Edit tour

Windows Analysis Report
3GNEyUm2j4.exe

Overview

General Information

Sample name:	3GNEyUm2j4.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	416ed19e022360adc33e72f89538dbff240a37cfc153fa6499ec4316b63546a1
Analysis ID:	1447774
MD5:	2689116ca367a1eb71a4b6b1b84a990b
SHA1:	05d12a0a9de6220703bc7d2ec68c6bf869d5bf91
SHA256:	416ed19e022360adc33e72f89538dbff240a37cfc153fa6499ec4316b63546a1

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Detected potential crypto function

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

3GNEyUm2j4.exe (PID: 1696 cmdline: "C:\Users\user\Desktop\3GNEyUm2j4.exe" MD5: 2689116CA367A1EB71A4B6B1B84A990B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 3GNEyUm2j4.exe

Virustotal: Detection: 9%

Perma Link

Source: 3GNEyUm2j4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\4shawty\Desktop\Alcatraz-master\x64\Release\Alcatraz-gui.pdbR source: 3GNEyUm2j4.exe
Source:	Binary string: : genericsystem: "", "existsfile_sizeSymInitialize failed!.pdbNo linked pdb file.Couldn't find linked pdb file.SymLoadModuleEx failed!unexpected error during pdbparser setupcouldn't enum symbolsinvalid string positioniostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setbinary path doesn't exist!couldn't open input binary!input binary isn't a valid pe file!Alcatraz doesn't support 32bit binaries!section name can't be longer than 8 characters!couldn't open output binary!couldn't write output binary! source: 3GNEyUm2j4.exe
Source:	Binary string: C:\Users\4shawty\Desktop\Alcatraz-master\x64\Release\Alcatraz-gui.pdb source: 3GNEyUm2j4.exe

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Code function: 0_2_00007FF7F0CCC1EC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,

0_2_00007FF7F0CCC1EC

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Code function: 0_2_00007FF7F0CAAB40 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF7F0CAAB40

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Code function: 0_2_00007FF7F0CAACA0 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF7F0CAACA0

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Code function: 0_2_00007FF7F0CAAB40 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF7F0CAAB40

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBDE10 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_00007FF7F0CBDE10
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBE757 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_00007FF7F0CBE757

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C991F0	0_2_00007FF7F0C991F0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CCC1EC	0_2_00007FF7F0CCC1EC
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CA9210	0_2_00007FF7F0CA9210
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C841A0	0_2_00007FF7F0C841A0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CE99CC	0_2_00007FF7F0CE99CC
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CA21C0	0_2_00007FF7F0CA21C0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CA7170	0_2_00007FF7F0CA7170
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CCA170	0_2_00007FF7F0CCA170
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C81960	0_2_00007FF7F0C81960
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C89180	0_2_00007FF7F0C89180
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CAE920	0_2_00007FF7F0CAE920
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C84120	0_2_00007FF7F0C84120
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CE393C	0_2_00007FF7F0CE393C
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CAFB10	0_2_00007FF7F0CAFB10
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CED308	0_2_00007FF7F0CED308
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C9130E	0_2_00007FF7F0C9130E
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C9EAD0	0_2_00007FF7F0C9EAD0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CDBAC4	0_2_00007FF7F0CDBAC4
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB3270	0_2_00007FF7F0CB3270
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CCA260	0_2_00007FF7F0CCA260
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CF4260	0_2_00007FF7F0CF4260
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CAD290	0_2_00007FF7F0CAD290
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CC4A20	0_2_00007FF7F0CC4A20
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CA8A40	0_2_00007FF7F0CA8A40
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CA7B90	0_2_00007FF7F0CA7B90
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBC390	0_2_00007FF7F0CBC390
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C84B40	0_2_00007FF7F0C84B40
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CDE4EC	0_2_00007FF7F0CDE4EC
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CDFCF8	0_2_00007FF7F0CDFCF8
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CC8CA0	0_2_00007FF7F0CC8CA0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C8245E	0_2_00007FF7F0C8245E
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB2480	0_2_00007FF7F0CB2480
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C99610	0_2_00007FF7F0C99610
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBDE10	0_2_00007FF7F0CBDE10
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CDADD0	0_2_00007FF7F0CDADD0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C9B5C0	0_2_00007FF7F0C9B5C0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBC580	0_2_00007FF7F0CBC580
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CC2520	0_2_00007FF7F0CC2520
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB2D20	0_2_00007FF7F0CB2D20
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBAD40	0_2_00007FF7F0CBAD40
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB9D40	0_2_00007FF7F0CB9D40
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CC76E0	0_2_00007FF7F0CC76E0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB1F10	0_2_00007FF7F0CB1F10
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C986B0	0_2_00007FF7F0C986B0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C90EB0	0_2_00007FF7F0C90EB0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CC6EB0	0_2_00007FF7F0CC6EB0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C8AED0	0_2_00007FF7F0C8AED0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CDDED0	0_2_00007FF7F0CDDED0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CA3690	0_2_00007FF7F0CA3690
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CA2E30	0_2_00007FF7F0CA2E30
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBCFF0	0_2_00007FF7F0CBCFF0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CC8010	0_2_00007FF7F0CC8010
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB4810	0_2_00007FF7F0CB4810
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CE4804	0_2_00007FF7F0CE4804
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB7FB0	0_2_00007FF7F0CB7FB0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CCAFB0	0_2_00007FF7F0CCAFB0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CD17B0	0_2_00007FF7F0CD17B0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB2FD0	0_2_00007FF7F0CB2FD0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBD7C0	0_2_00007FF7F0CBD7C0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CDBFBC	0_2_00007FF7F0CDBFBC
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CBE757	0_2_00007FF7F0CBE757
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C84F80	0_2_00007FF7F0C84F80
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CC1F30	0_2_00007FF7F0CC1F30
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C9D080	0_2_00007FF7F0C9D080
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0C8E030	0_2_00007FF7F0C8E030
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CB1830	0_2_00007FF7F0CB1830

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: 3GNEyUm2j4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3GNEyUm2j4.exe

Virustotal: Detection: 9%

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: zydis.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: asmjit.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Section loaded: dxgi.dll	Jump to behavior

Source: 3GNEyUm2j4.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 3GNEyUm2j4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3GNEyUm2j4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3GNEyUm2j4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3GNEyUm2j4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3GNEyUm2j4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3GNEyUm2j4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 3GNEyUm2j4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 3GNEyUm2j4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\4shawty\Desktop\Alcatraz-master\x64\Release\Alcatraz-gui.pdbR source: 3GNEyUm2j4.exe
Source:	Binary string: : genericsystem: "", "existsfile_sizeSymInitialize failed!.pdbNo linked pdb file.Couldn't find linked pdb file.SymLoadModuleEx failed!unexpected error during pdbparser setupcouldn't enum symbolsinvalid string positioniostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setbinary path doesn't exist!couldn't open input binary!input binary isn't a valid pe file!Alcatraz doesn't support 32bit binaries!section name can't be longer than 8 characters!couldn't open output binary!couldn't write output binary! source: 3GNEyUm2j4.exe
Source:	Binary string: C:\Users\4shawty\Desktop\Alcatraz-master\x64\Release\Alcatraz-gui.pdb source: 3GNEyUm2j4.exe

Source: 3GNEyUm2j4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3GNEyUm2j4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3GNEyUm2j4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3GNEyUm2j4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3GNEyUm2j4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Code function: 0_2_00007FF7F0CCAFB0 GetModuleHandleW,RegisterClassExW,CreateWindowExW,D3D11CreateDeviceAndSwapChain,UnregisterClassW,ShowWindow,ShowWindow,UpdateWindow,QueryPerformanceFrequency,QueryPerformanceCounter,LoadLibraryA,GetProcAddress,GetProcAddress,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,FreeLibrary,DestroyWindow,UnregisterClassW,

0_2_00007FF7F0CCAFB0

Source: 3GNEyUm2j4.exe

Static PE information: section name: _RDATA

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

0_2_00007FF7F0CCC1EC

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Code function: 0_2_00007FF7F0CCE424 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7F0CCE424

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

0_2_00007FF7F0CCAFB0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CCD9A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F0CCD9A0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CCE424 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F0CCE424
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CCE608 SetUnhandledExceptionFilter,	0_2_00007FF7F0CCE608
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: 0_2_00007FF7F0CD40B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F0CD40B4

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF7F0CF22AC
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7F0CF1BC4
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: GetLocaleInfoW,	0_2_00007FF7F0CE8B90
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7F0CF1C94
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_00007FF7F0CCBEF0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7F0CE87A0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF7F0CF20D0
Source: C:\Users\user\Desktop\3GNEyUm2j4.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF7F0CF1878

Source: C:\Users\user\Desktop\3GNEyUm2j4.exe

Code function: 0_2_00007FF7F0CDF450 GetSystemTimeAsFileTime,

0_2_00007FF7F0CDF450

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3GNEyUm2j4.exe	3%	ReversingLabs
3GNEyUm2j4.exe	9%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447774
Start date and time:	2024-05-27 02:02:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3GNEyUm2j4.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	416ed19e022360adc33e72f89538dbff240a37cfc153fa6499ec4316b63546a1
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 127

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 3GNEyUm2j4.exe, PID 1696 because there are no executed function
Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.542025477611427
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3GNEyUm2j4.exe
File size:	665'600 bytes
MD5:	2689116ca367a1eb71a4b6b1b84a990b
SHA1:	05d12a0a9de6220703bc7d2ec68c6bf869d5bf91
SHA256:	416ed19e022360adc33e72f89538dbff240a37cfc153fa6499ec4316b63546a1
SHA512:	5e4e5d43baab4b4093bb135885e4feb40e830fe5fe7a79a4e9a01be8a3a2d9ec174fb31ccefad79673a59d57baf356e936d30a1f1bdf568784f4797e0ea54a7d
SSDEEP:	12288:wHK0zojp/Q/ndQJzlceT2LrVW5mPQF4YZhbDo26E864L:wHKlJQFQJz7CLrfQF4YzDj86
TLSH:	86E49E87B2A404FDE077903A8897661BF775381607204BDF23E446662FA77E06E7E361
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.'...t...t...tVe.u...tVe.u?..tVe.u...t:k.u...t:k.u...t:k.u...tRj.u...tVe.u...t...th..tRj.u...tRj.t...tRj.u...tRich...t.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14004e0cc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63FBA3DE [Sun Feb 26 18:24:30 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	601c335fb4df627f2476046a8944a0ae

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7E8143EE64h
dec eax
add esp, 28h
jmp 00007F7E8143E73Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F7E8143E8D2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F7E8143E8D5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F7E8143E8CDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F7E8143DE2Ah
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9a744	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa7000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa0000	0x5820	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xb3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x91010	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x91080	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x90ed0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7b000	0x550	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x79928	0x79a00	88d5be280cc5205487993cf68cbd3dff	False	0.5448455967368961	data	6.540004335519969	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7b000	0x20b76	0x20c00	03fe22a762871de2306786f7f810b5a1	False	0.49982108778625955	data	5.76658499624341	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9c000	0x35b4	0x1400	d86fdc78b16ffa1b3552f75b18896448	False	0.1734375	DOS executable (block device driver)	2.9784599249819825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xa0000	0x5820	0x5a00	387b07162cfc0cde5459fbd156019f25	False	0.4748263888888889	PEX Binary Archive	5.79752190489588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0xa6000	0x15c	0x200	e354c048797acfbe5f3068b395922efe	False	0.392578125	data	3.3045335526458866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa7000	0x1e0	0x200	7549a2a71f9861120168bc80ee285d91	False	0.52734375	data	4.7082365148683625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xb3c	0xc00	2cdaa12a6a4c21661ec97e74bbaaee4e	False	0.4449869791666667	data	5.296186538350536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xa7060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	QueryPerformanceCounter, GetModuleHandleW, WriteConsoleW, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, DeleteFileW, ReadConsoleW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, GlobalFree, FreeLibrary, HeapAlloc, HeapFree, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, GetFileSizeEx, GetFileType, WriteFile, GetProcAddress, QueryPerformanceFrequency, LoadLibraryA, GlobalAlloc, MultiByteToWideChar, GetStdHandle, GetModuleFileNameW, ExitProcess, ReadFile, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, RtlUnwind, LoadLibraryExW, TlsFree, TlsSetValue, GlobalUnlock, WideCharToMultiByte, GlobalLock, GetCurrentProcess, TlsGetValue, TlsAlloc, SetLastError, RaiseException, RtlPcToFileHeader, RtlUnwindEx, InitializeSListHead, GetCurrentProcessId, GetStartupInfoW, IsDebuggerPresent, CreateEventW, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LocalFree, FormatMessageA, GetLocaleInfoEx, CreateFileW, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, AreFileApisANSI, CloseHandle, GetLastError, GetFileInformationByHandleEx, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetSystemTimeAsFileTime, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetEndOfFile
USER32.dll	SetClipboardData, GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetCursorPos, SetCursorPos, ReleaseCapture, IsWindowUnicode, GetClientRect, SetCursor, SetCapture, LoadCursorW, GetForegroundWindow, TrackMouseEvent, ClientToScreen, GetCapture, ScreenToClient, GetKeyState, UpdateWindow, PostQuitMessage, TranslateMessage, PeekMessageW, DispatchMessageW, ShowWindow, RegisterClassExW, UnregisterClassW, CreateWindowExW, DefWindowProcW, DestroyWindow
COMDLG32.dll	GetOpenFileNameA
Zydis.dll	ZydisFormatterInit, ZydisCalcAbsoluteAddress, ZydisGetInstructionSegments, ZydisDecoderDecodeBuffer, ZydisDecoderInit
dbghelp.dll	SymEnumSymbols, SymCleanup, SymLoadModuleEx, SymGetTypeInfo, SymInitialize
IMM32.dll	ImmSetCandidateWindow, ImmSetCompositionWindow, ImmReleaseContext, ImmGetContext
D3DCOMPILER_47.dll	D3DCompile
d3d11.dll	D3D11CreateDeviceAndSwapChain
asmjit.dll	?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAII@Z, ?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAIIAEBUOperand_@23@0@Z, ?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAIIAEBUOperand_@23@@Z, ?reset@CodeHolder@_abi_1_10@asmjit@@QEAAXW4ResetPolicy@23@@Z, ?codeSize@CodeHolder@_abi_1_10@asmjit@@QEBA_KXZ, ??0CodeHolder@_abi_1_10@asmjit@@QEAA@PEBUTemporary@Support@12@@Z, ??1CodeHolder@_abi_1_10@asmjit@@QEAA@XZ, ?init@CodeHolder@_abi_1_10@asmjit@@QEAAIAEBVEnvironment@23@_K@Z, ?attach@CodeHolder@_abi_1_10@asmjit@@QEAAIPEAVBaseEmitter@23@@Z, ??1JitRuntime@_abi_1_10@asmjit@@UEAA@XZ, ??0Assembler@x86@_abi_1_10@asmjit@@QEAA@PEAVCodeHolder@23@@Z, ??1Assembler@x86@_abi_1_10@asmjit@@UEAA@XZ, ??0JitRuntime@_abi_1_10@asmjit@@QEAA@PEBUCreateParams@JitAllocator@12@@Z

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	20:03:42
Start date:	26/05/2024
Path:	C:\Users\user\Desktop\3GNEyUm2j4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\3GNEyUm2j4.exe"
Imagebase:	0x7ff7f0c80000
File size:	665'600 bytes
MD5 hash:	2689116CA367A1EB71A4B6B1B84A990B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF7F0C8AED0 Relevance: 81.4, APIs: 39, Strings: 7, Instructions: 950COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F0C8AF06
SymInitialize.DBGHELP ref: 00007FF7F0C8AF14
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8AFA0
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8B0F5
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0C8B141
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0C8B17F
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8B1FB
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8AF80

Part of subcall function 00007FF7F0CCBF8C: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7F0C8A3E6), ref: 00007FF7F0CCBF9E

Part of subcall function 00007FF7F0C8A060: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7F0C8A0CE
Part of subcall function 00007FF7F0C8A060: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7F0C8A176

__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8B469
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8B4F7
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8B51D
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8B67C
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0C8B6CA
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0C8B70B
__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8B788
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD2A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD30
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD36
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD3C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD42
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD87
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD8D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD93
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD99
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BD9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDA5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDC7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDCD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDD3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDD9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDDF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDE5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8BDEB
GetCurrentProcess.KERNEL32 ref: 00007FF7F0C8BE04

Strings

No linked pdb file., xrefs: 00007FF7F0C8B279
.pdb, xrefs: 00007FF7F0C8AFA5, 00007FF7F0C8B522
SymInitialize failed!, xrefs: 00007FF7F0C8BD48
Couldn't find linked pdb file., xrefs: 00007FF7F0C8B801
unexpected error during pdbparser setup, xrefs: 00007FF7F0C8B3F0
SymLoadModuleEx failed!, xrefs: 00007FF7F0C8BA91
file_size, xrefs: 00007FF7F0C8AD0E

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page$__std_fs_convert_wide_to_narrow$CurrentProcess__std_fs_convert_narrow_to_wide$ApisFileInitialize
String ID: .pdb$Couldn't find linked pdb file.$No linked pdb file.$SymInitialize failed!$SymLoadModuleEx failed!$file_size$unexpected error during pdbparser setup
API String ID: 2223292382-2900892432
Opcode ID: 9fe40a4ae8d39cd8210ad67d2c302816bef2fe9b222cc3fc7ee51919160616d7
Instruction ID: 37900b4c0ea62554e484b6a3d0dde027385caeaac089addfacbd994aa8680ff7
Opcode Fuzzy Hash: 9fe40a4ae8d39cd8210ad67d2c302816bef2fe9b222cc3fc7ee51919160616d7
Instruction Fuzzy Hash: F5926F62B14A9285FB00ABA5D4453EDA3A1FF447A4F905632EA7D13BD9DF78F080C394

Function 00007FF7F0CCA170 Relevance: 63.7, APIs: 31, Strings: 5, Instructions: 681memoryCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCA257
__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA30F
__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA453
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0CCA4A2
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0CCA4E4
__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA50F
??0JitRuntime@_abi_1_10@asmjit@@QEAA@PEBUCreateParams@JitAllocator@12@@Z.ASMJIT ref: 00007FF7F0CCA768
??0CodeHolder@_abi_1_10@asmjit@@QEAA@PEBUTemporary@Support@12@@Z.ASMJIT ref: 00007FF7F0CCA778
??0Assembler@x86@_abi_1_10@asmjit@@QEAA@PEAVCodeHolder@23@@Z.ASMJIT ref: 00007FF7F0CCA788
ZydisDecoderInit.ZYDIS ref: 00007FF7F0CCA7BC
ZydisFormatterInit.ZYDIS ref: 00007FF7F0CCA7D6
__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA838
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0CCA884
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0CCA8C2
__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA8F1
??1Assembler@x86@_abi_1_10@asmjit@@UEAA@XZ.ASMJIT ref: 00007FF7F0CCAAB0
??1CodeHolder@_abi_1_10@asmjit@@QEAA@XZ.ASMJIT ref: 00007FF7F0CCAABD
??1JitRuntime@_abi_1_10@asmjit@@UEAA@XZ.ASMJIT ref: 00007FF7F0CCAACA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAB6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAB75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAB91
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAB97
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAB9D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCABA3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCABA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAC09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAC0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAC15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCAC1B
??1Assembler@x86@_abi_1_10@asmjit@@UEAA@XZ.ASMJIT ref: 00007FF7F0CCAC4C
??1CodeHolder@_abi_1_10@asmjit@@QEAA@XZ.ASMJIT ref: 00007FF7F0CCAC56

Strings

.obf, xrefs: 00007FF7F0CCA54F, 00007FF7F0CCA92D
G, xrefs: 00007FF7F0CCA476
failed to init decoder, xrefs: 00007FF7F0CCABAF
.0Dev, xrefs: 00007FF7F0CCA726
failed to init formatter, xrefs: 00007FF7F0CCABD0

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page$Code__std_fs_convert_wide_to_narrow$Assembler@x86@_abi_1_10@asmjit@@Holder@_abi_1_10@asmjit@@$InitRuntime@_abi_1_10@asmjit@@Zydis$Allocator@12@@CreateDecoderFormatterHolder@23@@Params@Support@12@@Temporary@
String ID: .0Dev$.obf$G$failed to init decoder$failed to init formatter
API String ID: 3594690684-3721320865
Opcode ID: 231616763a731a1bf4f9c0facdf80e31b01c873aaec5b87f6c287decd17ee1bc
Instruction ID: 93008f85670446679b65c848885f9336e04fcec3be90d78a9d242a7e7bfab0ce
Opcode Fuzzy Hash: 231616763a731a1bf4f9c0facdf80e31b01c873aaec5b87f6c287decd17ee1bc
Instruction Fuzzy Hash: 1452A122A146C285EB10AB74D8543EDE361FF84798F90A231EA6D47BD9DF7CE580C390

Function 00007FF7F0CCAFB0 Relevance: 58.3, APIs: 20, Strings: 13, Instructions: 506registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F0CCAFF3
RegisterClassExW.USER32 ref: 00007FF7F0CCB020
CreateWindowExW.USER32 ref: 00007FF7F0CCB06D
D3D11CreateDeviceAndSwapChain.D3D11 ref: 00007FF7F0CCB126
UnregisterClassW.USER32 ref: 00007FF7F0CCB13D
ShowWindow.USER32 ref: 00007FF7F0CCB16D
ShowWindow.USER32 ref: 00007FF7F0CCB17B
UpdateWindow.USER32 ref: 00007FF7F0CCB184

Strings

xinput1_1.dll, xrefs: 00007FF7F0CCB558
xinput1_2.dll, xrefs: 00007FF7F0CCB54D
d, xrefs: 00007FF7F0CCB065
d, xrefs: 00007FF7F0CCB05D
DARK OBFUSCATOR, xrefs: 00007FF7F0CCB008
XInputGetCapabilities, xrefs: 00007FF7F0CCB58E
xinput9_1_0.dll, xrefs: 00007FF7F0CCB542
xinput1_4.dll, xrefs: 00007FF7F0CCB52A
xinput1_3.dll, xrefs: 00007FF7F0CCB536
imgui_impl_win32, xrefs: 00007FF7F0CCB4E3
XInputGetState, xrefs: 00007FF7F0CCB5A2
<, xrefs: 00007FF7F0CCB0E0
imgui_impl_dx11, xrefs: 00007FF7F0CCB623

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Window$ClassCreateShow$ChainDeviceHandleModuleRegisterSwapUnregisterUpdate
String ID: <$DARK OBFUSCATOR$XInputGetCapabilities$XInputGetState$d$d$imgui_impl_dx11$imgui_impl_win32$xinput1_1.dll$xinput1_2.dll$xinput1_3.dll$xinput1_4.dll$xinput9_1_0.dll
API String ID: 1232786793-2972135713
Opcode ID: 567ea85af07ada0efa5f4203f7aeab45db1ed47b1cfb2f8d36c17d62549b5141
Instruction ID: 61fd1e605cad57e02fc448f31af9240b92045819ce22c4102d4bf9e10b3268af
Opcode Fuzzy Hash: 567ea85af07ada0efa5f4203f7aeab45db1ed47b1cfb2f8d36c17d62549b5141
Instruction Fuzzy Hash: AE525C62A08B96C6F701EF24E8402A9B7A4FF98758F559235DE5C037A1DF38B194C7A0

Function 00007FF7F0C81960 Relevance: 50.1, APIs: 25, Strings: 3, Instructions: 1061COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833BD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833C3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833CF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833D5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833ED
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833F3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83405
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8340B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83411
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83417
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8341D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83423
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83429
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8342F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83435
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8343B

Strings

gfffffff, xrefs: 00007FF7F0C8332D
=, xrefs: 00007FF7F0C81E12
P, xrefs: 00007FF7F0C81C40

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: =$P$gfffffff
API String ID: 3668304517-2666131937
Opcode ID: bf9551945293e783c1a14c63041d3d36da20755880c4cbb5ea0353c04244e499
Instruction ID: d54c8cb6d953169d685bfbbf9598ff09b0c44f3d17585ba490fe05a9d1471914
Opcode Fuzzy Hash: bf9551945293e783c1a14c63041d3d36da20755880c4cbb5ea0353c04244e499
Instruction Fuzzy Hash: E4B2A562A15BC185EB10EF35D8842EDA3A1FF85784F945232EA6D57BD9DF38E180C390

Function 00007FF7F0CCA260 Relevance: 49.6, APIs: 23, Strings: 5, Instructions: 582COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0C8D900: __std_fs_code_page.LIBCPMT ref: 00007FF7F0C8D9A0

__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA30F

Part of subcall function 00007FF7F0CCBF8C: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7F0C8A3E6), ref: 00007FF7F0CCBF9E

Part of subcall function 00007FF7F0C8A060: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7F0C8A0CE
Part of subcall function 00007FF7F0C8A060: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7F0C8A176

__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA453
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0CCA4A2
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0CCA4E4
__std_fs_code_page.LIBCPMT ref: 00007FF7F0CCA50F

Strings

.obf, xrefs: 00007FF7F0CCA54F, 00007FF7F0CCA92D
G, xrefs: 00007FF7F0CCA476
failed to init decoder, xrefs: 00007FF7F0CCABAF
.0Dev, xrefs: 00007FF7F0CCA726
failed to init formatter, xrefs: 00007FF7F0CCABD0

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: __std_fs_code_page$__std_fs_convert_narrow_to_wide__std_fs_convert_wide_to_narrow$ApisFile
String ID: .0Dev$.obf$G$failed to init decoder$failed to init formatter
API String ID: 397563111-3721320865
Opcode ID: 95026de14b309d60215c385b137f53859499b4a16fca141539b098b3199a3e5d
Instruction ID: 51303878c12e60e5858ff7df893867d739ad792def2e978986511dff2c4f9d25
Opcode Fuzzy Hash: 95026de14b309d60215c385b137f53859499b4a16fca141539b098b3199a3e5d
Instruction Fuzzy Hash: EB429222A146C285EB10AB75D8543EDE361FF85798F80A231EA6D47BD9DF7CE580C390

Function 00007FF7F0CDBFBC Relevance: 47.4, APIs: 24, Strings: 2, Instructions: 1877COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CDC2F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CDC54F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CDC815
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CDCA5C
memcpy_s.LIBCPMT ref: 00007FF7F0CDCCC2
memcpy_s.LIBCPMT ref: 00007FF7F0CDCF4A
memcpy_s.LIBCPMT ref: 00007FF7F0CDD163
memcpy_s.LIBCPMT ref: 00007FF7F0CDD1DE
memcpy_s.LIBCPMT ref: 00007FF7F0CDD213
memcpy_s.LIBCPMT ref: 00007FF7F0CDD24E
memcpy_s.LIBCPMT ref: 00007FF7F0CDD37A
memcpy_s.LIBCPMT ref: 00007FF7F0CDD49F
memcpy_s.LIBCPMT ref: 00007FF7F0CDD54A
memcpy_s.LIBCPMT ref: 00007FF7F0CDD595
memcpy_s.LIBCPMT ref: 00007FF7F0CDD662
memcpy_s.LIBCPMT ref: 00007FF7F0CDD7EB
memcpy_s.LIBCPMT ref: 00007FF7F0CDD862
memcpy_s.LIBCPMT ref: 00007FF7F0CDD8A7
memcpy_s.LIBCPMT ref: 00007FF7F0CDD959
memcpy_s.LIBCPMT ref: 00007FF7F0CDDA86
memcpy_s.LIBCPMT ref: 00007FF7F0CDCD5E

Part of subcall function 00007FF7F0CDF0C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CDF0FA

memcpy_s.LIBCPMT ref: 00007FF7F0CDDC40

Strings

, xrefs: 00007FF7F0CDDA06
, xrefs: 00007FF7F0CDDB33

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $
API String ID: 2880407647-227171996
Opcode ID: be4dd63becae09b6955cb2a9512e7352784169ffa3184c5585f969b57fbd2943
Instruction ID: 4e43f836759af5b26ea3cddb9cf3ef4dc2bdc83b7b1d1e2789f0622cff0af27e
Opcode Fuzzy Hash: be4dd63becae09b6955cb2a9512e7352784169ffa3184c5585f969b57fbd2943
Instruction Fuzzy Hash: E203B472A191C28BE7759E24D940BF9B791FF84788F805135EB2A57B84DB38F901CB90

Function 00007FF7F0C9130E Relevance: 41.3, APIs: 1, Strings: 22, Instructions: 1050COMMON

Download Yara Rule

Strings

Address : %x, xrefs: 00007FF7F0C923C7
Protection, xrefs: 00007FF7F0C915E9
Added functions, xrefs: 00007FF7F0C91984, 00007FF7F0C9199A, 00007FF7F0C919B0
LEA obfuscation, xrefs: 00007FF7F0C92533
Size : %i bytes, xrefs: 00007FF7F0C9240F
optionpanel, xrefs: 00007FF7F0C918A2, 00007FF7F0C918B8, 00007FF7F0C918DA
selectionpanel, xrefs: 00007FF7F0C914BA, 00007FF7F0C914D0, 00007FF7F0C914F2
Control flow flattening, xrefs: 00007FF7F0C92458
Obfuscate entry point, xrefs: 00007FF7F0C91D66
Output, xrefs: 00007FF7F0C9174D
Name : %s, xrefs: 00007FF7F0C9237F
Obfuscating: %.40s, xrefs: 00007FF7F0C92F5D
Immediate MOV obfuscation, xrefs: 00007FF7F0C924A1
functionpanel, xrefs: 00007FF7F0C9222B, 00007FF7F0C92241, 00007FF7F0C92266
Misc, xrefs: 00007FF7F0C91D1F, 00007FF7F0C91D35, 00007FF7F0C91D4B
Anti disassembly, xrefs: 00007FF7F0C9257C
Compile, xrefs: 00007FF7F0C9203C
Functions, xrefs: 00007FF7F0C91AFD, 00007FF7F0C91B13, 00007FF7F0C91B29
Add all, xrefs: 00007FF7F0C91DC8
obfuscating, xrefs: 00007FF7F0C92EA0, 00007FF7F0C92EB6, 00007FF7F0C92EDB
Mutate, xrefs: 00007FF7F0C924EA
outputpanel, xrefs: 00007FF7F0C92C63, 00007FF7F0C92C79, 00007FF7F0C92C9E

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: Add all$Added functions$Address : %x$Anti disassembly$Compile$Control flow flattening$Functions$Immediate MOV obfuscation$LEA obfuscation$Misc$Mutate$Name : %s$Obfuscate entry point$Obfuscating: %.40s$Output$Protection$Size : %i bytes$functionpanel$obfuscating$optionpanel$outputpanel$selectionpanel
API String ID: 0-18884276
Opcode ID: c591691bcff93aeb4505d5ecfba26dc8add773d2e306e919ac9413e629737268
Instruction ID: 3ecddba83c89938de872e1fcb7c6af68de7717785e98e79bd8cd0f7ec0665ae4
Opcode Fuzzy Hash: c591691bcff93aeb4505d5ecfba26dc8add773d2e306e919ac9413e629737268
Instruction Fuzzy Hash: EBD28F72A08AC685EB11EB25D4402E9B761FF99B48F899231CA5D073D5EF3DF184C7A0

Function 00007FF7F0C8245E Relevance: 35.9, APIs: 19, Strings: 1, Instructions: 933COMMON

Download Yara Rule

APIs

ZydisDecoderDecodeBuffer.ZYDIS ref: 00007FF7F0C82657
ZydisDecoderDecodeBuffer.ZYDIS ref: 00007FF7F0C82ACC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C833FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83405
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8340B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83411
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83417
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8341D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83423
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83429
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8342F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C83435
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8343B

Part of subcall function 00007FF7F0C87100: ZydisDecoderDecodeBuffer.ZYDIS ref: 00007FF7F0C87151

Part of subcall function 00007FF7F0C837B0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C838D7

Strings

gfffffff, xrefs: 00007FF7F0C8332D

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$BufferDecodeDecoderZydis
String ID: gfffffff
API String ID: 2066269895-1523873471
Opcode ID: 87d9a804340332291e89209cdb9b5a279f06fdcbf84256744d3abeb23b087117
Instruction ID: 4591e13ddf7f8458e77c6ea67f44db795fba02e9f273825679b2dcfacb8d6579
Opcode Fuzzy Hash: 87d9a804340332291e89209cdb9b5a279f06fdcbf84256744d3abeb23b087117
Instruction Fuzzy Hash: 80929C62A25BC186EB10DF35D8842EDA361FF85794F909322E66D57BD9DF38E180C390

Function 00007FF7F0C90EB0 Relevance: 32.2, APIs: 1, Strings: 17, Instructions: 660COMMON

Download Yara Rule

Strings

Address : %x, xrefs: 00007FF7F0C926C6
Add to list, xrefs: 00007FF7F0C92992
LEA obfuscation, xrefs: 00007FF7F0C92835
Size : %i bytes, xrefs: 00007FF7F0C9270E
optionpanel, xrefs: 00007FF7F0C918A2, 00007FF7F0C918DA
selectionpanel, xrefs: 00007FF7F0C914BA, 00007FF7F0C914F2
Control flow flattening, xrefs: 00007FF7F0C92757
Output, xrefs: 00007FF7F0C9174D
DARK OBFUSCATOR, xrefs: 00007FF7F0C90F40
Name : %s, xrefs: 00007FF7F0C9267E
Obfuscating: %.40s, xrefs: 00007FF7F0C92F5D
Immediate MOV obfuscation, xrefs: 00007FF7F0C927A3
functionpanel, xrefs: 00007FF7F0C9222B, 00007FF7F0C92266
Anti disassembly, xrefs: 00007FF7F0C9287E
obfuscating, xrefs: 00007FF7F0C92EA0, 00007FF7F0C92EB6, 00007FF7F0C92EDB
Mutate, xrefs: 00007FF7F0C927EC
outputpanel, xrefs: 00007FF7F0C92C63, 00007FF7F0C92C79, 00007FF7F0C92C9E

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: Add to list$Address : %x$Anti disassembly$Control flow flattening$DARK OBFUSCATOR$Immediate MOV obfuscation$LEA obfuscation$Mutate$Name : %s$Obfuscating: %.40s$Output$Size : %i bytes$functionpanel$obfuscating$optionpanel$outputpanel$selectionpanel
API String ID: 0-720664816
Opcode ID: 63c92ec0462d5c6803efeedfa425d86e7233887557f1698fdb5d0ec676561262
Instruction ID: a9809803a56484315d6839405848f3e7272e2b96049833731df216f1990fe8d2
Opcode Fuzzy Hash: 63c92ec0462d5c6803efeedfa425d86e7233887557f1698fdb5d0ec676561262
Instruction Fuzzy Hash: 49829C32A08BC585E711EF25D4402E9BBA1FF99B48F899231CA5C173A5DF79F184C7A0

Function 00007FF7F0CCC1EC Relevance: 27.2, APIs: 18, Instructions: 229fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF7F0CCC299
GetLastError.KERNEL32 ref: 00007FF7F0CCC2A3
FindFirstFileW.KERNEL32 ref: 00007FF7F0CCC2BA
GetLastError.KERNEL32 ref: 00007FF7F0CCC2C6
FindClose.KERNEL32 ref: 00007FF7F0CCC2D4
__std_fs_open_handle.LIBCPMT ref: 00007FF7F0CCC367
CloseHandle.KERNEL32 ref: 00007FF7F0CCC37D
CloseHandle.KERNEL32 ref: 00007FF7F0CCC4F0

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: 556a30c3791edddbeed03aa28162205a3ff0b04145f04999e7aa9fce6b3978f9
Instruction ID: de4a10858efce564c6888a33440af6076aada352fab0e831c2f1f60ea4eace04
Opcode Fuzzy Hash: 556a30c3791edddbeed03aa28162205a3ff0b04145f04999e7aa9fce6b3978f9
Instruction Fuzzy Hash: 7491A732A08A8286E764AB15E4546F9A290AF457B4FD4D334DA7E877E4DF3CF401C7A0

Function 00007FF7F0C84F80 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C854DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C854E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C854EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C854F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C854F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C854FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8556A

Strings

.text, xrefs: 00007FF7F0C84FE2
couldn't find .text section, xrefs: 00007FF7F0C8500D

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .text$couldn't find .text section
API String ID: 3668304517-1573356304
Opcode ID: baf1d34167c65d3952c4bc47106d3a3ca3fa3e3d2055a1d799f796e888a936a6
Instruction ID: 1fa3e83d04bc2219c3d527a979fb342b68331332322d6a9fa465e53ab1027069
Opcode Fuzzy Hash: baf1d34167c65d3952c4bc47106d3a3ca3fa3e3d2055a1d799f796e888a936a6
Instruction Fuzzy Hash: 1202BE62B1868189EB10EF75D4403EDA7A1FF44798F904232EA6D47BD9DE78E480C3A4

Function 00007FF7F0CBCFF0 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 273COMMON

Download Yara Rule

APIs

D3DCompile.D3DCOMPILER_47 ref: 00007FF7F0CBD0AD
D3DCompile.D3DCOMPILER_47 ref: 00007FF7F0CBD29B

Strings

COLOR, xrefs: 00007FF7F0CBD15D
main, xrefs: 00007FF7F0CBD074
ps_4_0, xrefs: 00007FF7F0CBD275
vs_4_0, xrefs: 00007FF7F0CBD080
struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : , xrefs: 00007FF7F0CBD269
TEXCOORD, xrefs: 00007FF7F0CBD14F
@, xrefs: 00007FF7F0CBD22B
POSITION, xrefs: 00007FF7F0CBD141
cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; , xrefs: 00007FF7F0CBD08C

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Compile
String ID: @$COLOR$POSITION$TEXCOORD$cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; $main$ps_4_0$struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : $vs_4_0
API String ID: 2821087142-1668656389
Opcode ID: d54abd56004c615e4cf7b21d47fd2e7ceb15692e959b9551ed0da55de7f5786d
Instruction ID: c45bee0af5b21ad8d2de15e3278aba35af4e27128d675ab1d5895babbb996e20
Opcode Fuzzy Hash: d54abd56004c615e4cf7b21d47fd2e7ceb15692e959b9551ed0da55de7f5786d
Instruction Fuzzy Hash: A0E1F8B2604B858AE720DF25E8447DD77B4F788B88F514126DB9C17B68DF79D188CB40

Function 00007FF7F0C89180 Relevance: 17.0, APIs: 11, Instructions: 499COMMON

Download Yara Rule

APIs

?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAII@Z.ASMJIT ref: 00007FF7F0C896C4
?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAIIAEBUOperand_@23@@Z.ASMJIT ref: 00007FF7F0C896D7
?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAIIAEBUOperand_@23@0@Z.ASMJIT ref: 00007FF7F0C89708
?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAIIAEBUOperand_@23@0@Z.ASMJIT ref: 00007FF7F0C8973A
?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAIIAEBUOperand_@23@0@Z.ASMJIT ref: 00007FF7F0C89769
?_emitI@BaseEmitter@_abi_1_10@asmjit@@QEAAII@Z.ASMJIT ref: 00007FF7F0C89777
?codeSize@CodeHolder@_abi_1_10@asmjit@@QEBA_KXZ.ASMJIT ref: 00007FF7F0C897A8
?reset@CodeHolder@_abi_1_10@asmjit@@QEAAXW4ResetPolicy@23@@Z.ASMJIT ref: 00007FF7F0C898D8
?init@CodeHolder@_abi_1_10@asmjit@@QEAAIAEBVEnvironment@23@_K@Z.ASMJIT ref: 00007FF7F0C898ED
?attach@CodeHolder@_abi_1_10@asmjit@@QEAAIPEAVBaseEmitter@23@@Z.ASMJIT ref: 00007FF7F0C898FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8993F

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Base$?_emitEmitter@_abi_1_10@asmjit@@$CodeHolder@_abi_1_10@asmjit@@$Operand_@23@0@$?attach@?code?init@?reset@Emitter@23@@Environment@23@_Operand_@23@@Policy@23@@ResetSize@_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3880921607-0
Opcode ID: 1c92b07a243f14546bfe38d342bfef651743b5121dc699902a489ab880ffa4d6
Instruction ID: e811cc087a7debe14b7e8dcafabdbe676589feaa508e67fb67d41e2bf3166229
Opcode Fuzzy Hash: 1c92b07a243f14546bfe38d342bfef651743b5121dc699902a489ab880ffa4d6
Instruction Fuzzy Hash: C3221432B0868686EB14AB24D4603FDB7A1FF89755F885132EA6E437D5DE3CE440C794

Function 00007FF7F0CBDE10 Relevance: 16.7, APIs: 11, Instructions: 194keyboardCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00007FF7F0CBDE64
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F0CBDE9C
GetForegroundWindow.USER32 ref: 00007FF7F0CBDEE2
ClientToScreen.USER32 ref: 00007FF7F0CBDF1A
SetCursorPos.USER32 ref: 00007FF7F0CBDF2C
GetCursorPos.USER32 ref: 00007FF7F0CBDF46
ScreenToClient.USER32 ref: 00007FF7F0CBDF58
GetKeyState.USER32 ref: 00007FF7F0CBDFA1
GetKeyState.USER32 ref: 00007FF7F0CBE00A
GetKeyState.USER32 ref: 00007FF7F0CBE073
GetKeyState.USER32 ref: 00007FF7F0CBE0DC

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: State$Client$CursorScreen$CounterForegroundPerformanceQueryRectWindow
String ID:
API String ID: 1576454153-0
Opcode ID: 67cdfa7d6e13d5ecea1ba159cc5c0d5ffdd03561c514973ea66b2d357845b62c
Instruction ID: 3ecf0077d331a0269b67881934f6ad2415bb5c387611f9044e1255e760dce59b
Opcode Fuzzy Hash: 67cdfa7d6e13d5ecea1ba159cc5c0d5ffdd03561c514973ea66b2d357845b62c
Instruction Fuzzy Hash: 20A1D0B2A186868AF711EB34D4443AAB7A1EF55B54F884131EA6D077D5CF3CF480C7A0

Function 00007FF7F0C84120 Relevance: 16.4, APIs: 6, Strings: 3, Instructions: 696COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7F0C84402
gfffffff, xrefs: 00007FF7F0C846FF
vector too long, xrefs: 00007FF7F0C841A4

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff$vector too long
API String ID: 73155330-2429944370
Opcode ID: e9bb243612e3ecdce7b93a85475026ad5bd8db662cb0380eb6a1aa64fdac379a
Instruction ID: 74413d56ef4157cb7014da5299a793dcc56ff74b2317cf21b3286c01b1067a8d
Opcode Fuzzy Hash: e9bb243612e3ecdce7b93a85475026ad5bd8db662cb0380eb6a1aa64fdac379a
Instruction Fuzzy Hash: 5342BC72B05B8586DB14DF16E4446ADB3A5FB48BD0F948236EBAC47794EF38E191C380

Function 00007FF7F0CD17B0 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 464COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7F0CD194E
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F0CD1C71
EncodePointer.KERNEL32 ref: 00007FF7F0CD1CF8
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7F0CD1D47

Strings

RCC, xrefs: 00007FF7F0CD1D15
csm, xrefs: 00007FF7F0CD1895
MOC, xrefs: 00007FF7F0CD1D0C
csm, xrefs: 00007FF7F0CD18F7
csm, xrefs: 00007FF7F0CD1975

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: CallEncodeIs_bad_exception_allowedPointerTranslatorstd::bad_alloc::bad_alloc
String ID: MOC$RCC$csm$csm$csm
API String ID: 1255833062-4235121399
Opcode ID: 9e2b7eb6ebb1a70af68928fdae08731d1273c1b30690e8c0d1845b7517b5d9bb
Instruction ID: 92879dc74ac4fe522bf4f8a19a8e09c8015109655007b3353081fa1a6b18c60d
Opcode Fuzzy Hash: 9e2b7eb6ebb1a70af68928fdae08731d1273c1b30690e8c0d1845b7517b5d9bb
Instruction Fuzzy Hash: 92229D72A09A829AE720AF65D4803EDB7A0FF45B88F544135EEAD177D5CF38E481C790

Function 00007FF7F0CBE757 Relevance: 15.2, APIs: 10, Instructions: 236keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00007FF7F0CBE779
GetKeyState.USER32 ref: 00007FF7F0CBE7B7
GetKeyState.USER32 ref: 00007FF7F0CBE7ED
GetKeyState.USER32 ref: 00007FF7F0CBE823
GetKeyState.USER32 ref: 00007FF7F0CBE8D3
GetKeyState.USER32 ref: 00007FF7F0CBE92B
GetKeyState.USER32 ref: 00007FF7F0CBE993
GetKeyState.USER32 ref: 00007FF7F0CBE9EB
GetKeyState.USER32 ref: 00007FF7F0CBEA53
GetKeyState.USER32 ref: 00007FF7F0CBEAAB

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 6923c34951276dfbf3c8755c281cfc77a63564390a1a4af25545defa21915cee
Instruction ID: 30bfe61909a346946135812c99a4cb701439cd65a45ebcb4ec81c1a03f98bc38
Opcode Fuzzy Hash: 6923c34951276dfbf3c8755c281cfc77a63564390a1a4af25545defa21915cee
Instruction Fuzzy Hash: C7A105A1E5865645F761AB3894003FAA783DF61B09FC94234D97A0A3D2CF3CB486C3B1

Function 00007FF7F0CAACA0 Relevance: 15.0, APIs: 10, Instructions: 50clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7F0CAACAB
MultiByteToWideChar.KERNEL32 ref: 00007FF7F0CAACDC
GlobalAlloc.KERNEL32 ref: 00007FF7F0CAACF0
GlobalLock.KERNEL32 ref: 00007FF7F0CAAD01
MultiByteToWideChar.KERNEL32 ref: 00007FF7F0CAAD20
GlobalUnlock.KERNEL32 ref: 00007FF7F0CAAD29
EmptyClipboard.USER32 ref: 00007FF7F0CAAD2F
SetClipboardData.USER32 ref: 00007FF7F0CAAD3D
GlobalFree.KERNEL32 ref: 00007FF7F0CAAD4B
CloseClipboard.USER32 ref: 00007FF7F0CAAD51

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ClipboardGlobal$ByteCharMultiWide$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1965520120-0
Opcode ID: 50d3c90d03c05fb39721fd83ad05cb178b2775614142aa0e0ca0ec944b190966
Instruction ID: 7c50279f66ab26986d6b6e9ee01bcec4491379b2cd81d190a483a31e58803c24
Opcode Fuzzy Hash: 50d3c90d03c05fb39721fd83ad05cb178b2775614142aa0e0ca0ec944b190966
Instruction Fuzzy Hash: 93114225A09B02C6E7146B25B828169E2A1BF89BD2F444139DA7E437E4DF3CE404C761

Function 00007FF7F0C99610 Relevance: 13.5, Strings: 10, Instructions: 1047COMMON

Download Yara Rule

Strings

Remap w/ Ctrl+Shift: click anywhere to select new mouse button., xrefs: 00007FF7F0C9A638
Left, xrefs: 00007FF7F0C9A60C
Right, xrefs: 00007FF7F0C9A618
HoveredId: 0x%08X, xrefs: 00007FF7F0C9A5F4
Press ESC to abort picking., xrefs: 00007FF7F0C9A600
NewFrame(): ClearActiveID() because it isn't marked alive anymore!, xrefs: 00007FF7F0C99CC1
333?, xrefs: 00007FF7F0C9A5E2
Debug##Default, xrefs: 00007FF7F0C9A79A
Click %s Button to break in debugger! (remap w/ Ctrl+Shift), xrefs: 00007FF7F0C9A66E
Middle, xrefs: 00007FF7F0C9A624

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: 333?$Click %s Button to break in debugger! (remap w/ Ctrl+Shift)$Debug##Default$HoveredId: 0x%08X$Left$Middle$NewFrame(): ClearActiveID() because it isn't marked alive anymore!$Press ESC to abort picking.$Remap w/ Ctrl+Shift: click anywhere to select new mouse button.$Right
API String ID: 0-212355080
Opcode ID: 53446a65b70e1e73e7f4dde2674854ed5fdc39741acebfde992de7aaf1300980
Instruction ID: 2ab84cfd65ea99b1479b4188436fef55fda8070fcff70f9eaadeb7590bb02030
Opcode Fuzzy Hash: 53446a65b70e1e73e7f4dde2674854ed5fdc39741acebfde992de7aaf1300980
Instruction Fuzzy Hash: 4AB20572A086C286E715EF3994402F9FBA4EF55B84F488236DE29573D5EF38B540C7A0

Function 00007FF7F0CAAB40 Relevance: 12.1, APIs: 8, Instructions: 95clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7F0CAAB80
GetClipboardData.USER32 ref: 00007FF7F0CAABA4
CloseClipboard.USER32 ref: 00007FF7F0CAABB2
GlobalLock.KERNEL32 ref: 00007FF7F0CAABC7
WideCharToMultiByte.KERNEL32 ref: 00007FF7F0CAAC02
WideCharToMultiByte.KERNEL32 ref: 00007FF7F0CAAC65
GlobalUnlock.KERNEL32 ref: 00007FF7F0CAAC73
CloseClipboard.USER32 ref: 00007FF7F0CAAC79

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Clipboard$ByteCharCloseGlobalMultiWide$DataLockOpenUnlock
String ID:
API String ID: 846020896-0
Opcode ID: 19e8ccd9569f1f0b17618b3ce0bcabcfa573447303b8c366774cec393d853aae
Instruction ID: 79c9e040840ef5604c51ef71fc0c061cec7ac6af79c1f3779d9e921576a8660d
Opcode Fuzzy Hash: 19e8ccd9569f1f0b17618b3ce0bcabcfa573447303b8c366774cec393d853aae
Instruction Fuzzy Hash: DE31B332609B8186EB14AF25B8205A9B791FF88791F844534EE7E47794DF3CF461C760

Function 00007FF7F0C841A0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 496COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F0C84227
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8422D

Strings

gfffffff, xrefs: 00007FF7F0C84402
gfffffff, xrefs: 00007FF7F0C846FF
vector too long, xrefs: 00007FF7F0C841A4

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff$vector too long
API String ID: 73155330-2429944370
Opcode ID: bbda6e47cf7bd7e38fe3f3c9b11f18ee896af07c845f89ab680a8aa308c893bb
Instruction ID: 0bb70cb37106c3a91af14a34b4bbf42c6893bd004bd2d8d49d4ab9861ad7e92e
Opcode Fuzzy Hash: bbda6e47cf7bd7e38fe3f3c9b11f18ee896af07c845f89ab680a8aa308c893bb
Instruction Fuzzy Hash: F4F1CE72B05B8982DF14DB16E4446A9A3A5FB48BD0F958232EE6D477D4EF3CE091C344

Function 00007FF7F0CE99CC Relevance: 10.8, APIs: 7, Instructions: 286COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CE9DFE

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 58cf4629b5e2b21b69aa6f5df3b1d4d874e6aaad1e1eda1ad18fcb59a8f94b30
Instruction ID: 00a2e6cf4be98734d7f355e08c92c2851851c32d9ee1bea9ec2eb6213a0d1809
Opcode Fuzzy Hash: 58cf4629b5e2b21b69aa6f5df3b1d4d874e6aaad1e1eda1ad18fcb59a8f94b30
Instruction Fuzzy Hash: 62C1AF22A0C68696E760BB2598403FDA690EF80B94FD54131DE6E073D2CF7CF454E7A2

Function 00007FF7F0CF1878 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0CE697C: GetLastError.KERNEL32 ref: 00007FF7F0CE698B
Part of subcall function 00007FF7F0CE697C: FlsGetValue.KERNEL32 ref: 00007FF7F0CE69A0
Part of subcall function 00007FF7F0CE697C: SetLastError.KERNEL32 ref: 00007FF7F0CE6A2B

TranslateName.LIBCMT ref: 00007FF7F0CF18E5
TranslateName.LIBCMT ref: 00007FF7F0CF1920
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF7F0CE49BC), ref: 00007FF7F0CF1965
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF7F0CE49BC), ref: 00007FF7F0CF198D

Strings

utf8, xrefs: 00007FF7F0CF1A71

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue
String ID: utf8
API String ID: 1791977518-905460609
Opcode ID: d7be9ac9765bf7989d9f252e20b81aa7e44886b4b86db1b5cc1b30c58b9a4eb9
Instruction ID: 499e93af3588e8f5d27e957b340446c9af3952ca6da87742671c76b0f46ce6d1
Opcode Fuzzy Hash: d7be9ac9765bf7989d9f252e20b81aa7e44886b4b86db1b5cc1b30c58b9a4eb9
Instruction Fuzzy Hash: 89916B32A087428AEB24AF2194612F9A2A4AF84B81F848131DE7D477D5DF7CF551C7B2

Function 00007FF7F0CF22AC Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0CE697C: GetLastError.KERNEL32 ref: 00007FF7F0CE698B
Part of subcall function 00007FF7F0CE697C: FlsGetValue.KERNEL32 ref: 00007FF7F0CE69A0
Part of subcall function 00007FF7F0CE697C: SetLastError.KERNEL32 ref: 00007FF7F0CE6A2B

Part of subcall function 00007FF7F0CE697C: FlsSetValue.KERNEL32 ref: 00007FF7F0CE69C1

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF7F0CF241C

Part of subcall function 00007FF7F0CE697C: FlsSetValue.KERNEL32 ref: 00007FF7F0CE69EE
Part of subcall function 00007FF7F0CE697C: FlsSetValue.KERNEL32 ref: 00007FF7F0CE69FF
Part of subcall function 00007FF7F0CE697C: FlsSetValue.KERNEL32 ref: 00007FF7F0CE6A10

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF7F0CE49B5), ref: 00007FF7F0CF2403
ProcessCodePage.LIBCMT ref: 00007FF7F0CF2446
IsValidCodePage.KERNEL32 ref: 00007FF7F0CF2458
IsValidLocale.KERNEL32 ref: 00007FF7F0CF246E
GetLocaleInfoW.KERNEL32 ref: 00007FF7F0CF24CA
GetLocaleInfoW.KERNEL32 ref: 00007FF7F0CF24E6

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 1f77c649bc745e829dd22fe419b132594a5e43db553539f3ac95198d1adca337
Instruction ID: d49082fdc70e726539697ff2d6e8e80d970ade85e4bfe6f85122adc1c92771b5
Opcode Fuzzy Hash: 1f77c649bc745e829dd22fe419b132594a5e43db553539f3ac95198d1adca337
Instruction Fuzzy Hash: 1B716762B086028EEB11AB61D8606FCA6A4BF48B45FC44435CA3D537D5EF3CB945C3B2

Function 00007FF7F0CCE424 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7F0CCE440
RtlCaptureContext.KERNEL32 ref: 00007FF7F0CCE46D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F0CCE487
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F0CCE4C8
IsDebuggerPresent.KERNEL32 ref: 00007FF7F0CCE51C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F0CCE53D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F0CCE548

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1a6df3984f3110434142438908917ef07307b1cddfd6d9efadd3af9d554f9eab
Instruction ID: 9baa0b56fa221af77f0f609a2c89b8eb754068d43e1c414c59cb475c06f5c4d5
Opcode Fuzzy Hash: 1a6df3984f3110434142438908917ef07307b1cddfd6d9efadd3af9d554f9eab
Instruction Fuzzy Hash: C6316E72609B818AEB64AF60E8503EEB361FF84744F84403ADA5D57B94DF38E548C760

Function 00007FF7F0CD40B4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7F0CD412D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F0CD4145
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F0CD4180
IsDebuggerPresent.KERNEL32 ref: 00007FF7F0CD41B9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F0CD41C3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F0CD41CE

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 6ae21932cb7a97d53740c23d0c4f85c1026cb3176bfacdf7162a53a3465ab5be
Instruction ID: a8391193643a0d8b5a62ca93b46d42f8096db02650ba6510e019cdbd8b4ae97a
Opcode Fuzzy Hash: 6ae21932cb7a97d53740c23d0c4f85c1026cb3176bfacdf7162a53a3465ab5be
Instruction Fuzzy Hash: BB318236608B8186DB60DF24E8402EEB3A4FF88754F940135EAAD43BA5DF3CE145CB50

Function 00007FF7F0CDDED0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 329COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7F0CDDF3A
memcpy_s.LIBCPMT ref: 00007FF7F0CDDF65

Strings

, xrefs: 00007FF7F0CDE098

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-3916222277
Opcode ID: c189e61e2e72d2e657dfa138cac3f051b3b394d8c1f9b1e9ee39e2261f4c1dc3
Instruction ID: 4bed57dce7e2305fd958d5f15b7f6178b8a8f6cc998c2c8f8b6723542bf3980b
Opcode Fuzzy Hash: c189e61e2e72d2e657dfa138cac3f051b3b394d8c1f9b1e9ee39e2261f4c1dc3
Instruction Fuzzy Hash: 67C1E872B1A68687D720EF15E048AAEF792FB84784F848135DB6A43784DB3CF805CB50

Function 00007FF7F0CB7FB0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0C95180: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C951B1
Part of subcall function 00007FF7F0C95180: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C951D5
Part of subcall function 00007FF7F0C95180: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C9522C
Part of subcall function 00007FF7F0C95180: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C95254

_fread_nolock.LIBCMT ref: 00007FF7F0CB8092

Strings

%s, %.0fpx, xrefs: 00007FF7F0CB81CC
c:\Windows\Fonts\Calibri.ttf, xrefs: 00007FF7F0CB7FE4

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ByteCharMultiWide$_fread_nolock
String ID: %s, %.0fpx$c:\Windows\Fonts\Calibri.ttf
API String ID: 1219376219-2921679513
Opcode ID: a7bbf21b755e24299ed032e2cae9432c80471b97a6b17aeb4a3c8518893c46ff
Instruction ID: e8987b66a30ffd25bd8a38413770aaf190beadff477ceb088263d986ed667326
Opcode Fuzzy Hash: a7bbf21b755e24299ed032e2cae9432c80471b97a6b17aeb4a3c8518893c46ff
Instruction Fuzzy Hash: D681EC11D08AC585F7226F7D98012F9E3B0AF99359F485331FEA8127E1EF39B186C650

Function 00007FF7F0C8E030 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8E27C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8E282

Strings

section name can't be longer than 8 characters!, xrefs: 00007FF7F0C8E288

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: section name can't be longer than 8 characters!
API String ID: 3668304517-2769080867
Opcode ID: 36cc6d4e5f0e871da9977d2c057e21283161131bdd663b60e2de2d7fd3442298
Instruction ID: 68502f98792692d5199d19c60b2143a94ec081d75bd39e86a8dcc3df6902a7ee
Opcode Fuzzy Hash: 36cc6d4e5f0e871da9977d2c057e21283161131bdd663b60e2de2d7fd3442298
Instruction Fuzzy Hash: 70719272B1468186DB18EF2AD4402AEB3A2FF88794F849135EA5D43F99DF7CE441C780

Function 00007FF7F0CC2520 Relevance: 5.4, Strings: 4, Instructions: 372COMMON

Download Yara Rule

Strings

[~], xrefs: 00007FF7F0CC29A1
[ ], xrefs: 00007FF7F0CC29B5
%*s%.*s, xrefs: 00007FF7F0CC2AF0
[x], xrefs: 00007FF7F0CC29AE

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: %*s%.*s$[ ]$[x]$[~]
API String ID: 0-3061654056
Opcode ID: f50ef21067df5ab3122723480133d917b0c6a7929ee7f93807dfd413165000fe
Instruction ID: f7915450abb0eb02063bc30210206b51d576bd3a9df1c26dc90e376678643093
Opcode Fuzzy Hash: f50ef21067df5ab3122723480133d917b0c6a7929ee7f93807dfd413165000fe
Instruction Fuzzy Hash: F3020622A08BC985E711EB36D4012F9F7A0EF59398F549331EA6D273E1DF28B181DB50

Function 00007FF7F0CCBEF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF7F0CCBF16
FormatMessageA.KERNEL32 ref: 00007FF7F0CCBF45

Strings

!x-sys-default-locale, xrefs: 00007FF7F0CCBF09

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: bb49675d284ff88675509a62b22b8f5fdcfc5a76647b3f06f9b9530de80d0dd5
Instruction ID: 946e5b4e61871bf376147312f294db299dfe42a8d5f3d4f87cd23a6d0a73aaca
Opcode Fuzzy Hash: bb49675d284ff88675509a62b22b8f5fdcfc5a76647b3f06f9b9530de80d0dd5
Instruction Fuzzy Hash: E101D272B08B85C6E7109B61F4507B9A7A1FB887C5F808135E66C02BD4CF3CE505CB50

Function 00007FF7F0CA7B90 Relevance: 4.3, Strings: 3, Instructions: 542COMMON

Download Yara Rule

Strings

<NULL>, xrefs: 00007FF7F0CA810D
[nav] NavInitRequest: from move, window "%s", layer=%d, xrefs: 00007FF7F0CA811B
[nav] NavMoveRequestForward %d, xrefs: 00007FF7F0CA7C36

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: <NULL>$[nav] NavInitRequest: from move, window "%s", layer=%d$[nav] NavMoveRequestForward %d
API String ID: 0-568746515
Opcode ID: 4d556e60c6d83469c912f4075f90b648310c69bef54f7160f0fd6c00ac8736bc
Instruction ID: 6092cf66d97b94c974b958dbaf254a01ccfbb261651100468b893b4d697c8e13
Opcode Fuzzy Hash: 4d556e60c6d83469c912f4075f90b648310c69bef54f7160f0fd6c00ac8736bc
Instruction Fuzzy Hash: 4742F632D0878A46E362BA3794511F9E290FF19744F59CF31DA78223E1DF297864C7A0

Function 00007FF7F0CF4260 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F0CF42C3

Part of subcall function 00007FF7F0CE3FDC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CE3FF0

Strings

c:\Windows\Fonts\Calibri.ttf, xrefs: 00007FF7F0CF4272

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID: c:\Windows\Fonts\Calibri.ttf
API String ID: 474895018-752844498
Opcode ID: 115a73dd0eb5c04365a0f29384615747c5823dd88459d6e9a549e3b0fa46d0e0
Instruction ID: 25dd2ab7868537fdc4660e0413bcb0e28e7f01aaf858711e7bc52d55bbaa1c4b
Opcode Fuzzy Hash: 115a73dd0eb5c04365a0f29384615747c5823dd88459d6e9a549e3b0fa46d0e0
Instruction Fuzzy Hash: D761F622F081924AFB74AD6884607BCE681AF80772F950235DA7D977D1DE6CF844C7B2

Function 00007FF7F0CE8B90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF7F0CE4B8E), ref: 00007FF7F0CE8C04

Strings

GetLocaleInfoEx, xrefs: 00007FF7F0CE8BAC, 00007FF7F0CE8BBD

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f1906cb0d06f437f8db94787fe66fd1aee2005009694e7fbbe75e63b633c9c7c
Instruction ID: ab2b4277ae8f7260ac05b6581d1747052c8a18bf50cc880f8702caedf0e17497
Opcode Fuzzy Hash: f1906cb0d06f437f8db94787fe66fd1aee2005009694e7fbbe75e63b633c9c7c
Instruction Fuzzy Hash: 36018F21B08B8185E710AB56A4411E6F761BF84BC0F988036DE6D03BE9CE3CE545C3E1

Function 00007FF7F0CC4A20 Relevance: 3.5, Strings: 1, Instructions: 2269COMMON

Download Yara Rule

Strings

%*s%.*s, xrefs: 00007FF7F0CC6C0D

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: %*s%.*s
API String ID: 0-469019970
Opcode ID: 21657def14d3cd0357e55c82ed31c753e062e5223d7758f13140cbae8f6aabcd
Instruction ID: 3acfb9010a47867a9aa785ffac62b1ac465027f396c62c8f4528282acb7371d1
Opcode Fuzzy Hash: 21657def14d3cd0357e55c82ed31c753e062e5223d7758f13140cbae8f6aabcd
Instruction Fuzzy Hash: BD230022E082C58AEB15AB36C1402FDABA0FF55744F88E635DA69177D5DF38F490C7A0

Function 00007FF7F0C9EAD0 Relevance: 3.3, Strings: 1, Instructions: 2059COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7F0CA0413

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 37a53ceff0fd10f6618d593dd09805f781573433be25ff80a284570445af80b5
Instruction ID: d0ea91b7685d2879addf118900c19dc0149a584430065049758714a37cc0e9c6
Opcode Fuzzy Hash: 37a53ceff0fd10f6618d593dd09805f781573433be25ff80a284570445af80b5
Instruction Fuzzy Hash: 2B23E433A087859AE71ADB3685403E9F7A0FF59344F588725DB68237E1DB38B4A1CB50

Function 00007FF7F0CED308 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7F0CED557
RaiseException.KERNEL32 ref: 00007FF7F0CED568

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 14ebb103fd3efdafb4f927f1ef24bcf687669f94a7fa6cdc7d76d8b3040d7ffb
Instruction ID: 50b8b968f4df137a68cc61035effd5a487085b1c25608dcfae5bb5a768295357
Opcode Fuzzy Hash: 14ebb103fd3efdafb4f927f1ef24bcf687669f94a7fa6cdc7d76d8b3040d7ffb
Instruction Fuzzy Hash: A3B17D73601B858BEB15DF29C4823AC77A0FB84B48F548821DB6D877E8CB39E451DB51

Function 00007FF7F0CC8CA0 Relevance: 3.2, Strings: 2, Instructions: 708COMMON

Download Yara Rule

Strings

File, xrefs: 00007FF7F0CC8CFF, 00007FF7F0CC8E73, 00007FF7F0CC8F9E, 00007FF7F0CC9796, 00007FF7F0CC9815
[popup] OpenPopup("%s" -> 0x%08X, xrefs: 00007FF7F0CC97DF, 00007FF7F0CC985F

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: File$[popup] OpenPopup("%s" -> 0x%08X
API String ID: 0-1316461107
Opcode ID: b9b0ab2efd0ea8d0e4f76c2daf82e0710ba98479bf2ab9e2532b37984d7b7b99
Instruction ID: d3291859b934254876f7b19ca54407c0fed0b72a62a02eaf0596ae0380363e61
Opcode Fuzzy Hash: b9b0ab2efd0ea8d0e4f76c2daf82e0710ba98479bf2ab9e2532b37984d7b7b99
Instruction Fuzzy Hash: 6072D322A186C586E716AB32D0412F9F7A0FF59744F48D736EE68267E1DF39B090CB50

Function 00007FF7F0CA3690 Relevance: 2.9, Strings: 2, Instructions: 351COMMON

Download Yara Rule

Strings

Remaining, xrefs: 00007FF7F0CA3AB5
Processed, xrefs: 00007FF7F0CA3A94

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: Processed$Remaining
API String ID: 0-3602939160
Opcode ID: ee7875d9215efb25dcddab2f9f2458b15bd3776dfb4ba02da97b660e1c16c792
Instruction ID: 61cc04cd8aed7cd38d19e87744d3b6562107dcdbd78f34ec1f427f638a550026
Opcode Fuzzy Hash: ee7875d9215efb25dcddab2f9f2458b15bd3776dfb4ba02da97b660e1c16c792
Instruction Fuzzy Hash: 8FF103B3A0868186DB20AF3982703F9B7A0FF55B44F945535EA9D473C4CB39E464CBA0

Function 00007FF7F0CA2E30 Relevance: 2.8, Strings: 2, Instructions: 338COMMON

Download Yara Rule

Strings

NULL, xrefs: 00007FF7F0CA2EF7
LockWheelingWindow() "%s", xrefs: 00007FF7F0CA2EFE, 00007FF7F0CA3006, 00007FF7F0CA3315, 00007FF7F0CA33FA

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: LockWheelingWindow() "%s"$NULL
API String ID: 0-912864583
Opcode ID: 341f4dc102f9bf62c890e7c26d903bb2c0823e9f91b3fbce4102d702b4a09237
Instruction ID: 81fa44536441e45764ba59fcce15d1804f70501099070695415568f0af967f0a
Opcode Fuzzy Hash: 341f4dc102f9bf62c890e7c26d903bb2c0823e9f91b3fbce4102d702b4a09237
Instruction Fuzzy Hash: 7702D5329186C986E327DB3691511A9F3A0FF5D344F588B31EA68323E1DF38B4A1DB50

Function 00007FF7F0C9B5C0 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

##Foreground, xrefs: 00007FF7F0C9B8DE
##Background, xrefs: 00007FF7F0C9B6BC

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: ##Background$##Foreground
API String ID: 0-2279909735
Opcode ID: ac77ab35f061d4d30b7afcde8150bd7037bbd0c452de879adbf3ebc4e19dcd37
Instruction ID: f11a7411ae642e11f5fbec50983b4822721067d170c28936d21a91f2bd71991f
Opcode Fuzzy Hash: ac77ab35f061d4d30b7afcde8150bd7037bbd0c452de879adbf3ebc4e19dcd37
Instruction Fuzzy Hash: E2E1E172A08685CAEB64AF25D5402E9BBA1FF44B84F944135DB6E437D4DF38F881C7A0

Function 00007FF7F0C9D080 Relevance: 1.9, Strings: 1, Instructions: 614COMMON

Download Yara Rule

Strings

#RESIZE, xrefs: 00007FF7F0C9D1DB

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: #RESIZE
API String ID: 0-1383961720
Opcode ID: 42db388ffd24624a8aad05ea3834fd8a77f770947c02f20e95204d9c091474aa
Instruction ID: cd1dac4ba7868783b6577aed1f387b42a3c40e4c50c0371f636716270ac719c1
Opcode Fuzzy Hash: 42db388ffd24624a8aad05ea3834fd8a77f770947c02f20e95204d9c091474aa
Instruction Fuzzy Hash: 3762C672D1868986E312EB3790411F9B760EF6E384F598722EE58377E1DF28B184DB50

Function 00007FF7F0CDADD0 Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CDAE14

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8cf02fa5c74bdeeaa14dcc52b7e67b4e1e9ab074500a7dd3d1ca177c227fc3a5
Instruction ID: 6c34114871be9d4c958202d3aed92a4166aaab31b6c91c40628d1d4ee757c613
Opcode Fuzzy Hash: 8cf02fa5c74bdeeaa14dcc52b7e67b4e1e9ab074500a7dd3d1ca177c227fc3a5
Instruction Fuzzy Hash: 93D17062A0AB46C6EB64AE25C4512BEE390EF04B94F944536CA7E477D4DF38F851C3E0

Function 00007FF7F0CA7170 Relevance: 1.8, Strings: 1, Instructions: 569COMMON

Download Yara Rule

Strings

[nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s", xrefs: 00007FF7F0CA7341

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: [nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s"
API String ID: 0-1553127323
Opcode ID: f4bf9159a56db52fc1892f1bd2cfa8e9be0dca9a5b37046564cf3310391550b3
Instruction ID: 4f21c8cb1c14fe423ca4cc28a101cdaf982b7366643c2f9ae6b080b09e4bc105
Opcode Fuzzy Hash: f4bf9159a56db52fc1892f1bd2cfa8e9be0dca9a5b37046564cf3310391550b3
Instruction Fuzzy Hash: 1252B1629082C189E771AE3694243F9A7D0FF45748F898B35DB68163D5DF7C78A0C7A0

Function 00007FF7F0CC1F30 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

#SCROLLY, xrefs: 00007FF7F0CC1F35

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: #SCROLLY
API String ID: 0-1064663049
Opcode ID: 52c13d9a158ad6a94ecd357d29eb1e18a1331171fae5e680d7f28f320cdf3e33
Instruction ID: 16de8016c77558adae0d37ca2b16f60f96da5de0d2b20edb13bbcc0929a6ba7d
Opcode Fuzzy Hash: 52c13d9a158ad6a94ecd357d29eb1e18a1331171fae5e680d7f28f320cdf3e33
Instruction Fuzzy Hash: 80F1C622D18BCC85E312E637A4411B9F750EFAE384F58D722FA58327A5DB39B091CB50

Function 00007FF7F0CF1BC4 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0CE697C: GetLastError.KERNEL32 ref: 00007FF7F0CE698B
Part of subcall function 00007FF7F0CE697C: FlsGetValue.KERNEL32 ref: 00007FF7F0CE69A0
Part of subcall function 00007FF7F0CE697C: SetLastError.KERNEL32 ref: 00007FF7F0CE6A2B

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7F0CF23AF,?,00000000,00000092,?,?,00000000,?,00007FF7F0CE49B5), ref: 00007FF7F0CF1C62

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: fab8bc8943deb334fd0dde9203fce411bcb73dad92ca38314fb46cf8529947fc
Instruction ID: 1d3ed04bc92e7de9c5dba6f16ad7ad7a157efef27ca145929528fdb747aee580
Opcode Fuzzy Hash: fab8bc8943deb334fd0dde9203fce411bcb73dad92ca38314fb46cf8529947fc
Instruction Fuzzy Hash: 7C11D5A7A08645CEEB14AF16D4506F8B7A1EF50FA1F844135CA79433C0DB38E5D1C7A1

Function 00007FF7F0CC8010 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

##LOGS, xrefs: 00007FF7F0CC80AB

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: ##LOGS
API String ID: 0-1371895579
Opcode ID: f090e213f4029d8550642d6b5e84232f738e8c2b08accca6c593ca662f51d664
Instruction ID: 129f190ea33764f6a0deae384c4937fa86e297cb340b6ea5226a86aad5677f3e
Opcode Fuzzy Hash: f090e213f4029d8550642d6b5e84232f738e8c2b08accca6c593ca662f51d664
Instruction Fuzzy Hash: 0DE1E732D08AC985E302EB36D0452F9B3A0EF6A784F59D731EA68273E1DF297585C750

Function 00007FF7F0CF1C94 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0CE697C: GetLastError.KERNEL32 ref: 00007FF7F0CE698B
Part of subcall function 00007FF7F0CE697C: FlsGetValue.KERNEL32 ref: 00007FF7F0CE69A0
Part of subcall function 00007FF7F0CE697C: SetLastError.KERNEL32 ref: 00007FF7F0CE6A2B

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7F0CF236B,?,00000000,00000092,?,?,00000000,?,00007FF7F0CE49B5), ref: 00007FF7F0CF1D12

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: f377955cc4d4568865be7a14fc5253b34fbd45c228b96fc48a7f4a62e65a1777
Instruction ID: e89cd02e86700aca3df0b21092f95cbbe658d08cddabc9ec9a573de490415ff7
Opcode Fuzzy Hash: f377955cc4d4568865be7a14fc5253b34fbd45c228b96fc48a7f4a62e65a1777
Instruction Fuzzy Hash: F501B572F082858AE7146F16E4507F9B6A2EF40BA5F858231DA79473C4CF78B485C761

Function 00007FF7F0CE87A0 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF7F0CE8B5F,?,?,?,?,?,?,?,?,00000000,00007FF7F0CF1210), ref: 00007FF7F0CE87EF

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: f1931d5c01ab281f3f2a183936ae6cd068da8129d148c38a08cb91497ef8ce5d
Instruction ID: cf82846c0f3243b3854a75e54a94bee8d5f43f1f4c790568713c480ba09aa583
Opcode Fuzzy Hash: f1931d5c01ab281f3f2a183936ae6cd068da8129d148c38a08cb91497ef8ce5d
Instruction Fuzzy Hash: 2EF06D71704B4183E714EB25F8501A5B362EB887D0F989135EA6D833A5CF3CE565C390

Function 00007FF7F0CDF450 Relevance: 1.5, APIs: 1, Instructions: 27timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F0CDF464

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 84330f5009353de786b84c56eee034762e61f08c4cd4909023a6552fc9ad65f0
Instruction ID: 34d63898f681c8974729b32870277816c49ca46384c4c9e5de42b14b3aa85062
Opcode Fuzzy Hash: 84330f5009353de786b84c56eee034762e61f08c4cd4909023a6552fc9ad65f0
Instruction Fuzzy Hash: 37F0E992B2A54D43EE0497159454375A241AF58BF5F445730EE3D0E7D5EF1CE0468350

Function 00007FF7F0CB9D40 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX - XX XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X -X..X X..X--- -XXX.X, xrefs: 00007FF7F0CB9D74

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID: - -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX - XX XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X -X..X X..X--- -XXX.X
API String ID: 0-1177099622
Opcode ID: 77848ed441ca29de349b72a92794b054f5337af9bc313508bb1e430695facb69
Instruction ID: 8d39d2bc361925ffaf5ae032af90a131c68db35cb245dfd5ff124bd7b0305802
Opcode Fuzzy Hash: 77848ed441ca29de349b72a92794b054f5337af9bc313508bb1e430695facb69
Instruction Fuzzy Hash: 15C162F3A182997FEF0DCF3A45A216DBFAAE791E40B49856FC24783751D660C4B08B05

Function 00007FF7F0CB4810 Relevance: .9, Instructions: 880COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492835b4ac8b2f767d7327b1ac87d3a567a37d8a6406dcfc42c4e81b26f4b426
Instruction ID: 2e53a8e9e3ebdab0fc9f32a24749c011122a893ac9508cced7dd442fef9ccc25
Opcode Fuzzy Hash: 492835b4ac8b2f767d7327b1ac87d3a567a37d8a6406dcfc42c4e81b26f4b426
Instruction Fuzzy Hash: FDA26D33924B8886C716CF3BD4811ACB760FFADB84B19D716EA1823765EB35E494DB40

Function 00007FF7F0CAE920 Relevance: .8, Instructions: 828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8449e2a9c8a3b9b7c99cb69011fe9234064858cd66ffdf57d9009132928f2b6
Instruction ID: 9347423312fad6e9dd36005978fdbcbf13db148492ed9aec7d9d74729bf846c5
Opcode Fuzzy Hash: e8449e2a9c8a3b9b7c99cb69011fe9234064858cd66ffdf57d9009132928f2b6
Instruction Fuzzy Hash: D372DC12E287E845D312A73650422BAF7D1AF6E784F18C733ED59A27A1EB3DE442C750

Function 00007FF7F0CBC580 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242bf11db2d9e58eddceb0a5e71cdc6e62d79639f497f787d166ec2412b1e223
Instruction ID: e5fc2dbb3556c110581d210ef14c885bde9f5aec95371ed7949b3efd5e4dc3d4
Opcode Fuzzy Hash: 242bf11db2d9e58eddceb0a5e71cdc6e62d79639f497f787d166ec2412b1e223
Instruction Fuzzy Hash: 5C625776604B85C6DB20DF2AD9846EDB7A1FB89B88F458222DF5E17B68CF38D544C700

Function 00007FF7F0CA9210 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea87a2358af7a9229e8d7e42847638d1066c582b4616dbde108a91b464b67bf
Instruction ID: ddd4a34874377de616f8b085cd0cb0eba3c401acd0c40908c5e779d0ef77af34
Opcode Fuzzy Hash: 9ea87a2358af7a9229e8d7e42847638d1066c582b4616dbde108a91b464b67bf
Instruction Fuzzy Hash: 5442F672A086C586EB69AA3680523F9F390EF55700F888A35DF68933D1DF2D7474C7A4

Function 00007FF7F0CC76E0 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79897941db21579002b271c4c60a0e1911b5a646965fcc5c2c81b090c9f345cf
Instruction ID: e330a543b3a136712a15d4abdee76792c305434d95ea5f0cc766b33309267805
Opcode Fuzzy Hash: 79897941db21579002b271c4c60a0e1911b5a646965fcc5c2c81b090c9f345cf
Instruction Fuzzy Hash: EC429D32908BC58AE721DB3BC0842E9B7A0FF99744F549335EA68167E5DB38B490DB50

Function 00007FF7F0CBD7C0 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e8ddb19ce61ea2fd18a1f9f927a756592d53deca95f8acd83817c5db2cf3c5
Instruction ID: e6e994c67b5a72bda2c630a50806711c2ad37556a992e2dcc1962b0e12390ee8
Opcode Fuzzy Hash: 95e8ddb19ce61ea2fd18a1f9f927a756592d53deca95f8acd83817c5db2cf3c5
Instruction Fuzzy Hash: 91021742E1C6AA85F716A63954403FDA290CF6A349F5C8332EC7936BD5FF6C7481C2A0

Function 00007FF7F0CB3270 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c675e10b8c707a25d392db53d6d0f00cd1842e2ecbdc2d96955659e41766f8ed
Instruction ID: c493b72f063233e4e3b3d3f6868b9e0cb3bac1cf22b40c526659c5eb185be825
Opcode Fuzzy Hash: c675e10b8c707a25d392db53d6d0f00cd1842e2ecbdc2d96955659e41766f8ed
Instruction Fuzzy Hash: 1912D473A18B948AE311DB39D5806ADB7A4FF9D340F558336EE5863794EB38E481CB40

Function 00007FF7F0CA21C0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2452e11af7eaa556cc0a608f367381101c90d828b02b31602553452627ae983a
Instruction ID: 6751be3057cbfabd297d8303d1e075151141f69135c122e281e62d8391005750
Opcode Fuzzy Hash: 2452e11af7eaa556cc0a608f367381101c90d828b02b31602553452627ae983a
Instruction Fuzzy Hash: 5712E433C096E48BD393DB3A44501EDBBD4AF66340F598765D655133E2CA2872B0EF62

Function 00007FF7F0CC6EB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357437ced6a78f0804adef4af37eb8edcaf081983be7d8ddc58528e2e09b7cb3
Instruction ID: 65207646e488306aa81a94048c7b54874b662fdac8a35525d82f62f25cd0d93f
Opcode Fuzzy Hash: 357437ced6a78f0804adef4af37eb8edcaf081983be7d8ddc58528e2e09b7cb3
Instruction Fuzzy Hash: 20F1D432908BC596E3229B3694413F9F3A0FF5A354F54A721EA98223E1DF39B094DB50

Function 00007FF7F0CE4804 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 7c7651ed066d4d7ba86e6799d76528fdfaa9fa4a8c94ba599eec7b30be4ad2ed
Instruction ID: dd9a3b096ec62d7e77642bd1854525d8282d650c982cc6132e31e1c9acc295d9
Opcode Fuzzy Hash: 7c7651ed066d4d7ba86e6799d76528fdfaa9fa4a8c94ba599eec7b30be4ad2ed
Instruction Fuzzy Hash: 90C1D626B0868285EB60AF6194103FAA7A4FF84B88F904031DE6D97BD5DF3CF545D351

Function 00007FF7F0CB1830 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170c56f69e4a0627572a25e9877ed1d96c215c83d197789f1693d82c9952f215
Instruction ID: d778b0758c61680ab0bacc1edc569f3e1b10bc7589e9ef6493fa003c160b1113
Opcode Fuzzy Hash: 170c56f69e4a0627572a25e9877ed1d96c215c83d197789f1693d82c9952f215
Instruction Fuzzy Hash: 86D1D472A097C586E7159B2AE0412B9F3A4FF98B84F998231DF9813790EF38F551CB50

Function 00007FF7F0CDBAC4 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1a75063e8a1ae49f8a2045e162b47dffa9609bba9e43a9ad2773260f61dd85
Instruction ID: 8b407afd1a63e9124a0d8f8315fe1acd3dc0156dc1dc20def82f0d25d17e4f7c
Opcode Fuzzy Hash: 0b1a75063e8a1ae49f8a2045e162b47dffa9609bba9e43a9ad2773260f61dd85
Instruction Fuzzy Hash: A3914722B2A642C6FB296E2594503FAD681BF90794F840139DE7E4B7C8CD2CF905D7A0

Function 00007FF7F0C991F0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7778c6f0cc7de673acc9c8f5dafb7e27282f9adcb678beb38540b4110af1ce
Instruction ID: a15bf7c8f01bb687d17e5e17d825441cac4858528a6fd69f4327f43b84caef2d
Opcode Fuzzy Hash: bd7778c6f0cc7de673acc9c8f5dafb7e27282f9adcb678beb38540b4110af1ce
Instruction Fuzzy Hash: 38C1C25290D6C2A5FB73AE3940402FAAF98EF11B54F880671DD6C0A7C5EE2DB542D3B0

Function 00007FF7F0CA8A40 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2332de41d0ab3350f613ff858abee45f9d33e0b2c8c4ce10db18dd2d39c581d8
Instruction ID: b2559cc9d2d4e02b419d374d075fad0d295a74b6dde0cdbc333c975b10a91698
Opcode Fuzzy Hash: 2332de41d0ab3350f613ff858abee45f9d33e0b2c8c4ce10db18dd2d39c581d8
Instruction Fuzzy Hash: A6D19572C0828687E7A5AA3691143F9E6A0AF15754F588F35CB78223D1DF387468CBA1

Function 00007FF7F0CB2480 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20bad7efb989e5b421968c5d16cebccc1ed1bad37cf89f02b375d81eedd0ceb
Instruction ID: 561452d6b217cfe46f4ca5f117f04d54bca9a936d563f93872d8fbd3c2baea4e
Opcode Fuzzy Hash: c20bad7efb989e5b421968c5d16cebccc1ed1bad37cf89f02b375d81eedd0ceb
Instruction Fuzzy Hash: 93B1A422E28BCC41E223A63750821F9E250AF7F3C5F2DDB23F994757B29B2571D19550

Function 00007FF7F0CB1F10 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69584a1cfcd7dde3c4c2a750b0f50528e8cdb786fd8cf5f8b3c9bbae0d088da
Instruction ID: 74870f431524bc7609d82aba6a6d25b48870ad7310a12dcc10d937c736f34910
Opcode Fuzzy Hash: a69584a1cfcd7dde3c4c2a750b0f50528e8cdb786fd8cf5f8b3c9bbae0d088da
Instruction Fuzzy Hash: 3E911172A1968586EB11DB3E94007BAB3A0FF99784F948331DE5962792EF38F081C750

Function 00007FF7F0CAFB10 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a82fb603bbb60f5297ce8f561ca12e2a1cb854710bd6a837a5d284c3a42ece
Instruction ID: be87d3d76a64b236961486abc80d30c2a0897a9dd3e716bdff89495a90f68dc8
Opcode Fuzzy Hash: e9a82fb603bbb60f5297ce8f561ca12e2a1cb854710bd6a837a5d284c3a42ece
Instruction Fuzzy Hash: 6BA10733A18A988AE301EB3E84412FDB7B0FF99349F554325EF95227A5DB38B445CB50

Function 00007FF7F0CDFCF8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4d4ed93b6b0142d225354b051bd6e03ba2f207c2085fa78f88b2e81558353445
Instruction ID: 4425c1f396d9df133e97ba8d1328f5e2f72e3aa74fda75c1116473319ab21c1b
Opcode Fuzzy Hash: 4d4ed93b6b0142d225354b051bd6e03ba2f207c2085fa78f88b2e81558353445
Instruction Fuzzy Hash: 23819122B05A1186EB60AF65D4813BD63A1FF44B94F904636EE3E977D5CF38E042C390

Function 00007FF7F0CB2FD0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807233b254af940f77b75d8e7d505163e323dcaac8fdead07f67d47f26008811
Instruction ID: d162e35760391d7287839db594a7e9c01b9dc6d27134b2a9eb2e03c6af77eeed
Opcode Fuzzy Hash: 807233b254af940f77b75d8e7d505163e323dcaac8fdead07f67d47f26008811
Instruction Fuzzy Hash: 86617EE761C2E202E3565B3C65412BDEED4BF49344F5C9234FA9AC2BC1C93DE604C6A0

Function 00007FF7F0CB2D20 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94c5e503a2f05a1ef9edfffe16f34d85c2a46f22c7db17186f702543d5b7594
Instruction ID: 97e1a390c53f08c062b5379af95b3218e24b0715b5cdc35ca5d438fb61c96fb5
Opcode Fuzzy Hash: c94c5e503a2f05a1ef9edfffe16f34d85c2a46f22c7db17186f702543d5b7594
Instruction Fuzzy Hash: 676116B3B1C6E186D7118B3CE405AB9FFA4EB99305F498275DA9CC7B84CA2EE401C750

Function 00007FF7F0CAD290 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: 77ea5c72f733ab8d0b4ec0a7f923f32e4ddd28518361d2d78f493fef256863c8
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 715127A6A244B183DF109F2AE8D16BC7790E74AB43FD48476D66982FA1C13DD11ADF30

Function 00007FF7F0CE393C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e840059d140e0ed461d9669d3a5e3ce609a810f502e18d3ff3af7384079b8b0b
Instruction ID: 1d0f38878fde2b5aaae2f0525f3ff012a7df34c77fbf5d5748c32bec8ea5beab
Opcode Fuzzy Hash: e840059d140e0ed461d9669d3a5e3ce609a810f502e18d3ff3af7384079b8b0b
Instruction Fuzzy Hash: 2B413332714A5482FF08DF3AE9141A9B391EB48FD4B89A132DE5D97B98DE3CE046D340

Function 00007FF7F0CBC390 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8064ea59af274db430a06af7c8d0a131887b7a87760b62c114027aeff832fd11
Instruction ID: c35a7b147df8d5fae3c47de95ab13be967fbc2b19222d893a59f5147b03edb3c
Opcode Fuzzy Hash: 8064ea59af274db430a06af7c8d0a131887b7a87760b62c114027aeff832fd11
Instruction Fuzzy Hash: D6512376614A8482DB50CF2AE690BAE77A2FB89FD4F459122DF5D03B64CF38D064CB00

Function 00007FF7F0CBAD40 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4166815871d0a319c293eeb76fc735a4efbd95e001cd454d12d525d2777da696
Instruction ID: 696ba786c22f9d9589a40e9a9fd075a5e6b8aaa4a7a353d0f418338c84416fe8
Opcode Fuzzy Hash: 4166815871d0a319c293eeb76fc735a4efbd95e001cd454d12d525d2777da696
Instruction Fuzzy Hash: 9F413E51E0C29946EB21A53B90401F9F651AF6AB80FDDC732ED6817BD4DB3CF491C690

Function 00007FF7F0C84B40 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
Instruction ID: c6ef5cacf41938ca76534c098263bc519d4a7e1fea56cc763437972c47e11b41
Opcode Fuzzy Hash: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
Instruction Fuzzy Hash: 5C4192337115508BD78CCF39C865AED33A6F798304F86C23AD62987785DA369906CB84

Function 00007FF7F0CDE4EC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4b42018c8693cb59bc895b7ce97f640f01fe3889388d1c44a4878c8444c1bf
Instruction ID: e70f0e74cafd894d14fa68c54e8d7ac6ff3d9c8951f907522f47c32742de5a70
Opcode Fuzzy Hash: ea4b42018c8693cb59bc895b7ce97f640f01fe3889388d1c44a4878c8444c1bf
Instruction Fuzzy Hash: 24319C32E1E05285F7B5B92DA5542F9D2839F82388FE48131D13D02BD9FC2AF842D6B1

Function 00007FF7F0C986B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6099f936b42194be98f2f845ce2a651f2b1d9662d06a3842f41271a4f05efb33
Instruction ID: a7428fe471a4b463444539f897554982174fedb10e92070a253bd8e8c3330283
Opcode Fuzzy Hash: 6099f936b42194be98f2f845ce2a651f2b1d9662d06a3842f41271a4f05efb33
Instruction Fuzzy Hash: 8A01F2E1A0029A87EB48D6E68CE94BD3351E795346FC95037EF494B385C93CA11BD3B0

Function 00007FF7F0CCE608 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1782a02534af2d6822040639daebda6d8780c5fb6af90152f001b10279be4aad
Instruction ID: 9001243efc3753bfbfa2b594fd15b2847b84d0d5ccd41bc4e4d23f41ab31e92f
Opcode Fuzzy Hash: 1782a02534af2d6822040639daebda6d8780c5fb6af90152f001b10279be4aad
Instruction Fuzzy Hash: 7AA0012191DC4AD4E705AB00E8A00A5A232AF61301B805071D02D917A19F3CB440D2A5

Function 00007FF7F0CCDD7C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7F0CCDD92
GetModuleHandleW.KERNEL32 ref: 00007FF7F0CCDD9F
GetModuleHandleW.KERNEL32 ref: 00007FF7F0CCDDB4
GetProcAddress.KERNEL32 ref: 00007FF7F0CCDDCC
GetProcAddress.KERNEL32 ref: 00007FF7F0CCDDDF
CreateEventW.KERNEL32 ref: 00007FF7F0CCDE0B
DeleteCriticalSection.KERNEL32 ref: 00007FF7F0CCDE57
CloseHandle.KERNEL32 ref: 00007FF7F0CCDE69

Strings

WakeAllConditionVariable, xrefs: 00007FF7F0CCDDD2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF7F0CCDD98
SleepConditionVariableCS, xrefs: 00007FF7F0CCDDC2
kernel32.dll, xrefs: 00007FF7F0CCDDAD

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 69b1fd502fa08849ec4443aeb95f7285edeb0079f40926defc7a396a945fbe3e
Instruction ID: 22dd0125fe5a00bfd6cdfca89b60e1b2fb0e5e20ef33dc9b37d47fd7de341324
Opcode Fuzzy Hash: 69b1fd502fa08849ec4443aeb95f7285edeb0079f40926defc7a396a945fbe3e
Instruction Fuzzy Hash: 4821FB24B19A4385FB54BB60E8642B8E291AF58742FC45435C93E06BE1EF2CB449C2B1

Function 00007FF7F0C8D900 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 347COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8D9A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8DD69
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8DD6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8DD75

Strings

ios_base::eofbit set, xrefs: 00007FF7F0C8DDD9
ios_base::failbit set, xrefs: 00007FF7F0C8DDD2
ios_base::badbit set, xrefs: 00007FF7F0C8DDC6
input binary isn't a valid pe file!, xrefs: 00007FF7F0C8DE1B
Alcatraz doesn't support 32bit binaries!, xrefs: 00007FF7F0C8DE3E
couldn't open input binary!, xrefs: 00007FF7F0C8DD9E
binary path doesn't exist!, xrefs: 00007FF7F0C8DD7B

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page
String ID: Alcatraz doesn't support 32bit binaries!$binary path doesn't exist!$couldn't open input binary!$input binary isn't a valid pe file!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4261731725-2182915325
Opcode ID: 6e4e502083c0f059d6266290e5b652bef14f999c3e570fc1849fba4aef81878d
Instruction ID: 0760747d318953088551b5e6171a4b06d3e8ae5ce44bb14dca01585f34facf3b
Opcode Fuzzy Hash: 6e4e502083c0f059d6266290e5b652bef14f999c3e570fc1849fba4aef81878d
Instruction Fuzzy Hash: 2BE1AF62B15B8285EB10EB64E4443EDB3A1FF84788F809132DA6D47BD9EF78E544C390

Function 00007FF7F0CF48F8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 276fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0CF44D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF4519
Part of subcall function 00007FF7F0CF44D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF4599
Part of subcall function 00007FF7F0CF44D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF45ED
Part of subcall function 00007FF7F0CF44D8: _get_daylight.LIBCMT ref: 00007FF7F0CF4645

CreateFileW.KERNEL32 ref: 00007FF7F0CF49FE
CreateFileW.KERNEL32 ref: 00007FF7F0CF4A4E
GetLastError.KERNEL32 ref: 00007FF7F0CF4A7E
GetFileType.KERNEL32 ref: 00007FF7F0CF4A93
GetLastError.KERNEL32 ref: 00007FF7F0CF4A9D
CloseHandle.KERNEL32 ref: 00007FF7F0CF4AD0
CloseHandle.KERNEL32 ref: 00007FF7F0CF4C34
CreateFileW.KERNEL32 ref: 00007FF7F0CF4C69
GetLastError.KERNEL32 ref: 00007FF7F0CF4C78

Strings

c:\Windows\Fonts\Calibri.ttf, xrefs: 00007FF7F0CF4912

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID: c:\Windows\Fonts\Calibri.ttf
API String ID: 1330151763-752844498
Opcode ID: ccc6b2a2b50cf47db6a32f233c6f87d4a95695d44e2924a691e43b7d493ec8eb
Instruction ID: cd0024174f97fe97e6b2b756adceac3d8fe2c0d8397fe270f83b825da534e92e
Opcode Fuzzy Hash: ccc6b2a2b50cf47db6a32f233c6f87d4a95695d44e2924a691e43b7d493ec8eb
Instruction Fuzzy Hash: C8C1C232B14A428AEB10DFA5C4902AD7761EB48BA8B415235DB3E573E4CF38E051C3A1

Function 00007FF7F0C8A780 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8A7DF

Part of subcall function 00007FF7F0CCBF8C: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7F0C8A3E6), ref: 00007FF7F0CCBF9E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8A9DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8A9E4
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF7F0C8AB01
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8AB2C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8AC59
__std_exception_copy.LIBVCRUNTIME ref: 00007FF7F0C8AC8D

Strings

", ", xrefs: 00007FF7F0C8A8CD
: ", xrefs: 00007FF7F0C8A89A

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile__std_exception_copy__std_exception_destroy__std_fs_code_page
String ID: ", "$: "
API String ID: 4080386414-747220369
Opcode ID: 734fcb318d9e4dffeca336c6bad47712943d2058f90183dd2b8f39ace41a6252
Instruction ID: 81c6dcb6d2fcf5eab664292eb8b10cfa8db3c7a23e0a2c1c547604895329564e
Opcode Fuzzy Hash: 734fcb318d9e4dffeca336c6bad47712943d2058f90183dd2b8f39ace41a6252
Instruction Fuzzy Hash: BEE18E72B05A8185EB04EF29D0843ECA362FF44B88F909131DB6D17B99EF38E495C394

Function 00007FF7F0C867D0 Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 302COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0C855E0: ZydisCalcAbsoluteAddress.ZYDIS ref: 00007FF7F0C85BA0

?init@CodeHolder@_abi_1_10@asmjit@@QEAAIAEBVEnvironment@23@_K@Z.ASMJIT ref: 00007FF7F0C86882
?attach@CodeHolder@_abi_1_10@asmjit@@QEAAIPEAVBaseEmitter@23@@Z.ASMJIT ref: 00007FF7F0C86893
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C86C7C

Strings

couldn't analyze functions, xrefs: 00007FF7F0C86815
couldn't apply relocs, xrefs: 00007FF7F0C86C1B
VUUU, xrefs: 00007FF7F0C86AB8
P%, xrefs: 00007FF7F0C86AEA
couldn't convert relative jmps, xrefs: 00007FF7F0C86C27
Obfuscating.., xrefs: 00007FF7F0C86899

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: CodeHolder@_abi_1_10@asmjit@@$?attach@?init@AbsoluteAddressBaseCalcEmitter@23@@Environment@23@_Zydis_invalid_parameter_noinfo_noreturn
String ID: Obfuscating..$P%$VUUU$couldn't analyze functions$couldn't apply relocs$couldn't convert relative jmps
API String ID: 3111725066-1444523530
Opcode ID: 4052e880c4213c3468be2179c6ce4460f74217b4db10b465e115caaafe0fffcc
Instruction ID: 178a05de8a015830af7b475480f8c927d874b572ff9941b10d887ce58816f8fd
Opcode Fuzzy Hash: 4052e880c4213c3468be2179c6ce4460f74217b4db10b465e115caaafe0fffcc
Instruction Fuzzy Hash: 06D1CE72A08A8186EB50EB15E4403E9A7A1FF85B94F944132EBAD037E5DF3DE481C794

Function 00007FF7F0CCD648 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F0CCD655
GetProcAddress.KERNEL32 ref: 00007FF7F0CCD668
GetProcAddress.KERNEL32 ref: 00007FF7F0CCD67F
GetProcAddress.KERNEL32 ref: 00007FF7F0CCD696

Strings

GetCurrentPackageId, xrefs: 00007FF7F0CCD65E
GetTempPath2W, xrefs: 00007FF7F0CCD685
GetSystemTimePreciseAsFileTime, xrefs: 00007FF7F0CCD66E
kernel32.dll, xrefs: 00007FF7F0CCD64E

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: c64202763b5cc2ee62e0b3989d856a9a21812e12adf921a933c464cc7bad10ff
Instruction ID: 3a83548675da98cb9d23ae558283c1af58fdd2c1d6fdd53c0ab5581e093592ca
Opcode Fuzzy Hash: c64202763b5cc2ee62e0b3989d856a9a21812e12adf921a933c464cc7bad10ff
Instruction Fuzzy Hash: DEF0DA60A09B07C9EB04FB61B8641A5B3A4BF59792BC04031C83E427A0EF3CB098C3B1

Function 00007FF7F0CE5AC4 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 489COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CE5B08
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CE5EE0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CE618B

Strings

p, xrefs: 00007FF7F0CE5BBA
f, xrefs: 00007FF7F0CE5C2A
0, xrefs: 00007FF7F0CE5F30
p, xrefs: 00007FF7F0CE5C32

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$f$p$p
API String ID: 3215553584-1202675169
Opcode ID: 7877ad18cfb62de8340394824632f08a3c7d8772ee283250a48dfe22028356b1
Instruction ID: cb2d41e14a6a8a9cd615e521fd5bc09ba0a597df6ee8c4d26af0647914ce8777
Opcode Fuzzy Hash: 7877ad18cfb62de8340394824632f08a3c7d8772ee283250a48dfe22028356b1
Instruction Fuzzy Hash: 0112AC22E1C24386FF24BA1491246F9F661EF40794FD44135E6A947BC4DB3CF980EBA6

Function 00007FF7F0CE881C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7F0CE9068,?,?,?,?,00007FF7F0CDFC95,?,?,?,?,00007FF7F0CCC618), ref: 00007FF7F0CE899B
GetProcAddress.KERNEL32(?,?,?,00007FF7F0CE9068,?,?,?,?,00007FF7F0CDFC95,?,?,?,?,00007FF7F0CCC618), ref: 00007FF7F0CE89A7

Strings

ext-ms-, xrefs: 00007FF7F0CE88F8
api-ms-, xrefs: 00007FF7F0CE88E5

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 5928ba817ccbafb2def43d96f5b2a85606c57bdbbebf7724b2db7f74f181dcbc
Instruction ID: 77969b7917fb993488fd3599f475271883048b4ee28ef6835cbf1a9db90d6bcf
Opcode Fuzzy Hash: 5928ba817ccbafb2def43d96f5b2a85606c57bdbbebf7724b2db7f74f181dcbc
Instruction Fuzzy Hash: 3C41EC21B1964285FB15AB16A8502F5A291BF45BE0F884135DD2E877C4DE3CF448D3A2

Function 00007FF7F0C855E0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 442COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C859BA
ZydisCalcAbsoluteAddress.ZYDIS ref: 00007FF7F0C85BA0

Strings

.sys, xrefs: 00007FF7F0C858F0
File type doesn't support custom entry!, xrefs: 00007FF7F0C85955
.dll, xrefs: 00007FF7F0C85830
.exe, xrefs: 00007FF7F0C8565E, 00007FF7F0C856B3

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: AbsoluteAddressCalcZydis_invalid_parameter_noinfo_noreturn
String ID: .dll$.exe$.sys$File type doesn't support custom entry!
API String ID: 3006515703-2073831736
Opcode ID: b2cda06d613e2dd3b5a5fd65617da9605751d0752a212bd9a3cd2c43d07ceb0f
Instruction ID: 52e2de3509e17c5861d4b98a15a221a753fd6ad1c8d707d51123f3b46b0db2ba
Opcode Fuzzy Hash: b2cda06d613e2dd3b5a5fd65617da9605751d0752a212bd9a3cd2c43d07ceb0f
Instruction Fuzzy Hash: 2F12A062B19A8186EF209B25D0442FDA7E1FF49BA4F844232DA6D077C9DE7CF441C7A4

Function 00007FF7F0C8E2B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 229COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8E5A0

Strings

ios_base::eofbit set, xrefs: 00007FF7F0C8E564, 00007FF7F0C8E5BE
ios_base::failbit set, xrefs: 00007FF7F0C8E55D, 00007FF7F0C8E5B7
ios_base::badbit set, xrefs: 00007FF7F0C8E552, 00007FF7F0C8E5AB
couldn't open output binary!, xrefs: 00007FF7F0C8E5FA
couldn't write output binary!, xrefs: 00007FF7F0C8E626

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: couldn't open output binary!$couldn't write output binary!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3668304517-3245769834
Opcode ID: 93edb1a42aee6d678c9fb1ce6000c5c5bb3fefd4590160fc829520f6c949ede8
Instruction ID: 10674b9b0c1c4a860102f3f1c08fe7b54087630e346a9ff0bf45d619635568ff
Opcode Fuzzy Hash: 93edb1a42aee6d678c9fb1ce6000c5c5bb3fefd4590160fc829520f6c949ede8
Instruction Fuzzy Hash: D4B17072704A8599EB10EF24D8803EDB7A2FF84788F854136DA1C57BA9EF78E545C390

Function 00007FF7F0CC9F70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0CDF450: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F0CDF464

GetCurrentProcess.KERNEL32 ref: 00007FF7F0CCA042
SymEnumSymbols.DBGHELP ref: 00007FF7F0CCA061
GetCurrentProcess.KERNEL32 ref: 00007FF7F0CCA0E3
SymCleanup.DBGHELP ref: 00007FF7F0CCA0EC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0CCA169

Strings

couldn't enum symbols, xrefs: 00007FF7F0CCA06B

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: CurrentProcessTime$CleanupEnumFileSymbolsSystem_invalid_parameter_noinfo_noreturn
String ID: couldn't enum symbols
API String ID: 2665264371-1225720269
Opcode ID: c5380e398786b7d51f7d1fad7e720c147e3012aafc782c788861922811cce662
Instruction ID: acbe24308ff667b4ea6a641538f8e808398dada8bdc27fcea90b22a3d456f8dc
Opcode Fuzzy Hash: c5380e398786b7d51f7d1fad7e720c147e3012aafc782c788861922811cce662
Instruction Fuzzy Hash: 8F515D32B09B8186E710EF61E4442EDB371FB44788F809135DA9D27B95DF38E1A5C390

Function 00007FF7F0CD3B7C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7F0CD3E2E,?,?,?,00007FF7F0CD3A98,?,?,00000001,00007FF7F0CD0591), ref: 00007FF7F0CD3C01
GetLastError.KERNEL32(?,?,?,00007FF7F0CD3E2E,?,?,?,00007FF7F0CD3A98,?,?,00000001,00007FF7F0CD0591), ref: 00007FF7F0CD3C0F
LoadLibraryExW.KERNEL32(?,?,?,00007FF7F0CD3E2E,?,?,?,00007FF7F0CD3A98,?,?,00000001,00007FF7F0CD0591), ref: 00007FF7F0CD3C39
FreeLibrary.KERNEL32(?,?,?,00007FF7F0CD3E2E,?,?,?,00007FF7F0CD3A98,?,?,00000001,00007FF7F0CD0591), ref: 00007FF7F0CD3C7F
GetProcAddress.KERNEL32(?,?,?,00007FF7F0CD3E2E,?,?,?,00007FF7F0CD3A98,?,?,00000001,00007FF7F0CD0591), ref: 00007FF7F0CD3C8B

Strings

api-ms-, xrefs: 00007FF7F0CD3C21

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 0e7877a7e9097bc56d02e7adc7fcca462e638d20237442fa42a8b8ee29fca037
Instruction ID: 62b83b2756699dd919617043cf6d7be53df9455c68da4ed5a6679a6b6eee187b
Opcode Fuzzy Hash: 0e7877a7e9097bc56d02e7adc7fcca462e638d20237442fa42a8b8ee29fca037
Instruction Fuzzy Hash: B731A121B2B64295EB15AB02A9506F5E394BF84BA0F994635DD3D1A3D0DF3CF444C3A0

Function 00007FF7F0CE697C Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F0CE698B
FlsGetValue.KERNEL32 ref: 00007FF7F0CE69A0
FlsSetValue.KERNEL32 ref: 00007FF7F0CE69C1
FlsSetValue.KERNEL32 ref: 00007FF7F0CE69EE
FlsSetValue.KERNEL32 ref: 00007FF7F0CE69FF
FlsSetValue.KERNEL32 ref: 00007FF7F0CE6A10
SetLastError.KERNEL32 ref: 00007FF7F0CE6A2B

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a04fc1526bedf0b0fbfd82468cc949d71fd65b4f89d777f910669b34ece8d024
Instruction ID: 0de5feaa878aea92adf0e4dff9496a1fe035f531d384d125ea4f75f5b58961ff
Opcode Fuzzy Hash: a04fc1526bedf0b0fbfd82468cc949d71fd65b4f89d777f910669b34ece8d024
Instruction Fuzzy Hash: 7F216820E1C24282FB687772A9511BDE2424F447F0FD84B34E8BE167D6DE3CB441E2A2

Function 00007FF7F0CAAD70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF7F0CAADB7
ImmSetCompositionWindow.IMM32 ref: 00007FF7F0CAADF0
ImmSetCandidateWindow.IMM32 ref: 00007FF7F0CAAE29
ImmReleaseContext.IMM32 ref: 00007FF7F0CAAE35

Strings

, xrefs: 00007FF7F0CAADCA
@, xrefs: 00007FF7F0CAAE08

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ContextWindow$CandidateCompositionRelease
String ID: $@
API String ID: 3969737024-1077428164
Opcode ID: 18067f0fab7612acb33d883e6785ba237a6e599e77a684ba726dcd808564ae81
Instruction ID: 5d10afec3b45d08f610242a60c1999fd59f0d963f8310b20af6bb81ce7e68053
Opcode Fuzzy Hash: 18067f0fab7612acb33d883e6785ba237a6e599e77a684ba726dcd808564ae81
Instruction Fuzzy Hash: 56215C72A187818AEB25DF21E05426AB3A1FF89B94F544135DAAD07B54DF3CE440CE50

Function 00007FF7F0CF60AC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7F0CF60DD
GetLastError.KERNEL32 ref: 00007FF7F0CF60E9
CloseHandle.KERNEL32 ref: 00007FF7F0CF6101
CreateFileW.KERNEL32 ref: 00007FF7F0CF612C
WriteConsoleW.KERNEL32 ref: 00007FF7F0CF614B

Strings

CONOUT$, xrefs: 00007FF7F0CF610D

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5907009f4644b8c0f495927f752ddc9e93e0afd893660df4d451436d21109526
Instruction ID: 39282063f2d9265ff07ef2fc1250d15dc0c0dc1111eae87285c5e1059526ade5
Opcode Fuzzy Hash: 5907009f4644b8c0f495927f752ddc9e93e0afd893660df4d451436d21109526
Instruction Fuzzy Hash: C0118121B18A418AE750AB12E854369E3A4FF88BF5F904234DA7D877D4DF3CE844C7A1

Function 00007FF7F0CCD310 Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7F0CCD382
MultiByteToWideChar.KERNEL32 ref: 00007FF7F0CCD42A
LCMapStringEx.KERNEL32 ref: 00007FF7F0CCD461
LCMapStringEx.KERNEL32 ref: 00007FF7F0CCD4BA
LCMapStringEx.KERNEL32 ref: 00007FF7F0CCD567
WideCharToMultiByte.KERNEL32 ref: 00007FF7F0CCD5A9

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 6315f2c4463de244182837184a42190fdf08933a2cc678d60e3dd248b3a09698
Instruction ID: 03bbb895a2246149f5748884765fd1e3513f72b492fb04369d561d7b59248aa7
Opcode Fuzzy Hash: 6315f2c4463de244182837184a42190fdf08933a2cc678d60e3dd248b3a09698
Instruction Fuzzy Hash: F5819272B0878286EB209F11E4403B9A2A1FF847A8F849635EA6D57BD4DF3CF445C760

Function 00007FF7F0C8BE20 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F0C8BE89
SymGetTypeInfo.DBGHELP ref: 00007FF7F0C8BEA7
GetCurrentProcess.KERNEL32 ref: 00007FF7F0C8BEB8
SymGetTypeInfo.DBGHELP ref: 00007FF7F0C8BED6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8C066
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8C06C

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: CurrentInfoProcessType_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4020693216-0
Opcode ID: 47592e6e3a92439bafed7ed8249c9ca111d8b75176cb5b1b86709fc10d3ac88c
Instruction ID: d3fbd9037a23bc663a77cb786b8a2ec1d7a24bdb44b33c9291268f76c683f7bb
Opcode Fuzzy Hash: 47592e6e3a92439bafed7ed8249c9ca111d8b75176cb5b1b86709fc10d3ac88c
Instruction Fuzzy Hash: 5B718D62B05681CAE710DF75D4806ECB7A1EB08B98F854232EB6C537C9DE38E584C754

Function 00007FF7F0C905E0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F0C90627
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F0C9064C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F0C90676
std::_Facet_Register.LIBCPMT ref: 00007FF7F0C906F0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F0C9070A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F0C90764

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c5edb41724daaf9351f84785965e4cbac90310c76643512cad25f786b2e75755
Instruction ID: 25c58f5a0a18c06c7c254dcfbbb529656d4dc65c88a2b283b545bc30651a83eb
Opcode Fuzzy Hash: c5edb41724daaf9351f84785965e4cbac90310c76643512cad25f786b2e75755
Instruction Fuzzy Hash: 9F417F22A08B4285FB10EF25E4401A9B761FF85B94F995132EAAE037E5EF3CF451C790

Function 00007FF7F0C90770 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F0C9079B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F0C907C0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F0C907EA
std::_Facet_Register.LIBCPMT ref: 00007FF7F0C90861
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F0C9087B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F0C908A3

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 881319bcdc9aa94efee01588d47b492faa991f7d0dff4b36ae23722347c75482
Instruction ID: 4c96e7b2e1deaba5a0291ede784d0a8e340cb9cc42554ac04b5c14c910a96f7d
Opcode Fuzzy Hash: 881319bcdc9aa94efee01588d47b492faa991f7d0dff4b36ae23722347c75482
Instruction Fuzzy Hash: E7317122B08A4184FB24AF25E8401BAB760FF88BA4F995531DA6D437E5EE3CF451C794

Function 00007FF7F0CE6AF4 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F0CE03D9,?,?,?,?,00007FF7F0CED77A,?,?,00000000,00007FF7F0CEF49B,?,?,?), ref: 00007FF7F0CE6B03
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CE03D9,?,?,?,?,00007FF7F0CED77A,?,?,00000000,00007FF7F0CEF49B,?,?,?), ref: 00007FF7F0CE6B39
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CE03D9,?,?,?,?,00007FF7F0CED77A,?,?,00000000,00007FF7F0CEF49B,?,?,?), ref: 00007FF7F0CE6B66
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CE03D9,?,?,?,?,00007FF7F0CED77A,?,?,00000000,00007FF7F0CEF49B,?,?,?), ref: 00007FF7F0CE6B77
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CE03D9,?,?,?,?,00007FF7F0CED77A,?,?,00000000,00007FF7F0CEF49B,?,?,?), ref: 00007FF7F0CE6B88
SetLastError.KERNEL32(?,?,?,00007FF7F0CE03D9,?,?,?,?,00007FF7F0CED77A,?,?,00000000,00007FF7F0CEF49B,?,?,?), ref: 00007FF7F0CE6BA3

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: edb80d4156bd12064b13579ad04553297744a1b0ce822564395a8c2d5176d606
Instruction ID: 0db775ab7c9d284f8d18f9c83532d524dc081317c0d6ae8c39ef79bcf20608d4
Opcode Fuzzy Hash: edb80d4156bd12064b13579ad04553297744a1b0ce822564395a8c2d5176d606
Instruction Fuzzy Hash: 88115820A1828283FB54773159510BDF2425F447F0FD80734E87E467D6DE7CB441E2A2

Function 00007FF7F0C8D490 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F0C8D4FA
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7F0C8D542
_Getctype.LIBCPMT ref: 00007FF7F0C8D55A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F0C8D5EA

Strings

bad locale name, xrefs: 00007FF7F0C8D60D

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: f4f2f63dee7c73b07baafed99fbd023be47181821832e97e66f77681994466fa
Instruction ID: b0da8f2673dcad30c313df2d01a4396217555400f4df80f2cdcd2f463b5bbb40
Opcode Fuzzy Hash: f4f2f63dee7c73b07baafed99fbd023be47181821832e97e66f77681994466fa
Instruction Fuzzy Hash: C2416E26B0AB4189FB14EF70D4902FC63A4EF80748F844035DE6D66B95DF38E51AD3A4

Function 00007FF7F0CD0BA8 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF7F0CD0CCB
__AdjustPointer.LIBCMT ref: 00007FF7F0CD0D16

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 31aa84b8d39c184d15615d9339bb0521a9c74836e6e8685b5479a93c921db91f
Instruction ID: ac08a8ced6d2ee54708980ce28ae9d274e0a2a245e94f2d0d444700a06a037b2
Opcode Fuzzy Hash: 31aa84b8d39c184d15615d9339bb0521a9c74836e6e8685b5479a93c921db91f
Instruction Fuzzy Hash: B1B1A821A0B68291EB65AB59D8403F9E291EF44B80FAA8436DE7D077D5DE3CF441C3A0

Function 00007FF7F0C899E0 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C89B28
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C89B2E

Part of subcall function 00007FF7F0C899E0: __std_exception_copy.LIBVCRUNTIME ref: 00007FF7F0C89BBB

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C89C35
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF7F0C89C5D

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: fe4e3f3e73d9847b35ff44f84368fd11ac1701639c43dc974375caaf9cc1d675
Instruction ID: aca3d4a70ad62a91490d8de3add923dd0319bf6a8524de77d28c363886db2792
Opcode Fuzzy Hash: fe4e3f3e73d9847b35ff44f84368fd11ac1701639c43dc974375caaf9cc1d675
Instruction Fuzzy Hash: E9718222A08B8581EB14AF25E4513A9A361FF85B94F949231EBAC037D9DF7CF1D0C750

Function 00007FF7F0CD6150 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CD6174
CreateThread.KERNEL32 ref: 00007FF7F0CD61B5
GetLastError.KERNEL32 ref: 00007FF7F0CD61C3
CloseHandle.KERNEL32 ref: 00007FF7F0CD61E0
FreeLibrary.KERNEL32 ref: 00007FF7F0CD61EF

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: ecde96d317ea06dafda8512c3aaa8687ecc6a3885092ad06fda0ff3c5563e2ab
Instruction ID: d5dece72e26b62c0686f1644a3e0e7e04b17f66ff10a93cbfa0494b0a44311b4
Opcode Fuzzy Hash: ecde96d317ea06dafda8512c3aaa8687ecc6a3885092ad06fda0ff3c5563e2ab
Instruction Fuzzy Hash: 5E212C75E0E74286EF18AB65A4201BDE2A4AF84B90F844435DEBE477D6DF7CF440C6A0

Function 00007FF7F0CF5328 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7F0CF5350
_set_statfp.LIBCMT ref: 00007FF7F0CF536B
_set_statfp.LIBCMT ref: 00007FF7F0CF5387
_set_statfp.LIBCMT ref: 00007FF7F0CF53C3

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: dde82c4cc078ff75314f9838c7980d762dd7bfcbb4b50dba0f0282a22db24e26
Instruction ID: 76ad6092991b835386f43de2daea55e73c51faa92e40c8e9f187485887bc8595
Opcode Fuzzy Hash: dde82c4cc078ff75314f9838c7980d762dd7bfcbb4b50dba0f0282a22db24e26
Instruction Fuzzy Hash: B9116036E5CA030AFB54312DE4653F991406F543B6FC81A34EB7E163EA8E9C7845D1B2

Function 00007FF7F0CE6BBC Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7F0CD4043,?,?,00000000,00007FF7F0CD42DE,?,?,?,?,?,00007FF7F0CD426A), ref: 00007FF7F0CE6BDB
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CD4043,?,?,00000000,00007FF7F0CD42DE,?,?,?,?,?,00007FF7F0CD426A), ref: 00007FF7F0CE6BFA
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CD4043,?,?,00000000,00007FF7F0CD42DE,?,?,?,?,?,00007FF7F0CD426A), ref: 00007FF7F0CE6C22
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CD4043,?,?,00000000,00007FF7F0CD42DE,?,?,?,?,?,00007FF7F0CD426A), ref: 00007FF7F0CE6C33
FlsSetValue.KERNEL32(?,?,?,00007FF7F0CD4043,?,?,00000000,00007FF7F0CD42DE,?,?,?,?,?,00007FF7F0CD426A), ref: 00007FF7F0CE6C44

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 24bad791a95cb82e5839b6627e96dfa598830f2d76431bf65a5dde747205c608
Instruction ID: 98a377704c1041fbfb958e20eb72fb3b858d75cfb6f64d551788dab9c159c8ba
Opcode Fuzzy Hash: 24bad791a95cb82e5839b6627e96dfa598830f2d76431bf65a5dde747205c608
Instruction Fuzzy Hash: CF116A60F1824242FB58B331A9511B9B2419F447F0FE85734E8BE167D6DE2CB442E2A2

Function 00007FF7F0CE6A50 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7F0CE6A61
FlsSetValue.KERNEL32 ref: 00007FF7F0CE6A80
FlsSetValue.KERNEL32 ref: 00007FF7F0CE6AA8
FlsSetValue.KERNEL32 ref: 00007FF7F0CE6AB9
FlsSetValue.KERNEL32 ref: 00007FF7F0CE6ACA

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: affcd599414dc3b01a08814ae295b72f4ba230efdc10e5e13fdd4a446afdc9db
Instruction ID: 65a4cb11b402d4270452ee6a1acbdeb0ae38a2dbc789ffde0dfb2925614b4ae9
Opcode Fuzzy Hash: affcd599414dc3b01a08814ae295b72f4ba230efdc10e5e13fdd4a446afdc9db
Instruction Fuzzy Hash: 5A11D650E1920242FB68B27158511F9B2414F453B0FD89734D97E2A3D2DE3DB485F2A2

Function 00007FF7F0CEB6E4 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CEB9C3

Part of subcall function 00007FF7F0CF3DF4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF3E11

Strings

UTF-16LEUNICODE, xrefs: 00007FF7F0CEB961
ccs, xrefs: 00007FF7F0CEB8FE
UTF-8, xrefs: 00007FF7F0CEB942

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 812eb25467f9820539b398c36a735b3501e1e64eb46c7dcd0e4f1d8058d8722f
Instruction ID: 56b24201836f6acd23b2968f7c7e81ae55599da0f2b7f2089b6b14ae93f44da4
Opcode Fuzzy Hash: 812eb25467f9820539b398c36a735b3501e1e64eb46c7dcd0e4f1d8058d8722f
Instruction Fuzzy Hash: 3C819E32E08202C5FB756E2582902FAA6A4EF11B44FD58035CA2E577D5CA2DF801E7B3

Function 00007FF7F0CD1EC8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7F0CD1F38
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7F0CD1F83

Strings

MOC, xrefs: 00007FF7F0CD1F4C
RCC, xrefs: 00007FF7F0CD1F54

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: dce48fa94725f1348cb7e931ff04f9eb17a58d871517a82b4b9601186a21fbde
Instruction ID: 688feb554856b952036d7b08826826819189e800c2a83d46f9f70aad9bcdd32d
Opcode Fuzzy Hash: dce48fa94725f1348cb7e931ff04f9eb17a58d871517a82b4b9601186a21fbde
Instruction Fuzzy Hash: B3919F73A097818AE710EF64E8402EDBBA0FB44788F54412AEFAD17795DF38E195C750

Function 00007FF7F0C87E10 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F0C88036
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C88042

Strings

gfffffff, xrefs: 00007FF7F0C87FBD
gfffffff, xrefs: 00007FF7F0C87E36

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff
API String ID: 73155330-161084747
Opcode ID: 9535f60613c05ac0dea49951758a6fb14fcafb3cc98fb6e714fbf2d9a2b921a9
Instruction ID: 8e3d6b2fd26546aa4f66becce2bf1f234235c22f0320d7730a2d336c836eb3d6
Opcode Fuzzy Hash: 9535f60613c05ac0dea49951758a6fb14fcafb3cc98fb6e714fbf2d9a2b921a9
Instruction Fuzzy Hash: 1651C2A271568682DE249F47B4441AAE391BF48BD4F948635EFAD8BB84EF3CF044C345

Function 00007FF7F0C908B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F0C9091A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7F0C90962
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F0C909F2

Strings

bad locale name, xrefs: 00007FF7F0C90A15

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 56238975b7008c1294f02d6721903e0a671990cde60117e6599f272cc170f006
Instruction ID: 6ee6d562deaab5a88ecab6514916197fcc3050f97e26ceefa2ea6b2eca31f3c5
Opcode Fuzzy Hash: 56238975b7008c1294f02d6721903e0a671990cde60117e6599f272cc170f006
Instruction Fuzzy Hash: 30416A26B0AA41C9FB14EF60D8903FC63A4EF44708F954034DE6D62B96DE38E525D3A4

Function 00007FF7F0CE741C Relevance: 6.3, APIs: 4, Instructions: 305fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7F0CE74A3
WriteFile.KERNEL32 ref: 00007FF7F0CE776A
WriteFile.KERNEL32 ref: 00007FF7F0CE77B3
GetLastError.KERNEL32 ref: 00007FF7F0CE7874

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 4cc15e357e8da9ed31a71ff707b5a830b81914658899ddeeaa60d0cf56c3670e
Instruction ID: 2dc4d91f15e1e04e98daf9586ddc1e3f81ca72f46fd9c3caa393e8c4a6f6ae9d
Opcode Fuzzy Hash: 4cc15e357e8da9ed31a71ff707b5a830b81914658899ddeeaa60d0cf56c3670e
Instruction Fuzzy Hash: DFD1E432B08A8189E721DF7AD4401EC77B5FB54798B904232DE6D97BD9DE38E406C790

Function 00007FF7F0CE7DF8 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,00000000,?,?,?,00000000,00000000,00000000,00007FF7F0CE7D98), ref: 00007FF7F0CE7F1B
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,?,00000000,00000000,00000000,00007FF7F0CE7D98), ref: 00007FF7F0CE7FA5

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: c253c82df69583d9a535e948a740caa155e297b412250f6899f0eeed2be34f61
Instruction ID: 7df135064410be09fb64ff4c5eb7d31be1732852c41f9565afdc3065627f4f0e
Opcode Fuzzy Hash: c253c82df69583d9a535e948a740caa155e297b412250f6899f0eeed2be34f61
Instruction Fuzzy Hash: 4C91D122E1865289FB60AB66C4406FCA7A0BF04798F844235DE2E177D4CF38F449D362

Function 00007FF7F0C87100 Relevance: 6.2, APIs: 4, Instructions: 176COMMON

Download Yara Rule

APIs

ZydisDecoderDecodeBuffer.ZYDIS ref: 00007FF7F0C87151
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C871DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8727D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C872E5

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$BufferDecodeDecoderZydis
String ID:
API String ID: 2066269895-0
Opcode ID: 41d0acfcda3a52eddaa6c9a267025eeceff25d2a18f8de79ab22474a0cdac6b2
Instruction ID: 99a076bf0850ce9a72e062f7ec22be6c2c1d9b64d21c868bd3decb767b4a7fdb
Opcode Fuzzy Hash: 41d0acfcda3a52eddaa6c9a267025eeceff25d2a18f8de79ab22474a0cdac6b2
Instruction Fuzzy Hash: 70519D32705A8182EB14EF66E4542ADA3A1FF48B90F948231DB6D43BD5DF3CE4A0C354

Function 00007FF7F0CF44D8 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF4519
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF4599
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF45ED
_get_daylight.LIBCMT ref: 00007FF7F0CF4645

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: acc0c49b95afa11154f1f8224afdd9ed8ffbd972de1ca6ac8f90368ee3a4d9aa
Instruction ID: dd6c3d5ae094dad7ed2adb48328580a40e7f6f0306f08104e41f58feb279a426
Opcode Fuzzy Hash: acc0c49b95afa11154f1f8224afdd9ed8ffbd972de1ca6ac8f90368ee3a4d9aa
Instruction Fuzzy Hash: 8651C132D086028BF7697A2895203F9E6809F4171AF994535EA3D873D6DE6CF840C6F3

Function 00007FF7F0C87700 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F0C87832
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C87838
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C87878
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C878BC

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: b413f7275a712219487b0467a72294f2ff91547d92b77756e3ffe40d717cda2b
Instruction ID: 99d80e63a59e686fdf434aa7841efc3883e9a40162ed16ca2e07267e0b55d205
Opcode Fuzzy Hash: b413f7275a712219487b0467a72294f2ff91547d92b77756e3ffe40d717cda2b
Instruction Fuzzy Hash: E0410362B4678641EE24AB5AD1483BCA291AF05BF0F904731DA7D17BC4EE7CF081C3A4

Function 00007FF7F0C8A3B0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7F0C8A3E1
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0C8A423
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7F0C8A45B

Part of subcall function 00007FF7F0C8A060: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7F0C8A0CE
Part of subcall function 00007FF7F0C8A060: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7F0C8A176

Part of subcall function 00007FF7F0C89D40: __std_exception_copy.LIBVCRUNTIME ref: 00007FF7F0C89DA8

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8A4FB

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide__std_fs_convert_wide_to_narrow$__std_exception_copy__std_fs_code_page_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3220548644-0
Opcode ID: a7e1cca379cee030a44dceb08a4f54abe45a1b446d0429cb740a8fdbb6127253
Instruction ID: 8b0c120c599dd5778be264f11f67a16aeffef52b4cfcac4b3674d68f2b669275
Opcode Fuzzy Hash: a7e1cca379cee030a44dceb08a4f54abe45a1b446d0429cb740a8fdbb6127253
Instruction Fuzzy Hash: A6310022A1478682FB14AF66E5483A9E291FF80BC4F945035EB6C07BC5DF7CE491C384

Function 00007FF7F0CCDF58 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7F0CCDF67

Part of subcall function 00007FF7F0CCD78C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7F0CCD7AE

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7F0CCDF7C
__scrt_release_startup_lock.LIBCMT ref: 00007FF7F0CCDFEA
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7F0CCE03D

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: e6934de51c2b2bae3df47ee85e6f41e3aea96d65be008bac5245aa0133e70fae
Instruction ID: 42e782ea065f2fdd131247902f3382a4e62ba265e7eb500f7396e69a05ab21ba
Opcode Fuzzy Hash: e6934de51c2b2bae3df47ee85e6f41e3aea96d65be008bac5245aa0133e70fae
Instruction Fuzzy Hash: 32312720E0C28385FB24BB65D5553F99292AF42384FC4A038E56E5B3D3DE6CB445D2F2

Function 00007FF7F0CCC120 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7F0CCC169
GetLastError.KERNEL32 ref: 00007FF7F0CCC177
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7F0C8C309), ref: 00007FF7F0CCC1AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7F0C8C309), ref: 00007FF7F0CCC1BA

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 1c760b6fd9242d41b3e51c37def06f79daeda7f0f1128119a90eeeffc14c952b
Instruction ID: d5ead45df620180f21dc21397bec34ab37a6d773b9b33014313c13a0bf2991a0
Opcode Fuzzy Hash: 1c760b6fd9242d41b3e51c37def06f79daeda7f0f1128119a90eeeffc14c952b
Instruction Fuzzy Hash: D1218172A18B81C7E3109F12E44436EBAB4FB88B90F544134DB9893B95CF3CE441CB50

Function 00007FF7F0CD2674 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7F0CD269E

Strings

csm, xrefs: 00007FF7F0CD26C3
csm, xrefs: 00007FF7F0CD2832

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 65915f2f727e1eb12431b49ad19f94855aa0d8175cc09c66a3dbcc6c89989db6
Instruction ID: ed36b8004f5295f785a9949e6394ff9313b3e8b645187338a785e6368cfa076b
Opcode Fuzzy Hash: 65915f2f727e1eb12431b49ad19f94855aa0d8175cc09c66a3dbcc6c89989db6
Instruction Fuzzy Hash: FC71B07290968186DB60AF25D8407B9FBA0EF10B88F948136EABC57BC5CF3CE451D790

Function 00007FF7F0C84CE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C84DA5

Strings

v, xrefs: 00007FF7F0C84DFD
.0De, xrefs: 00007FF7F0C84E06

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .0De$v
API String ID: 3668304517-1067552365
Opcode ID: 8f41abd41c15922c40b838b9056fae7ec7493938f46ec423d09435f2f29a67fb
Instruction ID: 8447759b258140ee74e4e9eec17e8696fef53d34e5d3458717afdeaeb73e5450
Opcode Fuzzy Hash: 8f41abd41c15922c40b838b9056fae7ec7493938f46ec423d09435f2f29a67fb
Instruction Fuzzy Hash: EC41B233618B9582DB14CF25E5401A9B7A5FB89FC8F448122EB9C07B99DF3CE9A1C750

Function 00007FF7F0CF7448 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7F0CF74C3

Strings

!, xrefs: 00007FF7F0CF74F4
acosf, xrefs: 00007FF7F0CF74D6

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _set_statfp
String ID: !$acosf
API String ID: 1156100317-101895715
Opcode ID: af424e1b7a8c2175dcaef02e16e50669e983c151059dcd3882a3126324527eee
Instruction ID: dc9e692e255b0df86b08558dd84359eef7bc7a18f92822fcf6b003effff3ece5
Opcode Fuzzy Hash: af424e1b7a8c2175dcaef02e16e50669e983c151059dcd3882a3126324527eee
Instruction Fuzzy Hash: EC51F821D2C6498AF322A7375851075EA50AFAA351FA8C732F929357F1DF2CB0819DA0

Function 00007FF7F0CF69B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F0CE86F4: HeapAlloc.KERNEL32(?,?,00000000,00007FF7F0CE6B56,?,?,?,00007FF7F0CE03D9,?,?,?,?,00007FF7F0CED77A,?,?,00000000), ref: 00007FF7F0CE8749

SetEndOfFile.KERNEL32(c:\Windows\Fonts\Calibri.ttf,?,?,00007FF7F0CF6961), ref: 00007FF7F0CF6AD7
GetLastError.KERNEL32 ref: 00007FF7F0CF6AE1

Strings

c:\Windows\Fonts\Calibri.ttf, xrefs: 00007FF7F0CF69C7

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: AllocErrorFileHeapLast
String ID: c:\Windows\Fonts\Calibri.ttf
API String ID: 1557988362-752844498
Opcode ID: cc6fbfd0209f3bf1ef9e84e05ef29c2f8e9d91f21c1725123a76c43d7df32479
Instruction ID: 2a2dc35a73aaf7d7df268117be72b6a756263dca09ab50fb887b91b08f874882
Opcode Fuzzy Hash: cc6fbfd0209f3bf1ef9e84e05ef29c2f8e9d91f21c1725123a76c43d7df32479
Instruction Fuzzy Hash: C241E721A182828FE774AB2194102A9E691BF447A0F894335DABE57BC1CF3DF841D772

Function 00007FF7F0CF3DF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF3E11
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F0CF3E72

Strings

c:\Windows\Fonts\Calibri.ttf, xrefs: 00007FF7F0CF3E53

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: c:\Windows\Fonts\Calibri.ttf
API String ID: 3215553584-752844498
Opcode ID: 0c5c1a25d9a154308abda6c76db06d7480e2072fe31189a3c4d22f5ea09afdae
Instruction ID: 798b45157656e8f92f193cec2bebb845f831b8d73f668202a5b8c9bbca2c0f6f
Opcode Fuzzy Hash: 0c5c1a25d9a154308abda6c76db06d7480e2072fe31189a3c4d22f5ea09afdae
Instruction Fuzzy Hash: E9412562E087429AEB64A71585603F9F6A0AF14B91FD44131EABD0B7D5CE7CF481C3B1

Function 00007FF7F0CE7AC8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7F0CE7BDF
GetLastError.KERNEL32 ref: 00007FF7F0CE7C01

Strings

U, xrefs: 00007FF7F0CE7B8B

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: f5186c1c668c2e4c9d001ce5da686a6b98d9946d0f06d3dedc3f96824a1df05a
Instruction ID: 44fe774ce18c51c8bc5612f0a85972b3adf6b300eeb32015e54b8ccb8b932c62
Opcode Fuzzy Hash: f5186c1c668c2e4c9d001ce5da686a6b98d9946d0f06d3dedc3f96824a1df05a
Instruction Fuzzy Hash: A941C522B18A8186DB20AF26E4443E9A761FB88794F904131EE5D877D4DF3CE541D791

Function 00007FF7F0C8D7A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F0C8D84F
__std_exception_copy.LIBVCRUNTIME ref: 00007FF7F0C8D888

Strings

ios_base::failbit set, xrefs: 00007FF7F0C8D7A0

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: __std_exception_copy_invalid_parameter_noinfo_noreturn
String ID: ios_base::failbit set
API String ID: 1109970293-3924258884
Opcode ID: 2dae5f259ea02f5800dd0fb95cc0902cc7ff92c4566ec65b08107df136b6acb7
Instruction ID: e75308ca5b7f2803d46affbc5d861481acfeb55ba25f3a33503ee14655995566
Opcode Fuzzy Hash: 2dae5f259ea02f5800dd0fb95cc0902cc7ff92c4566ec65b08107df136b6acb7
Instruction Fuzzy Hash: FD21B562E18BC581EB009B24E5411FAA360FF997A4F94A331EABC127D5EF2CE1D4C350

Function 00007FF7F0CCF8DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F0C8188F), ref: 00007FF7F0CCF920
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F0C8188F), ref: 00007FF7F0CCF966

Strings

csm, xrefs: 00007FF7F0CCF953

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 1a44634526b3016f394f355693c1c03c81eeb4f643c6e4adb53ce8f3033d8422
Instruction ID: ece7eb8a0225fe1297fd3b7b9680335abbb6b99009da724cb63f6e3ee1e5e47f
Opcode Fuzzy Hash: 1a44634526b3016f394f355693c1c03c81eeb4f643c6e4adb53ce8f3033d8422
Instruction Fuzzy Hash: 48114F32608B8582EB149F15F4402A9B7A1FF88B84F989234DE9D077A4DF3CE556C750

Function 00007FF7F0C95180 Relevance: 5.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C951B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C951D5
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C9522C
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F0CB7FF6), ref: 00007FF7F0C95254

Memory Dump Source

Source File: 00000000.00000002.2887520980.00007FF7F0C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F0C80000, based on PE: true

Associated: 00000000.00000002.2887507301.00007FF7F0C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887577332.00007FF7F0CFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887591370.00007FF7F0CFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887615642.00007FF7F0D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887629309.00007FF7F0D1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2887643060.00007FF7F0D20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f0c80000_3GNEyUm2j4.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 1c4ed7749a9ac3fe65df5828eef9af0ee08b4bdd10fc7c134e850e95be4edd88
Instruction ID: 4b8305f0b1cf0b6d8014d42bb4e54299562ed0e7a14638cb0c75b3f86144969e
Opcode Fuzzy Hash: 1c4ed7749a9ac3fe65df5828eef9af0ee08b4bdd10fc7c134e850e95be4edd88
Instruction Fuzzy Hash: 8E318831B09B4286EB24AF56A5501BAF7A2FF88790F984235DA6D47BE4DF3CE101C750

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3GNEyUm2j4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 3GNEyUm2j4.exePID: 1696, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: 3GNEyUm2j4.exePID: 1696, Parent PID: 2580COMMON

Non-executed Functions

Function 00007FF7F0C8AED0 Relevance: 81.4, APIs: 39, Strings: 7, Instructions: 950COMMON

Function 00007FF7F0CCA170 Relevance: 63.7, APIs: 31, Strings: 5, Instructions: 681memoryCOMMON

Function 00007FF7F0CCAFB0 Relevance: 58.3, APIs: 20, Strings: 13, Instructions: 506registryCOMMON

Function 00007FF7F0C81960 Relevance: 50.1, APIs: 25, Strings: 3, Instructions: 1061COMMON

Function 00007FF7F0CCA260 Relevance: 49.6, APIs: 23, Strings: 5, Instructions: 582COMMON

Function 00007FF7F0CDBFBC Relevance: 47.4, APIs: 24, Strings: 2, Instructions: 1877COMMON

Windows Analysis Report
3GNEyUm2j4.exe