Windows Analysis Report
Sysmon64.exe

Overview

General Information

Sample name: Sysmon64.exe
Analysis ID: 1397930
MD5: dbb70df036b6811f1328bb06bf8671fe
SHA1: 52ac1d0b90182e7f4c6667026ecbea5bd82974b8
SHA256: 373061d73b6743651050749dba958090a954939109fc51dd27e548b0d71cd75c

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Found evasive API chain (may stop execution after checking mutex)
Sigma detected: Suspicious New Service Creation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • cmd.exe (PID: 7728 cmdline: cmd /c sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" >> C:\servicereg.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7780 cmdline: sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
  • cmd.exe (PID: 7860 cmdline: cmd /c sc start CNVkE >> C:\servicestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7912 cmdline: sc start CNVkE MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
  • Sysmon64.exe (PID: 7944 cmdline: C:\Users\user\Desktop\Sysmon64.exe MD5: DBB70DF036B6811F1328BB06BF8671FE)
  • unsecapp.exe (PID: 7976 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9B782B1E1D7A2C28302755F963EAC907)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" , CommandLine: sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd /c sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7728, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" , ProcessId: 7780, ProcessName: sc.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" , CommandLine: sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd /c sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7728, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" , ProcessId: 7780, ProcessName: sc.exe
No Snort rule has matched

Source: Sysmon64.exe | Static PE information: certificate valid
Source: Sysmon64.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\1\s\sys\x64\Public_Release\sysmondrv.pdb source: Sysmon64.exe
Source: Binary string: C:\agent\1\s\exe\x64\Public_Release\Sysmon64.pdb source: Sysmon64.exe
Source: Sysmon64.exe | String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: Sysmon64.exe | String found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
Source: Sysmon64.exe | String found in binary or memory: https://www.sysinternals.com0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873CC870
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF787517848
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D40E0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873DA8A0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF787546098
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF787409F30
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D4F30
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7875187EC
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF787405FB0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873DAE60
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D5EB0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873DED70
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D4550
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873C4DE0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF787536E04
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873E2C30
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873DCC40
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D2510
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873DFB60
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D1B70
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D8380
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF78740C270
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF787518218
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873C5240
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873C22A0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF787518ACC
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873C2920
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873CC940
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873D5940
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873C7150
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: String function: 00007FF7873CF0A0 appears 51 times
Source: Sysmon64.exe | Static PE information: Resource name: BINRES type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Source: Sysmon64.exe | Binary or memory string: ing" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="CommandLine" inT vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: OriginalFileName vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: ny" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:s vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: ring" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="CommandLine" inTy vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="CommandLine" inType="wi vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: > <data name="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:Uni vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: <data name="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:Unic vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: a name="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: odeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <dat vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: :UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: ersion: %6!s!%n Description: %7!s!%n Product: %8!s!%n Company: %9!s!%n OriginalFileName: %10!s!%n CommandLine: %11! vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: " inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:str vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: ame="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" out vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: : %7!s!%nDescription: %8!s!%nProduct: %9!s!%nCompany: %10!s!%nOriginalFileName: %11!s!%nHashes: %12!s!%nSigned: %13!s!%nSignature: vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: deString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: on: %7!s!%nProduct: %8!s!%nCompany: %9!s!%nOriginalFileName: %10!s!%nCommandLine: %11!s!%nCurrentDirectory: %12!s!%nUser: %13!s!%n vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: nDescription: %7!s!%nProduct: %8!s!%nCompany: %9!s!%nOriginalFileName: %10!s!%nCommandLine: %11!s!%nCurrentDirectory: %12!s!%nUser vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: me="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outT vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: aded: %6!s!%n FileVersion: %7!s!%n Description: %8!s!%n Product: %9!s!%n Company: %10!s!%n OriginalFileName: %11!s! vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="Hashes" inType="win:Unic vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: pe="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="CommandL vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="Ha vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: <data name="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:Unico vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: nType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: %9!s!%nCompany: %10!s!%nOriginalFileName: %11!s!%nHashes: %12!s!%nSigned: %13!s!%nSignature: %14!s!%nSignatureStatus: %15!s!%nUse vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: /> <data name="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:U vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: OriginalFilename vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: e="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" inType="win:UnicodeString" outTy vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: ="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="Hashes" inType="win:UnicodeString" outType vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: me="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> <data name="Hashes" inType="win:UnicodeString" outTy vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: e="xs:string" /> <data name="Company" inType="win:UnicodeString" outType="xs:string" /> <data name="OriginalFileName" vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000000.1355215817.00007FF787575000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\SelectCurrent%03d@\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENTHKCC\SOFTWARE\CLASSESHKCR\SYSTEM\ControlSetHKLM\System\CurrentControlSetHKLMUSERHKULowMediumHighSystemProtected ProcessOriginalFileNameUnavailableEventTime: %I64x vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\SelectCurrent%03d@\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENTHKCC\SOFTWARE\CLASSESHKCR\SYSTEM\ControlSetHKLM\System\CurrentControlSetHKLMUSERHKULowMediumHighSystemProtected ProcessOriginalFileNameUnavailableEventTime: %I64x vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName: %10!s!%n vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName: %11!s!%n vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Image loaded:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nImageLoaded: %6!s!%nFileVersion: %7!s!%nDescription: %8!s!%nProduct: %9!s!%nCompany: %10!s!%nOriginalFileName: %11!s!%nHashes: %12!s!%nSigned: %13!s!%nSignature: %14!s!%nSignatureStatus: %15!s!%nUser: %16!s! vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Process Create:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nFileVersion: %6!s!%nDescription: %7!s!%nProduct: %8!s!%nCompany: %9!s!%nOriginalFileName: %10!s!%nCommandLine: %11!s!%nCurrentDirectory: %12!s!%nUser: %13!s!%nLogonGuid: %14!s!%nLogonId: %15!s!%nTerminalSessionId: %16!s!%nIntegrityLevel: %17!s!%nHashes: %18!s!%nParentProcessGuid: %19!s!%nParentProcessId: %20!s!%nParentImage: %21!s!%nParentCommandLine: %22!s!%nParentUser: %23!s! vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Company(OriginalFileName vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: <string id="event.str_SYSMONEVENT_CREATE_PROCESS" value="Process Create:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nFileVersion: %6!s!%nDescription: %7!s!%nProduct: %8!s!%nCompany: %9!s!%nOriginalFileName: %10!s!%nCommandLine: %11!s!%nCurrentDirectory: %12!s!%nUser: %13!s!%nLogonGuid: %14!s!%nLogonId: %15!s!%nTerminalSessionId: %16!s!%nIntegrityLevel: %17!s!%nHashes: %18!s!%nParentProcessGuid: %19!s!%nParentProcessId: %20!s!%nParentImage: %21!s!%nParentCommandLine: %22!s!%nParentUser: %23!s!" /> vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: <string id="event.str_SYSMONEVENT_IMAGE_LOAD" value="Image loaded:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nImageLoaded: %6!s!%nFileVersion: %7!s!%nDescription: %8!s!%nProduct: %9!s!%nCompany: %10!s!%nOriginalFileName: %11!s!%nHashes: %12!s!%nSigned: %13!s!%nSignature: %14!s!%nSignatureStatus: %15!s!%nUser: %16!s!" /> vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: (Default)Unknown Event typeCreateKeyDeleteKeyRenameKeyCreateValueDeleteValueRenameValueSetValueBinary Data(Empty)SHA1MD5SHA256IMPHASH_?@$()UtcTimeIDDescriptionSYSMONEVENT_ERRORError reportRuleNameProcessGuidProcessIdImageFileVersionProductCompanyOriginalFileNameCommandLineCurrentDirectoryUserLogonGuidLogonIdTerminalSessionIdIntegrityLevelHashesParentProcessGuidParentProcessIdParentImageParentCommandLineParentUserSYSMONEVENT_CREATE_PROCESSProcess CreateProcessCreateTargetFilenameCreationUtcTimePreviousCreationUtcTimeSYSMONEVENT_FILE_TIMEFile creation time changedFileCreateTimeProtocolInitiatedSourceIsIpv6SourceIpSourceHostnameSourcePortSourcePortNameDestinationIsIpv6DestinationIpDestinationHostnameDestinationPortDestinationPortNameSYSMONEVENT_NETWORK_CONNECTNetwork connection detectedNetworkConnectStateVersionSchemaVersionSYSMONEVENT_SERVICE_STATE_CHANGESysmon service state changedSYSMONEVENT_PROCESS_TERMINATEProcess terminatedProcessTerminateImageLoadedSignedSignatureSignatureStatusSYSMONEVENT_DRIVER_LOADDriver loadedDriverLoadSYSMONEVENT_IMAGE_LOADImage loadedImageLoadSourceProcessGuidSourceProcessIdSourceImageTargetProcessGuidTargetProcessIdTargetImageNewThreadIdStartAddressStartModuleStartFunctionSourceUserTargetUserSYSMONEVENT_CREATE_REMOTE_THREADCreateRemoteThread detectedCreateRemoteThreadDeviceSYSMONEVENT_RAWACCESS_READRawAccessRead detectedRawAccessReadSourceProcessGUIDSourceThreadIdTargetProcessGUIDGrantedAccessCallTraceSYSMONEVENT_ACCESS_PROCESSProcess accessedProcessAccessSYSMONEVENT_FILE_CREATEFile createdFileCreateEventTypeTargetObjectSYSMONEVENT_REG_KEYRegistry object added or deletedRegistryEventDetailsSYSMONEVENT_REG_SETVALUERegistry value setNewNameSYSMONEVENT_REG_NAMERegistry object renamedHashContentsSYSMONEVENT_FILE_CREATE_STREAM_HASHFile stream createdFileCreateStreamHashConfigurationConfigurationFileHashSYSMONEVENT_SERVICE_CONFIGURATION_CHANGESysmon config state changedPipeNameSYSMONEVENT_CREATE_NAMEDPIPEPipe CreatedPipeEventSYSMONEVENT_CONNECT_NAMEDPIPEPipe ConnectedOperationEventNamespaceNameQuerySYSMONEVENT_WMI_FILTERWmiEventFilter activity detectedWmiEventTypeDestinationSYSMONEVENT_WMI_CONSUMERWmiEventConsumer activity detectedConsumerFilterSYSMONEVENT_WMI_BINDINGWmiEventConsumerToFilter activity detectedQueryNameQueryStatusQueryResultsSYSMONEVENT_DNS_QUERYDns queryDnsQueryIsExecutableArchivedSYSMONEVENT_FILE_DELETEFile Delete archivedFileDeleteSessionClientInfoSYSMONEVENT_CLIPBOARDClipboard changedClipboardChangeSYSMONEVENT_PROCESS_IMAGE_TAMPERINGProcess TamperingProcessTamperingSYSMONEVENT_FILE_DELETE_DETECTEDFile Delete loggedFileDeleteDetectedQ vs Sysmon64.exe
Source: Sysmon64.exe, 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSysmondrv.sysH vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: SYSTEM\SelectCurrent%03d@\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENTHKCC\SOFTWARE\CLASSESHKCR\SYSTEM\ControlSetHKLM\System\CurrentControlSetHKLMUSERHKULowMediumHighSystemProtected ProcessOriginalFileNameUnavailableEventTime: %I64x vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: OriginalFileName: %10!s!%n vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: OriginalFileName: %11!s!%n vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: Image loaded:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nImageLoaded: %6!s!%nFileVersion: %7!s!%nDescription: %8!s!%nProduct: %9!s!%nCompany: %10!s!%nOriginalFileName: %11!s!%nHashes: %12!s!%nSigned: %13!s!%nSignature: %14!s!%nSignatureStatus: %15!s!%nUser: %16!s! vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: Process Create:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nFileVersion: %6!s!%nDescription: %7!s!%nProduct: %8!s!%nCompany: %9!s!%nOriginalFileName: %10!s!%nCommandLine: %11!s!%nCurrentDirectory: %12!s!%nUser: %13!s!%nLogonGuid: %14!s!%nLogonId: %15!s!%nTerminalSessionId: %16!s!%nIntegrityLevel: %17!s!%nHashes: %18!s!%nParentProcessGuid: %19!s!%nParentProcessId: %20!s!%nParentImage: %21!s!%nParentCommandLine: %22!s!%nParentUser: %23!s! vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: OriginalFileName vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: Company(OriginalFileName vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: <string id="event.str_SYSMONEVENT_CREATE_PROCESS" value="Process Create:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nFileVersion: %6!s!%nDescription: %7!s!%nProduct: %8!s!%nCompany: %9!s!%nOriginalFileName: %10!s!%nCommandLine: %11!s!%nCurrentDirectory: %12!s!%nUser: %13!s!%nLogonGuid: %14!s!%nLogonId: %15!s!%nTerminalSessionId: %16!s!%nIntegrityLevel: %17!s!%nHashes: %18!s!%nParentProcessGuid: %19!s!%nParentProcessId: %20!s!%nParentImage: %21!s!%nParentCommandLine: %22!s!%nParentUser: %23!s!" /> vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: <string id="event.str_SYSMONEVENT_IMAGE_LOAD" value="Image loaded:%nRuleName: %1!s!%nUtcTime: %2!s!%nProcessGuid: %3!s!%nProcessId: %4!s!%nImage: %5!s!%nImageLoaded: %6!s!%nFileVersion: %7!s!%nDescription: %8!s!%nProduct: %9!s!%nCompany: %10!s!%nOriginalFileName: %11!s!%nHashes: %12!s!%nSigned: %13!s!%nSignature: %14!s!%nSignatureStatus: %15!s!%nUser: %16!s!" /> vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: (Default)Unknown Event typeCreateKeyDeleteKeyRenameKeyCreateValueDeleteValueRenameValueSetValueBinary Data(Empty)SHA1MD5SHA256IMPHASH_?@$()UtcTimeIDDescriptionSYSMONEVENT_ERRORError reportRuleNameProcessGuidProcessIdImageFileVersionProductCompanyOriginalFileNameCommandLineCurrentDirectoryUserLogonGuidLogonIdTerminalSessionIdIntegrityLevelHashesParentProcessGuidParentProcessIdParentImageParentCommandLineParentUserSYSMONEVENT_CREATE_PROCESSProcess CreateProcessCreateTargetFilenameCreationUtcTimePreviousCreationUtcTimeSYSMONEVENT_FILE_TIMEFile creation time changedFileCreateTimeProtocolInitiatedSourceIsIpv6SourceIpSourceHostnameSourcePortSourcePortNameDestinationIsIpv6DestinationIpDestinationHostnameDestinationPortDestinationPortNameSYSMONEVENT_NETWORK_CONNECTNetwork connection detectedNetworkConnectStateVersionSchemaVersionSYSMONEVENT_SERVICE_STATE_CHANGESysmon service state changedSYSMONEVENT_PROCESS_TERMINATEProcess terminatedProcessTerminateImageLoadedSignedSignatureSignatureStatusSYSMONEVENT_DRIVER_LOADDriver loadedDriverLoadSYSMONEVENT_IMAGE_LOADImage loadedImageLoadSourceProcessGuidSourceProcessIdSourceImageTargetProcessGuidTargetProcessIdTargetImageNewThreadIdStartAddressStartModuleStartFunctionSourceUserTargetUserSYSMONEVENT_CREATE_REMOTE_THREADCreateRemoteThread detectedCreateRemoteThreadDeviceSYSMONEVENT_RAWACCESS_READRawAccessRead detectedRawAccessReadSourceProcessGUIDSourceThreadIdTargetProcessGUIDGrantedAccessCallTraceSYSMONEVENT_ACCESS_PROCESSProcess accessedProcessAccessSYSMONEVENT_FILE_CREATEFile createdFileCreateEventTypeTargetObjectSYSMONEVENT_REG_KEYRegistry object added or deletedRegistryEventDetailsSYSMONEVENT_REG_SETVALUERegistry value setNewNameSYSMONEVENT_REG_NAMERegistry object renamedHashContentsSYSMONEVENT_FILE_CREATE_STREAM_HASHFile stream createdFileCreateStreamHashConfigurationConfigurationFileHashSYSMONEVENT_SERVICE_CONFIGURATION_CHANGESysmon config state changedPipeNameSYSMONEVENT_CREATE_NAMEDPIPEPipe CreatedPipeEventSYSMONEVENT_CONNECT_NAMEDPIPEPipe ConnectedOperationEventNamespaceNameQuerySYSMONEVENT_WMI_FILTERWmiEventFilter activity detectedWmiEventTypeDestinationSYSMONEVENT_WMI_CONSUMERWmiEventConsumer activity detectedConsumerFilterSYSMONEVENT_WMI_BINDINGWmiEventConsumerToFilter activity detectedQueryNameQueryStatusQueryResultsSYSMONEVENT_DNS_QUERYDns queryDnsQueryIsExecutableArchivedSYSMONEVENT_FILE_DELETEFile Delete archivedFileDeleteSessionClientInfoSYSMONEVENT_CLIPBOARDClipboard changedClipboardChangeSYSMONEVENT_PROCESS_IMAGE_TAMPERINGProcess TamperingProcessTamperingSYSMONEVENT_FILE_DELETE_DETECTEDFile Delete loggedFileDeleteDetectedQ vs Sysmon64.exe
Source: Sysmon64.exe | Binary or memory string: OriginalFilenameSysmondrv.sysH vs Sysmon64.exe
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: tdh.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Sysmon64.exe | Section loaded: dsparse.dll
Source: C:\Windows\System32\wbem\unsecapp.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\unsecapp.exe | Section loaded: kernel.appcore.dll
Source: Sysmon64.exe | Binary string: \Device\NamedPipe
Source: Sysmon64.exe | Binary string: M\Device\Mup\Device\\SystemRoot\\Device\LanmanRedirector\
Source: Sysmon64.exe | Binary string: \Device\SysmonPipeFilter
Source: Sysmon64.exe | Binary string: \Device\
Source: Sysmon64.exe | Binary string: \Device\Mailslot
Source: Sysmon64.exe | Binary string: Unable to attach to \device\namedpipe
Source: classification engine | Classification label: sus36.evad.winEXE@10/2@0/0
Source: C:\Users\user\Desktop\Sysmon64.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: Sysmon64.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\sc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Sysmon64.exe | String found in binary or memory: The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe"
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start CNVkE >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start CNVkE
Source: unknown | Process created: C:\Users\user\Desktop\Sysmon64.exe C:\Users\user\Desktop\Sysmon64.exe
Source: unknown | Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start CNVkE
Source: C:\Users\user\Desktop\Sysmon64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Sysmon64.exe | Static PE information: certificate valid
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: Sysmon64.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Sysmon64.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Sysmon64.exe | Static file information: File size 3925928 > 1048576
Source: Sysmon64.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b3a00
Source: Sysmon64.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x119400
Source: Sysmon64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Sysmon64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Sysmon64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Sysmon64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Sysmon64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Sysmon64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Sysmon64.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Sysmon64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\1\s\sys\x64\Public_Release\sysmondrv.pdb source: Sysmon64.exe
Source: Binary string: C:\agent\1\s\exe\x64\Public_Release\Sysmon64.pdb source: Sysmon64.exe
Source: Sysmon64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Sysmon64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Sysmon64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Sysmon64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Sysmon64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Sysmon64.exe | Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe"
Source: C:\Users\user\Desktop\Sysmon64.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
Source: C:\Users\user\Desktop\Sysmon64.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_6-22023)
Source: C:\Users\user\Desktop\Sysmon64.exe | API coverage: 8.1 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Sysmon64.exe, 00000006.00000002.1358568852.0000022BA2F2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllff
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7874FA3F0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 6_2_00007FF7874FA3F0
Source: C:\Users\user\Desktop\Sysmon64.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF78753ABD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF78753ABD0
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7874C7140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF7874C7140
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7874C8878 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_00007FF7874C8878
Source: C:\Users\user\Desktop\Sysmon64.exe | Code function: 6_2_00007FF7873C1F30 GetVersionExW, 6_2_00007FF7873C1F30
Source: C:\Users\user\Desktop\Sysmon64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (leading numbers are the report's per-technique counts):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook
Privilege Escalation: 1 Windows Service; 11 Process Injection; 1 DLL Side-Loading; Login Hook
Defense Evasion: 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 System Time Discovery; 21 Security Software Discovery; 4 System Information Discovery; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph ID: 1397930
Sample: Sysmon64.exe
Startdate: 23/02/2024
Architecture: WINDOWS
Score: 36
Behavior graph nodes: Sigma detected: Suspicious New Service Creation; Sysmon64.exe started; cmd.exe started (two instances); unsecapp.exe started; Found evasive API chain (may stop execution after checking mutex) on Sysmon64.exe; C:\servicereg.log (ASCII) dropped by cmd.exe; each cmd.exe started conhost.exe and sc.exe.

Source | Detection | Scanner | Label | Link
Sysmon64.exe | 0% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://relaxng.org/ns/structure/1.0 | 0% | URL Reputation | safe
https://www.sysinternals.com0 | 0% | Avira URL Cloud | safe
http://relaxng.org/ns/structure/1.0allocating | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://relaxng.org/ns/structure/1.0 | Sysmon64.exe | false | URL Reputation: safe | unknown
https://www.sysinternals.com0 | Sysmon64.exe | false | Avira URL Cloud: safe | unknown
http://relaxng.org/ns/structure/1.0allocating | Sysmon64.exe | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1397930
Start date and time:2024-02-23 20:50:15 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 6s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run as Windows Service
Number of new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Sysmon64.exe
Detection:SUS
Classification:sus36.evad.winEXE@10/2@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: Sysmon64.exe
No simulations
No context
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):28
Entropy (8bit):3.678439190827718
Encrypted:false
SSDEEP:3:4A4AnXjzSv:4HAnXjg
MD5:A8F4D690C5BDE96AD275C7D4ABE0E3D3
SHA1:7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
SHA-256:596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
SHA-512:A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
Malicious:true
Reputation:moderate, very likely benign file
Preview:[SC] CreateService SUCCESS..
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):421
Entropy (8bit):3.504739706684328
Encrypted:false
SSDEEP:6:lg3D/8F1ggVKBRjGxVVLvH2s/u8qLLFmLaZnsHgm66//V+Nm5CWfq:lgAMgV0qVbH2suZLQqOVKm5Ckq
MD5:F4E84FF92F9469A5F8F6DC3A45D19127
SHA1:7F9FDAD2D5837859859730A881F7744C16C0C7B7
SHA-256:5ED4699AB9E51523FFDAFEF74D4F84AEB03FE48616098F0582178138F93F0B08
SHA-512:C1B3692F3EC62DDF6213DC81DF67E0FC3D97C22F56B4E6E234341B084A00AC46E427F9B1239C6629E85747CA5B87E956F085899EC2A05DD65ACD02F57AAFC9C8
Malicious:false
Reputation:low
Preview:..SERVICE_NAME: CNVkE .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 2 START_PENDING .. (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x7d0.. PID : 7944.. FLAGS : ..
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):5.8648590295705905
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Sysmon64.exe
File size:3'925'928 bytes
MD5:dbb70df036b6811f1328bb06bf8671fe
SHA1:52ac1d0b90182e7f4c6667026ecbea5bd82974b8
SHA256:373061d73b6743651050749dba958090a954939109fc51dd27e548b0d71cd75c
SHA512:d0f492c92985704ec4a0f0c65003e4ce0cea38c7804814ba11ae630c0914be8cd0be64ee91568de4bacfddde07a10d23ed3af5dd0537376484b7baa42c1070cc
SSDEEP:49152:xp/QdKTO7CsQCR0or2t+RR38MZOCZ0M9v5rgtqDTmnu:cWTqi+OCDsamu
TLSH:3006720267FC0458F6F36B789B3A8841DA37BC660B34E59F01581D5D0B73A928DB6B72
File Content Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........T...5...5...5...^...5...^..L5...^...5...Z...5...@...5...@...5...@...5...^...5..6@...5..5@...5...^...5...5...4..1@...5..1@...5.
Icon Hash:00928e8e8686b000
Entrypoint:0x140108150
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x627B1AC2 [Wed May 11 02:09:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:92ac089e4b4a4fa0eda7b74b4ba55881
Signature Valid:true
Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 02/09/2021 20:32:59 01/09/2022 20:32:59
Subject Chain
  • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:D15B2B9631F8B37BA8D83A5AE528A8BB
Thumbprint SHA-1:8740DF4ACB749640AD318E4BE842F72EC651AD80
Thumbprint SHA-256:2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
Serial:33000002528B33AAF895F339DB000000000252
Instruction
dec eax
sub esp, 28h
call 00007F3080E89754h
dec eax
add esp, 28h
jmp 00007F3080E88E17h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F3080E89042h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F3080E89045h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F3080E8903Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F3080E87F76h
int3
and dword ptr [001842E9h], 00000000h
ret
dec eax
mov dword ptr [esp+08h], ebx
push ebp
dec eax
lea ebp, dword ptr [esp-000004C0h]
dec eax
sub esp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h
call dword ptr [000AD36Eh]
test eax, eax
je 00007F3080E89036h
mov ecx, ebx
int 29h
mov ecx, 00000003h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x284220 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a9000 | 0x1193d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x291000 | 0x16638 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3bc000 | 0x27a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c3000 | 0x1984 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x25d850 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x25da10 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25d8c0 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b5000 | 0xb28 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b39bc | 0x1b3a00 | 446dc4c3d5be6936c4d3d3575db79178 | False | 0.44435471215925393 | data | 6.448278764027017 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b5000 | 0xd180e | 0xd1a00 | 2678644501720baa3cc241aa80e6f52b | False | 0.19737859645199762 | data | 4.794316875907376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x287000 | 0x9788 | 0x5000 | a0dd407eeb6a51a78b45acb59f6245c3 | False | 0.204150390625 | DOS executable (block device driver \377\3) | 3.7686805630056863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x291000 | 0x16638 | 0x16800 | b3e8e8659e2f026794c00e599f0b26ab | False | 0.48553602430555554 | data | 6.246519866550825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x2a8000 | 0xf4 | 0x200 | ae7a6011637c8a816ca96b93a156a46f | False | 0.31640625 | data | 2.460670788995041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2a9000 | 0x1193d8 | 0x119400 | 983b5f783759ee3433e65c72dad8279d | False | 0.11414149305555556 | data | 4.185874405563766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3c3000 | 0x1984 | 0x1a00 | a953ec41a7d91f6580402d9a4614777d | False | 0.35697115384615385 | data | 5.417177664326332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BINRES | 0x39a6c8 | 0x27b90 | PE32+ executable (DLL) (native) x86-64, for MS Windows | English | United States | 0.46228734388828796
WEVT_TEMPLATE | 0x2af818 | 0x89a2 | data | English | United States | 0.14951467332690016
XML | 0x2ced48 | 0xcb97a | exported SGML document, Unicode text, UTF-16, little-endian text, with CRLF, LF line terminators | English | United States | 0.04946793074585629
RT_MESSAGETABLE | 0x2a9270 | 0x65a4 | data | English | United States | 0.10288239815526518
RT_VERSION | 0x2b81c0 | 0x400 | data | English | United States | 0.458984375
RT_HTML | 0x2b85c0 | 0x16784 | XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (399), with CRLF line terminators | English | United States | 0.06426832978399756
RT_MANIFEST | 0x3c2258 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
tdh.dll | TdhGetEventInformation, TdhGetEventMapInformation
USERENV.dll | ExpandEnvironmentStringsForUserW
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeExW, GetFileVersionInfoExW
NETAPI32.dll | NetServerEnum, NetApiBufferFree
WS2_32.dll | ntohs, gethostbyname, WSAStartup, inet_ntoa, gethostname, htons, getnameinfo
MPR.dll | WNetCancelConnection2W, WNetAddConnection2W
WTSAPI32.dll | WTSQuerySessionInformationW, WTSFreeMemory, WTSQueryUserToken, WTSEnumerateSessionsW
ole32.dll | CoCreateInstance, CoUninitialize, CoInitializeEx, IIDFromString, StringFromGUID2, CoSetProxyBlanket, CoInitializeSecurity
KERNEL32.dll | RaiseException, DecodePointer, AcquireSRWLockShared, DeviceIoControl, OpenProcess, CreateToolhelp32Snapshot, Module32FirstW, K32EnumProcesses, SystemTimeToFileTime, GetSystemTime, SizeofResource, LockResource, LoadResource, FindResourceW, CreateDirectoryW, GetConsoleScreenBufferInfo, lstrlenW, RemoveDirectoryW, GetTempPathW, CreateFileW, GetFileAttributesW, GetSystemDirectoryW, Process32NextW, SetEvent, DeleteFileW, Process32FirstW, GetSystemInfo, VerSetConditionMask, GetComputerNameW, CreateProcessW, VerifyVersionInfoW, GetSystemTimeAsFileTime, GetTickCount, ConnectNamedPipe, GetExitCodeProcess, ExpandEnvironmentStringsW, ProcessIdToSessionId, ExitProcess, GetCurrentProcessId, CopyFileW, SetConsoleCtrlHandler, GetFileSizeEx, WaitForMultipleObjects, SetThreadPriority, UnmapViewOfFile, CreateEventW, GetOverlappedResult, CreateFileMappingW, MapViewOfFile, QueryDosDeviceW, GetFullPathNameW, WriteFile, AcquireSRWLockExclusive, GetWindowsDirectoryW, GetTempFileNameW, K32GetMappedFileNameW, QueryPerformanceFrequency, ResetEvent, QueryPerformanceCounter, CreateThread, FindFirstFileW, FindNextFileW, FindClose, LoadLibraryW, K32GetModuleBaseNameW, WideCharToMultiByte, TerminateProcess, SetFileAttributesW, GlobalSize, FreeConsole, GlobalLock, GlobalUnlock, GetEnabledXStateFeatures, GetDriveTypeW, FreeLibraryAndExitThread, ResumeThread, ExitThread, GetConsoleCP, GetModuleHandleExW, SetStdHandle, TlsFree, InterlockedFlushSList, InterlockedPushEntrySList, RtlPcToFileHeader, RtlUnwindEx, OutputDebugStringW, GetCPInfo, CompareStringEx, GetLocaleInfoEx, LCMapStringEx, EncodePointer, GetStringTypeW, FormatMessageA, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlUnwind, ReleaseSRWLockExclusive, InitializeCriticalSectionEx, InitializeSRWLock, GetLastError, FormatMessageW, ReleaseSRWLockShared, GetDateFormatW, FreeLibrary, GetTimeFormatW, FileTimeToSystemTime, MultiByteToWideChar, TlsGetValue, DeleteCriticalSection, CloseHandle, TlsAlloc, GetCurrentThread, Sleep, DuplicateHandle, ReleaseMutex, GetCurrentThreadId, WaitForSingleObject, CreateMutexW, InitializeCriticalSection, LeaveCriticalSection, GetCurrentProcess, EnterCriticalSection, TlsSetValue, GetModuleHandleW, LocalFree, GetProcAddress, LocalAlloc, GetStdHandle, GetCommandLineW, LoadLibraryExW, GetVersionExW, SetLastError, GetFileType, GetModuleFileNameW, GetFileInformationByHandle, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, GetCommandLineA, ReadFile, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, SetConsoleMode, GetNumberOfConsoleInputEvents, ReadConsoleInputW, PeekConsoleInputA, SetFilePointerEx, HeapReAlloc, SetCurrentDirectoryW, GetCurrentDirectoryW, HeapSize, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetProcessHeap, GetTimeZoneInformation, WriteConsoleW, SetEndOfFile, GetLogicalDriveStringsW
USER32.dll | ChangeClipboardChain, CloseClipboard, RegisterClassW, TranslateMessage, GetClipboardData, GetClipboardOwner, MessageBoxW, UnregisterClassW, InflateRect, OpenClipboard, EndDialog, SetWindowTextW, DialogBoxIndirectParamW, LoadCursorW, SetCursor, GetDlgItem, GetSysColorBrush, SetClipboardViewer, GetMessageW, GetWindowThreadProcessId, GetPriorityClipboardFormat, DispatchMessageW, SendMessageW, CreateWindowExW, GetClipboardSequenceNumber, DefWindowProcW
GDI32.dll | StartPage, EndDoc, GetDeviceCaps, SetMapMode, StartDocW, EndPage
COMDLG32.dll | PrintDlgW
ADVAPI32.dll | RevertToSelf, RegQueryValueExW, RegOpenKeyW, RegCreateKeyW, RegOpenKeyExW, RegCloseKey, SetFileSecurityW, CryptAcquireContextW, CryptGenRandom, CreateProcessAsUserW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DuplicateTokenEx, CryptReleaseContext, DeregisterEventSource, GetSidSubAuthorityCount, GetSidSubAuthority, CopySid, RegisterEventSourceW, RegNotifyChangeKeyValue, RegisterServiceCtrlHandlerExW, SetSecurityDescriptorDacl, RegDeleteKeyW, SetServiceStatus, ChangeServiceConfig2W, SetEntriesInAclW, RegCreateKeyExW, InitializeSecurityDescriptor, RegGetValueW, StartServiceCtrlDispatcherW, QueryServiceConfigW, RegDeleteValueW, LookupAccountSidW, LookupAccountNameW, LookupPrivilegeValueW, AdjustTokenPrivileges, ConvertSidToStringSidW, CreateServiceW, QueryServiceStatus, EqualSid, CloseServiceHandle, OpenSCManagerW, AllocateAndInitializeSid, DeleteService, ControlService, ImpersonateLoggedOnUser, LogonUserW, OpenProcessToken, FreeSid, StartServiceW, RegConnectRegistryW, OpenServiceW, GetTokenInformation, GetLengthSid, GetSecurityDescriptorLength, ReportEventW, StartTraceW, ProcessTrace, CloseTrace, ControlTraceW, OpenTraceW, EnableTraceEx2, RegSetValueExW
OLEAUT32.dll | SafeArrayGetElement, VariantChangeType, VariantClear, VariantInit, SysAllocStringByteLen, SysStringLen, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayGetLBound, SafeArrayGetUBound, GetErrorInfo, SetErrorInfo, SysStringByteLen, SafeArrayAccessData, CreateErrorInfo, SysAllocString, SysFreeString, SysAllocStringLen
CRYPT32.dll | CertDuplicateCertificateContext, CryptFindOIDInfo, CertGetNameStringW, CertGetCertificateChain
Secur32.dll | LsaGetLogonSessionData, LsaFreeReturnBuffer
RPCRT4.dll | RpcServerUseProtseqEpW, NdrServerCallAll, NdrClientCall3, RpcServerRegisterIfEx, RpcStringFreeW, I_RpcBindingInqLocalClientPID, RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcServerUnregisterIf, NdrServerCall2
Language of compilation system | Country where language is spoken
English | United States
No network behavior found
Target ID:0
Start time:20:51:04
Start date:23/02/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe" >> C:\servicereg.log 2>&1
Imagebase:0xa40000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:20:51:04
Start date:23/02/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:20:51:04
Start date:23/02/2024
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:sc create CNVkE binpath= "C:\Users\user\Desktop\Sysmon64.exe"
Imagebase:0x980000
File size:61'440 bytes
MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:3
Start time:20:51:05
Start date:23/02/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c sc start CNVkE >> C:\servicestart.log 2>&1
Imagebase:0xa40000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:20:51:05
Start date:23/02/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:20:51:05
Start date:23/02/2024
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:sc start CNVkE
Imagebase:0x980000
File size:61'440 bytes
MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:6
Start time:20:51:05
Start date:23/02/2024
Path:C:\Users\user\Desktop\Sysmon64.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\Sysmon64.exe
Imagebase:0x7ff7873c0000
File size:3'925'928 bytes
MD5 hash:DBB70DF036B6811F1328BB06BF8671FE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:7
Start time:20:51:06
Start date:23/02/2024
Path:C:\Windows\System32\wbem\unsecapp.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\unsecapp.exe -Embedding
Imagebase:0x7ff744710000
File size:54'272 bytes
MD5 hash:9B782B1E1D7A2C28302755F963EAC907
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Execution Graph

Execution Coverage:0.9%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:0.7%
Total number of Nodes:275
Total number of Limit Nodes:10
GetModuleFileNameW GetFileVersionInfoSizeW 21894->21895 21897 7ff787522b1c 21895->21897 21898 7ff7873c18d0 21896->21898 21899 7ff7873c1920 GetFileVersionInfoW 21897->21899 21966 7ff7875228bc 28 API calls 3 library calls 21898->21966 21961 7ff7873c3830 VerQueryValueW 21899->21961 21902 7ff7873c18dc 21967 7ff7873c16c0 37 API calls vfwprintf 21902->21967 21905 7ff7873c3830 32 API calls 21906 7ff7873c1957 21905->21906 21907 7ff7873c3830 32 API calls 21906->21907 21908 7ff7873c1969 21907->21908 21909 7ff7873c3830 32 API calls 21908->21909 21910 7ff7873c197b 21909->21910 21911 7ff7873c3830 32 API calls 21910->21911 21912 7ff7873c198d GetStdHandle GetFileType 21911->21912 21913 7ff7873c19a9 vfwprintf 21912->21913 21914 7ff7873c19e8 vfwprintf 21912->21914 21968 7ff7873c1710 37 API calls vfwprintf 21913->21968 21970 7ff7873c1710 37 API calls vfwprintf 21914->21970 21917 7ff7873c1a16 vfwprintf 21971 7ff7875227d8 32 API calls 21917->21971 21918 7ff7873c19d5 vfwprintf 21969 7ff7875227d8 32 API calls 21918->21969 21974 7ff7873c2190 21921->21974 21926 7ff7873c3582 21982 7ff7874c7120 8 API calls 2 library calls 21926->21982 21928 7ff7873c33c0 3 API calls 21930 7ff7873c34d0 21928->21930 21929 7ff7873c3597 21929->21883 21930->21926 21931 7ff7873c34d8 RegOpenKeyExW 21930->21931 21932 7ff7873c3568 21931->21932 21933 7ff7873c350c RegQueryValueExW RegCloseKey 21931->21933 21981 7ff7874c7120 8 API calls 2 library calls 21932->21981 21933->21932 21934 7ff7873c3561 21933->21934 21934->21926 21934->21932 21936 7ff7873c357a 21936->21883 21938 7ff787522ab1 21937->21938 21939 7ff7873c188a 21937->21939 21998 7ff787527ec8 9 API calls _invalid_parameter_noinfo_noreturn 21938->21998 21943 7ff787521bdc 21939->21943 21941 7ff787522ab6 21999 7ff78753ae18 26 API calls _invalid_parameter_noinfo_noreturn 21941->21999 21944 7ff787521bfa 21943->21944 21945 7ff787521be5 21943->21945 21951 7ff7873c1891 GetFileType 21944->21951 22002 7ff787527ea8 9 API calls _invalid_parameter_noinfo_noreturn 21944->22002 
22000 7ff787527ea8 9 API calls _invalid_parameter_noinfo_noreturn 21945->22000 21947 7ff787521bea 22001 7ff787527ec8 9 API calls _invalid_parameter_noinfo_noreturn 21947->22001 21949 7ff787521c35 22003 7ff787527ec8 9 API calls _invalid_parameter_noinfo_noreturn 21949->22003 21951->21877 21951->21891 21953 7ff787521c3d 22004 7ff78753ae18 26 API calls _invalid_parameter_noinfo_noreturn 21953->22004 21956 7ff787522ae4 21955->21956 21960 7ff787522af4 21956->21960 22005 7ff787527ec8 9 API calls _invalid_parameter_noinfo_noreturn 21956->22005 21958 7ff787522ae9 22006 7ff78753ae18 26 API calls _invalid_parameter_noinfo_noreturn 21958->22006 21960->21893 21962 7ff7873c2190 30 API calls 21961->21962 21963 7ff7873c38ac VerQueryValueW 21962->21963 22007 7ff7874c7120 8 API calls 2 library calls 21963->22007 21965 7ff7873c1945 21965->21905 21966->21902 21967->21894 21968->21918 21969->21882 21970->21917 21971->21882 21972->21882 21973->21887 21975 7ff7873c21b5 vfwprintf 21974->21975 21983 7ff787521620 21975->21983 21978 7ff7873c33c0 RegOpenKeyExW 21979 7ff7873c343b 21978->21979 21980 7ff7873c33ec RegQueryValueExW RegCloseKey 21978->21980 21979->21926 21979->21928 21980->21979 21981->21936 21982->21929 21984 7ff787521670 21983->21984 21985 7ff787521634 21983->21985 21996 7ff787527ec8 9 API calls _invalid_parameter_noinfo_noreturn 21984->21996 21985->21984 21987 7ff78752163e 21985->21987 21994 7ff78750b510 30 API calls 5 library calls 21987->21994 21990 7ff787521657 21991 7ff7873c21d4 21990->21991 21995 7ff787527ec8 9 API calls _invalid_parameter_noinfo_noreturn 21990->21995 21991->21978 21993 7ff787521668 21997 7ff78753ae18 26 API calls _invalid_parameter_noinfo_noreturn 21993->21997 21994->21990 21995->21993 21996->21993 21997->21991 21998->21941 21999->21939 22000->21947 22001->21951 22002->21949 22003->21953 22004->21951 22005->21958 22006->21960 22007->21965 22308 7ff7873c8e30 69 API calls __std_exception_copy 22309 7ff7873ca560 64 API calls vfwprintf 22310 7ff7873cb560 62 
API calls 2 library calls 22312 7ff7873c1570 30 API calls shared_ptr 22313 7ff7873c3170 34 API calls _invalid_parameter_noinfo_noreturn 22317 7ff7873cc180 CreateMutexW WaitForSingleObject ReleaseMutex 22319 7ff7873c1590 29 API calls shared_ptr 22212 7ff7873cab1d 12 API calls _invalid_parameter_noinfo_noreturn 22213 7ff7873c1f30 9 API calls _invalid_parameter_noinfo_noreturn 22326 7ff7873c2130 30 API calls vfwprintf 22217 7ff7873c3740 31 API calls _invalid_parameter_noinfo_noreturn 22330 7ff7873c1540 43 API calls 22331 7ff7873c3940 68 API calls __std_exception_copy 22332 7ff7874c8150 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter __security_init_cookie 22334 7ff7873c1150 46 API calls shared_ptr 22337 7ff7873e61e0 85 API calls 22339 7ff7873d49e0 79 API calls __std_exception_copy 22344 7ff7873e51eb 73 API calls 22347 7ff7873c15ec 32 API calls shared_ptr 22233 7ff7873c1000 31 API calls shared_ptr 22234 7ff7873fa400 67 API calls __std_exception_copy 22238 7ff7873c2fa0 82 API calls 22354 7ff7873c35a0 31 API calls 22360 7ff7873cfdb0 67 API calls 22244 7ff7873c13c0 30 API calls shared_ptr 22365 7ff7873d9dc0 71 API calls 22250 7ff7873e37a3 87 API calls 22253 7ff7873c37d0 32 API calls 22254 7ff7873c6bd0 36 API calls _invalid_parameter_noinfo_noreturn

Executed Functions

Control-flow Graph

  • Function entry: 7ff7873c1760 (executed / not-executed edge list of the rendered graph omitted)
APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: File$InfoTypeVersion$HandleModuleNameSize_invalid_parameter_noinfo
  • String ID: %s v%s - %s%s%s$-accepteula$-nobanner$/accepteula$/nobanner$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright
  • API String ID: 2281649930-2075756908
  • Opcode ID: 3ccc81dfc057be7565abd70e9777c02c00c592ac5447d7527f099a2fa1c642fd
  • Instruction ID: 673dce24835be299905d3bc8801bfdf361e35747ef0bb0a8536ae30bc164a8d8
  • Opcode Fuzzy Hash: 3ccc81dfc057be7565abd70e9777c02c00c592ac5447d7527f099a2fa1c642fd
  • Instruction Fuzzy Hash: 39819165A5878286EB14FB51E9452B9E3A1BF84B90FE44039DA4F47B92DF3CE443C321
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Function entry: 7ff7873e56a0 (executed / not-executed edge list of the rendered graph omitted)
APIs
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873E56E7
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873E570F
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
  • InitializeCriticalSection.KERNEL32(?,?,?,?,00007FF7873E36AE), ref: 00007FF7873E574A
  • DeleteCriticalSection.KERNEL32(?,?,?,?,00007FF7873E36AE), ref: 00007FF7873E576A
    • Part of subcall function 00007FF7873F87D0: TlsAlloc.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F87F1
    • Part of subcall function 00007FF7873F87D0: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F87FD
  • EnterCriticalSection.KERNEL32(?,?,?,?,00007FF7873E36AE), ref: 00007FF7873E577F
  • CreateMutexW.KERNELBASE(?,?,?,?,00007FF7873E36AE), ref: 00007FF7873E57B5
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873E57CA
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873E57F9
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873E5822
  • LeaveCriticalSection.KERNEL32(?,?,?,?,00007FF7873E36AE), ref: 00007FF7873E58AA
Strings
Similarity
  • API ID: CurrentThread$CriticalSection$AllocCreateDeleteEnterInitializeLeaveMutexValue
  • String ID: xmlGlobalInitMutexLock: out of memory
  • API String ID: 1695213902-1530804309
  • Opcode ID: bcadb6ae93e9033c280cbd39ff5508c125ef861292225ef5489397a39ba8f1d9
  • Instruction ID: dcb96ca7102f6f7c4fff1caa91416fdbb8ea67d5b547f25de006444934f6b9c5
  • Opcode Fuzzy Hash: bcadb6ae93e9033c280cbd39ff5508c125ef861292225ef5489397a39ba8f1d9
  • Instruction Fuzzy Hash: F8512971E89A8786FE50FB10D845378A3A2BF41B94FF04039D50F06AA1DF2CA587C632
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Similarity
  • API ID: CloseOpenQueryValue
  • String ID: %s\%s$EulaAccepted$Software\Sysinternals$System Monitor
  • API String ID: 3677997916-2404948253
  • Opcode ID: 380eb7a0a6d6afbe527a0b89254ac627e43f9efc555af19f5538d89fd5f33fad
  • Instruction ID: 0785abc046fa0c7b9df7e8941bad765080607de66f0bfb2dc5f5afa0772dfada
  • Opcode Fuzzy Hash: 380eb7a0a6d6afbe527a0b89254ac627e43f9efc555af19f5538d89fd5f33fad
  • Instruction Fuzzy Hash: 42314471A5CB8191EB50EB10E4447A6B3A0FB84764FD01235EA8F43B99DF3CD146DB11
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Similarity
  • API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
  • String ID:
  • API String ID: 2082702847-0
  • Opcode ID: f4f04a94952ec9d5ee23abf7e405d8d08d4a5e84ec13bb1696ce4217a8ad4bee
  • Instruction ID: 18c328aac8cec0e6f6bfe8e734470ce29b67761308d4fcda55e1444390083a68
  • Opcode Fuzzy Hash: f4f04a94952ec9d5ee23abf7e405d8d08d4a5e84ec13bb1696ce4217a8ad4bee
  • Instruction Fuzzy Hash: 6C216F61A99B8246EF14FB60E404278A291BF44BA4FF40734DA3F863D1DF3CE806C624
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Similarity
  • API ID: QueryValue
  • String ID: \StringFileInfo\%04X%04X\%s$\VarFileInfo\Translation
  • API String ID: 3660427363-755172729
  • Opcode ID: 57cc24774d0a32f36b5e0b39b2f80a1e35cf3aab8a7005dfc59e5376bd82053b
  • Instruction ID: 07fd516d374057c747f798f0d2f7ba1427165b006479d37e9b9c965c69c53b52
  • Opcode Fuzzy Hash: 57cc24774d0a32f36b5e0b39b2f80a1e35cf3aab8a7005dfc59e5376bd82053b
  • Instruction Fuzzy Hash: E4113062618B8581DB50DB55F8843AAB361FBC8B95F944032EB8E43B28DF3CC155CB10
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • CreateMutexW.KERNELBASE(?,?,?,?,00007FF7873E5844,?,?,?,?,00007FF7873E36AE), ref: 00007FF787411C8F
Strings
Similarity
  • API ID: CreateMutex
  • String ID: %ud$XML_MEM_BREAKPOINT$XML_MEM_TRACE
  • API String ID: 1964310414-2307360426
  • Opcode ID: ea0eef1bfb83916a2fc019b946aa80ed0743e135317c2bff8cf9fb799e75e737
  • Instruction ID: 5ece1419e9018798f4f3770b6a0dbff59e3810c528f528d2eece0064ad3045a4
  • Opcode Fuzzy Hash: ea0eef1bfb83916a2fc019b946aa80ed0743e135317c2bff8cf9fb799e75e737
  • Instruction Fuzzy Hash: 2C011B24E99A4281FB15BB25E8512B5B2927F44340FF44236D50F473A6EF6CE546C270
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Similarity
  • API ID: CloseOpenQueryValue
  • String ID: EulaAccepted
  • API String ID: 3677997916-921354838
  • Opcode ID: 72ed33bf021fb8c596a286bdf7b6bd4e30994008709b55f99afafc4d6c7b669f
  • Instruction ID: d95e47ee1b0b900bb6eb1b4c0d738f0473244fd098baee1bfde579b66a4695bf
  • Opcode Fuzzy Hash: 72ed33bf021fb8c596a286bdf7b6bd4e30994008709b55f99afafc4d6c7b669f
  • Instruction Fuzzy Hash: 6A018C32A18B8287EB50AB11F840A5AB3A0FB84794F901135EA8E43F18EF3CE545CB01
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • RtlAllocateHeap.NTDLL(?,?,?,00007FF787558E01,?,?,00000000,00007FF7875418EB,?,?,?,00007FF78754614F,?,?,?,00007FF787545F09), ref: 00007FF787552CB6
Similarity
  • API ID: AllocateHeap
  • String ID:
  • API String ID: 1279760036-0
  • Opcode ID: 983c8f18d9730b8f715ce8d393a003e851784625f4d648167007a789e2ea83ef
  • Instruction ID: 7b7366de5c8f3f6e948377dc66f7d23184d6feaee132ccf34b85ecc0a0021990
  • Opcode Fuzzy Hash: 983c8f18d9730b8f715ce8d393a003e851784625f4d648167007a789e2ea83ef
  • Instruction Fuzzy Hash: 07F03A81E9C20261FB587761694267491806F847A0FF80A30E92FCA3C2DE6CA482C630
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Control-flow Graph

  • Function entry: 7ff7873c2920 (executed / not-executed edge list of the rendered graph omitted)
APIs
Strings
Similarity
  • API ID: Close$Value$OpenQuery$Local$AddressAllocCommandCreateDialogFileFreeHandleIndirectLineParamProcType_invalid_parameter_noinfo
  • String ID: %c$&Agree$&Decline$&Print$-accepteula$/accepteula$Accept Eula (Y/N)?$CommandLineToArgvW$EulaAccepted$License Agreement$MS Shell Dlg$NanoServer$ProductName$RICHEDIT$Riched32.dll$SYSINTERNALS SOFTWARE LICENSE TERMSThese license terms are an agreement between Sysinternals(a wholly owned subsidiary of Microso$Shell32.dll$Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels$Software\Microsoft\windows nt\currentversion$Software\Sysinternals\%s$System Monitor$You can also use the /accepteula command-line switch to accept the EULA.$iotuap
  • API String ID: 3918631088-2397820593
  • Opcode ID: b8534927536c01f52f1b808f7ab5d72032ef3f9774a7e31bca6668a8727f5151
  • Instruction ID: a7bf1e2a61aa11b6faf57067d8a12454f4e609b9f0ca50915c7af93a6e06a4a1
  • Opcode Fuzzy Hash: b8534927536c01f52f1b808f7ab5d72032ef3f9774a7e31bca6668a8727f5151
  • Instruction Fuzzy Hash: C402A47265878286DB10EF14E4402BAB3B0FB84BA4FE04236DB5E57AA4DF7CD54AC711
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Similarity
  • API ID: CapsDeviceMessagePageSend$CursorStart$HandleInflateLoadModeModulePrintRect
  • String ID: Sysinternals License$x
  • API String ID: 2115769042-2333083431
  • Opcode ID: 817dd3d3b5faff4e33389c2e5aee8211649ac3e1af66e5274e9013bcecd06c33
  • Instruction ID: 719f7147ace1f1ca9d2629d44ae6f2e26d9d9144c94b3cda85e82f99956e4165
  • Opcode Fuzzy Hash: 817dd3d3b5faff4e33389c2e5aee8211649ac3e1af66e5274e9013bcecd06c33
  • Instruction Fuzzy Hash: AE715B36A18B8186E710DF61E8442AEB370F7C9798FA05225DE8E57B58DF3DD685CB00
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: Memory allocation failed : %s$Namespace prefix %s for %s on %s is not defined$Namespace prefix %s on %s is not defined$Namespaced Attribute %s in '%s' redefined$StartTag: invalid element name$Unexpected change of input$attributes construct error$c$d$dictionary allocation failure$gfff$http://www.w3.org/2000/xmlns/$redefinition of the xmlns prefix is forbidden$reuse of the xmlns namespace name is forbidden$standalone: attribute %s on %s defaulted from external subset$xml namespace URI cannot be the default namespace$xml namespace URI mapped to wrong prefix$xml namespace prefix mapped to wrong URI$xmlParseStartTag: problem parsing attributes$xmlns: '%s' is not a valid URI$xmlns: URI %s is not absolute$xmlns:%s: '%s' is not a valid URI$xmlns:%s: Empty XML namespace is not allowed$xmlns:%s: URI %s is not absolute
  • API String ID: 0-2465701963
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (executed / not-executed node graph of the function at 7ff7873d1b70; raw graph listing omitted)
APIs
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873D1D9F
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873D1DC7
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873D1DEF
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
    • Part of subcall function 00007FF7873F8400: ReleaseMutex.KERNEL32 ref: 00007FF7873F86A6
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F86C3
    • Part of subcall function 00007FF7873F8400: CreateMutexW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84D3
    • Part of subcall function 00007FF7873F8400: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84EB
Strings
Similarity
  • API ID: CurrentThread$Mutex$CreateObjectReleaseSingleValueWait
  • String ID: %s$Detected an entity reference loop$String decoding Entity Reference: %.30s$String decoding PE Reference: %.30s$Y$not validating will not read content for PE entity %s$predefined entity has no content
  • API String ID: 2259964185-1842065348
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: CurrentThread$MutexReleaseValue
  • String ID: Cannot initialize memory for new link$Memory allocation failed : %s$malloc failed$xmlAddRef: Reference list creation failed!$xmlAddRef: Reference list insertion failed!$xmlAddRef: Table creation failed!
  • API String ID: 2840059946-3576115945
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID: CurrentThread
  • String ID: %s$7$7$ContentDecl : ',' '|' or ')' expected$ContentDecl : Name or '(' expected$Element content declaration doesn't start and stop in the same entity$Memory allocation failed : %s$malloc failed$xmlParseElementChildrenContentDecl : '%c' expected$xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE
  • API String ID: 2882836952-2217689941
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: %s$'>' required to close NOTATION declaration$1$1$NOTATION: Name expected here$Notation declaration doesn't start and stop in the same entity$OITATON!$Space required after '<!NOTATION'$Space required after the NOTATION name'$colons are forbidden from notation names '%s'
  • API String ID: 0-2762222150
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: #%d$#x%X$%s$Detected an entity reference loop$Entity '%s' failed to parse$Y$Y$invalid entity type found$nbktext
  • API String ID: 0-3591411778
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: %s$E$E$Element content declaration doesn't start and stop in the same entity$Memory allocation failed : %s$MixedContentDecl : '#PCDATA' expected$MixedContentDecl : '|' or ')*' expected$malloc failed$xmlParseElementMixedContentDecl : Name expected
  • API String ID: 0-2556748111
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: %s$%s: %s$+$+$2$Name too long use XML_PARSE_HUGE option$Public ID$SystemLiteral " or ' expected$Unfinished System or Public ID " or ' expected
  • API String ID: 0-1568619456
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: %s$'$AttValue length too long$AttValue: " or ' expected$AttValue: ' expected$Memory allocation failed$Unescaped '<' not allowed in attributes values$invalid character in attribute value
  • API String ID: 0-698441893
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: %s$%s: %s$+$+$Name too long use XML_PARSE_HUGE option$SystemLiteral$SystemLiteral " or ' expected$Unfinished System or Public ID " or ' expected
  • API String ID: 0-3796757011
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: No declaration for attribute %s of element %s$Value "%s" for attribute %s of %s is not a declared Notation$Value "%s" for attribute %s of %s is not among the enumerated notations$Value "%s" for attribute %s of %s is not among the enumerated set$Value for attribute %s of %s is different from default "%s"$Value for attribute %s of %s must be "%s"$building QName
  • API String ID: 0-1675084365
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
  • String ID:
  • API String ID: 1239891234-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: !$!$%s$String not closed expecting " or '$String not started expecting ' or "$expected '='$standalone accepts only 'yes' or 'no'
  • API String ID: 0-1553304489
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: %s: %s$Memory allocation failed$Name too long use XML_PARSE_HUGE option$NmToken$n$n
  • API String ID: 0-2032728247
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: %s: %s$Memory allocation failed$NCName$Name too long use XML_PARSE_HUGE option$d$n
  • API String ID: 0-698477125
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7874FA473
Similarity
  • API ID: DebugDebuggerErrorLastOutputPresentString
  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
  • API String ID: 389471666-631824599
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: :$:$:$Memory allocation failed$Name %s is not XML Namespace compliant
  • API String ID: 0-941754222
  • Opcode ID: afe7a0dc4685e906880020aaee8dc5bcc5ca7da6581f330677f2b925e4710e4b
  • Instruction ID: 35eb401e5eeca30df91f1abc1dcc90b92764462e4682edf3815e2bed6c644faf
  • Opcode Fuzzy Hash: afe7a0dc4685e906880020aaee8dc5bcc5ca7da6581f330677f2b925e4710e4b
  • Instruction Fuzzy Hash: 43E1D361A4C7C241EB34AB21A188279FA91FF45794FA40038DA8F63E95DF7CE483D721
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: Internal: ELEMENT content corrupted invalid type$Memory allocation failed : %s$malloc failed$xmlNewElementContent : name != NULL !$xmlNewElementContent : name == NULL !
  • API String ID: 2882836952-2621422465
  • Opcode ID: a25bd16bf9fe5ebb5a795bbf91fdd7e442d2b5f280a0dcd38adae93917c81017
  • Instruction ID: e1cfa47b7e42eade6e987177cc414a7a9432461ac6743599d9ce8f97368b3e63
  • Opcode Fuzzy Hash: a25bd16bf9fe5ebb5a795bbf91fdd7e442d2b5f280a0dcd38adae93917c81017
  • Instruction Fuzzy Hash: CC816D32648B8186E7A0EF25A44036AF7E5FB89744FA84138D68F47B95CF3DD452CB11
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: MAX_ENCODING_HANDLERS$xmlNewCharEncodingHandler : no name !$xmlNewCharEncodingHandler : out of memory !$xmlRegisterCharEncodingHandler: NULL handler !$xmlRegisterCharEncodingHandler: Too many handler registered, see %s
  • API String ID: 2882836952-4198703406
  • Opcode ID: ba01218149bb0ae67f87552a1933e45c05369aabd5e8109c04f630b4089aa241
  • Instruction ID: a3dab924abcafc5a5e75c5f026246780634c0db725e3d4bc40f4c56a598813ee
  • Opcode Fuzzy Hash: ba01218149bb0ae67f87552a1933e45c05369aabd5e8109c04f630b4089aa241
  • Instruction Fuzzy Hash: B9613F3264CB8186E7609B14F84136AF6E8FB94794FA40139EA8E47FA5DF3CD052CB10
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID:
  • String ID: Failed to parse QName '%s'$Failed to parse QName '%s:%s:'$Failed to parse QName '%s:'$building QName
  • API String ID: 0-3501110172
  • Opcode ID: b9f32c71e7a8cd57ce99ede81e384d55a23856a7550b5d3ec8192fbe59243a31
  • Instruction ID: dd4f54de69c5551a5dd830051e7113a088d83766b3692c049cb3e8dd60da7853
  • Opcode Fuzzy Hash: b9f32c71e7a8cd57ce99ede81e384d55a23856a7550b5d3ec8192fbe59243a31
  • Instruction Fuzzy Hash: 6BB1E8326487C285FA64AB11A4843AAF694FB85BD4FA44239EA9E07FD5DF3CD013C711
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: Version
  • String ID:
  • API String ID: 1889659487-0
  • Opcode ID: 746e6eb2d1a1117aad8b087402c01110a686746222bb28c3391cc06e53fde1b0
  • Instruction ID: eb4b14137ab5fb7f8dfd7ffbab1d8c1975db6138eb24f63de847045e2f9844f2
  • Opcode Fuzzy Hash: 746e6eb2d1a1117aad8b087402c01110a686746222bb28c3391cc06e53fde1b0
  • Instruction Fuzzy Hash: A8016236E4858186FB71BB11A4213F9A390BBC8754FE40135D64E06685DF3CD106DA21
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID: 0
  • API String ID: 3215553584-4108050209
  • Opcode ID: d474f519e288bebb3776aadca59e4aa65866eb36760e48044dc48b216662f6dd
  • Instruction ID: 703c4dd16683c4d8ff81d06cb9401f59381ee835bcefa8c2025257f4645c57d5
  • Opcode Fuzzy Hash: d474f519e288bebb3776aadca59e4aa65866eb36760e48044dc48b216662f6dd
  • Instruction Fuzzy Hash: FC71D025A5930246EBB8BA1980806B9A291FF40769FE45432DD4F1B6D9CF2DFC43C778
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID: 0
  • API String ID: 3215553584-4108050209
  • Opcode ID: de94bfaff3a5cf4e8a59df0cc0368c3989eeaee540664849dc8fced3b32465d0
  • Instruction ID: c8716d6baccdccde34b32024fd906e22bfd774c2a266738d8e4497f30098a13e
  • Opcode Fuzzy Hash: de94bfaff3a5cf4e8a59df0cc0368c3989eeaee540664849dc8fced3b32465d0
  • Instruction Fuzzy Hash: 1471A421A8C64646FB64AA3D40003B9E792BB41F45FF81931DD8B0779ACE2DE84BC771
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 46693dbf9f6a397b1457424d35a50aa5f9b6751634194fc1e4ea554f06a55c7d
  • Instruction ID: 73048587fba5c4642936e7c81f38142e0382f5911509539d65f5600479422d9a
  • Opcode Fuzzy Hash: 46693dbf9f6a397b1457424d35a50aa5f9b6751634194fc1e4ea554f06a55c7d
  • Instruction Fuzzy Hash: B7B1FC62B486C687EB68EA119040739E691BBB07A0FB4503DDE5F47BD0DE7DE852C312
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 0155d063973d59419c7893cdb7d0c22d835bbcd046b73ffc3a9d8a7082f90e11
  • Instruction ID: 5cac8d92dc7ffdb255652339b01d2e9e1b400fa6d99d313132ce943ae0dbda96
  • Opcode Fuzzy Hash: 0155d063973d59419c7893cdb7d0c22d835bbcd046b73ffc3a9d8a7082f90e11
  • Instruction Fuzzy Hash: 5691D632A0878182E758DF25D51033DB7A4F798BA4F658139DE4E87785DF38D892C361
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID:
  • API String ID: 3215553584-0
  • Opcode ID: bd8cb441ee8899db3f14b329389a3467cdf09f4d8e94e00437460040d27086d6
  • Instruction ID: 44237ebe4a6768f3c4845a2d611e6fc08e4fb5127dcde7cb1d3dc54eb8aa88e6
  • Opcode Fuzzy Hash: bd8cb441ee8899db3f14b329389a3467cdf09f4d8e94e00437460040d27086d6
  • Instruction Fuzzy Hash: 9F811325A9820282FBB8BA1580806B9A291FF40765FE45136DD4F53698CF2DF843C772
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID:
  • API String ID: 3215553584-0
  • Opcode ID: c9744b62ff630c810a024247eba52f3b77e7e111ef789983f0bc06c712269dff
  • Instruction ID: 9f869fa453ac3dfa10751b0ea74cb97ea917100d39c5ed2aaec7d54c020cfd6f
  • Opcode Fuzzy Hash: c9744b62ff630c810a024247eba52f3b77e7e111ef789983f0bc06c712269dff
  • Instruction Fuzzy Hash: F6812425E5860686EBB8BA1984802BDA290FF4076AFE85535DD4F47689CF3DF847C234
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: ErrorFreeHeapLast
  • String ID:
  • API String ID: 485612231-0
  • Opcode ID: 9c6990047df265be31c9680ac5459c0bcf8dacae1a5d0e388159ad14d4fc73dd
  • Instruction ID: 98fd2fae3593839bd35ed23fef7cc646df924546828a00eace106884407e00a8
  • Opcode Fuzzy Hash: 9c6990047df265be31c9680ac5459c0bcf8dacae1a5d0e388159ad14d4fc73dd
  • Instruction Fuzzy Hash: B341D662754A5442EF44DF26D9152A9B3A1FB4CFD4BA99436EE0E87B58DF3CD442C300
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 6cb1f743ac1ef8f95b1eda17f2a4fba62b59e07d82c91b03d918f4b14817b188
  • Instruction ID: faaccf71e3bedd3ed9e3896ae9f3aebc602633c8f22ee82873db6683e6ae38aa
  • Opcode Fuzzy Hash: 6cb1f743ac1ef8f95b1eda17f2a4fba62b59e07d82c91b03d918f4b14817b188
  • Instruction Fuzzy Hash: 4931F6B3F495D203D75DCE38586027AA9E3A7C1741B8DC53EDA8BC2B89EE398911C340
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 9bd2c9ad6f66a0e37362a675495163433ebd724a795661b71147279716215bd4
  • Instruction ID: 24d100f30f4f20e4de1c256f306ef08a65f9cddecee3ee9e149648492357ec4b
  • Opcode Fuzzy Hash: 9bd2c9ad6f66a0e37362a675495163433ebd724a795661b71147279716215bd4
  • Instruction Fuzzy Hash: 10316A22E9C14285FBA57668C55457AD242FF83740FF4863CC50F06AB9CD2EB84BE520
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 590e65582da1ece30385956d2c99742cf1de0fc0112662a95effe2d7524acb7b
  • Instruction ID: 99d51f7e934d3e87285d0c64bcf51b2e228fa4bebacf522f619f5b04dcaa2320
  • Opcode Fuzzy Hash: 590e65582da1ece30385956d2c99742cf1de0fc0112662a95effe2d7524acb7b
  • Instruction Fuzzy Hash: 7121A4B3F49A9703D75E8E38586013BE5E3ABC1341B99C53AE94BC1B99EF398911C350
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: QueryValue$File$InfoVersion$HandleModuleNameSizeType
  • String ID: %s v%s - %s%s%s$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$\VarFileInfo\Translation
  • API String ID: 1763495592-3823988196
  • Opcode ID: 59e0e0438944b33c2a9cde6bba76fb07b4b6ebd65a71f3af95fb5b98ed3aec2f
  • Instruction ID: a7c6b2090de8c0f229bce8898dd9b2612ba1a509ffd361c4534367d33e7f2379
  • Opcode Fuzzy Hash: 59e0e0438944b33c2a9cde6bba76fb07b4b6ebd65a71f3af95fb5b98ed3aec2f
  • Instruction Fuzzy Hash: 11717E26649B8282D710EF55F4802AAB3B5FB85BD4FA00136EB8E07B64DF3DD15AC710
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
    • Part of subcall function 00007FF7873F87D0: TlsAlloc.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F87F1
    • Part of subcall function 00007FF7873F87D0: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F87FD
  • TlsGetValue.KERNEL32 ref: 00007FF7873F840F
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
  • CreateMutexW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84D3
  • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84EB
  • ReleaseMutex.KERNEL32 ref: 00007FF7873F86A6
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873F86C3
    • Part of subcall function 00007FF7873F87D0: Sleep.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F8828
  • GetCurrentProcess.KERNEL32 ref: 00007FF7873F870F
  • GetCurrentThread.KERNEL32 ref: 00007FF7873F8718
  • GetCurrentProcess.KERNEL32 ref: 00007FF7873F8721
  • DuplicateHandle.KERNEL32 ref: 00007FF7873F874B
  • TlsSetValue.KERNEL32 ref: 00007FF7873F875A
    • Part of subcall function 00007FF78752460C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF787524628
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: Current$Thread$MutexProcessValue$AllocCreateDuplicateHandleObjectReleaseSingleSleepWait_invalid_parameter_noinfo
  • String ID: 20910$xmlGetGlobalState: out of memory
  • API String ID: 2647883383-3156977938
  • Opcode ID: 17a640fbf34f9c5a2ac778d59e486bb6deea208b404d879d0bf2743d061012a3
  • Instruction ID: b654428b62cdf88d47ca00d358185d7ed63315a35a9965a6db245fb049feb426
  • Opcode Fuzzy Hash: 17a640fbf34f9c5a2ac778d59e486bb6deea208b404d879d0bf2743d061012a3
  • Instruction Fuzzy Hash: E3A16435A49B8287EB14EF20E8442A9B3A5FB48784FA44135DA5F43761DF3CF196C721
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
    • Part of subcall function 00007FF7873F87D0: TlsAlloc.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F87F1
    • Part of subcall function 00007FF7873F87D0: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F87FD
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CA9C2
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CA9EC
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread$AllocValue
  • String ID: %s$%s:%d: $%s:%d: $Entity: line %d: $Entity: line %d: $^$element %s: $error : $out of memory error$warning :
  • API String ID: 3461179012-3702862348
  • Opcode ID: d4e8f76f1f956a65195a3d747291fe41469c4e53c99c211f4d6d467ec98e605d
  • Instruction ID: 06cb092fdf4e03ed4cbb19be01359bf6bbf631e6bdff45693621dda16b991bee
  • Opcode Fuzzy Hash: d4e8f76f1f956a65195a3d747291fe41469c4e53c99c211f4d6d467ec98e605d
  • Instruction Fuzzy Hash: 49C12922A4D7C245EB65EB10D55437DA760BF81B94FE9803ACA4F43B91DF2CE846D322
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: %s$Detected an entity reference loop$Internal: %%%s; is not a parameter entity$PEReference: %%%s; not found$PEReference: %s$PEReference: expecting ';'$PEReference: no name$Y$Y
  • API String ID: 2882836952-114631651
  • Opcode ID: 9378d22c01893fcf21cf10bc1e63450b383dcc82cfcab1859742a64802999641
  • Instruction ID: 56800603cf34148e2d8325b04cd8dd9232c95a934fc5da144aef4c42409a1901
  • Opcode Fuzzy Hash: 9378d22c01893fcf21cf10bc1e63450b383dcc82cfcab1859742a64802999641
  • Instruction Fuzzy Hash: C8E1A67298C7C285EB54BF21D4883B9BAA0FB45B44FA44039D94F16AA5CF3CE457C722
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: Item$MessageSend$BrushColorDialogTextWindow
  • String ID: %s License Agreement
  • API String ID: 1092124246-1285993597
  • Opcode ID: e65ede458fc0a3f5f314a5a8bcb1a629bf2c95977582fef719601ff82180c112
  • Instruction ID: f71bba1406a8dd4f5cd901532613bc16c39e3f44c7657f2fd5413c55f2aa4674
  • Opcode Fuzzy Hash: e65ede458fc0a3f5f314a5a8bcb1a629bf2c95977582fef719601ff82180c112
  • Instruction Fuzzy Hash: B751B020A9DAC281FB55AB25A9543BAA250FBC5BA0FE04234D94F17FD5CE3CD583C721
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: File$InfoQueryValueVersion$HandleModuleNameSizeType
  • String ID: %s v%s - %s%s%s$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright
  • API String ID: 4213512751-3661493233
  • Opcode ID: ddbe9d75366782137882ea54602471a268f4138fcc54bce7e62a5a480a17ba78
  • Instruction ID: c56e7714c849dd61cc8a965ba9e1dba9ade4101d63ab0a0cc033b8be1d585328
  • Opcode Fuzzy Hash: ddbe9d75366782137882ea54602471a268f4138fcc54bce7e62a5a480a17ba78
  • Instruction Fuzzy Hash: F1419065A58B8282EB10FB51E8892A9E395FF85BD0FE44139D94F07B95DF3CE106C720
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00007FF7873F87D0: TlsAlloc.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F87F1
    • Part of subcall function 00007FF7873F87D0: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F87FD
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CAE69
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CAEA5
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CAF51
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CAF88
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CB26A
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CB2A0
    • Part of subcall function 00007FF7873F87D0: Sleep.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F8828
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CB2F2
    • Part of subcall function 00007FF7873F8400: ReleaseMutex.KERNEL32 ref: 00007FF7873F86A6
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F86C3
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CB34B
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CB37F
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread$AllocMutexReleaseSleepValue
  • String ID: No error message provided
  • API String ID: 1567288208-2316238207
  • Opcode ID: 639cb6ce21f7da558f7f775564c39e798a02aeace90cf1bd9860c7af86f788d3
  • Instruction ID: 4031dfea2f3e1bd8054934b55830c8a76122505b3b205c4bd51cdee1cb0c4c76
  • Opcode Fuzzy Hash: 639cb6ce21f7da558f7f775564c39e798a02aeace90cf1bd9860c7af86f788d3
  • Instruction Fuzzy Hash: B4026021A896C295EE64BB11A480379A391FF847A8FE44039DA4F47F91DF3CE546C732
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873DE364
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873DE38F
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873DE3B7
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
    • Part of subcall function 00007FF7873F8400: ReleaseMutex.KERNEL32 ref: 00007FF7873F86A6
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F86C3
    • Part of subcall function 00007FF7873F8400: CreateMutexW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84D3
    • Part of subcall function 00007FF7873F8400: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84EB
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread$Mutex$CreateObjectReleaseSingleValueWait
  • String ID: Reading %s entity content input$xmlLoadEntityContent input error$xmlLoadEntityContent parameter error$xmlLoadEntityContent: invalid char value %d
  • API String ID: 2259964185-1959987939
  • Opcode ID: b0b000a91367ae14f95b23648544a78075539547c159ebb8f462d266a2663628
  • Instruction ID: 0f603c3efd1e71897e8e6154d5a735553453881cca1e02980ad0a49059a763d6
  • Opcode Fuzzy Hash: b0b000a91367ae14f95b23648544a78075539547c159ebb8f462d266a2663628
  • Instruction Fuzzy Hash: 1BB1AB71AC969285EA60BB55D488678AF61FF40B94FF40039D50F47AE1DF2CE493C322
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: error:
  • API String ID: 2882836952-2884437635
  • Opcode ID: d0159070469704058cf5e7706f6300e6281debd0f83d208a983135a5a57aafed
  • Instruction ID: 1c39c30585cb63a393c4fed823b6b5d637729a6cd67348c79f32b0c48a3f1dc4
  • Opcode Fuzzy Hash: d0159070469704058cf5e7706f6300e6281debd0f83d208a983135a5a57aafed
  • Instruction Fuzzy Hash: 2B618021E8C6C295EE50BB11D4453B9E290BF80BE8FE54039D90F46AA1DE3CE587C332
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: warning:
  • API String ID: 2882836952-990315431
  • Opcode ID: 0470ec2a24b305d315f576fff2691a3bea6c1cf8d0a7a8806b06a47bf6bbfea5
  • Instruction ID: 1e97ccbe80a97b0a2d8a73913f1379a515267530ef358cfd289f1522aaeb8fb8
  • Opcode Fuzzy Hash: 0470ec2a24b305d315f576fff2691a3bea6c1cf8d0a7a8806b06a47bf6bbfea5
  • Instruction Fuzzy Hash: 7A618121E8D6C695EE50BB11A4453B9E250BF80BE8FF54039D94F46AA1DE3CA587C232
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetProcAddress.KERNEL32 ref: 00007FF7873C308F
  • GetCommandLineW.KERNEL32 ref: 00007FF7873C30A7
    • Part of subcall function 00007FF787522054: _invalid_parameter_noinfo.LIBCMT ref: 00007FF787522071
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: AddressCommandLineProc_invalid_parameter_noinfo
  • String ID: -accepteula$/accepteula$CommandLineToArgvW$Shell32.dll
  • API String ID: 1655280681-2252253654
  • Opcode ID: 8810968ca1d4bd5888414cc0080fec073e82111f81f4927d60697030f544e4c5
  • Instruction ID: 3a11026de73144ef549048705669bb8e962186c31f26266dd762d2cde94bc56d
  • Opcode Fuzzy Hash: 8810968ca1d4bd5888414cc0080fec073e82111f81f4927d60697030f544e4c5
  • Instruction Fuzzy Hash: 38518032A4978696E700BF01E9801B9B391BF84B94FA04039DE1F53755DF7DE496C362
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CE301
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CE329
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CE39A
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CE3C2
    • Part of subcall function 00007FF7873F87D0: TlsAlloc.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F87F1
    • Part of subcall function 00007FF7873F87D0: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F87FD
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread$AllocValue
  • String ID: Cannot initialize memory for list$Cannot initialize memory for sentinel
  • API String ID: 3461179012-1086957842
  • Opcode ID: 12c87320a915eb4173dda38ece05783319f2f95a58f9afabbd8c051ec05f138e
  • Instruction ID: eefafc49b4a6db9ca354c2596447d1c509289f644a3b47a2521233151834dc1a
  • Opcode Fuzzy Hash: 12c87320a915eb4173dda38ece05783319f2f95a58f9afabbd8c051ec05f138e
  • Instruction Fuzzy Hash: FE416231E98A8285EF44BB14E4852B8B3A1FF44B94FE54035D20F426A5EF3CE596C721
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CA692
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CA6BA
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
    • Part of subcall function 00007FF7873F8400: ReleaseMutex.KERNEL32 ref: 00007FF7873F86A6
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F86C3
    • Part of subcall function 00007FF7873F8400: CreateMutexW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84D3
    • Part of subcall function 00007FF7873F8400: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7873CAE85), ref: 00007FF7873F84EB
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CA700
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873CA728
    • Part of subcall function 00007FF7873F87D0: TlsAlloc.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F87F1
    • Part of subcall function 00007FF7873F87D0: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F87FD
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread$Mutex$AllocCreateObjectReleaseSingleValueWait
  • String ID: %s:%d: $Entity: line %d:
  • API String ID: 2417299850-3495040061
  • Opcode ID: c3c4c060acccb9bc1dbdbfafe9495c64fd32d18d52f71b8bd1deeec13a32323f
  • Instruction ID: b74343d445619da553803e34aa5d36345ba382aa1cc36cedbb5640830461e425
  • Opcode Fuzzy Hash: c3c4c060acccb9bc1dbdbfafe9495c64fd32d18d52f71b8bd1deeec13a32323f
  • Instruction Fuzzy Hash: 6721FE21E98586C6FF54BB60E4857B8A261FF40794FF44035D60F129A1DF2CA497D732
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CloseOpenQueryValue_invalid_parameter_noinfo
  • String ID: ProductName$Software\Microsoft\windows nt\currentversion$iotuap
  • API String ID: 1583418253-312185779
  • Opcode ID: 0973e7db58ccba645885ec6ba6b06478c82442a14c6d38ece9f8fd8e0640c410
  • Instruction ID: 24a2376c76658a898f251172f959cb845183bfa4d7e82c00edd417841d5b3df2
  • Opcode Fuzzy Hash: 0973e7db58ccba645885ec6ba6b06478c82442a14c6d38ece9f8fd8e0640c410
  • Instruction Fuzzy Hash: D011337165DB8582EB50DF14E884366B3A0FBC8754FD01135E68F86A58EF3CD54ACB50
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread$MutexReleaseValue
  • String ID: validity error:
  • API String ID: 2840059946-3630159132
  • Opcode ID: 4d96cfd1eccfd620eb7493c1feb5770219781f7950464fd403cc7c3c9c2ad804
  • Instruction ID: 9925d71f7e0afb4b0a8035d71639a3b01d6bb52cafaad6d5a905e13007d1e2c4
  • Opcode Fuzzy Hash: 4d96cfd1eccfd620eb7493c1feb5770219781f7950464fd403cc7c3c9c2ad804
  • Instruction Fuzzy Hash: 3561A421A886C295EB50BB119445379F394FF84BD4FA94039DA8F43B95DF3CE546C321
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: validity warning:
  • API String ID: 2882836952-3523503534
  • Opcode ID: b2ab466dd6d0467266276de83911bd55b650172457de475c5a2f45d08fe6271e
  • Instruction ID: 8768a29d1dccf2b40059cac2915717280110eb5769103589827eab2e572068db
  • Opcode Fuzzy Hash: b2ab466dd6d0467266276de83911bd55b650172457de475c5a2f45d08fe6271e
  • Instruction Fuzzy Hash: 8B518322A88AC295EB50BF11A44437DA7A0FF84BD4FA54039DA4F43B95DF3CE546C721
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: new input from entity: %s$xmlNewEntityInputStream entity = NULL
  • API String ID: 2882836952-972125157
  • Opcode ID: 2f6558647664a530bdd548ccb30aac2b30fc9ffc8b46766f0aaccdfbc6a3813e
  • Instruction ID: 9b09085f1ffd1dfbd169c38e71362a34fe8b4f787c2dbe9d6dca637c25c931ec
  • Opcode Fuzzy Hash: 2f6558647664a530bdd548ccb30aac2b30fc9ffc8b46766f0aaccdfbc6a3813e
  • Instruction Fuzzy Hash: FD413D22E49B8695EF54AB24D484378A3A1FF44B84FE45439D60E42F95DF3CE887C322
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CloseOpenQueryValue
  • String ID: NanoServer$Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels
  • API String ID: 3677997916-218722125
  • Opcode ID: 9de69367eb79942b6999c6a22687235655297ca43ad7d4f859e2aba061d7b515
  • Instruction ID: 88c86ec555c0f762bffecad17d27e50a4ae87999efa49e34348b5bb8e16d7256
  • Opcode Fuzzy Hash: 9de69367eb79942b6999c6a22687235655297ca43ad7d4f859e2aba061d7b515
  • Instruction Fuzzy Hash: 63014871618B4587DB10DF54E48025AF7B0FBC53A1FA00135E68E46A68EF7DD549CB11
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: Mutex$CreateObjectReleaseSingleWait
  • String ID: 20910
  • API String ID: 1430916145-651562331
  • Opcode ID: 0ff2e438b55700f3966b6345843ab6c5399d50f66c6b88b259071fa36c712247
  • Instruction ID: 698af1ef1bdc473d01d823890bf662101c18789f1a4c4aacd00161e12124556e
  • Opcode Fuzzy Hash: 0ff2e438b55700f3966b6345843ab6c5399d50f66c6b88b259071fa36c712247
  • Instruction Fuzzy Hash: D551DD35B45B8197EB49DF25E9842A8B3A9FB48754FA04135DB6D43320EF38A1B5C710
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: 1.0$building doc
  • API String ID: 2882836952-1485071487
  • Opcode ID: ab748a1eb382fa2a6644bf2e2e9bd5702e9b59f06130db8c70fc9ed90bb2961b
  • Instruction ID: 038318b6e0a012054535b190de2364e1e7baf56d96f3c5f43ead7c4beb74e699
  • Opcode Fuzzy Hash: ab748a1eb382fa2a6644bf2e2e9bd5702e9b59f06130db8c70fc9ed90bb2961b
  • Instruction Fuzzy Hash: 1031C221B8978286FF14BF24E505379A291BF45794FE84138DA0E07BD5DF3CA486C762
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: creating buffer
  • API String ID: 2882836952-1293518637
  • Opcode ID: 3aeccfd6cbc0167159185b6e5c41b63c20093ff1370626c4eb80ff635688e309
  • Instruction ID: db956f80aa5e4f5073ff7d3bbebe1ea2f71e2500efe148af82843796fa53f334
  • Opcode Fuzzy Hash: 3aeccfd6cbc0167159185b6e5c41b63c20093ff1370626c4eb80ff635688e309
  • Instruction Fuzzy Hash: AD319532D587828AEB50BF20E441669B3A4FF44B58FE40039D64E07B95DF3CE592CB21
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ReadConsoleInputW.KERNEL32(?,?,00000001,00007FF7875234DB,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF787558424
  • GetLastError.KERNEL32(?,?,00000001,00007FF7875234DB,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF787558430
  • CloseHandle.KERNEL32(?,?,00000001,00007FF7875234DB,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF787558448
  • ReadConsoleInputW.KERNEL32(?,?,00000001,00007FF7875234DB,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF787558463
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: ConsoleInputRead$CloseErrorHandleLast
  • String ID:
  • API String ID: 1281600104-0
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • SetConsoleMode.KERNEL32(?,?,00000001,00007FF7875234C9,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF787558499
  • GetLastError.KERNEL32(?,?,00000001,00007FF7875234C9,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF7875584A5
  • CloseHandle.KERNEL32(?,?,00000001,00007FF7875234C9,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF7875584BD
  • SetConsoleMode.KERNEL32(?,?,00000001,00007FF7875234C9,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF7875584D1
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: ConsoleMode$CloseErrorHandleLast
  • String ID:
  • API String ID: 281222627-0
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • GetConsoleMode.KERNEL32(?,?,00000001,00007FF7875234C2,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF7875581EF
  • GetLastError.KERNEL32(?,?,00000001,00007FF7875234C2,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF7875581FB
  • CloseHandle.KERNEL32(?,?,00000001,00007FF7875234C2,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF787558213
  • GetConsoleMode.KERNEL32(?,?,00000001,00007FF7875234C2,?,?,?,?,?,?,?,?,?,?,00000000,00007FF78752341E), ref: 00007FF787558228
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: ConsoleMode$CloseErrorHandleLast
  • String ID:
  • API String ID: 281222627-0
Uniqueness
  • Uniqueness Score: -1.00%
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: building internal subset
  • API String ID: 2882836952-240863968
Uniqueness
  • Uniqueness Score: -1.00%
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID:
  • API String ID: 3215553584-3916222277
Uniqueness
  • Uniqueness Score: -1.00%
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: building DTD
  • API String ID: 2882836952-2361942712
Uniqueness
  • Uniqueness Score: -1.00%
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: creating input buffer
  • API String ID: 2882836952-2602446255
Uniqueness
  • Uniqueness Score: -1.00%
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: Cannot initialize memory for new link
  • API String ID: 2882836952-724543864
Uniqueness
  • Uniqueness Score: -1.00%
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread
  • String ID: creating buffer
  • API String ID: 2882836952-1293518637
Uniqueness
  • Uniqueness Score: -1.00%
APIs
    • Part of subcall function 00007FF7873F87D0: TlsAlloc.KERNEL32(?,?,?,?,00007FF7873CAE69), ref: 00007FF7873F87F1
    • Part of subcall function 00007FF7873F87D0: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F87FD
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873D0451
  • GetCurrentThreadId.KERNEL32 ref: 00007FF7873D0479
    • Part of subcall function 00007FF7873F8400: TlsGetValue.KERNEL32 ref: 00007FF7873F840F
    • Part of subcall function 00007FF7873F8400: GetCurrentThreadId.KERNEL32 ref: 00007FF7873F843F
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: CurrentThread$AllocValue
  • String ID: Pbm popping %d NS
  • API String ID: 3461179012-3384865362
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7874C8653), ref: 00007FF7874FD244
  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7874C8653), ref: 00007FF7874FD28A
Memory Dump Source
  • Source File: 00000006.00000002.1358807065.00007FF7873C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7873C0000, based on PE: true
  • Associated: 00000006.00000002.1358785469.00007FF7873C0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1358939313.00007FF787575000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359013716.00007FF787647000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359043480.00007FF787649000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359059163.00007FF78764A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000006.00000002.1359090448.00007FF787651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_7ff7873c0000_Sysmon64.jbxd
Similarity
  • API ID: ExceptionFileHeaderRaise
  • String ID: csm
  • API String ID: 2573137834-1018135373
Uniqueness
  • Uniqueness Score: -1.00%