniqueness

Uniqueness Score: -1.00%

Function 009F5011 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,009F508C,009F4FEF,009F5290), ref: 009F5028
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 009F503E
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 009F5053

Strings

ReleaseSRWLockExclusive, xrefs: 009F5048
KERNEL32.DLL, xrefs: 009F5023
AcquireSRWLockExclusive, xrefs: 009F5038

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: fbc339b331166a4dd58c588b6dd7dc4889ed70c550f773923bc203f86f7094b6
Instruction ID: e2c5ffd64fb2d8dd7cec605d84ba05d1d86309583e89f490a5aa992a70efb3c6
Opcode Fuzzy Hash: fbc339b331166a4dd58c588b6dd7dc4889ed70c550f773923bc203f86f7094b6
Instruction Fuzzy Hash: DEF0FF35642E2FAB9B208EB06CC49BB238CAA0639630E04399B09EA550DF518C52D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 009F8EEA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009F8EE1,009F8E6C,009F61F4), ref: 009F8EF8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009F8F06
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009F8F1F
SetLastError.KERNEL32(00000000,009F8EE1,009F8E6C,009F61F4), ref: 009F8F71

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: cd80af10479b48e76a2fbd4a1331d0ba404b40488c1864f1f066cbcd9ea629d9
Instruction ID: f22ec730af29d4445ff9f6bb79a1ebd0ad0eb1f681af2027b13e6cacdc20ad7a
Opcode Fuzzy Hash: cd80af10479b48e76a2fbd4a1331d0ba404b40488c1864f1f066cbcd9ea629d9
Instruction Fuzzy Hash: 100124B220D71A5EA7506EB87C8567B3649EB82778B30432DF334800F1EF510C02E384

Uniqueness

Uniqueness Score: -1.00%

Function 009FF765 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009FABD7,?,?,?,009FA652,00000050), ref: 009FF769
_free.LIBCMT ref: 009FF79C
_free.LIBCMT ref: 009FF7C4
SetLastError.KERNEL32(00000000), ref: 009FF7D1
SetLastError.KERNEL32(00000000), ref: 009FF7DD
_abort.LIBCMT ref: 009FF7E3

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7a2235086a48e24d62024a396c223e261fa1b9aaaf2a8f315d4ad122bc92b34d
Instruction ID: f8599c4c54af99731c870f423d4237ef36a6d3274553a10d5249b58b07391b3f
Opcode Fuzzy Hash: 7a2235086a48e24d62024a396c223e261fa1b9aaaf2a8f315d4ad122bc92b34d
Instruction Fuzzy Hash: 6BF0C83624460C6BC61177786DAABBF266A9FD2764F310134FB16D26E3EF248C038320

Uniqueness

Uniqueness Score: -1.00%

Function 009E35E5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E3609
GetCurrentDirectoryW.KERNEL32(000007FF,?,000000FF,000000FF,?,?,?,?,009E2763,000000FF,?,00000800,?,?,009E1D8F,?), ref: 009E36A7
_wcslen.LIBCMT ref: 009E371D

Strings

\\?\, xrefs: 009E3634, 009E367B, 009E36D9, 009E3730
UNC, xrefs: 009E3689

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 7f0a12145c7f0bd9ce2e38fd6a6eb1e07711e131eaacbe1229107058faaf4345
Instruction ID: daf8539efca7a7cbdd0056e6b08e80502968e7a5611ca35742d4a9fadcd95524
Opcode Fuzzy Hash: 7f0a12145c7f0bd9ce2e38fd6a6eb1e07711e131eaacbe1229107058faaf4345
Instruction Fuzzy Hash: A041C1F1844299B6CB23AF26CC4AAEA776DBF50790B01C425F55497142E772DF40C660

Uniqueness

Uniqueness Score: -1.00%

Function 009F224D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 009F225D
GetObjectW.GDI32(00000000,00000018,?), ref: 009F2282
DeleteObject.GDI32(00000000), ref: 009F22B4
DeleteObject.GDI32(00000000), ref: 009F22D7

Part of subcall function 009F11D2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,009F22AD,00000066), ref: 009F11E5
Part of subcall function 009F11D2: SizeofResource.KERNEL32(00000000,?,?,?,009F22AD,00000066), ref: 009F11FC
Part of subcall function 009F11D2: LoadResource.KERNEL32(00000000,?,?,?,009F22AD,00000066), ref: 009F1213
Part of subcall function 009F11D2: LockResource.KERNEL32(00000000,?,?,?,009F22AD,00000066), ref: 009F1222
Part of subcall function 009F11D2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,009F22AD,00000066), ref: 009F123D
Part of subcall function 009F11D2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,009F22AD,00000066), ref: 009F124E
Part of subcall function 009F11D2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 009F12B7
Part of subcall function 009F11D2: GlobalUnlock.KERNEL32(00000000), ref: 009F12D6
Part of subcall function 009F11D2: GlobalFree.KERNEL32(00000000), ref: 009F12DD

Strings

], xrefs: 009F228A

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 25a65b214e6256cb81399cc951c838217362bb504de27cb224cf2d2237358bbf
Instruction ID: 94ceac15f299565b1607df9a6896d2ab9e52c1dbf0c207558d28e49f068b79af
Opcode Fuzzy Hash: 25a65b214e6256cb81399cc951c838217362bb504de27cb224cf2d2237358bbf
Instruction Fuzzy Hash: 5301D23A540609A7D71567A48C0ABBF7A7EABC1B51F180014FF20B7292DF758C0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 009F40C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 009E11C6: GetDlgItem.USER32(00000000,00003021), ref: 009E120A
Part of subcall function 009E11C6: SetWindowTextW.USER32(00000000,00A09584), ref: 009E1220

EndDialog.USER32(?,00000001), ref: 009F410B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 009F4121
SetDlgItemTextW.USER32(?,00000066,?), ref: 009F4135
SetDlgItemTextW.USER32(?,00000068), ref: 009F4144

Strings

RENAMEDLG, xrefs: 009F40D8

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: dd04c278a67d0bb99fff66591eb24d7aa9065e2fd45dd3a7379e6669594a344d
Instruction ID: e7aabea42360a59fe6135669811509fc12dc4a18220b063e7e471a13200b29d3
Opcode Fuzzy Hash: dd04c278a67d0bb99fff66591eb24d7aa9065e2fd45dd3a7379e6669594a344d
Instruction Fuzzy Hash: 0B01B93678C2187AE2219FA85C49F7B775CFBB7742F200905F301920D1C3A659858765

Uniqueness

Uniqueness Score: -1.00%

Function 009FE447 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009FE3F8,00000003,?,009FE398,00000003,00A11D50,0000000C,009FE4EF,00000003,00000002), ref: 009FE467
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009FE47A
FreeLibrary.KERNEL32(00000000,?,?,?,009FE3F8,00000003,?,009FE398,00000003,00A11D50,0000000C,009FE4EF,00000003,00000002,00000000), ref: 009FE49D

Strings

CorExitProcess, xrefs: 009FE472
mscoree.dll, xrefs: 009FE460

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5d3281d7f52f09170398c534cf1a43b05aaf63450889dcc2048596843e8d1846
Instruction ID: 8b92455d5e124fd3704d114b2b02ddd63d113befc8c39c08906508a0859cc72f
Opcode Fuzzy Hash: 5d3281d7f52f09170398c534cf1a43b05aaf63450889dcc2048596843e8d1846
Instruction Fuzzy Hash: 21F04431A0021CBBCB119FA5EC49BEEBFB8EB08721F004168F905A2161DB715A46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E58FC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009E6B9C: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009E6BB7
Part of subcall function 009E6B9C: LoadLibraryW.KERNELBASE(?,?,009E590F,Crypt32.dll,00000000,009E5989,?,?,009E596C,00000000,00000000,?,00000000), ref: 009E6BD9

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009E591B
GetProcAddress.KERNEL32(00A1E028,CryptUnprotectMemory), ref: 009E592B

Strings

Crypt32.dll, xrefs: 009E5905
CryptUnprotectMemory, xrefs: 009E5921
CryptProtectMemory, xrefs: 009E5915

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 31d5b7b75c649c0c22de94c912aa97cd9282d726a5c8dce8e5f1621fc032bcd5
Instruction ID: 473efc57a9a611f30a7aaeef6845192cc6e4cc8ded28997a5aa0884f3667848e
Opcode Fuzzy Hash: 31d5b7b75c649c0c22de94c912aa97cd9282d726a5c8dce8e5f1621fc032bcd5
Instruction Fuzzy Hash: 20E0DF31811B44EED7218F75A88C7C3BAD46F24724B008C1CE0CAC2183C6B5D8818B00

Uniqueness

Uniqueness Score: -1.00%

Function 009F8FCA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 009F9091
___AdjustPointer.LIBCMT ref: 009F90B4
_abort.LIBCMT ref: 009F9102
___AdjustPointer.LIBCMT ref: 009F9150

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 61a444e45aeb7255b60b97b2fd0104783767f1be20b23b6bc4a09d7ed7ee9e86
Instruction ID: 2add8bdef28380bbc94eda69cf595c8c4f4a4d9c155cd97098026db30c150b13
Opcode Fuzzy Hash: 61a444e45aeb7255b60b97b2fd0104783767f1be20b23b6bc4a09d7ed7ee9e86
Instruction Fuzzy Hash: 6951D67260820EAFDB298F14D845BBA77B9FF94310F18452DEB45972A1DB32ED41C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A02340 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A02349
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A0236C

Part of subcall function 009FF9E5: RtlAllocateHeap.NTDLL(00000000,?,?,?,009FA7E9,?,0000015D,?,?,?,?,009FBCC5,000000FF,00000000,?,?), ref: 009FFA17

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A02392
_free.LIBCMT ref: 00A023A5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A023B4

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d2944513fe77ef99c8ee4fec499c3d7ae5729de0ca7365785f7751c605c00ab5
Instruction ID: 2361f7bd7872830527bae55c53de47e2b2d0f155a5c881714c3253de01c9820c
Opcode Fuzzy Hash: d2944513fe77ef99c8ee4fec499c3d7ae5729de0ca7365785f7751c605c00ab5
Instruction Fuzzy Hash: D401887260171D7FA3215BA67D4CE7B7A6DDFC2B603150179FE04CB281DA688C029271

Uniqueness

Uniqueness Score: -1.00%

Function 009FF7E9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,009FF9D7,00A01598,?,009FF793,00000001,00000364,?,009FABD7,?,?,?,009FA652,00000050), ref: 009FF7EE
_free.LIBCMT ref: 009FF823
_free.LIBCMT ref: 009FF84A
SetLastError.KERNEL32(00000000), ref: 009FF857
SetLastError.KERNEL32(00000000), ref: 009FF860

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 55de5c5211a36f5402d18204491464a59168e100e629d27ebf2dc28414db1091
Instruction ID: cbb77c3b72f76dfe7f19a76ffcab385600f1e7bfd5a24fd8e832df376fc23d10
Opcode Fuzzy Hash: 55de5c5211a36f5402d18204491464a59168e100e629d27ebf2dc28414db1091
Instruction Fuzzy Hash: E601F93620460C67D611A7746D65A7B266EDFD63F4B250538F717E21A3EE248C038360

Uniqueness

Uniqueness Score: -1.00%

Function 00A02C0F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A02C27

Part of subcall function 009FF8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?), ref: 009FF8D0
Part of subcall function 009FF8BA: GetLastError.KERNEL32(?,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?,?), ref: 009FF8E2

_free.LIBCMT ref: 00A02C39
_free.LIBCMT ref: 00A02C4B
_free.LIBCMT ref: 00A02C5D
_free.LIBCMT ref: 00A02C6F

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bb02264cf14ea6e8624ec900d68c73a60d3393836412cc614b01cc9a131d0c1d
Instruction ID: d468320a94d45e024014549281abf33daf1b8b36e8bf51b90cd9bf18a98ba43b
Opcode Fuzzy Hash: bb02264cf14ea6e8624ec900d68c73a60d3393836412cc614b01cc9a131d0c1d
Instruction Fuzzy Hash: 4EF06873500708ABE920DB68F9C9E6B73D9BF447503644865F94DD7540CB34FC814750

Uniqueness

Uniqueness Score: -1.00%

Function 009E7D9F Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E7DA7
_wcslen.LIBCMT ref: 009E7DB8
_wcslen.LIBCMT ref: 009E7DC8
_wcslen.LIBCMT ref: 009E7DD6
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,009E2F91,?,?,00000000,?,?,?), ref: 009E7DF1

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 6bcc026b58af79a092b1cebd7ee1b650d84f7879c6a998994f78d369156386bb
Instruction ID: b8395e9e736bbde6a6635b30cbddf8faf0536979b9eebd44ad617768574c94b9
Opcode Fuzzy Hash: 6bcc026b58af79a092b1cebd7ee1b650d84f7879c6a998994f78d369156386bb
Instruction Fuzzy Hash: A7F09032108058BBCF125F91EC49EDE7F26EF80770B20C401F6395A0A1CB329991DB95

Uniqueness

Uniqueness Score: -1.00%

Function 009FEEE0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009FEEFE

Part of subcall function 009FF8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?), ref: 009FF8D0
Part of subcall function 009FF8BA: GetLastError.KERNEL32(?,?,00A02CA6,?,00000000,?,00000000,?,00A02CCD,?,00000007,?,?,00A030CA,?,?), ref: 009FF8E2

_free.LIBCMT ref: 009FEF10
_free.LIBCMT ref: 009FEF23
_free.LIBCMT ref: 009FEF34
_free.LIBCMT ref: 009FEF45

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 000523123e2993a80ffca1f084285e8282b999a19a83fa0974923e3ba5f243ec
Instruction ID: 80532966c6275fa9f438d1ff0dc9447fd097e73f4781ace6c691ffb0364368f0
Opcode Fuzzy Hash: 000523123e2993a80ffca1f084285e8282b999a19a83fa0974923e3ba5f243ec
Instruction Fuzzy Hash: 86F030BE8001288BEB12EFA8BC5155737A5FB9A7213050165FA0692271CB3608638BC0

Uniqueness

Uniqueness Score: -1.00%

Function 009E73D1 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009E758F
_swprintf.LIBCMT ref: 009E763E

Strings

%ls, xrefs: 009E7414, 009E742A
%s: %s, xrefs: 009E759E

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 91332470e6f0e775ac7ea725c5036e2039e81b18af1dccf8f1e83064be9e7cb5
Instruction ID: f1d65b1564a14680fe569836a70218c1021a91cb190093acf4567460042f9a23
Opcode Fuzzy Hash: 91332470e6f0e775ac7ea725c5036e2039e81b18af1dccf8f1e83064be9e7cb5
Instruction Fuzzy Hash: 1C51AB3128C785FAE72326D78C02F3AF95AAB14F04F208D06B396644F6E5A59D50B727

Uniqueness

Uniqueness Score: -1.00%

Function 009FE542 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\64drop.exe,00000104), ref: 009FE582
_free.LIBCMT ref: 009FE64D
_free.LIBCMT ref: 009FE657

Strings

C:\Users\user\Desktop\64drop.exe, xrefs: 009FE579, 009FE580, 009FE5AF, 009FE5E7

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\64drop.exe
API String ID: 2506810119-1206620436
Opcode ID: e665b000a4c4105cffc8a45cf5b94176785da77b6b59de434051672069f4571a
Instruction ID: ed06796678a44ae35ad008b405223ba0bb4b4346ee19f7c82c73c61db198da63
Opcode Fuzzy Hash: e665b000a4c4105cffc8a45cf5b94176785da77b6b59de434051672069f4571a
Instruction Fuzzy Hash: B3316DB5A0421CAFDB21DF999C85AAFBBECEF95314B104066FA04D7221D6B18E41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F95C6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 009F95EB
_abort.LIBCMT ref: 009F96F6

Strings

MOC, xrefs: 009F95FD
RCC, xrefs: 009F9605

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: c589df9293f29f9619797fe3fb40deec1284a47f3645532cc872d665f07d6225
Instruction ID: 64d60ba6a6c5922c4a5d5730c784fa6608a451e52826c29babc9e588990eff81
Opcode Fuzzy Hash: c589df9293f29f9619797fe3fb40deec1284a47f3645532cc872d665f07d6225
Instruction Fuzzy Hash: 0B41267290020DAFCF16DF98CC81BAEBBB9BF48304F158059FA18A7221D7359961DF54

Uniqueness

Uniqueness Score: -1.00%

Function 009E3E7C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 009E3EE4
_strncpy.LIBCMT ref: 009E3F2A

Part of subcall function 009E7B9F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,009E48BA,?,00000000,00000000,?,?,?,009E48BA,?,?,00000050), ref: 009E7BBC

Strings

$%s, xrefs: 009E3ED9
@%s, xrefs: 009E3ECE

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: e3cd0fd0f2f00ced2d9f12dacd5111dcd0390b7a12af112c80225df74069c2cc
Instruction ID: 199641780b7d22139e1ffe0b907ed1d96a839c870271b3f1e73c8be4c27e88f2
Opcode Fuzzy Hash: e3cd0fd0f2f00ced2d9f12dacd5111dcd0390b7a12af112c80225df74069c2cc
Instruction Fuzzy Hash: 0221937194028CBFEB22DEA6CD4AFEE3BACAF45300F044826F91097192E775DA448B51

Uniqueness

Uniqueness Score: -1.00%

Function 009F1DE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 009E11C6: GetDlgItem.USER32(00000000,00003021), ref: 009E120A
Part of subcall function 009E11C6: SetWindowTextW.USER32(00000000,00A09584), ref: 009E1220

EndDialog.USER32(?,00000001), ref: 009F1E2E
GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 009F1E46
SetDlgItemTextW.USER32(?,00000067,?), ref: 009F1E74

Strings

GETPASSWORD1, xrefs: 009F1DF9

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 220e97ec57d3916d0d5ceaaf56f868f3beddda95a2b60f7fd1b589e9b9cd6886
Instruction ID: 745d96915018de873090d06147dcd645013fb8569bb4511174af88d32bd47c1b
Opcode Fuzzy Hash: 220e97ec57d3916d0d5ceaaf56f868f3beddda95a2b60f7fd1b589e9b9cd6886
Instruction Fuzzy Hash: 5011C076A4021CFBEB219E789D49FBB3B7CEB9A714F040520FB15B60C0C2799D0297A1

Uniqueness

Uniqueness Score: -1.00%

Function 009F4739 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 009F4778, 009F47AC
RENAMEDLG, xrefs: 009F478D

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: e0321bd762b47b6bd7d341c08ecab8235359918c8054e397f8d72b2c7d0317e2
Instruction ID: 36d0b8b882281b5e69183a408ccf9bfa7bfcb4274d91ab04ed8acc1930edbeba
Opcode Fuzzy Hash: e0321bd762b47b6bd7d341c08ecab8235359918c8054e397f8d72b2c7d0317e2
Instruction Fuzzy Hash: 10019E75A0024DBFDB11EFA8EC44BB73BA8A796790B004436FB0582270D3329C92DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009E8EA8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 009E8EAD

Part of subcall function 009F55CD: std::invalid_argument::invalid_argument.LIBCONCRT ref: 009F55D9
Part of subcall function 009F55CD: ___delayLoadHelper2@8.DELAYIMP ref: 009F55FF

std::_Xinvalid_argument.LIBCPMT ref: 009E8EB8

Strings

vector too long, xrefs: 009E8EB3
string too long, xrefs: 009E8EA8

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: b7d725740026c16f932f4afa337be5faca2b0075f19a9efb15eecc9c4e351e6b
Instruction ID: e2f1ce78f5e022aa4399ce67375f9084c3887e0b3c47fc34a6c2d30daa662172
Opcode Fuzzy Hash: b7d725740026c16f932f4afa337be5faca2b0075f19a9efb15eecc9c4e351e6b
Instruction Fuzzy Hash: C5F0A031200388ABC7256E9AEC45A4BB7EEEBC1B50B50091AFA4597542DBF1AD0087B5

Uniqueness

Uniqueness Score: -1.00%

Function 009FFDC1 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009FFE4C
__alldvrm.LIBCMT ref: 00A0004D
__alldvrm.LIBCMT ref: 00A0006F

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: d44050169a961246a75403e81249a310e18b1805ed77af15c25c3f8bfb7b45ee
Instruction ID: ca5b9394fb507af3b0defc4991724d30332fcc73ef77713d95eda07dd80ebe7b
Opcode Fuzzy Hash: d44050169a961246a75403e81249a310e18b1805ed77af15c25c3f8bfb7b45ee
Instruction Fuzzy Hash: 05A1297290078E9FE721CF18D8A1BBEBBE5EF56310F14457DE6859B282C7788941C750

Uniqueness

Uniqueness Score: -1.00%

Function 009E28B2 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 009E2958
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800), ref: 009E299C
SetFileTime.KERNEL32(?,?,?,00000000), ref: 009E2A1D
CloseHandle.KERNEL32(?), ref: 009E2A24

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 57140aeaaf9a9070de8e3643b416ec2a113d64ba7c07f697d562e88ccad4e3d7
Instruction ID: 165aeacbe9ce09e655f25fea8f71dd6429fa9fd9e8a4b491ed792cb3847b83f0
Opcode Fuzzy Hash: 57140aeaaf9a9070de8e3643b416ec2a113d64ba7c07f697d562e88ccad4e3d7
Instruction Fuzzy Hash: 6741C9302483C4AAE722DF66CD42BAEBBECAB85300F140919F5D1931D2C664DE48DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00A02D98 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,F4E85006,009FAD29,00000000,00000000,009FBD5E,?,009FBD5E,?,00000001,009FAD29,F4E85006,00000001,009FBD5E,009FBD5E), ref: 00A02DE5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A02E6E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A02E80
__freea.LIBCMT ref: 00A02E89

Part of subcall function 009FF9E5: RtlAllocateHeap.NTDLL(00000000,?,?,?,009FA7E9,?,0000015D,?,?,?,?,009FBCC5,000000FF,00000000,?,?), ref: 009FFA17

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f7c2ed60d512770cb866be4d3ed37fb4325f63c2142e7a04fbeab5a684ec5eb2
Instruction ID: fd9e0937fab4306fc58e1f6880b086e9c077af46e5d63a34d91cf92373085aa6
Opcode Fuzzy Hash: f7c2ed60d512770cb866be4d3ed37fb4325f63c2142e7a04fbeab5a684ec5eb2
Instruction Fuzzy Hash: BF31BE72A0021EABDF25DF64EC49EAF7BA5EB44710B144229FC08D7190EB35CD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009F1173 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009F1176
GetDeviceCaps.GDI32(00000000,00000058), ref: 009F1185
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009F1193
ReleaseDC.USER32(00000000,00000000), ref: 009F11A1

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d47ea8a4c6fb2d0f5675d05753751b3f4957fdcafe7ca62258a02f0d8033ce90
Instruction ID: 2b4944f764ec15517af1730ac0904b14bef1c22819cc39c25dc7c11ad65c9cea
Opcode Fuzzy Hash: d47ea8a4c6fb2d0f5675d05753751b3f4957fdcafe7ca62258a02f0d8033ce90
Instruction Fuzzy Hash: 02E0E6399C2720ABD3709BE47C0DB973E64ABA7752F000161FB0595190C76645468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 009F131C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 009F11A9: GetDC.USER32(00000000), ref: 009F11AD
Part of subcall function 009F11A9: GetDeviceCaps.GDI32(00000000,0000000C), ref: 009F11B8
Part of subcall function 009F11A9: ReleaseDC.USER32(00000000,00000000), ref: 009F11C3

GetObjectW.GDI32(?,00000018,?), ref: 009F134C

Part of subcall function 009F15DE: GetDC.USER32(00000000), ref: 009F15E7
Part of subcall function 009F15DE: GetObjectW.GDI32(?,00000018,?), ref: 009F1616
Part of subcall function 009F15DE: ReleaseDC.USER32(00000000,?), ref: 009F16AE

Strings

(, xrefs: 009F14BF

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: d9b742e0d9ab9a2fbe2a4194027b35e49eb1d14cf4800cbbf2961eb1a65bec28
Instruction ID: 7104a7f9f4d433be1d157f9fda8adf1e2854817868938947febdbfca0044b9d5
Opcode Fuzzy Hash: d9b742e0d9ab9a2fbe2a4194027b35e49eb1d14cf4800cbbf2961eb1a65bec28
Instruction Fuzzy Hash: AB91EF75608348AFC710DF65D844A6BBBF8FBC9710F10485EF59AD3260DB71A806CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009F1FFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F2053
_wcslen.LIBCMT ref: 009F206E

Strings

}, xrefs: 009F2046

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: d32a3d81f548f110ed1a4706fb06d8697be8c88834429285cf1284f545ffd86a
Instruction ID: b0c615defef74f234e2906c7c58cb3340a2be811b3285944be0cd764742d161f
Opcode Fuzzy Hash: d32a3d81f548f110ed1a4706fb06d8697be8c88834429285cf1284f545ffd86a
Instruction Fuzzy Hash: CF219D63A0431E5AD721EB64D845BBBB3ECDF81760F58042AF784C2181EB65ED48C3A7

Uniqueness

Uniqueness Score: -1.00%

Function 009E5971 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009E58FC: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009E591B
Part of subcall function 009E58FC: GetProcAddress.KERNEL32(00A1E028,CryptUnprotectMemory), ref: 009E592B

GetCurrentProcessId.KERNEL32(?,?,?,009E596C), ref: 009E59FF

Strings

CryptUnprotectMemory failed, xrefs: 009E59F7
CryptProtectMemory failed, xrefs: 009E59B6

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 2f79cfc05fa7572a64805b72ff87bf70f86159e2b8bf80918faecadb20f41e72
Instruction ID: fe3320d20787edc298567374f08bb66d6ffd873a98df58d35f834127d5e44907
Opcode Fuzzy Hash: 2f79cfc05fa7572a64805b72ff87bf70f86159e2b8bf80918faecadb20f41e72
Instruction Fuzzy Hash: 42113B32601A68BBDB13DF22ED416AE376DFF48764B018115FC415B293D7749E02C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 009E3502 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009E3529

Part of subcall function 009E2AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E2AB5

Strings

%c:\, xrefs: 009E351F

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 9af1e53d800125ca7ebc4c4b6369c111c2ea119d9f1081a39ad73a9c39df46a3
Instruction ID: 1c510221ca28e6dfab3a2a7828504853bcea96d2cc7433f44100b5ca79d4916e
Opcode Fuzzy Hash: 9af1e53d800125ca7ebc4c4b6369c111c2ea119d9f1081a39ad73a9c39df46a3
Instruction Fuzzy Hash: 5101F5A3504351B9DA32673ADC4AE6BB7ACEE95760B50C91EF558C7182FE20DE40C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 009F47FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009F4836
DialogBoxParamW.USER32(GETPASSWORD1,?,009F1DE0,?), ref: 009F4871

Strings

GETPASSWORD1, xrefs: 009F4866

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: 8382badb953d121fcb7f472a7669d472a1f4c135fd1ff17f6b1e42425302659f
Instruction ID: 49a691aecd7aa38ef734983e046715afe096a14c27702a79cf4a10a9bb405d9a
Opcode Fuzzy Hash: 8382badb953d121fcb7f472a7669d472a1f4c135fd1ff17f6b1e42425302659f
Instruction Fuzzy Hash: 181129342442D8BECB129FA4DC06FFB3BAC6B853C1F008035B645A3191C6B45C84CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009E11C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 009E4878: _swprintf.LIBCMT ref: 009E489E
Part of subcall function 009E4878: SetDlgItemTextW.USER32(?,00A14154,?), ref: 009E491F
Part of subcall function 009E4878: GetWindowRect.USER32(?,?), ref: 009E4959
Part of subcall function 009E4878: GetClientRect.USER32(?,?), ref: 009E4965

GetDlgItem.USER32(00000000,00003021), ref: 009E120A
SetWindowTextW.USER32(00000000,00A09584), ref: 009E1220

Strings

0, xrefs: 009E11C9

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: ItemRectTextWindow$Client_swprintf
String ID: 0
API String ID: 758586884-4108050209
Opcode ID: 623d688ae7fec5ad9f864612568f06f1aa65b2a32d11a4b3d7743797a02dcf3f
Instruction ID: afe64069a9fe58cb20486cac713a5e7d417c2f84f598f9b35159ae845da33720
Opcode Fuzzy Hash: 623d688ae7fec5ad9f864612568f06f1aa65b2a32d11a4b3d7743797a02dcf3f
Instruction Fuzzy Hash: 30F08C744402CAABDF074FA69C0DBF93BA8AB65365F008118FE58902A2C779CD91EA11

Uniqueness

Uniqueness Score: -1.00%

Function 009E8ABB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009E8B01

Strings

z%s%02d, xrefs: 009E8AF0, 009E8AFA
z%s%d, xrefs: 009E8AE0

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: _swprintf
String ID: z%s%02d$z%s%d
API String ID: 589789837-468824935
Opcode ID: 368406bbd72925ad5bde2a32d1ca5ce1b0c9e31cea18658fdf807e45d01ce6d7
Instruction ID: 5aa0a8225692803420d96ff2aabe288e131933944eec91caeed597b7e35416cd
Opcode Fuzzy Hash: 368406bbd72925ad5bde2a32d1ca5ce1b0c9e31cea18658fdf807e45d01ce6d7
Instruction Fuzzy Hash: 23F0B4B140018D6BCF02AE86DC019EB775EEB98340F004036FD0AA7192DA71DD5587A1

Uniqueness

Uniqueness Score: -1.00%

Function 009E482E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,009E3FE5,?), ref: 009E4833
FindResourceW.KERNEL32(00000000,RTL,00000005,?,009E3FE5,?), ref: 009E4841

Strings

RTL, xrefs: 009E483B

Memory Dump Source

Source File: 00000000.00000002.1727691538.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.1727661525.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727719271.0000000000A09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A1A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727744039.0000000000A49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1727817952.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_64drop.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 0168a1046395cc87a1c6e6c61f22392048e6e900f8e9384e9371911bc9ba3211
Instruction ID: d5ee5f0cd6183582cd397793f07af73802262f72d14c71ae7665f066379a2fed
Opcode Fuzzy Hash: 0168a1046395cc87a1c6e6c61f22392048e6e900f8e9384e9371911bc9ba3211
Instruction Fuzzy Hash: 9AC0123164039466E6305B717C4DB836E587B00712F050558B2429B0C1D7E5CC4386A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CromulentLauncher.exePID: 6444, Parent PID: 5984COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	77.8%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 034092A8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1718098943.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3400000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834d6c134e318ba805dd360d9db3e3f0040c95921075b7b6ea5177960d2954dd
Instruction ID: 0705a53507ef68853e270e6f640c8dbfa61c2531a80961f4ede17c112a2beb85
Opcode Fuzzy Hash: 834d6c134e318ba805dd360d9db3e3f0040c95921075b7b6ea5177960d2954dd
Instruction Fuzzy Hash: D81167747012018FCB44EB3AE69066E37F3ABC92143A0063AD109DB365EB359803CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0912B5D8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendARP.IPHLPAPI(?,?,00000000,?), ref: 0912B66A

Memory Dump Source

Source File: 00000001.00000002.1725194828.0000000009120000.00000040.00000800.00020000.00000000.sdmp, Offset: 09120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9120000_CromulentLauncher.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: feaaa1e7966dfc6eb91bfe2755e2429174065c1883992a4ae0c4e3b36d438c59
Instruction ID: 62282094c42d2048190ff95a6764b9d1bc80cc67763edb75290a7fc9d85b9d11
Opcode Fuzzy Hash: feaaa1e7966dfc6eb91bfe2755e2429174065c1883992a4ae0c4e3b36d438c59
Instruction Fuzzy Hash: 942100B1A042189FCB14DFAAC885BDEBBF4FB49314F10812AE859A7350D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0912B5E0 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendARP.IPHLPAPI(?,?,00000000,?), ref: 0912B66A

Memory Dump Source

Source File: 00000001.00000002.1725194828.0000000009120000.00000040.00000800.00020000.00000000.sdmp, Offset: 09120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9120000_CromulentLauncher.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: abed714b02c6e324ebe2b7a52563b4eeb64bf6ab8d9504e377a90d4ea6f8bb56
Instruction ID: 0236f9973cf47cc81e8400357166a99b039167ea674bb34e7c6f81b3fbf46061
Opcode Fuzzy Hash: abed714b02c6e324ebe2b7a52563b4eeb64bf6ab8d9504e377a90d4ea6f8bb56
Instruction Fuzzy Hash: 952104B5A002189FCB10DF9AC884BDEFBF4FB49314F50852AE858A7350D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03403F52 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 03403FB5

Memory Dump Source

Source File: 00000001.00000002.1718098943.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3400000_CromulentLauncher.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e8c076a781f3c78d146ffe14821131f1d188d39a8f0615de2fd7d4762a8b73c6
Instruction ID: 6bfc4ace627e6ceee808e507c8c050eab5766c2fb94f8ce6584f6d51d7c305d0
Opcode Fuzzy Hash: e8c076a781f3c78d146ffe14821131f1d188d39a8f0615de2fd7d4762a8b73c6
Instruction Fuzzy Hash: 37019978B005249FDB45BB64E41D9AD7BB2FF88705700405AE947D3398DF345A0ADF85

Uniqueness

Uniqueness Score: -1.00%

Function 03403F60 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 03403FB5

Memory Dump Source

Source File: 00000001.00000002.1718098943.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3400000_CromulentLauncher.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9d71eac5e69cc7b21ce067fdd237b728d7ebaa9b33fe7be76b9ef0621d3bcc72
Instruction ID: 94233424cbe132b0f9e26304c49e52fc382e9977697853bc9a3979748b955b2a
Opcode Fuzzy Hash: 9d71eac5e69cc7b21ce067fdd237b728d7ebaa9b33fe7be76b9ef0621d3bcc72
Instruction Fuzzy Hash: D5019A7CB005248F9B45BB64A01C86D7BB6FB486057004019E907D3394DF345A0BDFC6

Uniqueness

Uniqueness Score: -1.00%

Function 01106578 Relevance: 1.3, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 011065A3

Memory Dump Source

Source File: 00000001.00000002.1716620833.00000000010FA000.00000040.00000001.01000000.00000009.sdmp, Offset: 00F78000, based on PE: true

Associated: 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1716620833.00000000010DD000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f30000_CromulentLauncher.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb4924fe05128a0d05165a668dd92a3733ec39e9cc93e169ea228da6acddbc59
Instruction ID: d7fc683886d7458f300bf84d3d6527e002fba398267e6711976ddc04e2fa7e6a
Opcode Fuzzy Hash: cb4924fe05128a0d05165a668dd92a3733ec39e9cc93e169ea228da6acddbc59
Instruction Fuzzy Hash: 5BE0ECB5B00108ABDB55CE4CDA44B5A33DDA74D250F108411F609D7649C275F860CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0322D4C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717812668.000000000322D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0322D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_322d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8f0d1c6fe3ea9dd43c13986095595c58a7938e9eacb57015eb5bcd9344fb30
Instruction ID: 1f5ff16187432e718f22befad533bfd0e4d46dd193a7939b6f180bd4721fd604
Opcode Fuzzy Hash: 2b8f0d1c6fe3ea9dd43c13986095595c58a7938e9eacb57015eb5bcd9344fb30
Instruction Fuzzy Hash: 03212271514200EFDB15DF14DDC4B2BBFA5FB88318F24C5A9E9094B216C3BAD4A6CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0322D3DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717812668.000000000322D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0322D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_322d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be31bb4d36ceb8430c376a6ed64ce8f861b6205ec090b3f4584bc40cab41787
Instruction ID: ff86b36b8f862b84244dad0982a09599677a5fedc3f01bf505723e127d08ff2d
Opcode Fuzzy Hash: 3be31bb4d36ceb8430c376a6ed64ce8f861b6205ec090b3f4584bc40cab41787
Instruction Fuzzy Hash: DC213371514244EFCB04DF14CDC0B2BFF65FB84324F24C1A9E8094B216C376E486CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0337D006 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717915652.000000000337D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0337D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_337d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d829e4b3d084689d651d9097aa5623e0be554f8f9c67cc40d390308253414d3b
Instruction ID: 2c7339bffdf2bff90fc3fb94b89d684e95eaca2f4479f1d79aa8174e4826be21
Opcode Fuzzy Hash: d829e4b3d084689d651d9097aa5623e0be554f8f9c67cc40d390308253414d3b
Instruction Fuzzy Hash: 5831287550E3C48FD713CB24D994755BF71AF46214F29C1DBC8888F6A7C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0337D1F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717915652.000000000337D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0337D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_337d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21ba429e6c3e1322acaf5bf29a50429f97c20eac8138c88c0e41f836117171a
Instruction ID: 524e3b1a38b0a1920a7fdc6b0534b4c32ac096c55b0113a01f48a15a1c632142
Opcode Fuzzy Hash: c21ba429e6c3e1322acaf5bf29a50429f97c20eac8138c88c0e41f836117171a
Instruction Fuzzy Hash: DC210471604204EFDB25DF14D9C0B26BBA9FF84314F24C9ADD8494B256C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0337D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717915652.000000000337D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0337D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_337d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a7b5c10471ba6d26e83cf22d5407daba63edcda0f0a1d91afd99dbc38d2370
Instruction ID: b9935eea4f2ec9f75a6e5003f01b4bdaaf8b027fcecf61b8019a6378290678e6
Opcode Fuzzy Hash: b9a7b5c10471ba6d26e83cf22d5407daba63edcda0f0a1d91afd99dbc38d2370
Instruction Fuzzy Hash: 6921F371504244DFDB20DF14D9C4B2ABFA9FF84324F28C5AAD8094B246C37ED446CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0106F284 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1716620833.0000000000F78000.00000040.00000001.01000000.00000009.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000001.00000002.1716550141.0000000000F30000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1716566592.0000000000F32000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1716620833.00000000010DD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1716620833.00000000010FA000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1716620833.000000000122B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f30000_CromulentLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518408baf94603cec1b8719a5ba8c227c0da2946edb44c376bd9b90b96e5ed87
Instruction ID: 3a86cd4a1e23052a0528a82ea3970deeb3252bbaf8de909bdcce5c663653845f
Opcode Fuzzy Hash: 518408baf94603cec1b8719a5ba8c227c0da2946edb44c376bd9b90b96e5ed87
Instruction Fuzzy Hash: AE1194307003128FE315EF29E4D4A59B7EBBB8A314F5481B2E684C73A9CE799C41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0322D4C3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717812668.000000000322D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0322D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_322d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19ffdc8b203b97519f7b0b659eba67c25cdc18a70f81b6ee6acb1924888206d
Instruction ID: 6b1ddef5199e48e44234f025be1b806e9b1ac27456f47cf4c530ba524200ef99
Opcode Fuzzy Hash: c19ffdc8b203b97519f7b0b659eba67c25cdc18a70f81b6ee6acb1924888206d
Instruction Fuzzy Hash: B411D376504280DFDB16CF10D9C4B56BF71FB94318F28C6A9DC094B216C33AD4AACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0322D3D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717812668.000000000322D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0322D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_322d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19ffdc8b203b97519f7b0b659eba67c25cdc18a70f81b6ee6acb1924888206d
Instruction ID: 397dead844f1a7e0e561b0627907c29480af21a50b1ccdf2ac311fd0d2b31749
Opcode Fuzzy Hash: c19ffdc8b203b97519f7b0b659eba67c25cdc18a70f81b6ee6acb1924888206d
Instruction Fuzzy Hash: DD11E476404280DFCB01CF00D9C4B16FF62FB94314F28C2A9D8084B616C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0337D1EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1717915652.000000000337D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0337D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_337d000_CromulentLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0187bca310b961ac37e0564660db0e7edeefa82911be206c7875997007e58ac0
Instruction ID: bccd76a415eb7320e13db740b5e8077ff12d438a7b28b53f4c8ac12ee3f859a9
Opcode Fuzzy Hash: 0187bca310b961ac37e0564660db0e7edeefa82911be206c7875997007e58ac0
Instruction Fuzzy Hash: FF118B75504280DFDB16CF14D9C4B15BFA1FF84318F28CAAADC494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 64drop.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\44\Information.txt

C:\Users\user\AppData\Local\44\Process.txt

C:\Users\user\AppData\Local\44\Screen.png

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CromulentLauncher.exe.log

C:\Users\user\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

C:\Users\user\AppData\Local\Temp\tmpCE92.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCEA2.tmp.tmpdb

C:\Users\user\AppData\Local\Temp\tmpCED2.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCEE3.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCF13.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCF33.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCF44.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCF54.tmp.tmpdb

Static File Info

General

File Icon

Windows Analysis Report
64drop.exe

Function 009F4968 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 202
filesleeptimeCOMMON

Function 009F11D2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Function 009E2C15 Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Function 009F1981 Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Function 009E6BE4 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Function 009F3F86 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Function 009F424F Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 184
windowCOMMON

Function 00A00D74 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Function 009E723D Relevance: 9.1, APIs: 6, Instructions: 98
timeCOMMON

Function 009F1C99 Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Function 009F46D3 Relevance: 9.0, APIs: 6, Instructions: 42
windowsynchronizationCOMMON

Function 009F3939 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
COMMON

Function 009F181B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Function 009E1EE0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Function 009F20D8 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre