Edit tour

Windows Analysis Report
wermgr.exe

Overview

General Information

Sample name:	wermgr.exe
Analysis ID:	1500429
MD5:	1a172e7c669fed8e6dcd1e4941568981
SHA1:	6f31b2c85122be3d8fa17e31baddde8efb443e68
SHA256:	757a6b10bc3560becba2b94182d4eee82db6d0f049d3298da8f5f3d19d69217d
Infos:
Errors Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Sigma detected: Suspicious Execution Location Of Wermgr.EXE

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w7x64

wermgr.exe (PID: 3560 cmdline: "C:\Users\user\Desktop\wermgr.exe" MD5: 1A172E7C669FED8E6DCD1E4941568981)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious Execution Location Of Wermgr.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\wermgr.exe", CommandLine: "C:\Users\user\Desktop\wermgr.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\wermgr.exe, NewProcessName: C:\Users\user\Desktop\wermgr.exe, OriginalFileName: C:\Users\user\Desktop\wermgr.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\user\Desktop\wermgr.exe", ProcessId: 3560, ProcessName: wermgr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Spreading
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

Source: wermgr.exe

Static PE information: certificate valid

Source: wermgr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: WerMgr.pdb source: wermgr.exe
Source:	Binary string: WerMgr.pdbGCTL source: wermgr.exe

Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC36AE4 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,		0_2_000000013FC36AE4
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC32A28 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,FindClose,		0_2_000000013FC32A28

Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC35BCC ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose,	0_2_000000013FC35BCC
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC2DAF0 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,	0_2_000000013FC2DAF0
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC37518 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue,	0_2_000000013FC37518
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC2DC3C DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,	0_2_000000013FC2DC3C
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC37840 NtQueryLicenseValue,	0_2_000000013FC37840

Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC35BCC	0_2_000000013FC35BCC
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC2BBD4	0_2_000000013FC2BBD4
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC28338	0_2_000000013FC28338
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC2D2A4	0_2_000000013FC2D2A4
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC34278	0_2_000000013FC34278
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC27290	0_2_000000013FC27290
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC3725C	0_2_000000013FC3725C
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC26908	0_2_000000013FC26908
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC37518	0_2_000000013FC37518
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC257F4	0_2_000000013FC257F4

Source: wermgr.exe, 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWerMgrj% vs wermgr.exe
Source: wermgr.exe	Binary or memory string: OriginalFilenameWerMgrj% vs wermgr.exe

Source: classification engine

Classification label: sus25.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\wermgr.exe

Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,

0_2_000000013FC35400

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC25560 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,_wcsicmp,GetCurrentProcessId,Process32NextW,CloseHandle,

0_2_000000013FC25560

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC2F3A4 CoInitializeEx,CoCreateInstance,#2,#6,CoUninitialize,

0_2_000000013FC2F3A4

Source: wermgr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: wermgr.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: wermgr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: wermgr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wermgr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wermgr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wermgr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wermgr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wermgr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wermgr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: wermgr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WerMgr.pdb source: wermgr.exe
Source:	Binary string: WerMgr.pdbGCTL source: wermgr.exe

Source: wermgr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wermgr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wermgr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wermgr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wermgr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: wermgr.exe	Static PE information: section name: .imrsiv
Source: wermgr.exe	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC25560 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,_wcsicmp,GetCurrentProcessId,Process32NextW,CloseHandle,

0_2_000000013FC25560

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC2CF20 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 000000013FC2D04Eh

0_2_000000013FC2CF20

Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC36AE4 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,		0_2_000000013FC36AE4
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC32A28 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,FindClose,		0_2_000000013FC32A28

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC2A2C0 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

0_2_000000013FC2A2C0

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC25560 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,_wcsicmp,GetCurrentProcessId,Process32NextW,CloseHandle,

0_2_000000013FC25560

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC223AC memset,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_000000013FC223AC

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC38338 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_000000013FC38338
Source: C:\Users\user\Desktop\wermgr.exe	Code function: 0_2_000000013FC37D20 SetUnhandledExceptionFilter,		0_2_000000013FC37D20

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC31528 CreateFileW,GetLastError,LocalFree,CloseHandle,CloseHandle,GetKernelObjectSecurity,GetLastError,GetKernelObjectSecurity,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetKernelObjectSecurity,GetLastError,

0_2_000000013FC31528

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC35BCC ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose,

0_2_000000013FC35BCC

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC37EF4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_000000013FC37EF4

Source: C:\Users\user\Desktop\wermgr.exe

Code function: 0_2_000000013FC27290 IsDebuggerPresent,Sleep,DebugBreak,EtwRegisterTraceGuidsW,SetProcessMitigationPolicy,GetLastError,WerpSetExitListeners,GetModuleFileNameW,GetLastError,CloseHandle,SetLastError,WerpCreateMachineStore,GetCommandLineW,CommandLineToArgvW,GetLastError,wcscmp,WerpOpenMachineQueue,WerpSubmitReportFromStore,wcscmp,WerpOpenMachineQueue,WerpSubmitReportFromStore,WerpCloseStore,wcscmp,WerStorePurge,wcscmp,memset,memset,memset,memset,memset,memset,memset,memset,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi64,_wtoi,_wcsicmp,wcscmp,WerpOpenMachineQueue,WerpCloseStore,wcscmp,wcscmp,_wtoi64,_wtoi,wcscmp,GetSystemTime,GetSystemTime,WerpCleanWer,wcscmp,wcscmp,_wtoi,wcscmp,wcscmp,WerpCleanWer,LocalFree,CloseHandle,EtwUnregisterTraceGuids,memset,CloseHandle,

0_2_000000013FC27290

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	Direct Volume Access	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wermgr.exe	0%	ReversingLabs
wermgr.exe	0%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500429
Start date and time:	2024-08-28 12:51:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wermgr.exe
Detection:	SUS
Classification:	sus25.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target wermgr.exe, PID 3560 because there are no executed function

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.744106314775916
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wermgr.exe
File size:	237'424 bytes
MD5:	1a172e7c669fed8e6dcd1e4941568981
SHA1:	6f31b2c85122be3d8fa17e31baddde8efb443e68
SHA256:	757a6b10bc3560becba2b94182d4eee82db6d0f049d3298da8f5f3d19d69217d
SHA512:	c4c9d13460cdbdc666add79ef5aa5b992a0b8abe7125ceb06aa39f6166d1f543b78ad81e053a2c872ceed56281eaff8eba812a2af3d49cacbfee37214a717952
SSDEEP:	6144:X2/mTctCTgfqJkvL7SqPsZO7VJyB60OHyLC7vPM:X2/nkv8tyOZc2Hywc
TLSH:	C4348E1E63E920A9D57A8334C5A10215FB72B8352B129AEF12E0C57C2F236E4FD39F55
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5...5...5...<..._...!...6...!.......5...C...!...<...!...>...!.......!.m.4...!...4...Rich5...........PE..d...O..U.........."

File Icon


Icon Hash:	0153e155070b6f2f

Static PE Info

General

Entrypoint:	0x140017a80
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x55DD874F [Wed Aug 26 09:30:55 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	69c608216376ca2d62c0c27fb0b423e6

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/16/2023 11:20:09 AM 11/14/2024 11:20:09 AM
Subject Chain	CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	9B7554FFA2D97FE692CB10D7B2E315A7
Thumbprint SHA-1:	D8FB0CC66A08061B42D46D03546F0D42CBC49B7C
Thumbprint SHA-256:	2D7FFCE2C256016291B67285456AA8DA779D711BBF8E6B85C212A157DDFBE77E
Serial:	3300000460CF42A912315F6FB3000000000460

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE680818A90h
dec eax
add esp, 28h
jmp 00007FE68081862Bh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [00003A25h]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [0000F4C2h], ebx
je 00007FE68081862Ch
dec eax
cmp eax, ebx
jne 00007FE68081863Ch
mov edi, 00000001h
mov eax, dword ptr [0000F4B8h]
cmp eax, 01h
jne 00007FE680818639h
lea ecx, dword ptr [eax+1Eh]
call 00007FE680818923h
jmp 00007FE68081869Ch
mov ecx, 000003E8h
call dword ptr [00003B66h]
jmp 00007FE6808185E9h
mov eax, dword ptr [0000F496h]
test eax, eax
jne 00007FE68081867Bh
mov dword ptr [0000F488h], 00000001h
dec esp
lea esi, dword ptr [000040B9h]
dec eax
lea ebx, dword ptr [0000409Ah]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007FE680818647h
test eax, eax
jne 00007FE680818647h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007FE680818632h
dec eax
mov eax, dword ptr [ebx]
dec eax
mov ecx, dword ptr [00004010h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x22388	0x334	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x13a30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x28000	0xf00	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x37a00	0x2570	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0x17c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1fee0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1b190	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b2a8	0x8a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x22214	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1801b	0x18200	a83f664d1b3131d3036a83b878b0858c	False	0.5238827720207254	data	6.201367584649599	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.imrsiv	0x1a000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1b000	0x9726	0x9800	a45f818c82ceb54eb32d0ef9da1a8e01	False	0.3518194901315789	data	4.933013288945532	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25000	0x2030	0xc00	005b1c725cc820a94d0204a5f03829d7	False	0.16145833333333334	data	1.797451517506682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x28000	0xf00	0x1000	5b630396d97be6c86ab34492dd5bb725	False	0.504150390625	data	4.988688162510373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x29000	0x40	0x200	36266f4e77cbc85d878b16f82d74131e	False	0.06640625	data	0.4166859590675565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2a000	0x13a30	0x13c00	165ec12878d7a38ec85accbb5127b554	False	0.8342192444620253	data	7.303610264094643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0x17c	0x200	7de2ecc7d0ae0d77124d42321cbe0a12	False	0.587890625	data	4.383081500990053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2a8e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.4871951219512195
RT_ICON	0x2af48	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.6061827956989247
RT_ICON	0x2b230	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.6372950819672131
RT_ICON	0x2b418	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6283783783783784
RT_ICON	0x2b540	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6489872068230277
RT_ICON	0x2c3e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7802346570397112
RT_ICON	0x2cc90	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.815668202764977
RT_ICON	0x2d358	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5758670520231214
RT_ICON	0x2d8c0	0xb8dd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9954569466455362
RT_ICON	0x391a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6060165975103734
RT_ICON	0x3b748	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6690900562851783
RT_ICON	0x3c7f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7090163934426229
RT_ICON	0x3d178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6657801418439716
RT_GROUP_ICON	0x3d5e0	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0x3d6a0	0x390	PGP symmetric key encrypted data - Plaintext or unencrypted data	English	United States	0.45614035087719296
RT_MANIFEST	0x2a370	0x56c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.38760806916426516

Imports

DLL	Import
msvcrt.dll	memset, _onexit, __dllonexit, _unlock, _lock, ?terminate@@YAXXZ, _commode, _fmode, ??1type_info@@UEAA@XZ, memcpy, _callnewh, __C_specific_handler, memcmp, _CxxThrowException, _initterm, __setusermatherr, _ismbblead, malloc, free, ??0exception@@QEAA@AEBV0@@Z, ??0exception@@QEAA@XZ, _cexit, _exit, ??1exception@@UEAA@XZ, exit, __set_app_type, realloc, memmove, _purecall, _XcptFilter, __CxxFrameHandler3, __getmainargs, _amsg_exit, _acmdln, wcscmp
api-ms-win-core-synch-l1-2-0.dll	InitOnceComplete, Sleep, InitOnceBeginInitialize
api-ms-win-core-processthreads-l1-1-0.dll	GetCurrentThreadId, GetStartupInfoW, CreateProcessW, TerminateProcess, GetCurrentProcessId, OpenProcessToken, GetCurrentThread, GetCurrentProcess, OpenThreadToken, GetProcessId
api-ms-win-core-errorhandling-l1-1-0.dll	UnhandledExceptionFilter, GetLastError, SetUnhandledExceptionFilter, SetLastError
api-ms-win-core-libraryloader-l1-2-0.dll	LoadLibraryExW, GetProcAddress, GetModuleHandleExW, GetModuleFileNameW, GetModuleFileNameA, GetModuleHandleW, FreeLibrary
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetTickCount, GetSystemDirectoryW, GetSystemTime, GetTickCount64, GetSystemTimeAsFileTime
ntdll.dll	RtlInitUnicodeString, NtOpenEvent, RtlNtStatusToDosError, EtwTraceMessage, EtwGetTraceLoggerHandle, EtwGetTraceEnableLevel, EtwGetTraceEnableFlags, EtwRegisterTraceGuidsW, EtwUnregisterTraceGuids, memcpy_s, memmove_s, _vsnwprintf, _wcsicmp, _wtoi64, _wtoi, _vsnprintf_s, DbgPrintEx, wcsncmp, wcsrchr, _vscwprintf, toupper, RtlFreeSid, NtAlpcSendWaitReceivePort, NtAlpcConnectPort, RtlAllocateAndInitializeSid, NtWaitForSingleObject, EtwEventWriteNoRegistration, ZwUpdateWnfStateData, ZwQueryWnfStateNameInformation, RtlCreateBoundaryDescriptor, RtlCreateServiceSid, RtlAddSIDToBoundaryDescriptor, RtlDeleteBoundaryDescriptor, NtQueryLicenseValue, NtQuerySystemInformation, NtClose, NtQueryInformationProcess, _wcsnicmp
api-ms-win-core-windowserrorreporting-l1-1-0.dll	GetApplicationRecoveryCallback
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook
api-ms-win-core-heap-l1-1-0.dll	HeapFree, HeapAlloc, GetProcessHeap
api-ms-win-core-synch-l1-1-0.dll	ReleaseSRWLockShared, CreateEventW, ReleaseSRWLockExclusive, SetEvent, AcquireSRWLockExclusive, LeaveCriticalSection, OpenMutexW, AcquireSRWLockShared, CreateMutexExW, WaitForSingleObjectEx, ReleaseMutex, OpenSemaphoreW, ReleaseSemaphore, WaitForSingleObject, CreateSemaphoreExW, DeleteCriticalSection, InitializeCriticalSectionEx, EnterCriticalSection, CreateMutexW
api-ms-win-core-threadpool-l1-2-0.dll	CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CreateThreadpoolTimer, SetThreadpoolTimer
api-ms-win-core-debug-l1-1-0.dll	DebugBreak, OutputDebugStringW, IsDebuggerPresent
api-ms-win-core-localization-l1-2-0.dll	FormatMessageW
api-ms-win-eventing-provider-l1-1-0.dll	EventUnregister, EventSetInformation, EventRegister, EventWriteTransfer, EventProviderEnabled
api-ms-win-core-handle-l1-1-0.dll	CloseHandle, DuplicateHandle
api-ms-win-core-wow64-l1-1-0.dll	Wow64RevertWow64FsRedirection, IsWow64Process, Wow64DisableWow64FsRedirection
api-ms-win-core-processthreads-l1-1-1.dll	OpenProcess, SetProcessMitigationPolicy
api-ms-win-core-synch-l1-2-1.dll	WaitForMultipleObjects
api-ms-win-core-file-l1-1-0.dll	CreateFileW, GetFileTime, FindFirstFileExW, GetFileSizeEx, ReadFile, SetFileInformationByHandle, GetFinalPathNameByHandleW, SetFileAttributesW, FindClose, FindNextFileW, FindFirstFileW, GetLongPathNameW, GetFileAttributesW
api-ms-win-core-timezone-l1-1-0.dll	FileTimeToSystemTime, SystemTimeToFileTime
api-ms-win-core-com-l1-1-0.dll	CoInitializeSecurity, CoMarshalInterface, CoCreateInstance, CoInitializeEx, CoUninitialize
api-ms-win-core-memory-l1-1-0.dll	ReadProcessMemory, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW
api-ms-win-core-processenvironment-l1-1-0.dll	GetCommandLineW, ExpandEnvironmentStringsW
api-ms-win-core-heap-l2-1-0.dll	LocalAlloc, LocalFree
api-ms-win-core-registry-l1-1-0.dll	RegCreateKeyExW, RegSetValueExW, RegEnumKeyExW, RegQueryValueExW, RegCloseKey, RegQueryInfoKeyW, RegGetValueW, RegOpenKeyExW
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
OLEAUT32.dll	SysAllocString, SysFreeString
api-ms-win-security-base-l1-1-0.dll	GetSidSubAuthorityCount, FreeSid, GetTokenInformation, AllocateAndInitializeSid, CheckTokenMembership, GetSidSubAuthority, GetKernelObjectSecurity, GetSecurityDescriptorDacl, SetKernelObjectSecurity, SetSecurityDescriptorDacl, InitializeSecurityDescriptor
api-ms-win-service-management-l1-1-0.dll	OpenSCManagerW, CloseServiceHandle, OpenServiceW
api-ms-win-service-management-l2-1-0.dll	QueryServiceStatusEx
api-ms-win-service-winsvc-l1-1-0.dll	ControlService
api-ms-win-security-provider-l1-1-0.dll	SetEntriesInAclW
api-ms-win-core-toolhelp-l1-1-0.dll	Process32FirstW, Process32NextW, CreateToolhelp32Snapshot
api-ms-win-shcore-obsolete-l1-1-0.dll	CommandLineToArgvW
wer.dll	WerReportAddDump, WerReportSubmit, WerpSetCallBack, WerpSetReportInformation, WerpGetReportInformation, WerpGetReportType, WerpGetReportSettings, WerpLoadReportFromBuffer, WerReportCloseHandle, WerpDestroyWerString, WerpCleanWer, WerStorePurge, WerpCloseStore, WerpCreateMachineStore, WerpSetExitListeners, WerpSubmitReportFromStore, WerpGetWerStringData, WerpEnumerateStoreNext, WerpEnumerateStoreStart, WerpOpenMachineQueue, WerpIsOnBattery, WerpIsTransportAvailable
api-ms-win-core-namespace-l1-1-0.dll	OpenPrivateNamespaceW, ClosePrivateNamespace

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• wermgr.exe

Click to jump to process

Memory Usage

• wermgr.exe

Click to jump to process

Target ID:	0
Start time:	06:52:06
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\wermgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wermgr.exe"
Imagebase:	0x13fc20000
File size:	237'424 bytes
MD5 hash:	1A172E7C669FED8E6DCD1E4941568981
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 000000013FC27290 Relevance: 191.6, APIs: 68, Strings: 41, Instructions: 867sleepCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC27361
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC273A7
DebugBreak.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC273B8
EtwRegisterTraceGuidsW.NTDLL ref: 000000013FC27475
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(?,?,?,?,?,000000013FC37C38), ref: 000000013FC27496
WerpSetExitListeners.WER(?,?,?,?,?,000000013FC37C38), ref: 000000013FC274EA
GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC27505

Part of subcall function 000000013FC2F334: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2F365
Part of subcall function 000000013FC2F334: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2F37D

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC27576
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC27587
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC27595
WerpCreateMachineStore.WER(?,?,?,?,?,000000013FC37C38), ref: 000000013FC275A5
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC275F6
CommandLineToArgvW.API-MS-WIN-SHCORE-OBSOLETE-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC2760A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC27623
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC274A6

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC280AC
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,000000013FC37C38), ref: 000000013FC280C6
EtwUnregisterTraceGuids.NTDLL(?,?,?,?,?,000000013FC37C38), ref: 000000013FC280F0

Strings

COutofProcReportManager::Start failed, xrefs: 000000013FC27B18
-queuereporting_s_machine, xrefs: 000000013FC277A4
-queuereporting_svc, xrefs: 000000013FC276D8
WinMain, xrefs: 000000013FC27524, 000000013FC27B24
-purgestores, xrefs: 000000013FC27877
Wrong number of args for WERMGR_CMDLINE_WAIT_FOR_PENDING_REPORTS, xrefs: 000000013FC27FDB
Wrong number of args for WERMGR_CMDLINE_OUT_PROC_REPORTING, xrefs: 000000013FC27B56
Software\Microsoft\Windows\Windows Error Reporting\Debug, xrefs: 000000013FC2730C, 000000013FC2738A
Initiating live report flush, xrefs: 000000013FC27B96
StartNonElevatedProcessInstance failed., xrefs: 000000013FC27D20
Failed to purge WER stores, xrefs: 000000013FC278A9
Failed to load policy settings., xrefs: 000000013FC276A6
DataCollectorCreate failed, xrefs: 000000013FC27D7A
-datacollectorcreate, xrefs: 000000013FC27D33
Could not get command line arguments., xrefs: 000000013FC2764F
WerpCleanWer failed, xrefs: 000000013FC28047
Wrong number of args WERMGR_CMDLINE_QUEUE_REPORTING_SVC, xrefs: 000000013FC2778E
WerpSubmitReportFromStore failed, xrefs: 000000013FC27778, 000000013FC2781A
Too few arguments, aborting., xrefs: 000000013FC27670
-queuereporting, xrefs: 000000013FC27B6C
Unrecognized argument: %ws, xrefs: 000000013FC2807B
DoQueueReporting failed, xrefs: 000000013FC27CEE
-clean, xrefs: 000000013FC2801E
WerpCreateMachineStore failed, exiting., xrefs: 000000013FC275CC
-outproc, xrefs: 000000013FC278C8
wermgr, xrefs: 000000013FC272D0, 000000013FC28170
-boot, xrefs: 000000013FC27FEE
-upload, xrefs: 000000013FC27DB4
Wrong number of args WERMGR_CMDLINE_QUEUE_REPORTING_SINGLE_MACHINE, xrefs: 000000013FC27861
WaitForPendingReports called with invalid timeout value., xrefs: 000000013FC27FA6
WaitForPending reports failed, xrefs: 000000013FC27FCD
Could not open queue store, xrefs: 000000013FC2773F, 000000013FC277DC
-nonelevated, xrefs: 000000013FC27D08
UpdateLastPesterTime failed, xrefs: 000000013FC27C6D
Starting %ws..., xrefs: 000000013FC2752B
-uploadforce, xrefs: 000000013FC27F38
-waitforpendingreports, xrefs: 000000013FC27F75
DoCoreUpload failed, xrefs: 000000013FC27F27, 000000013FC27F64
Not launching reporting console: pester has not expired, xrefs: 000000013FC27CC6
DoBootActivities failed, xrefs: 000000013FC28010
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC2753A, 000000013FC27832, 000000013FC2789D, 000000013FC27B34, 000000013FC27BA2, 000000013FC27C79, 000000013FC27CD2, 000000013FC27D96, 000000013FC28053, 000000013FC28087

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLast$CloseTrace$CommandGuidsHandleLineWerp$ArgvBreakCreateDebugDebuggerExitFileFreeListenersLocalMachineMessageMitigationModuleNameOpenPolicyPresentProcessRegisterSleepStoreUnregister
String ID: -boot$-clean$-datacollectorcreate$-nonelevated$-outproc$-purgestores$-queuereporting$-queuereporting_s_machine$-queuereporting_svc$-upload$-uploadforce$-waitforpendingreports$COutofProcReportManager::Start failed$Could not get command line arguments.$Could not open queue store$DataCollectorCreate failed$DoBootActivities failed$DoCoreUpload failed$DoQueueReporting failed$Failed to load policy settings.$Failed to purge WER stores$Initiating live report flush$Not launching reporting console: pester has not expired$Software\Microsoft\Windows\Windows Error Reporting\Debug$StartNonElevatedProcessInstance failed.$Starting %ws...$Too few arguments, aborting.$Unrecognized argument: %ws$UpdateLastPesterTime failed$WaitForPending reports failed$WaitForPendingReports called with invalid timeout value.$WerpCleanWer failed$WerpCreateMachineStore failed, exiting.$WerpSubmitReportFromStore failed$WinMain$Wrong number of args WERMGR_CMDLINE_QUEUE_REPORTING_SINGLE_MACHINE$Wrong number of args WERMGR_CMDLINE_QUEUE_REPORTING_SVC$Wrong number of args for WERMGR_CMDLINE_OUT_PROC_REPORTING$Wrong number of args for WERMGR_CMDLINE_WAIT_FOR_PENDING_REPORTS$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp$wermgr
API String ID: 2861752363-859412659
Opcode ID: 2db2f6c4aee9c3242bd8360117e08cd3f7accd7b0866914a6553919d8142f5cb
Instruction ID: 6e9b07965d38597ee8850fc0fc25f8d2726242ca28f05282e94d5e754ade9b59
Opcode Fuzzy Hash: 2db2f6c4aee9c3242bd8360117e08cd3f7accd7b0866914a6553919d8142f5cb
Instruction Fuzzy Hash: F392803AA40B4896EB10DB21E890BE977B4F789798F50613ADE4D477A9DF38C746C700

Function 000000013FC2D2A4 Relevance: 67.0, APIs: 37, Strings: 1, Instructions: 462fileCOMMON

Download Yara Rule

APIs

OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 000000013FC2D2F3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2D30B
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2D362
UnmapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2D37A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC2D392
free.MSVCRT ref: 000000013FC2D3B3
free.MSVCRT ref: 000000013FC2D3C2
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FC2D3EA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC2D3FF
UnmapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2D413
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC2D427

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2D465
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2D479

Strings

WinMain, xrefs: 000000013FC2D2B1

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseFileHandleView$ErrorLastUnmapfree$EventMessageOpenProcessTraceUninitialize
String ID: WinMain
API String ID: 3617938961-1287201471
Opcode ID: 98a2a61c572a69b1c04668544bc6738cdd7278d3e9a88eac152f9e57c9c90f63
Instruction ID: 8d4981a3b079ed2308526ef02e29125850877def05a51d44960da974dce8a270
Opcode Fuzzy Hash: 98a2a61c572a69b1c04668544bc6738cdd7278d3e9a88eac152f9e57c9c90f63
Instruction Fuzzy Hash: E4227D3AA40B589AEB518F15E494BE8BBE0F798B44F54A12EDE0D43794DF38C647C740

Function 000000013FC31528 Relevance: 51.2, APIs: 28, Strings: 1, Instructions: 457fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC3158F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC315A8
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 000000013FC3160F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC31636
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC3165D

Strings

WinMain, xrefs: 000000013FC31532

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseHandle$CreateErrorFileFreeLastLocal
String ID: WinMain
API String ID: 489493324-1287201471
Opcode ID: fd036c4e982b65a9661d271841ea61ececc9c7e7ac3e8476a3fc83700d8a20db
Instruction ID: 42e54fa85967a29859c9997006317e39cab071e9ddbcc602a29e76a7047734f6
Opcode Fuzzy Hash: fd036c4e982b65a9661d271841ea61ececc9c7e7ac3e8476a3fc83700d8a20db
Instruction Fuzzy Hash: 6812AD35E80B488EFB518BA1D450BE87BE0FB85B88F54613ACD0A566A1DF7DC74B8740

Function 000000013FC34278 Relevance: 49.6, APIs: 14, Strings: 14, Instructions: 562registryCOMMON

Download Yara Rule

APIs

RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC34495
RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC344ED

Part of subcall function 000000013FC22068: EtwTraceMessage.NTDLL ref: 000000013FC220BD

Strings

DebugApplications, xrefs: 000000013FC3430D
Consent, xrefs: 000000013FC342C9
SOFTWARE\Policies\Microsoft\SQMClient, xrefs: 000000013FC34AD2, 000000013FC34B1E
DefaultConsent, xrefs: 000000013FC34480
IsTest, xrefs: 000000013FC34B17, 000000013FC34B3F
Software\Policies\Microsoft\Windows\Windows Error Reporting, xrefs: 000000013FC3454F, 000000013FC346D6, 000000013FC34895
MSFTInternal, xrefs: 000000013FC34ACB, 000000013FC34AF3
Software\Microsoft\Windows\Windows Error Reporting, xrefs: 000000013FC34610, 000000013FC34775, 000000013FC34924
WinMain, xrefs: 000000013FC3427E
NewUserDefaultConsent, xrefs: 000000013FC344DC
SOFTWARE\Microsoft\SQMClient, xrefs: 000000013FC34AFA, 000000013FC34B46
ExcludedApplications, xrefs: 000000013FC342EF
BrokerUp, xrefs: 000000013FC3432B
Software\Microsoft\Windows\Windows Error Reporting\Consent, xrefs: 000000013FC34487, 000000013FC344E3

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Value$MessageTrace
String ID: BrokerUp$Consent$DebugApplications$DefaultConsent$ExcludedApplications$IsTest$MSFTInternal$NewUserDefaultConsent$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Policies\Microsoft\SQMClient$Software\Microsoft\Windows\Windows Error Reporting$Software\Microsoft\Windows\Windows Error Reporting\Consent$Software\Policies\Microsoft\Windows\Windows Error Reporting$WinMain
API String ID: 3200595266-2927544473
Opcode ID: 3a5497280f1f9d5db03e81602453e5747b25b77ba3b47d52ae16e172b5cbfe5b
Instruction ID: e96e2ca919f50ed5201cae1701153eb1f6df514f47ef5d4b6fcc2147010e6ced
Opcode Fuzzy Hash: 3a5497280f1f9d5db03e81602453e5747b25b77ba3b47d52ae16e172b5cbfe5b
Instruction Fuzzy Hash: 60427D36A80A4896EB20DB11E850FD977A1F785788F50253EDE4953BA9DB3DC707DB00

Function 000000013FC26908 Relevance: 47.6, APIs: 13, Strings: 14, Instructions: 310COMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FC26995
WerpIsOnBattery.WER ref: 000000013FC269E5
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FC26E52

Strings

Uploading report %ws, xrefs: 000000013FC26BBD
Core uploader begin, xrefs: 000000013FC26965
Failed to open machine store, xrefs: 000000013FC26E15
Upload completed for report %ws. (SubmitResult = %d), xrefs: 000000013FC26D6C
DoCoreUpload, xrefs: 000000013FC26979, 000000013FC269AF, 000000013FC26BD1, 000000013FC26C1F
Core uploader complete, xrefs: 000000013FC26DD8
WinMain, xrefs: 000000013FC2690E
WerpEnumerateStoreNext2 failed, xrefs: 000000013FC26DFB
Another instance of wermgr is uploading reports, xrefs: 000000013FC26ABC
Unexpected report with NULL report path, xrefs: 000000013FC26E09
WerpEnumerateStoreNext failed, xrefs: 000000013FC26B74
Upload failed for report %ws, xrefs: 000000013FC26C3A
WerpEnumerateStoreStart failed, xrefs: 000000013FC26B36
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC26980, 000000013FC269B6, 000000013FC26BD8, 000000013FC26C26

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: BatteryInitializeUninitializeWerp
String ID: Another instance of wermgr is uploading reports$Core uploader begin$Core uploader complete$DoCoreUpload$Failed to open machine store$Unexpected report with NULL report path$Upload completed for report %ws. (SubmitResult = %d)$Upload failed for report %ws$Uploading report %ws$WerpEnumerateStoreNext failed$WerpEnumerateStoreNext2 failed$WerpEnumerateStoreStart failed$WinMain$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 895160077-2650087653
Opcode ID: af2c5d865346362672dc5ee0767c0081ec0d7b715e640381786e4cdfdcc30590
Instruction ID: 6f257a129f971ac2cc7e1d548d748a551a9d8a7e634d1bc70eb7e4f5e689775e
Opcode Fuzzy Hash: af2c5d865346362672dc5ee0767c0081ec0d7b715e640381786e4cdfdcc30590
Instruction Fuzzy Hash: 19E15D3AA44B489AEB10CF20E450BED7BA4F788794F50253ADA8D53B64DF3CC646DB50

Function 000000013FC35BCC Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 221nativememoryCOMMON

Download Yara Rule

APIs

ZwQueryWnfStateNameInformation.NTDLL ref: 000000013FC35C36
ZwUpdateWnfStateData.NTDLL ref: 000000013FC35C6B
EtwEventWriteNoRegistration.NTDLL ref: 000000013FC35C95
NtQuerySystemInformation.NTDLL ref: 000000013FC35CC9
NtOpenEvent.NTDLL ref: 000000013FC35D23
NtWaitForSingleObject.NTDLL ref: 000000013FC35D58
NtClose.NTDLL ref: 000000013FC35D6B
RtlAllocateAndInitializeSid.NTDLL ref: 000000013FC35DC7
RtlInitUnicodeString.NTDLL ref: 000000013FC35E01
memset.MSVCRT ref: 000000013FC35E32
NtAlpcConnectPort.NTDLL ref: 000000013FC35E87
memset.MSVCRT ref: 000000013FC35EB0
NtAlpcSendWaitReceivePort.NTDLL ref: 000000013FC35EED
RtlFreeSid.NTDLL ref: 000000013FC35F22
NtClose.NTDLL ref: 000000013FC35F38

Strings

\KernelObjects\SystemErrorPortReady, xrefs: 000000013FC35CE4
\WindowsErrorReportingServicePort, xrefs: 000000013FC35DF6
WinMain, xrefs: 000000013FC35BD8

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AlpcCloseEventInformationPortQueryStateWaitmemset$AllocateConnectDataFreeInitInitializeNameObjectOpenReceiveRegistrationSendSingleStringSystemUnicodeUpdateWrite
String ID: WinMain$\KernelObjects\SystemErrorPortReady$\WindowsErrorReportingServicePort
API String ID: 1565259173-3005374935
Opcode ID: 0481423c07e816be0f27b19d8e0689670189e97c71f411254137b787a1c152d9
Instruction ID: 33d2b8a496de5a135ecbca527feeb94bab2e419b9aca8181efa528d73a90b433
Opcode Fuzzy Hash: 0481423c07e816be0f27b19d8e0689670189e97c71f411254137b787a1c152d9
Instruction Fuzzy Hash: 88A17072A50B858BE7108F65E8807DEBBF4F789798F50552AEA8913B58DF3CC245CB40

Function 000000013FC257F4 Relevance: 28.5, APIs: 15, Strings: 1, Instructions: 481sleepCOMMON

Download Yara Rule

APIs

GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25825
GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25843
OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25919
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25956
new.LIBCMT ref: 000000013FC259D0
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25A68
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25B07
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25B57
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25B75

Part of subcall function 000000013FC2215C: EtwTraceMessage.NTDLL ref: 000000013FC22191

Part of subcall function 000000013FC281D8: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC28227

new.LIBCMT ref: 000000013FC25C14
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25C50
WaitForMultipleObjects.API-MS-WIN-CORE-SYNCH-L1-2-1(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25CF3
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25D92
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25E20
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,?,00000000), ref: 000000013FC25E71

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

Part of subcall function 000000013FC21FF8: EtwTraceMessage.NTDLL ref: 000000013FC2200B

Strings

WinMain, xrefs: 000000013FC257FE

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseHandle$MessageTrace$Count64ErrorLastTick$MultipleObjectsOpenProcessSleepWaitmemcpy
String ID: WinMain
API String ID: 78726758-1287201471
Opcode ID: 32756e832c57f7232f3da0df6ebe82d51ce793c6d48097e16a802ed82cedd6a2
Instruction ID: c49d4debd94c236208f9b4676097326cff9f105f1d13fe8e47a6bdc666c30854
Opcode Fuzzy Hash: 32756e832c57f7232f3da0df6ebe82d51ce793c6d48097e16a802ed82cedd6a2
Instruction Fuzzy Hash: CD22A03AB91A4895EF14DB25D500BE923A1E741BB8F546B2ACE2D177E6DF38C647C300

Function 000000013FC2BBD4 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 216synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC2BC19

Part of subcall function 000000013FC2A7C8: _vsnwprintf.NTDLL ref: 000000013FC2A808

CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2BC5C
WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2BC8A

Part of subcall function 000000013FC29A08: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC29A0C

Strings

Local\SM0:%d:%d:%hs, xrefs: 000000013FC2BC35
wil::details_abi::SemaphoreValue::TryGetPointer, xrefs: 000000013FC2BCEE
wil::details_abi::ProcessLocalStorageData<struct wil::details_abi::ProcessLocalData>::Acquire, xrefs: 000000013FC2BEEE
x, xrefs: 000000013FC2BC2D
wil::details_abi::ProcessLocalStorageData<struct wil::details_abi::ProcessLocalData>::MakeAndInitialize, xrefs: 000000013FC2BDEA, 000000013FC2BE2F
wil, xrefs: 000000013FC2BCD8

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexObjectProcessSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$wil$wil::details_abi::ProcessLocalStorageData<struct wil::details_abi::ProcessLocalData>::Acquire$wil::details_abi::ProcessLocalStorageData<struct wil::details_abi::ProcessLocalData>::MakeAndInitialize$wil::details_abi::SemaphoreValue::TryGetPointer$x
API String ID: 3333087404-1316886697
Opcode ID: d99bdec38ab70a44e845008b1ccab3e45bf72a8c17ab162d1956a8a46a44977f
Instruction ID: 9f390652e843f28e42fb3590fb888bbb6d1d2ac352b9ac65762a6fc031600e0d
Opcode Fuzzy Hash: d99bdec38ab70a44e845008b1ccab3e45bf72a8c17ab162d1956a8a46a44977f
Instruction Fuzzy Hash: 25919436A40B4896EB64CF25E840BD9B7A0F788B90F55613AEA4E47B95DF38C747C700

Function 000000013FC28338 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 218synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC2837D

Part of subcall function 000000013FC2A7C8: _vsnwprintf.NTDLL ref: 000000013FC2A808

CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC283C0
WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC283EE

Part of subcall function 000000013FC29A08: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC29A0C

Strings

wil::details_abi::ProcessLocalStorageData<class wil::details_abi::FeatureStateData>::Acquire, xrefs: 000000013FC2866C
Local\SM0:%d:%d:%hs, xrefs: 000000013FC28399
wil::details_abi::SemaphoreValue::TryGetPointer, xrefs: 000000013FC28452
wil::details_abi::ProcessLocalStorageData<class wil::details_abi::FeatureStateData>::MakeAndInitialize, xrefs: 000000013FC28550, 000000013FC28595
wil, xrefs: 000000013FC2843C

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexObjectProcessSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$wil$wil::details_abi::ProcessLocalStorageData<class wil::details_abi::FeatureStateData>::Acquire$wil::details_abi::ProcessLocalStorageData<class wil::details_abi::FeatureStateData>::MakeAndInitialize$wil::details_abi::SemaphoreValue::TryGetPointer
API String ID: 3333087404-3178716754
Opcode ID: 295b2124c23aba9c5ca387d96cdca872877062721987756b2596d104bc66219e
Instruction ID: c74c00fa70325c5afd79cd527e3e5eb377aaac9d7590c22139ae559e0d187e02
Opcode Fuzzy Hash: 295b2124c23aba9c5ca387d96cdca872877062721987756b2596d104bc66219e
Instruction Fuzzy Hash: 5B91B236A40B5892EB60CF25E840BE9B7A0F788B90F54613ADE4E47B95DF38C243C700

Function 000000013FC35400 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 000000013FC35460
RtlCreateBoundaryDescriptor.NTDLL ref: 000000013FC35472
RtlInitUnicodeString.NTDLL ref: 000000013FC354D2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC35542
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC35559
RtlCreateServiceSid.NTDLL ref: 000000013FC354E8

Part of subcall function 000000013FC21FF8: EtwTraceMessage.NTDLL ref: 000000013FC2200B

RtlCreateServiceSid.NTDLL ref: 000000013FC355AE
RtlAddSIDToBoundaryDescriptor.NTDLL ref: 000000013FC35609
OpenPrivateNamespaceW.API-MS-WIN-CORE-NAMESPACE-L1-1-0 ref: 000000013FC3564A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC3565E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC356A9
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC356BD
RtlDeleteBoundaryDescriptor.NTDLL ref: 000000013FC356D2

Strings

WerSvcNameSpaceBoundary, xrefs: 000000013FC35455
WerSvc, xrefs: 000000013FC354C7, 000000013FC35643

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$BoundaryCreateDescriptor$InitProcessServiceStringUnicode$AllocDeleteErrorFreeLastMessageNamespaceOpenPrivateTrace
String ID: WerSvc$WerSvcNameSpaceBoundary
API String ID: 601950081-2784671735
Opcode ID: 938f9ac402e7a40bd8ce8b6c01c721e25dd30f3232cce9975344be847907c830
Instruction ID: 3c1e67edbd3e6b433f39355526039aaa87535e4dbfb3cbca77b84ec45d34a77c
Opcode Fuzzy Hash: 938f9ac402e7a40bd8ce8b6c01c721e25dd30f3232cce9975344be847907c830
Instruction Fuzzy Hash: 27816275A81B4A9AEB168B15D450BE837A0E748788F54683BC90E477A2DF3DCB4BC740

Function 000000013FC32A28 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 266fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC32AAF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC32AC0

Part of subcall function 000000013FC21FF8: EtwTraceMessage.NTDLL ref: 000000013FC2200B

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC32BFA
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC32C0F
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC32DA1
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC32DB8
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC32E6F

Strings

., xrefs: 000000013FC32C83
onecore\windows\feedback\core\common\lib\utilitydownlevel.cpp, xrefs: 000000013FC32D88, 000000013FC32E24
W, xrefs: 000000013FC32B55
%s\*, xrefs: 000000013FC32BAB
Could not remove directory '%ws', xrefs: 000000013FC32E15
%s\%s, xrefs: 000000013FC32CA4
Could not delete file '%ws', xrefs: 000000013FC32D79

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Find$File$CloseErrorLast$AttributesFirstMessageNextTrace
String ID: %s\%s$%s\*$.$Could not delete file '%ws'$Could not remove directory '%ws'$W$onecore\windows\feedback\core\common\lib\utilitydownlevel.cpp
API String ID: 3131396492-4013683615
Opcode ID: 6c0b639b3b28f1a2b04030450cbfa29349f8cc01d79473e58cae8f9b1452f678
Instruction ID: cd19cfe65bfbcb594d8ddb30eaadabea625c87e2c70ced145215ce9ad55afa93
Opcode Fuzzy Hash: 6c0b639b3b28f1a2b04030450cbfa29349f8cc01d79473e58cae8f9b1452f678
Instruction Fuzzy Hash: 75C1BB35A80B4886FB608B15E450BE97390E788BD4F50662F9E6A47695CF7CCB47CB40

Function 000000013FC37518 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 215librarynativeloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC37591
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC375AF

Part of subcall function 000000013FC36E44: RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC36E7D

Part of subcall function 000000013FC36F68: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36F9E
Part of subcall function 000000013FC36F68: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36FBC
Part of subcall function 000000013FC36F68: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36FD5
Part of subcall function 000000013FC36F68: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC3721A

NtQueryLicenseValue.NTDLL ref: 000000013FC375E1
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC37657
NtQueryLicenseValue.NTDLL ref: 000000013FC37809

Strings

Software\Policies\Microsoft\Windows\DataCollection, xrefs: 000000013FC37697
Reserved.PlatformSigned, xrefs: 000000013FC37534
AllowTelemetry_PolicyManager, xrefs: 000000013FC37755
NtQuerySecurityPolicy, xrefs: 000000013FC375A5
AllowTelemetry, xrefs: 000000013FC37689, 000000013FC376BF, 000000013FC3772B, 000000013FC377C2
OptInLevel, xrefs: 000000013FC3755E
ntdll.dll, xrefs: 000000013FC37575
CodeIntegrity.Telemetry, xrefs: 000000013FC37549

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Library$AddressProcValue$FreeLicenseLoadQuery
String ID: AllowTelemetry$AllowTelemetry_PolicyManager$CodeIntegrity.Telemetry$NtQuerySecurityPolicy$OptInLevel$Reserved.PlatformSigned$Software\Policies\Microsoft\Windows\DataCollection$ntdll.dll
API String ID: 1629355636-1971245831
Opcode ID: 0881c55d53cf1f3cbe5b07fd86a35b7b7fd59c04b3ad7db2ced8c7f7fc6d575e
Instruction ID: 4cfddf9d7ddd5d862a1d837f4933e6738b886f1061ccc389406794c9b88b1b11
Opcode Fuzzy Hash: 0881c55d53cf1f3cbe5b07fd86a35b7b7fd59c04b3ad7db2ced8c7f7fc6d575e
Instruction Fuzzy Hash: 96A18E76A44744CAEB158F65D590BE83BB0FB08398F50653BDE0953798EB39C74ACB40

Function 000000013FC25560 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 142processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.API-MS-WIN-CORE-TOOLHELP-L1-1-0 ref: 000000013FC255A1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC255C0
Process32FirstW.API-MS-WIN-CORE-TOOLHELP-L1-1-0 ref: 000000013FC2560A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2561A
_wcsicmp.NTDLL ref: 000000013FC2568B
_wcsicmp.NTDLL ref: 000000013FC256A7
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC256BB
Process32NextW.API-MS-WIN-CORE-TOOLHELP-L1-1-0 ref: 000000013FC2575E
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC25781

Strings

WerFault.exe, xrefs: 000000013FC25684
wermgr.exe, xrefs: 000000013FC256A0

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLastProcess32_wcsicmp$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
String ID: WerFault.exe$wermgr.exe
API String ID: 776072163-1202673992
Opcode ID: 051c83549a57441b0d5ae79c292229e00eec63610ea9b618a6d1cc02b7580b5c
Instruction ID: 5f283e897c88507f4f074c84672d35f523b5f935599bb9006ef355689fb534dc
Opcode Fuzzy Hash: 051c83549a57441b0d5ae79c292229e00eec63610ea9b618a6d1cc02b7580b5c
Instruction Fuzzy Hash: 6661DA3AA80648DAEB508B15E440BEA77A1F785B90F54A63ADE1E437D5CF38CB47C700

Function 000000013FC2DAF0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74nativeCOMMON

Download Yara Rule

APIs

DbgPrintEx.NTDLL ref: 000000013FC2DB22
NtQueryInformationProcess.NTDLL ref: 000000013FC2DB4D
DbgPrintEx.NTDLL ref: 000000013FC2DB77

Strings

WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed with status 0x%x, xrefs: 000000013FC2DB69
WER/CrashAPI:%u: ERROR No 32 PEB for process, xrefs: 000000013FC2DB9E
WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read Peb32BaseAddress, xrefs: 000000013FC2DBEC
WER/CrashAPI:%u: ERROR Invalid arg, xrefs: 000000013FC2DB16

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Print$InformationProcessQuery
String ID: WER/CrashAPI:%u: ERROR Invalid arg$WER/CrashAPI:%u: ERROR No 32 PEB for process$WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed with status 0x%x$WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read Peb32BaseAddress
API String ID: 213565265-1445663711
Opcode ID: d4aa593247c11e17ed61d0a155f71535fc0cd8f6dfe76947ffd8a2ea230c1a1e
Instruction ID: c7e4c4131df3b1059d388067f297e8789f131d8d83be6595ce43a306efb04972
Opcode Fuzzy Hash: d4aa593247c11e17ed61d0a155f71535fc0cd8f6dfe76947ffd8a2ea230c1a1e
Instruction Fuzzy Hash: 2E318D79A44A48C7F7108B15E814BEABBA0F799BC5F40A53ADA4A47794DF3CC70AC700

Function 000000013FC2DC3C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

DbgPrintEx.NTDLL ref: 000000013FC2DC63
NtQueryInformationProcess.NTDLL ref: 000000013FC2DC8C
DbgPrintEx.NTDLL ref: 000000013FC2DCB0

Strings

WER/CrashAPI:%u: ERROR No PEB for process, xrefs: 000000013FC2DCD6
WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read PebBaseAddress, xrefs: 000000013FC2DD24
WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed, xrefs: 000000013FC2DCA2
WER/CrashAPI:%u: ERROR Invalid arg, xrefs: 000000013FC2DC57

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Print$InformationProcessQuery
String ID: WER/CrashAPI:%u: ERROR Invalid arg$WER/CrashAPI:%u: ERROR No PEB for process$WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed$WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read PebBaseAddress
API String ID: 213565265-363347543
Opcode ID: 4e6765e06c038ece9796dfbc595c756e7a7584a0128f5e37a57a2e8e1bba8baf
Instruction ID: 441ae0348cd63591469340e5981709d33eb2c8000c81ea7d782de0768e63557b
Opcode Fuzzy Hash: 4e6765e06c038ece9796dfbc595c756e7a7584a0128f5e37a57a2e8e1bba8baf
Instruction Fuzzy Hash: F4316079B50A48C6F7148B15E810BE9AAA1F799BC5F45A13ADA0A477A4DF3CC30AC710

Function 000000013FC3725C Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 174memoryregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000013FC372B7

Part of subcall function 000000013FC36F04: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36F17
Part of subcall function 000000013FC36F04: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36F32

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC37319
RegQueryInfoKeyW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC37384
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC373AF
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC373C3
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC3741E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC374AD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC374C1
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC374D7

Strings

\Users, xrefs: 000000013FC372DC

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$Process$AddressAllocCloseEnumFreeInfoLibraryLoadOpenProcQuerymemset
String ID: \Users
API String ID: 3246958429-3656258783
Opcode ID: e372c94207f06f0d56d5643725bccbba9d0394d8d9ad1f640ec4a26a4f4ec216
Instruction ID: a9928d498bf5bc1996b245993de4566bb13ae7e43edafe28636435d870d64218
Opcode Fuzzy Hash: e372c94207f06f0d56d5643725bccbba9d0394d8d9ad1f640ec4a26a4f4ec216
Instruction Fuzzy Hash: 52719032A44B8986E7118F65E4807EABAA0FB89784F11512ADF8953B65DB3CD642CF00

Function 000000013FC36AE4 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC36BF6
_wcsicmp.NTDLL ref: 000000013FC36C3E
_wcsicmp.NTDLL ref: 000000013FC36C59
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC36CE0
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC36DF4

Strings

DeleteCorruptedReportFromStore, xrefs: 000000013FC36AE8
WinMain, xrefs: 000000013FC36AEB

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Find$File_wcsicmp$CloseFirstNext
String ID: DeleteCorruptedReportFromStore$WinMain
API String ID: 3999888431-1897262382
Opcode ID: c3d1ebc399e5858e7334b57b38b7db0edae5d8eae9385908a856f300a8c20d07
Instruction ID: a19dfa545e714d254f835dcbfff1e45ac3de43fd789e34ba557594e640bd68e5
Opcode Fuzzy Hash: c3d1ebc399e5858e7334b57b38b7db0edae5d8eae9385908a856f300a8c20d07
Instruction Fuzzy Hash: AB91DF36A8078886EB94CB50E844FE977A0F7847A8F50623BDE4A43694DF3CCB46D740

Function 000000013FC2CF20 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 85registrytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC2CEB8: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2CEF6

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC2CF8D
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2D001
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2D011
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2D059

Strings

LastQueuePesterTime, xrefs: 000000013FC2CFDC
LastResponsePesterTime, xrefs: 000000013FC2CFD3
LastQueueNoPesterTime, xrefs: 000000013FC2CFCA
LastLiveReportFlushTime, xrefs: 000000013FC2CFC1

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Time$CloseCreateErrorFileLastSystemValue
String ID: LastLiveReportFlushTime$LastQueueNoPesterTime$LastQueuePesterTime$LastResponsePesterTime
API String ID: 621416076-4033952892
Opcode ID: fe2723e8a8cb04a245c339b66e1846cca8b140ad6f3b25b7e12d9ac6e1d9e920
Instruction ID: 18b00903aebf553ccc7fc527e3064e0e2b648daf407182f76d8ed6bd24f98fe9
Opcode Fuzzy Hash: fe2723e8a8cb04a245c339b66e1846cca8b140ad6f3b25b7e12d9ac6e1d9e920
Instruction Fuzzy Hash: 2131933AA8060899FB50CB25D454FE867A0F754398F54313ADD0E426A4DF79CB8BC340

Function 000000013FC37EF4 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC37F24
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC37F32
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC37F3E
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC37F4A
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC37F5A
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 000000013FC37F75

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 85f95ca271fa4ab8ee4643986c67fb55fee3e1bb3420e4d62aa5825da8483e78
Instruction ID: cc76e12a89f013388a6f357b99b7f837f4f128ace2879a53f0c52998aa327583
Opcode Fuzzy Hash: 85f95ca271fa4ab8ee4643986c67fb55fee3e1bb3420e4d62aa5825da8483e78
Instruction Fuzzy Hash: 94112C32A40F488AEB00DF61E8447A833A4F749798F402A39EA6D87B55DF7CC7A58740

Function 000000013FC223AC Relevance: 9.0, APIs: 7, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000013FC223EA

Part of subcall function 000000013FC22248: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22277
Part of subcall function 000000013FC22248: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22294

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22485
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22499
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC224A5
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC224B9
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2266D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22681

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$Process$Free$AddressAllocHandleModuleProcmemset
String ID:
API String ID: 2903015918-0
Opcode ID: 18a34ac9ba03dc433b5d79def7feb9d8f42d12a7b504060b3a8058765f8b67e9
Instruction ID: 613b0cc5056508eb4a6f17ed68bc5ae0da435a878f58415051be05f4e070825f
Opcode Fuzzy Hash: 18a34ac9ba03dc433b5d79def7feb9d8f42d12a7b504060b3a8058765f8b67e9
Instruction Fuzzy Hash: 48916D36A10B589AEB20CF66E400BED7BB0F748B88F44552ADF4E53754DB38C256C710

Function 000000013FC2A2C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 190threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(onecore\windows\feedback\core\wermgr\lib\wermgr.cpp,00000000,000000013FC2A63F,?,000007FF,000000013FC29301), ref: 000000013FC2A3CD
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,000007FF,000000013FC29301), ref: 000000013FC2A4BA
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?,000007FF,000000013FC29301), ref: 000000013FC2A535

Strings

WinMain, xrefs: 000000013FC2A2C7, 000000013FC2A2C9
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC2A2C2

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID: WinMain$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 4268342597-625356647
Opcode ID: 1a47b2924f532c811dd7e603d256db41701892ad73855bcddf02ef7ed207e857
Instruction ID: 9618b59a227bdc516304495055ebe5b4297b5a036f2b596637d0ee92a7847464
Opcode Fuzzy Hash: 1a47b2924f532c811dd7e603d256db41701892ad73855bcddf02ef7ed207e857
Instruction Fuzzy Hash: 3581A536A80B8896FF659F15A840BA9B7A0F785B84F04703EDE4E13759DF38C686D700

Function 000000013FC2F3A4 Relevance: 7.6, APIs: 5, Instructions: 135comCOMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FC2F403
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FC2F46E
#2.OLEAUT32 ref: 000000013FC2F492

Part of subcall function 000000013FC21FF8: EtwTraceMessage.NTDLL ref: 000000013FC2200B

#6.OLEAUT32 ref: 000000013FC2F56D

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,000000013FC27136), ref: 000000013FC2F59A

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: MessageTrace$CreateInitializeInstanceUninitialize
String ID:
API String ID: 1656891210-0
Opcode ID: a3ee06083af8138ce9c3d67d5ebf9c5d9d6ddc77258d78d03a5c4893c1c46e03
Instruction ID: 41035afad73b708c29099ccf72a2a480d0e7c0ded3e7a0adc76be8a65acd6ef7
Opcode Fuzzy Hash: a3ee06083af8138ce9c3d67d5ebf9c5d9d6ddc77258d78d03a5c4893c1c46e03
Instruction Fuzzy Hash: C6514C3AB80A4E96EF11CF15D450BE827A0E784B88F54653ACE0D477A5DF29CB4BC740

Function 000000013FC37840 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC37518: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC37591
Part of subcall function 000000013FC37518: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC375AF
Part of subcall function 000000013FC37518: NtQueryLicenseValue.NTDLL ref: 000000013FC375E1
Part of subcall function 000000013FC37518: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC37657

NtQueryLicenseValue.NTDLL ref: 000000013FC3791B

Part of subcall function 000000013FC36F68: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36F9E
Part of subcall function 000000013FC36F68: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36FBC
Part of subcall function 000000013FC36F68: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36FD5
Part of subcall function 000000013FC36F68: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC3721A

Strings

ConfigureTelemetryOptInSettingsUx, xrefs: 000000013FC3788A
AllowTelemetry, xrefs: 000000013FC378B5

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Library$AddressProc$FreeLicenseLoadQueryValue
String ID: AllowTelemetry$ConfigureTelemetryOptInSettingsUx
API String ID: 1791012833-1228298405
Opcode ID: 18c0934b3e79b02d7490fa70fc1b5d7b82ac4414e43d751aa55300b3fa8581a6
Instruction ID: ca2b7f0e0b8dae71130fd36e0070bf3df76bb94e62d7b283f61babeb1921e9c4
Opcode Fuzzy Hash: 18c0934b3e79b02d7490fa70fc1b5d7b82ac4414e43d751aa55300b3fa8581a6
Instruction Fuzzy Hash: 87318172A54755CEF7508F20C880BD83BA0FB083D8F44613AFB0656A98D778C79ACB41

Function 000000013FC38338 Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC38343
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC3834C
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC38352

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 0f5b35e69ca74c2459f7070286955c3c245cd016b5471c240a8d4f03bd07b417
Instruction ID: 1a4611afe31e6f547b96f5da7624b30ff9a39e8ac3e5eadc5a1fc3b6a932a99a
Opcode Fuzzy Hash: 0f5b35e69ca74c2459f7070286955c3c245cd016b5471c240a8d4f03bd07b417
Instruction Fuzzy Hash: A6D0C9B2F9090D86FB581B62AC15BB51220F79CB85F09243ADA1746321ED3C874B8344

Function 000000013FC37D20 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC37D2B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 09dfe366e2d2b1d547c8f0bf59ef6b6911f9491a3180a73a12c60ff976ac70fd
Instruction ID: bb71bc9c49a2236b1ffb258eef88e0a211b694d570ff87bf0c8a39f8eb5e3479
Opcode Fuzzy Hash: 09dfe366e2d2b1d547c8f0bf59ef6b6911f9491a3180a73a12c60ff976ac70fd
Instruction Fuzzy Hash: 66B01230FA140CC1D704AB21EC857E013A0FB9C385FE41437C00980220DE2C83DB8B00

Function 000000013FC24F64 Relevance: 59.8, APIs: 17, Strings: 17, Instructions: 251COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000013FC24FAF
memset.MSVCRT ref: 000000013FC24FBD
memset.MSVCRT ref: 000000013FC24FCE
memset.MSVCRT ref: 000000013FC24FDD
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC24FFA
IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC2500E
Wow64DisableWow64FsRedirection.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC25029
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC25039
GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC250B4
GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC2512C
Wow64RevertWow64FsRedirection.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC2538E

Strings

"%ws" "%ws", LaunchErcApp -responsepester, xrefs: 000000013FC251BD
Wow64DisableWow64FsRedirection failed., xrefs: 000000013FC25064
Wow64RevertWow64FsRedirection failed., xrefs: 000000013FC253A5
LaunchEventReportingConsole, xrefs: 000000013FC25074, 000000013FC25106, 000000013FC251F5, 000000013FC252E2, 000000013FC2536C
LaunchEventReportingConsole::<lambda_7542f5c39e1a6d4dafe7f67f740f5aca>::operator (), xrefs: 000000013FC253B1
StringCchCat failed (path = %ws)., xrefs: 000000013FC250F3
CreateProcess failed (path = %ws, args = %ws), xrefs: 000000013FC252D2
GetSystemDirectory failed., xrefs: 000000013FC25357
"%ws" "%ws", LaunchErcApp -queuereportingnopester, xrefs: 000000013FC251AB
"%ws" "%ws", LaunchErcApp -queuereporting, xrefs: 000000013FC251C6
\RunDll32.exe, xrefs: 000000013FC250CD
"%ws" "%ws", LaunchErcApp -queuereportingconsentedonly, xrefs: 000000013FC251B4
Cannot launch ERC. ERC is not installed on the system., xrefs: 000000013FC25182
\WerConCpl.dll, xrefs: 000000013FC25145
StringCChPrintf failed., xrefs: 000000013FC25207
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC2507B, 000000013FC250FF, 000000013FC251FC, 000000013FC252E9, 000000013FC25365, 000000013FC253B8
Creating process %ws %ws, xrefs: 000000013FC2522D

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Wow64$memset$DirectoryProcessRedirectionSystem$CurrentDisableErrorLastRevert
String ID: "%ws" "%ws", LaunchErcApp -queuereporting$"%ws" "%ws", LaunchErcApp -queuereportingconsentedonly$"%ws" "%ws", LaunchErcApp -queuereportingnopester$"%ws" "%ws", LaunchErcApp -responsepester$Cannot launch ERC. ERC is not installed on the system.$CreateProcess failed (path = %ws, args = %ws)$Creating process %ws %ws$GetSystemDirectory failed.$LaunchEventReportingConsole$LaunchEventReportingConsole::<lambda_7542f5c39e1a6d4dafe7f67f740f5aca>::operator ()$StringCChPrintf failed.$StringCchCat failed (path = %ws).$Wow64DisableWow64FsRedirection failed.$Wow64RevertWow64FsRedirection failed.$\RunDll32.exe$\WerConCpl.dll$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 2200579134-2145280080
Opcode ID: 457718cb9f33f34fb197c6424c5d99c6d4346d40be8119738e620f63fd94149e
Instruction ID: 69e2ac6314cbadd6d73aabd4552dec858bc4e93ab4aaaabc4182bf797da8e478
Opcode Fuzzy Hash: 457718cb9f33f34fb197c6424c5d99c6d4346d40be8119738e620f63fd94149e
Instruction Fuzzy Hash: BBD14E36A44B889AEB10CF60E884BEE77A0F788755F40653ADA4D43B69DF38C746C740

Function 000000013FC36F68 Relevance: 54.4, APIs: 14, Strings: 17, Instructions: 188libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36F9E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36FBC
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36FD5
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC3721A

Strings

System, xrefs: 000000013FC37011
LimitEnhancedDiagnosticDataWindowsAnalytics, xrefs: 000000013FC37064
AllowTelemetry, xrefs: 000000013FC3712C
DisableDeviceDelete, xrefs: 000000013FC370D1
AllowCommercialDataPipeline, xrefs: 000000013FC3710F
DisableOneSettingsDownloads, xrefs: 000000013FC37149
DisableDiagnosticDataViewer, xrefs: 000000013FC370F2
Software\Policies\Microsoft\Windows\DataCollection, xrefs: 000000013FC37193
DisableTelemetryOptInSettingsUx, xrefs: 000000013FC370C5
DisableTelemetryOptInChangeNotification, xrefs: 000000013FC3709F
ConfigureTelemetryOptInSettingsUx, xrefs: 000000013FC370AB
EnableOneSettingsAuditing, xrefs: 000000013FC37166
PolicyManager_GetPolicy, xrefs: 000000013FC36FB2
policymanager.dll, xrefs: 000000013FC36F92
onecore\base\telemetry\permission\lib\telemetrypermission.cpp, xrefs: 000000013FC3722E
ConfigureTelemetryOptInChangeNotification, xrefs: 000000013FC37085
PolicyManager_FreeGetPolicyData, xrefs: 000000013FC36FC8

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: AllowCommercialDataPipeline$AllowTelemetry$ConfigureTelemetryOptInChangeNotification$ConfigureTelemetryOptInSettingsUx$DisableDeviceDelete$DisableDiagnosticDataViewer$DisableOneSettingsDownloads$DisableTelemetryOptInChangeNotification$DisableTelemetryOptInSettingsUx$EnableOneSettingsAuditing$LimitEnhancedDiagnosticDataWindowsAnalytics$PolicyManager_FreeGetPolicyData$PolicyManager_GetPolicy$Software\Policies\Microsoft\Windows\DataCollection$System$onecore\base\telemetry\permission\lib\telemetrypermission.cpp$policymanager.dll
API String ID: 2256533930-4007305814
Opcode ID: cea08709d61a3da69de905f3ac2849ef2d617ca293b3443540fdffee7a38399f
Instruction ID: 2a520a5ec1de6a05abdfaf95ae954c6c13221743d8547286dc7e8d84f05a45f5
Opcode Fuzzy Hash: cea08709d61a3da69de905f3ac2849ef2d617ca293b3443540fdffee7a38399f
Instruction Fuzzy Hash: 32813E72A847499AEB148F11E944BE97BA1FB49BD5F48A13BDD0A47394DB3CC34AC700

Function 000000013FC26EEC Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 206fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC356F4: memset.MSVCRT ref: 000000013FC35728
Part of subcall function 000000013FC356F4: ClosePrivateNamespace.API-MS-WIN-CORE-NAMESPACE-L1-1-0 ref: 000000013FC35915

MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC26F79
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC26F91
UnmapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC270C9
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC270E3
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC270FD

Strings

Invalid size passed in section, xrefs: 000000013FC26FCE
open, xrefs: 000000013FC271BD
MapViewOfFile failed, xrefs: 000000013FC26FB5
Invalid launch type passed, xrefs: 000000013FC2716C
ShellExecuteEx api not present, xrefs: 000000013FC2718B
StartNonElevatedProcessInstance, xrefs: 000000013FC26F37, 000000013FC2714F, 000000013FC27241
explore, xrefs: 000000013FC271C6
CreateProcess failed, xrefs: 000000013FC2708E
Failed to show the help content %ws, xrefs: 000000013FC2713F
UtilGetNonElevationInfo failed, xrefs: 000000013FC26F27
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC26EEF, 000000013FC26F3E, 000000013FC27156, 000000013FC27248
ShellExecuteEx failed, xrefs: 000000013FC27228

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Close$FileHandleView$ErrorLastNamespacePrivateUnmapmemset
String ID: CreateProcess failed$Failed to show the help content %ws$Invalid launch type passed$Invalid size passed in section$MapViewOfFile failed$ShellExecuteEx api not present$ShellExecuteEx failed$StartNonElevatedProcessInstance$UtilGetNonElevationInfo failed$explore$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp$open
API String ID: 2829354640-189962150
Opcode ID: 5f7e1e139702a29dbc970bc9c4df10d76499bb476add4b7ca59d7e13c370fefa
Instruction ID: a649007db9cf7f1a1ac7fc2866cb0762455a445fb6055a5bd04141833ddd5a58
Opcode Fuzzy Hash: 5f7e1e139702a29dbc970bc9c4df10d76499bb476add4b7ca59d7e13c370fefa
Instruction Fuzzy Hash: 5AA15A36B40A49DAEB10CB60E440BED77B1FB897A8F51623ADA0D57798DB38C746C740

Function 000000013FC2F5C4 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 204serviceCOMMON

Download Yara Rule

APIs

GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC2601D), ref: 000000013FC2F5F3
OpenSCManagerW.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC2601D), ref: 000000013FC2F60F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC2601D), ref: 000000013FC2F623

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

OpenServiceW.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC2601D), ref: 000000013FC2F68B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC2601D), ref: 000000013FC2F69F
CloseServiceHandle.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC2601D), ref: 000000013FC2F8D9
CloseServiceHandle.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,000000013FC2601D), ref: 000000013FC2F8ED

Strings

WerSvc, xrefs: 000000013FC2F681

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Service$CloseErrorHandleLastOpen$Count64ManagerMessageTickTrace
String ID: WerSvc
API String ID: 2338227594-4085872573
Opcode ID: 51e4b90f180dc4f72b93b81aa8eb4e9458f232d204230c34cbac1dde3497cf97
Instruction ID: 9ca8a96ac88532643190f736d4b52cc27d1e114afb009df2fbbafedf7985d022
Opcode Fuzzy Hash: 51e4b90f180dc4f72b93b81aa8eb4e9458f232d204230c34cbac1dde3497cf97
Instruction Fuzzy Hash: 69915139B80B4C9AFB548B65A540BE8B6E1FB49B84F54613ACD0E53750DB39CB4BC710

Function 000000013FC2DD70 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 148COMMON

Download Yara Rule

APIs

DbgPrintEx.NTDLL ref: 000000013FC2DDB1
IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC2DDCB
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC2DDE5
IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC2DDF8
IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC2DE17

Part of subcall function 000000013FC2DC3C: DbgPrintEx.NTDLL ref: 000000013FC2DC63

DbgPrintEx.NTDLL ref: 000000013FC2DE9C

Strings

WER/CrashAPI:%u: ERROR Invalid arguments, xrefs: 000000013FC2DDA3
WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read WerRegistrationData, xrefs: 000000013FC2DF1E
WER/CrashAPI:%u: ERROR WerpValidatePebHeader failed, xrefs: 000000013FC2DF67
WER/CrashAPI:%u: ERROR WerpNtWow64ReadVirtualMemory64 failed while trying to read PebBaseAddress, xrefs: 000000013FC2DED3
WER/CrashAPI:%u: ERROR Failed to read the peb from the process, xrefs: 000000013FC2DE4E, 000000013FC2DE8E

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Process$PrintWow64$Current
String ID: WER/CrashAPI:%u: ERROR Failed to read the peb from the process$WER/CrashAPI:%u: ERROR Invalid arguments$WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read WerRegistrationData$WER/CrashAPI:%u: ERROR WerpNtWow64ReadVirtualMemory64 failed while trying to read PebBaseAddress$WER/CrashAPI:%u: ERROR WerpValidatePebHeader failed
API String ID: 1037397651-1040282246
Opcode ID: 97eaef00e81cd02fdf4532bada86a1d8216afb93014d22f13344ff96c9e9a3a4
Instruction ID: dbf6a9682e1d451e0f488f92485076838f227fa6dfebd78bb26cefb06bd8ecb4
Opcode Fuzzy Hash: 97eaef00e81cd02fdf4532bada86a1d8216afb93014d22f13344ff96c9e9a3a4
Instruction Fuzzy Hash: 1651C039A80A48DAFB148F25D810FF96BA1F769BC4F54A13DED0A47794DB38C7468340

Function 000000013FC26114 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2613C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2615B
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC261B8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC261C9
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2621A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC26257

Strings

CheckAndSubmitOfflineCrash, xrefs: 000000013FC261AE
offdmpsvc.dll, xrefs: 000000013FC26135
CheckAndSubmitOfflineCrash failed, xrefs: 000000013FC26234
DoBootActivities, xrefs: 000000013FC2628C
LoadLibraryExW for offdmpsvc failed, xrefs: 000000013FC26180
CollectOfflineCrash, xrefs: 000000013FC26190, 000000013FC26201
GetProcAddress for CheckAndSubmitOfflineCrash failed, xrefs: 000000013FC261E9
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC26197, 000000013FC261FA, 000000013FC26293
CollectOfflineCrash failed, xrefs: 000000013FC2627C

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLast$Library$AddressFreeLoadProc
String ID: CheckAndSubmitOfflineCrash$CheckAndSubmitOfflineCrash failed$CollectOfflineCrash$CollectOfflineCrash failed$DoBootActivities$GetProcAddress for CheckAndSubmitOfflineCrash failed$LoadLibraryExW for offdmpsvc failed$offdmpsvc.dll$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 2084285179-1514942544
Opcode ID: 0f26b040003403b740bf15a8bcb136426a7448a58eb06fffeb1cceed11f72916
Instruction ID: 97b8b6adb898608b5e184181c5704307bfa3d1477af2829cf4b7efbef9bc8b41
Opcode Fuzzy Hash: 0f26b040003403b740bf15a8bcb136426a7448a58eb06fffeb1cceed11f72916
Instruction Fuzzy Hash: FB418D36A80B4986EB108B15E844BE9B7E0F7C97A0F42623AD94E537A4DF3CC746C714

Function 000000013FC33C08 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 240sleepmemoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC33C52
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 000000013FC33C85
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC33CA0
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC33CD0
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC33CEA
toupper.NTDLL ref: 000000013FC33DA5
EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 000000013FC33DF3
EventProviderEnabled.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 000000013FC33E06
EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 000000013FC33E1D
EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 000000013FC33E37
EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 000000013FC33FBF
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 000000013FC33FD9
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC33FF0

Strings

<unknown>, xrefs: 000000013FC33F0E
%ws\Report.wer, xrefs: 000000013FC33C18

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Event$CountTickUnregister$ExclusiveLock$AcquireAllocEnabledLocalProviderRegisterReleaseSleeptoupper
String ID: %ws\Report.wer$<unknown>
API String ID: 758907732-1460082843
Opcode ID: 2ee26710b7fe8d9abb69062aace16a35be0cc3828ffc643b6f1f6697074a634b
Instruction ID: 88805cecf0edb1992528c75f5c2414d15b005c41853a209cf7e6f4d17e599832
Opcode Fuzzy Hash: 2ee26710b7fe8d9abb69062aace16a35be0cc3828ffc643b6f1f6697074a634b
Instruction Fuzzy Hash: ABC17132A50B888AEB15CF20E444BD97BB4F348B98F44653ADA4A57B58DF3DC746CB00

Function 000000013FC2A054 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 151windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013FC2A12C
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC2A1AB

Strings

[%hs], xrefs: 000000013FC2A274
(caller: %p) , xrefs: 000000013FC2A196
, xrefs: 000000013FC2A1FE
LogHr, xrefs: 000000013FC2A0E5
FailFast, xrefs: 000000013FC2A0DC
ReturnHr, xrefs: 000000013FC2A0EE
CallContext:[%hs] , xrefs: 000000013FC2A234
%hs(%d) tid(%x) %08X %ws, xrefs: 000000013FC2A1C4
%hs(%u)\%hs!%p: , xrefs: 000000013FC2A158
%hs!%p: , xrefs: 000000013FC2A176
Exception, xrefs: 000000013FC2A0F7
Msg:[%ws] , xrefs: 000000013FC2A219
[%hs(%hs)], xrefs: 000000013FC2A25B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: bf36c991a5d741191ca2711893606b844bd178e147a18a92d627e0668f5dcdce
Instruction ID: a8a48d696238e732eb79f5ffb589cc424a828230c1c17b2dd74dc0eaa16b5581
Opcode Fuzzy Hash: bf36c991a5d741191ca2711893606b844bd178e147a18a92d627e0668f5dcdce
Instruction Fuzzy Hash: FA616B79A80B49A5EE64DF51A510BD963A0F748B88F44613EEE4E53798CF3DC742C704

Function 000000013FC2C380 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

WerpLoadReportFromBuffer.WER ref: 000000013FC2C3E7
WerpGetReportSettings.WER ref: 000000013FC2C44C
WerpGetReportType.WER ref: 000000013FC2C531
WerpGetReportInformation.WER ref: 000000013FC2C576

Strings

WER/CrashAPI:%u: ERROR Invalid arguments, xrefs: 000000013FC2C73B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ReportWerp$BufferFromInformationLoadSettingsType
String ID: WER/CrashAPI:%u: ERROR Invalid arguments
API String ID: 132304548-1416122280
Opcode ID: 0003384be6a9d509d514c6680116648da04944c41a85539ea74ada8ca4a70179
Instruction ID: c4cbbc812797d0b43bddf0099e849db1aa1bd8a41ceff84336d12a789edcb4b7
Opcode Fuzzy Hash: 0003384be6a9d509d514c6680116648da04944c41a85539ea74ada8ca4a70179
Instruction Fuzzy Hash: 05D1D53AB80B49A2EF64CB15D490BE927A1F784B94F10A03ACE0D47795DF7ACA47C740

Function 000000013FC350DC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000013FC35121
memset.MSVCRT ref: 000000013FC35130
CreateFileMappingW.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC35151
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC35165

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC351CE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC351E2
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC353BE

Strings

-k -lcq, xrefs: 000000013FC35201

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorFileLastmemset$CloseCreateHandleMappingMessageTraceView
String ID: -k -lcq
API String ID: 332472461-3937627094
Opcode ID: ff9a29b02735e598ed9993dc986a321da22127fc163eec3c48c3d8a81d32fd5b
Instruction ID: b260bf1c5247ba1f98f725938f299af4e8289b554997f7fb0791021ee8983a5c
Opcode Fuzzy Hash: ff9a29b02735e598ed9993dc986a321da22127fc163eec3c48c3d8a81d32fd5b
Instruction Fuzzy Hash: 50819C35A8078986EB618B25D850BE83790F788B84F50692BCE0D477A6DF7CC747C700

Function 000000013FC307AC Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 330fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC30841
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC30856

Part of subcall function 000000013FC220D8: EtwTraceMessage.NTDLL ref: 000000013FC22143

GetFileSizeEx.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC308C2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC308D2
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,WinMain,00000000,80000000,00000000), ref: 000000013FC30CAF

Strings

MetadataHash, xrefs: 000000013FC30AF7
WinMain, xrefs: 000000013FC307B6

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleMessageSizeTrace
String ID: MetadataHash$WinMain
API String ID: 2254475724-687051137
Opcode ID: cfa2983a03634f76d031d06e63ac4829a6e7bee2f2ddfe8453a5d82096b4f182
Instruction ID: 6bdb7c04aa274dee4b9f53b412582d4218f76d37be84ba3a17599325f1d7d58e
Opcode Fuzzy Hash: cfa2983a03634f76d031d06e63ac4829a6e7bee2f2ddfe8453a5d82096b4f182
Instruction Fuzzy Hash: D3E19F36A807089AFB50CB65E450BE933A0EB4479CF50663B8E8946BA5DF3DCB47C740

Function 000000013FC35F78 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 215threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC386A4: ApiSetQueryApiSetPresence.API-MS-WIN-CORE-APIQUERY-L1-1-0 ref: 000000013FC386CD

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000004,00000000,00000000,000000013FC36413), ref: 000000013FC35FC8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,00000000,00000000,000000013FC36413), ref: 000000013FC36025
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,00000000,00000000,000000013FC36413), ref: 000000013FC36059

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,00000000,00000000,000000013FC36413), ref: 000000013FC36107
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,00000000,00000000,000000013FC36413), ref: 000000013FC36160
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,00000000,00000000,000000013FC36413), ref: 000000013FC36196
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,00000000,00000000,000000013FC36413), ref: 000000013FC3621E

Strings

default, xrefs: 000000013FC36265
WinSta0, xrefs: 000000013FC3624B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLast$CurrentMessagePresenceQueryThreadTrace
String ID: WinSta0$default
API String ID: 3981309833-47315796
Opcode ID: 9ccda75abf4979e0ddfc25628c7bc5777a39f1c702f0b57846d17bcd26e4814b
Instruction ID: cec0801cb9651805d7cef2cd03c4985f604311a4b63b0e7ffaadaf1e607ec57f
Opcode Fuzzy Hash: 9ccda75abf4979e0ddfc25628c7bc5777a39f1c702f0b57846d17bcd26e4814b
Instruction Fuzzy Hash: 78A19E35A80A8886EB909B51E840FE8B7A1FB89BC4F45653ADD0A17791DF3DC74BC740

Function 000000013FC2D078 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC2CEB8: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2CEF6

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2D133
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2D280

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

Strings

LastQueuePesterTime, xrefs: 000000013FC2D1D3
LastResponsePesterTime, xrefs: 000000013FC2D198
LastQueueNoPesterTime, xrefs: 000000013FC2D161
LastLiveReportFlushTime, xrefs: 000000013FC2D127
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC2D07E

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseCreateMessageQueryTraceValue
String ID: LastLiveReportFlushTime$LastQueueNoPesterTime$LastQueuePesterTime$LastResponsePesterTime$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 1401813532-3901343400
Opcode ID: 126de78865b738c74b3d641c7c95b53f4e25be96cb3e9ffff01459cfc7ebeab4
Instruction ID: dd66dd34062502d2126903c85d7a7c82842a0ff5742a418a9e6f6078823611c0
Opcode Fuzzy Hash: 126de78865b738c74b3d641c7c95b53f4e25be96cb3e9ffff01459cfc7ebeab4
Instruction Fuzzy Hash: A3514B36B50B599AEF20CF64D4A0BEC37A0F758798F44612ADA0E57B58DF38C64AC740

Function 000000013FC295D0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000104,000000013FC2982D), ref: 000000013FC295E2

Strings

wil::details_abi::SemaphoreValue::GetValueFromSemaphore, xrefs: 000000013FC295FD, 000000013FC2972D
wil, xrefs: 000000013FC29734

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil$wil::details_abi::SemaphoreValue::GetValueFromSemaphore
API String ID: 24740636-733574568
Opcode ID: 9d198ae9f94d7e6bdf7cd6dcae442054a1917d12d0994af1fc53d7e351a36dd7
Instruction ID: fc9972dd30d397b74c2661038ca11c359dd41f0a81e740d8260eb3b7df2d2e4c
Opcode Fuzzy Hash: 9d198ae9f94d7e6bdf7cd6dcae442054a1917d12d0994af1fc53d7e351a36dd7
Instruction Fuzzy Hash: CC418135E44A8893FB504F50E400BF9F6A1FB85BD1F50A139D90A86ED4CB7DC6479701

Function 000000013FC356F4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000013FC35728
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC35781
OpenFileMappingW.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC357E0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC357F4
MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC3584B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC3585C
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC358FA
ClosePrivateNamespace.API-MS-WIN-CORE-NAMESPACE-L1-1-0 ref: 000000013FC35915

Strings

WerSvc\WerSvcNonElevationInfoSectionName%d, xrefs: 000000013FC3578D

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseErrorFileLast$CurrentHandleMappingNamespaceOpenPrivateProcessViewmemset
String ID: WerSvc\WerSvcNonElevationInfoSectionName%d
API String ID: 282122006-3649978101
Opcode ID: a6562bac385d94929223450f40543b178fba901da130d1d38684cbf84efacef2
Instruction ID: f9941631b6c11020e24b2ce009edd64f7805913031705f010cfd2a6987ab173a
Opcode Fuzzy Hash: a6562bac385d94929223450f40543b178fba901da130d1d38684cbf84efacef2
Instruction Fuzzy Hash: 12619F35A80B8986FB568B14E450BE977A0E789B84F54683BCA0D43796DF3DCB4BC740

Function 000000013FC29A6C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC29B05
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC29B39
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC29B21

Part of subcall function 000000013FC29D6C: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,000000013FC298FE), ref: 000000013FC29D70

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC29BB3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC29BD0
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC29BE8

Strings

wil::details_abi::SemaphoreValue::CreateFromValueInternal, xrefs: 000000013FC29B6B
_p0, xrefs: 000000013FC29AC1
wil, xrefs: 000000013FC29B64

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLast$CreateSemaphore$CloseHandle
String ID: _p0$wil$wil::details_abi::SemaphoreValue::CreateFromValueInternal
API String ID: 4237752484-2924297125
Opcode ID: abe7b99310e943202b19c85412a4d1373feb65948a9ddf0cdf97c8e83911bdea
Instruction ID: 8a3a38f5ce721ce7110cb0b3af8d4cdad37b4058a19472f036417f178c07ea91
Opcode Fuzzy Hash: abe7b99310e943202b19c85412a4d1373feb65948a9ddf0cdf97c8e83911bdea
Instruction Fuzzy Hash: CF519135B50B8896EF20AF61A454BE9B660F788B90F44613EDE4E07B96CF3CC606D700

Function 000000013FC253FC Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC36470: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC2540D), ref: 000000013FC364CE
Part of subcall function 000000013FC36470: FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 000000013FC36598

WerpIsTransportAvailable.WER ref: 000000013FC254BA

Part of subcall function 000000013FC24F64: memset.MSVCRT ref: 000000013FC24FAF
Part of subcall function 000000013FC24F64: memset.MSVCRT ref: 000000013FC24FBD
Part of subcall function 000000013FC24F64: memset.MSVCRT ref: 000000013FC24FCE
Part of subcall function 000000013FC24F64: memset.MSVCRT ref: 000000013FC24FDD
Part of subcall function 000000013FC24F64: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC24FFA
Part of subcall function 000000013FC24F64: IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC2500E
Part of subcall function 000000013FC24F64: Wow64DisableWow64FsRedirection.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC25029
Part of subcall function 000000013FC24F64: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC25039

Strings

Not launching reporting console: transport is not available, xrefs: 000000013FC254D1
DoQueueReporting, xrefs: 000000013FC2549F, 000000013FC254DD, 000000013FC2552C
FlushLiveReports, xrefs: 000000013FC25450
LaunchEventReportingConsole failed, xrefs: 000000013FC2550A
FlushLiveReports failed, xrefs: 000000013FC25482
UtilLaunchElevatedProcess for live kernel reporting failed., xrefs: 000000013FC25460
Not launching reporting console: current process is not interactive or wer is disabled or not opted in, xrefs: 000000013FC25520
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC25459, 000000013FC25493, 000000013FC254E4, 000000013FC25533

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: memset$Wow64$Process$AllocateAvailableCurrentDisableErrorFreeInitializeLastRedirectionTransportWerp
String ID: DoQueueReporting$FlushLiveReports$FlushLiveReports failed$LaunchEventReportingConsole failed$Not launching reporting console: current process is not interactive or wer is disabled or not opted in$Not launching reporting console: transport is not available$UtilLaunchElevatedProcess for live kernel reporting failed.$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 1660015665-3059153498
Opcode ID: 3f999e80ee44009990b1e7598160b0cbc8f99d5a952cd3a0bd056220178dec27
Instruction ID: 075849038af529576fc549eefaa6c5d9c6f2b85e468378efc57eeaa78585dd74
Opcode Fuzzy Hash: 3f999e80ee44009990b1e7598160b0cbc8f99d5a952cd3a0bd056220178dec27
Instruction Fuzzy Hash: 0031213AB84B4DA1EB20DB14E881BDA67A1E384394F50253FD94D42666DB3CCB47C705

Function 000000013FC31DB8 Relevance: 15.3, APIs: 10, Instructions: 290fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000013FC31E07
memset.MSVCRT ref: 000000013FC31E18
GetFinalPathNameByHandleW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC31E4D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC31E5D
_wcsicmp.NTDLL ref: 000000013FC31F54
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC31F9E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC31FB3
GetFinalPathNameByHandleW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC32022
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC32032

Part of subcall function 000000013FC220D8: EtwTraceMessage.NTDLL ref: 000000013FC22143

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC32227

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorHandleLast$FinalNamePathmemset$CloseCreateFileMessageTrace_wcsicmp
String ID:
API String ID: 149412668-0
Opcode ID: de19937c0ff0409280d4329839f81b29ba516e68df93dbb390f174519a265169
Instruction ID: 720ad7529ccd510f44666566ab2b028efc796f430a5077a5bc6264a318dca073
Opcode Fuzzy Hash: de19937c0ff0409280d4329839f81b29ba516e68df93dbb390f174519a265169
Instruction Fuzzy Hash: 8ED1D132A8078882EB65CB15E850BE97790E785BE4F50612BDE4947BE1CB7ECB47C700

Function 000000013FC26844 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2685F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC26873
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2688A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC268E3

Strings

GetGlobalLockForUploadingReports, xrefs: 000000013FC2689B
Could not get lock, xrefs: 000000013FC268C6
Global\WerMgrUploadingLock, xrefs: 000000013FC26851
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC268A5

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleMutex
String ID: Could not get lock$GetGlobalLockForUploadingReports$Global\WerMgrUploadingLock$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 3777024946-1891772784
Opcode ID: eb76da4f31d341faa75fa0d1c39a4886d362064260043b5b5cef8a016c33bf99
Instruction ID: baebba27df615137cef73ecd6fcdf69e760352abca8df43d90f18550047d3520
Opcode Fuzzy Hash: eb76da4f31d341faa75fa0d1c39a4886d362064260043b5b5cef8a016c33bf99
Instruction Fuzzy Hash: E6117336640B49D6EB418F55E4407EDB7E0F788780F44653ADA4E42760CF3CC7568750

Function 000000013FC22868 Relevance: 13.6, APIs: 9, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC228A3
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC228BD
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC228D1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC228EA
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC22910
memcpy_s.NTDLL ref: 000000013FC22933
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2294C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22960
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC22981

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$ErrorLastProcess$AllocFreememcpy_s
String ID:
API String ID: 2547873962-0
Opcode ID: 80d12e20d8ab935c5f01536b044eb6181a938d3b592b47654e959696d075913c
Instruction ID: e03d3425e01efc364de31179956a9f4eb8414a5282cb501070163d1e711c40c6
Opcode Fuzzy Hash: 80d12e20d8ab935c5f01536b044eb6181a938d3b592b47654e959696d075913c
Instruction Fuzzy Hash: 55314136640B48C6E7049F65E5047A8BBA0F789FE5F459229CE5D037A8DF38C647C740

Function 000000013FC29760 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC297D0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC297E4

Strings

wil::details_abi::SemaphoreValue::TryGetValueInternal, xrefs: 000000013FC29800, 000000013FC2983A, 000000013FC2989E, 000000013FC298CD
wil::details_abi::SemaphoreValue::TryGetValue, xrefs: 000000013FC29924
_p0, xrefs: 000000013FC297B1
wil, xrefs: 000000013FC29841, 000000013FC298D4, 000000013FC2992B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$wil$wil::details_abi::SemaphoreValue::TryGetValue$wil::details_abi::SemaphoreValue::TryGetValueInternal
API String ID: 1909229842-734490441
Opcode ID: a9ed1a3d5cc30feb705bd184089f8c1758fdccde5e389bb2c64480fd67652a04
Instruction ID: 7ad2472e87ead137362695badd2e33f3c36ec195488748e236bc16e31a66a50e
Opcode Fuzzy Hash: a9ed1a3d5cc30feb705bd184089f8c1758fdccde5e389bb2c64480fd67652a04
Instruction Fuzzy Hash: D251C236A84B8D96EF20DB61E410BE9A361F788B84F45203ADA0D57B55DF38C707D340

Function 000000013FC37A80 Relevance: 12.1, APIs: 8, Instructions: 136sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC37EF4: GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC37F24
Part of subcall function 000000013FC37EF4: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC37F32
Part of subcall function 000000013FC37EF4: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC37F3E
Part of subcall function 000000013FC37EF4: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC37F4A
Part of subcall function 000000013FC37EF4: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013FC37F5A
Part of subcall function 000000013FC37EF4: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 000000013FC37F75

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC37AB5
_amsg_exit.MSVCRT ref: 000000013FC37AF0
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 000000013FC37AFC
_initterm.MSVCRT ref: 000000013FC37B8A
_IsNonwritableInCurrentImage.LIBCMT ref: 000000013FC37BB7
exit.MSVCRT ref: 000000013FC37C49
_cexit.MSVCRT ref: 000000013FC37C58
_ismbblead.MSVCRT ref: 000000013FC37C78

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: a62d43634b0f3c651714dbef27c51331a25053eeb94658278238fbe42fea21af
Instruction ID: 24e8afa335c23afaadf32a1c57b23686cb556db75e7d0de27f5eb3acc190cdf3
Opcode Fuzzy Hash: a62d43634b0f3c651714dbef27c51331a25053eeb94658278238fbe42fea21af
Instruction Fuzzy Hash: 66512C31A8864C8AFB619B15E880FE973A0FB44788F54243ED949936E5DB3CCB47CB01

Function 000000013FC262C4 Relevance: 12.1, APIs: 8, Instructions: 126filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 000000013FC2632B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 000000013FC26361

Part of subcall function 000000013FC220D8: EtwTraceMessage.NTDLL ref: 000000013FC22143

GetFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 000000013FC263A0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 000000013FC263D1
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 000000013FC264C7

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleMessageTimeTrace
String ID:
API String ID: 1081630277-0
Opcode ID: ce1702240bb2c7185c53cd6d649df8cf0be9c409d30eb75ed41e2a84b3c8ddae
Instruction ID: 4506a263bfab43b187e43bf02d1d2fd15f4d3998aa2929598efbc68b003631e2
Opcode Fuzzy Hash: ce1702240bb2c7185c53cd6d649df8cf0be9c409d30eb75ed41e2a84b3c8ddae
Instruction Fuzzy Hash: 73517F3AA40A5996FB10CB21E954BE837A0F798B98F54622ACD4D137A1CF78C74BC750

Function 000000013FC2462C Relevance: 12.1, APIs: 8, Instructions: 97threadtimeCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24698
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC246E2
CreateThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 000000013FC246FE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC24716
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2472E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC24741
SetThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 000000013FC2476D
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24785

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLast$ExclusiveLockThreadpoolTimer$AcquireCreateRelease
String ID:
API String ID: 512582575-0
Opcode ID: bf8733845a1529b1d1bf382954223045b5e80111ea7d41e7ba56895c240f5d34
Instruction ID: 8298dd202608dd8c65d017176ad86e742d17516f5877d788f6cb044aa2546bac
Opcode Fuzzy Hash: bf8733845a1529b1d1bf382954223045b5e80111ea7d41e7ba56895c240f5d34
Instruction Fuzzy Hash: AF418236A40B48D7FB519B21A550BE8BBA0FB89F94F44612ADE5E03B51DF38C256C700

Function 000000013FC2B424 Relevance: 11.4, APIs: 9, Instructions: 196memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B463
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B47B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B496
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B60F
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B626
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B63E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B662
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B677
memset.MSVCRT ref: 000000013FC2B6D9

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$Process$Alloc$Freememset
String ID:
API String ID: 2565529166-0
Opcode ID: bc977942b2c4069ffb29fb029a247dd63b8b14008a2f81f8448628bf97daca1f
Instruction ID: 891eae74ab07a4ae5bd91c82fe0628a352a54a49461c6835897e59078afb1c27
Opcode Fuzzy Hash: bc977942b2c4069ffb29fb029a247dd63b8b14008a2f81f8448628bf97daca1f
Instruction Fuzzy Hash: D8818E7AA41B4896EF14CF51E444BA9B7A0F748F98F499139DE4E07755EF38C646C300

Function 000000013FC324C8 Relevance: 10.7, APIs: 7, Instructions: 248COMMON

Download Yara Rule

APIs

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC3256A
OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC3258A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC3259A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC325D6

Part of subcall function 000000013FC22068: EtwTraceMessage.NTDLL ref: 000000013FC220BD

GetLongPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC326FB
GetLongPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC32744
_wcsicmp.NTDLL ref: 000000013FC327E9

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: LongNamePathProcess$CloseCurrentErrorHandleLastMessageOpenTokenTrace_wcsicmp
String ID:
API String ID: 237106150-0
Opcode ID: ba722099dfc91536869c0e5b1478fa7e291ad130665129c8d9237263288b2707
Instruction ID: 28e7c3d8695be89cfbe02eada874d3645e666f0f7112fca66a0862a8d7ca18b5
Opcode Fuzzy Hash: ba722099dfc91536869c0e5b1478fa7e291ad130665129c8d9237263288b2707
Instruction Fuzzy Hash: B7B1C036A80A4882EE609B15E850BE962A0F785BD4F10613FDE1A477D5DF7DCB8BC740

Function 000000013FC2CAD4 Relevance: 10.7, APIs: 7, Instructions: 170fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2CB0E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2CB22
UnmapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2CB92
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2CBA2
MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2CC1D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2CC5D

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

GetProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FC2CD28

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorFileLastView$MessageProcessTraceUnmap
String ID:
API String ID: 2031883847-0
Opcode ID: 102e52762701df7d14fd437b5f42fa4ef309109847167a3fea75f3ec25472efb
Instruction ID: 912a889b9eda83693944ad577e6b016343c305b307f54abb70d9957c276a3ed4
Opcode Fuzzy Hash: 102e52762701df7d14fd437b5f42fa4ef309109847167a3fea75f3ec25472efb
Instruction Fuzzy Hash: 95819C3AA40B8896EF54CB15E480BE87BA0F788B94F14653ACE4D47760DF79CA97C740

Function 000000013FC3310C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC3314D
RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC331DB
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC33332

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

Strings

StorePath, xrefs: 000000013FC331C0, 000000013FC33276
Software\Microsoft\Windows\Windows Error Reporting, xrefs: 000000013FC33132

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseMessageOpenTraceValue
String ID: Software\Microsoft\Windows\Windows Error Reporting$StorePath
API String ID: 1932785668-806903183
Opcode ID: e5ed9961ab09fda47f192211c175789500b5830723a1b8283b899549d2d0ef50
Instruction ID: 4aa403220f5b00aeae8d7f191dc1522caa0e2a40501a2df2fdc74dde626c7c11
Opcode Fuzzy Hash: e5ed9961ab09fda47f192211c175789500b5830723a1b8283b899549d2d0ef50
Instruction Fuzzy Hash: F751AB35B84B4982FB548B16E450BE92690E788BD4F48A13B994E877E1DF7CC74BC740

Function 000000013FC34EA8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138comlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC2F2C4: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2F30A

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC269E3), ref: 000000013FC34F0A
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC269E3), ref: 000000013FC34F3F

Part of subcall function 000000013FC21FF8: EtwTraceMessage.NTDLL ref: 000000013FC2200B

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC269E3), ref: 000000013FC34F81
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC269E3), ref: 000000013FC34FD5
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC269E3), ref: 000000013FC350B3

Strings

RtlGetCurrentServiceSessionId, xrefs: 000000013FC34F77

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadMessageProcTraceUninitialize
String ID: RtlGetCurrentServiceSessionId
API String ID: 1900441714-1893921975
Opcode ID: c84686d2d0bc34da045277432ff1025f8ed10e13ab2bb18669ab3424bf13abcc
Instruction ID: e58fe7d71141908deae1d9df99a0869a7c32b5520e5ffb2289cae5f69008075a
Opcode Fuzzy Hash: c84686d2d0bc34da045277432ff1025f8ed10e13ab2bb18669ab3424bf13abcc
Instruction Fuzzy Hash: B4516236B8064D95FA158B25D440FE92B90E785BC4F58683BDD09436A5DF3DCB47CB80

Function 000000013FC2BF20 Relevance: 10.6, APIs: 7, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2BF72
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2BFBD
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2BFD5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2C00A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2C01E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2C06A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2C07E

Part of subcall function 000000013FC2B374: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3A9
Part of subcall function 000000013FC2B374: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3BD
Part of subcall function 000000013FC2B374: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3E1
Part of subcall function 000000013FC2B374: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3F5

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$FreeProcess$ErrorLast$ObjectSingleWait
String ID:
API String ID: 2412696089-0
Opcode ID: 2872af90cd8c07d1dd5eab79da0dcb5cca1041836a8f2e52f99af47a3122a743
Instruction ID: 1aef1f65e27e4d8cd9e01a41f4e74e04e68b7be4e71ad8cd0a84c7bbd48b9ed7
Opcode Fuzzy Hash: 2872af90cd8c07d1dd5eab79da0dcb5cca1041836a8f2e52f99af47a3122a743
Instruction Fuzzy Hash: 5041B639A40A4896EF54DF66E440BE9B7A0F789B90F086039DB4E43B95DF39CA578700

Function 000000013FC24C60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC24D65
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC24D82
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC24DE5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC24DFB

Strings

RtlNotifyFeatureUsage, xrefs: 000000013FC24D78
ntdll.dll, xrefs: 000000013FC24D5E

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$AddressFreeHandleModuleProcProcess
String ID: RtlNotifyFeatureUsage$ntdll.dll
API String ID: 3729415315-2443152447
Opcode ID: 98d24dd6224ef9aa75e625879381786283c4c29addf656766bd67b7e7c955265
Instruction ID: 2b87b714a60b774ef5cf8ad327a56e9c851f62c9b5daa5b43b211e97e962ebc3
Opcode Fuzzy Hash: 98d24dd6224ef9aa75e625879381786283c4c29addf656766bd67b7e7c955265
Instruction Fuzzy Hash: F6417039E91A4C93FE619B19E450FE9A290EB94745F44643ED90D43796DF38CB47CB00

Function 000000013FC3289C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC328CD
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC328E2

Part of subcall function 000000013FC220D8: EtwTraceMessage.NTDLL ref: 000000013FC22143

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC32A02

Strings

DeleteCorruptedReportFromStore, xrefs: 000000013FC328A7

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastMessageTrace
String ID: DeleteCorruptedReportFromStore
API String ID: 3005582999-1966130119
Opcode ID: c55aac302b49192c4b4f1079c691bb2317b4bf406f5b3ca963d9e0bcbf78d2aa
Instruction ID: 03aa0fc9ee96a0c91fe2218c3936b7691cf59fd2cb431d5d7e465279f788ef45
Opcode Fuzzy Hash: c55aac302b49192c4b4f1079c691bb2317b4bf406f5b3ca963d9e0bcbf78d2aa
Instruction Fuzzy Hash: E641BF35A4078886FB508B55E890BE97790E788BD4F50523ADE49437A9DF7CCB8BC740

Function 000000013FC36320 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3655D), ref: 000000013FC3637E
CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3655D), ref: 000000013FC363B6
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3655D), ref: 000000013FC363FD
OpenMutexW.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3655D), ref: 000000013FC36425
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3655D), ref: 000000013FC3643E

Strings

Global\Microsoft.Windows.Setup, xrefs: 000000013FC36417

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AllocateCheckCloseFreeHandleInitializeMembershipMutexOpenToken
String ID: Global\Microsoft.Windows.Setup
API String ID: 1217297161-978874613
Opcode ID: 2f9032a306362ab8325a108ed9c9baf5a0e82d2f22b23a2dd4613be8c16e64fa
Instruction ID: f24aa829184119eac96deedd498794e51682a2e8bb0c7f812b23036a544cbcd9
Opcode Fuzzy Hash: 2f9032a306362ab8325a108ed9c9baf5a0e82d2f22b23a2dd4613be8c16e64fa
Instruction Fuzzy Hash: D3413D72A406488AEB908F65D481BED7BA0F788788F44643EDA0D56755DF3CC746CB50

Function 000000013FC24978 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC22248: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22277
Part of subcall function 000000013FC22248: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22294

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC249D5

Part of subcall function 000000013FC22C28: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22C50
Part of subcall function 000000013FC22C28: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22C6D

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC249ED
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC24A25
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC24A42

Strings

RtlSubscribeWnfStateChangeNotification, xrefs: 000000013FC24A38
ntdll.dll, xrefs: 000000013FC24A1E

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc$ErrorLast
String ID: RtlSubscribeWnfStateChangeNotification$ntdll.dll
API String ID: 798792539-2214456325
Opcode ID: 4a54d5417fa0ac0346e3c6d41b5c72e4f95d6a7d007aca6630ab4098aedc74ce
Instruction ID: ceb43211d7259f0d1f59ff1454b075cefa623d3471d3b37d78ba25b37ed612a5
Opcode Fuzzy Hash: 4a54d5417fa0ac0346e3c6d41b5c72e4f95d6a7d007aca6630ab4098aedc74ce
Instruction Fuzzy Hash: 91318936A65B48D6FB018B10E444BEDB7A0F788B95F45213ADA4D07755DF3CCA46CB00

Function 000000013FC2A900 Relevance: 10.6, APIs: 7, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2A93A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2A94E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2A968
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2A97D
memcpy_s.NTDLL ref: 000000013FC2A9A6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2A9C6
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2A9DA

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemcpy_s
String ID:
API String ID: 3852585984-0
Opcode ID: 247dd0cbccc36e661035348c62936ccf799b8c6c94ec85576f0d36ab15f85adb
Instruction ID: 0bccfa3807107c7f1f41384dd960a39766af418077c3e5ce40d8ef3463a7f556
Opcode Fuzzy Hash: 247dd0cbccc36e661035348c62936ccf799b8c6c94ec85576f0d36ab15f85adb
Instruction Fuzzy Hash: DA315E36941B48CAEB049F56E5007E8BBA0FB8EF91F59D629DB1A83754DF38C652C700

Function 000000013FC36F04 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36F17
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC36F32

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection, xrefs: 000000013FC36F54
OSDATA\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection, xrefs: 000000013FC36F4B
RtlIsStateSeparationEnabled, xrefs: 000000013FC36F28
ntdll.dll, xrefs: 000000013FC36F0A

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: OSDATA\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection$RtlIsStateSeparationEnabled$Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection$ntdll.dll
API String ID: 2574300362-100155017
Opcode ID: 746eacc51cec90fcc7d63a35a9677f11266f9cae44455eed613abe7dea687b5c
Instruction ID: 391a27d7ea0e7833c5c3f431590fa07a64f89ff5e154c0b85af5e0d4b3a917cd
Opcode Fuzzy Hash: 746eacc51cec90fcc7d63a35a9677f11266f9cae44455eed613abe7dea687b5c
Instruction Fuzzy Hash: 27F0AC34A81A4CD5EE499B01E840BE46760FB4DBD1F88A43FC90D02360DF3C875AD710

Function 000000013FC24090 Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC240B1
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC240D1
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC240F1
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24100
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24158
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2417D

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
String ID:
API String ID: 3221859647-0
Opcode ID: 05970c9a94b4e07f2e6771bb56f3834ad0ca5cb4f219806fb0e191ded1380b9c
Instruction ID: bffdc7468ea6cd50793692407d850857572bee0964e688ef405828dcaaea813f
Opcode Fuzzy Hash: 05970c9a94b4e07f2e6771bb56f3834ad0ca5cb4f219806fb0e191ded1380b9c
Instruction Fuzzy Hash: 0B315036B44A58D7EB158F11A900BE9BB61F799FD0F49A129DE4E07B15DF38C2868700

Function 000000013FC33358 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013FC33399
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013FC333A9
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013FC333F7
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013FC33407
GetSidSubAuthorityCount.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013FC33429
GetSidSubAuthority.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013FC3343F

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AuthorityErrorInformationLastToken$Count
String ID:
API String ID: 1206861955-0
Opcode ID: ad18aaf7497fd7fc834b1a943064ddfdd57cbc9aacebd8ba86df86c11ee4174b
Instruction ID: e8ac42e77503feafda2129365da6e127d0071c2f4cfef0d84633c09d3d399ca9
Opcode Fuzzy Hash: ad18aaf7497fd7fc834b1a943064ddfdd57cbc9aacebd8ba86df86c11ee4174b
Instruction Fuzzy Hash: B7315E32655B84CBE7549B11E450BEABBA0F7C9B82F44A13ADA8B82754DF3CC645CB10

Function 000000013FC24894 Relevance: 9.1, APIs: 6, Instructions: 54threadtimeCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC244BA), ref: 000000013FC248BC
CreateThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0(?,?,?,000000013FC244BA), ref: 000000013FC248D7
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC244BA), ref: 000000013FC248EF

Part of subcall function 000000013FC28A1C: SetThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0(?,?,?,000000013FC289F1), ref: 000000013FC28A2D
Part of subcall function 000000013FC28A1C: WaitForThreadpoolTimerCallbacks.API-MS-WIN-CORE-THREADPOOL-L1-2-0(?,?,?,000000013FC289F1), ref: 000000013FC28A41

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC244BA), ref: 000000013FC24907
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC244BA), ref: 000000013FC24919
SetThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0(?,?,?,000000013FC244BA), ref: 000000013FC2494B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLastThreadpoolTimer$CallbacksCreateWait
String ID:
API String ID: 3298393655-0
Opcode ID: f960a6146f3846af4e8e9b9bb3a8ce0e0f36c5476ec03b1986a59a594c7fa371
Instruction ID: 571c1f4fa8a5b27c3c8372ccbc79b8aa68d1966ac9f5afcce8d38d784f325103
Opcode Fuzzy Hash: f960a6146f3846af4e8e9b9bb3a8ce0e0f36c5476ec03b1986a59a594c7fa371
Instruction Fuzzy Hash: 1021DF36B40B94D7EB109F25E104BECBBA0F78AF90F44A12ACE0A03B45DF39C6528700

Function 000000013FC34BD4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC34C28
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC34CAF
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC34D06

Strings

DefaultConsent, xrefs: 000000013FC34C9B
Software\Microsoft\Windows\Windows Error Reporting\Consent, xrefs: 000000013FC34C02

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseCreateValue
String ID: DefaultConsent$Software\Microsoft\Windows\Windows Error Reporting\Consent
API String ID: 1818849710-2204022073
Opcode ID: 8e0954af473beb546ef5adce7551608e624b21ab1249b4cafb87f120ba805b9c
Instruction ID: 6da52177341a0f2b624df3de18c5854c04b7726615e10fdef99242067dc3b267
Opcode Fuzzy Hash: 8e0954af473beb546ef5adce7551608e624b21ab1249b4cafb87f120ba805b9c
Instruction Fuzzy Hash: 32416A36B80B488AEB508B65E494BE936E4E744784F50613BCE4D866A1DF6DCB4BC740

Function 000000013FC31C78 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC31CD6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC31CE7

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

Strings

DeleteCorruptedReportFromStore, xrefs: 000000013FC31C7D

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AttributesErrorFileLastMessageTrace
String ID: DeleteCorruptedReportFromStore
API String ID: 2626060577-1966130119
Opcode ID: 01e7f570645a68f490c592ebf21ac7c0bdde91546ce90e4634c629c9a8c9d7e3
Instruction ID: 6ee59633f2073bc1ada9aa611ef9252a2396628b4e25b83672532585bcc6634f
Opcode Fuzzy Hash: 01e7f570645a68f490c592ebf21ac7c0bdde91546ce90e4634c629c9a8c9d7e3
Instruction Fuzzy Hash: 8831AF35E807498AFB968769D950BE466D0EB85B84F58653BDD09822A1DF3CCB8BC300

Function 000000013FC23580 Relevance: 7.8, APIs: 5, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC22E0C: memcpy_s.NTDLL ref: 000000013FC22E55
Part of subcall function 000000013FC22E0C: memcpy_s.NTDLL ref: 000000013FC22EBE

memcmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000013FC23613
memcpy_s.NTDLL ref: 000000013FC23692

Part of subcall function 000000013FC232AC: memcpy_s.NTDLL ref: 000000013FC23353
Part of subcall function 000000013FC232AC: memcmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,000000013FC237BB), ref: 000000013FC2342E

memmove_s.NTDLL ref: 000000013FC23872
memcpy_s.NTDLL ref: 000000013FC238E7

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: memcpy_s$memcmp$memmove_s
String ID:
API String ID: 2013778500-0
Opcode ID: 5136d7b8b80cbb72197bfb263811bb7595048cfb573ce449efe0f72e6801db36
Instruction ID: da05c7a87f69995c2cde59ebaa92aa4425aebf5167422224fec2f6395a84c7fb
Opcode Fuzzy Hash: 5136d7b8b80cbb72197bfb263811bb7595048cfb573ce449efe0f72e6801db36
Instruction Fuzzy Hash: EFC14B7AF40698AAEF20CFB59540BEC27B1F755B88F50602ADE4D67B88DA35C647C340

Function 000000013FC2397C Relevance: 7.8, APIs: 6, Instructions: 268memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC23CA1
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC23CB5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC23CEA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC23CFE

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: e7820525b5eee9abe7ed6c97d051c689e33a76b9392ad850e1e315135c4f1517
Instruction ID: c12c3e2b5e01a96b1564e127017b96d18f13ee8adedb0b8d1e46b2d1e9158347
Opcode Fuzzy Hash: e7820525b5eee9abe7ed6c97d051c689e33a76b9392ad850e1e315135c4f1517
Instruction Fuzzy Hash: F9C1AF3AA44B889AEB20CFA5E4407DD7BB0F749798F14112AEF8C17B58DB78C656C700

Function 000000013FC232AC Relevance: 7.7, APIs: 5, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy_s.NTDLL ref: 000000013FC23353
memcmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,000000013FC237BB), ref: 000000013FC233CF
memcmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,000000013FC237BB), ref: 000000013FC2342E
memcpy_s.NTDLL ref: 000000013FC234DA
memcpy_s.NTDLL ref: 000000013FC2353B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: memcpy_s$memcmp
String ID:
API String ID: 3506827942-0
Opcode ID: 38cb20da4f798dd1eb653a2b26e35a340ac705c2d7899a90b9bf6a43e84cd2ff
Instruction ID: 0d2d2a71d51fa8c6a562be0b1aa082733fe12151e9f26b64f8e512a70f3f0983
Opcode Fuzzy Hash: 38cb20da4f798dd1eb653a2b26e35a340ac705c2d7899a90b9bf6a43e84cd2ff
Instruction Fuzzy Hash: 41919E36B406989AEF218F659440BED3B71F758B98F60603ADE5D67B89DB34CA43C310

Function 000000013FC2E0AC Relevance: 7.7, APIs: 5, Instructions: 164registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2E164
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2E1B0
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2E334

Part of subcall function 000000013FC21FF8: EtwTraceMessage.NTDLL ref: 000000013FC2200B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseMessageOpenQueryTraceValue
String ID:
API String ID: 3821667754-0
Opcode ID: de9f391804e36ff2e8000fa6fbe7346ffd35829f1382003cbd20331f1a530772
Instruction ID: 94ce437c6b9ad30f58e853eeb23d885a984f50d1f9027ae4ac807a837529e04c
Opcode Fuzzy Hash: de9f391804e36ff2e8000fa6fbe7346ffd35829f1382003cbd20331f1a530772
Instruction Fuzzy Hash: C571953AA4064992FF648F15E440BED73A1F78C790F54653ADA4EA7694DB3CC687CB00

Function 000000013FC2EE8C Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3657F), ref: 000000013FC2EEE3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3657F), ref: 000000013FC2EEF3
CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3657F), ref: 000000013FC2EF25
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FC3657F), ref: 000000013FC2EF67

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AllocateCheckErrorFreeInitializeLastMembershipToken
String ID:
API String ID: 3835361876-0
Opcode ID: d3b80f5172a6b31af0e5e8ea86c8265eafeaf08d760f03a0e4a669dda6bf8ec4
Instruction ID: 36aac342a16bb75f35c629a2baaa9a2e5cba7122de7eb9caa2de79a0a78ee7a3
Opcode Fuzzy Hash: d3b80f5172a6b31af0e5e8ea86c8265eafeaf08d760f03a0e4a669dda6bf8ec4
Instruction Fuzzy Hash: EA315C72B00B40DBEB548F65A4907EDBBF0F749744F40613EDA4E92B54DB38C2458B10

Function 000000013FC2C1E4 Relevance: 7.5, APIs: 5, Instructions: 43fileCOMMON

Download Yara Rule

APIs

WerReportCloseHandle.WER ref: 000000013FC2C1F9
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC2C219
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC2C239
UnmapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2C256
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FC2C273

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseHandle$FileReportUnmapView
String ID:
API String ID: 3666915389-0
Opcode ID: 8e438bd12c3700c07fca0d537884836d0bf05136f401f76905b3aac47a867b1f
Instruction ID: b7addea5fbe0fd22122b2b585602b2ede95d3bdc8bd43bccb5c66dc4f4d52767
Opcode Fuzzy Hash: 8e438bd12c3700c07fca0d537884836d0bf05136f401f76905b3aac47a867b1f
Instruction Fuzzy Hash: 51212136A41B48C2EF45DFA0D0597F82760FB49F55F08623ACE0A0A355CF798646C360

Function 000000013FC242F0 Relevance: 7.5, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC24311
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC24325
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2433F
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC24353
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2436D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC24381

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 68bff0599a58b5c4bdba5601216b5d08eac48ed70c4ac418dda0c6d8c42bb2af
Instruction ID: f993fb313f24074b7416ead3a8f0b06d9357aea23956f47f5c960c8e1c418cb7
Opcode Fuzzy Hash: 68bff0599a58b5c4bdba5601216b5d08eac48ed70c4ac418dda0c6d8c42bb2af
Instruction Fuzzy Hash: B611DE36A40B88C7EB458F56A5087E9FAB1F78EFC5F09A129CE0907755DF38C2068600

Function 000000013FC24B14 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC24B56
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC24B73

Strings

RtlRegisterFeatureConfigurationChangeNotification, xrefs: 000000013FC24B69
ntdll.dll, xrefs: 000000013FC24B4F

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlRegisterFeatureConfigurationChangeNotification$ntdll.dll
API String ID: 1646373207-4023217342
Opcode ID: 3d28416368bdfd024cd37a193a725a4d367aa6eb02807f34fa98548f0ecae48a
Instruction ID: 133fa230e7d1f057768a1aef0f4080e0dd44b217cc0b047a06b5eb111fb541aa
Opcode Fuzzy Hash: 3d28416368bdfd024cd37a193a725a4d367aa6eb02807f34fa98548f0ecae48a
Instruction Fuzzy Hash: 72213839A95B4DA2EE008B15A950FE9A3A0F759B84F84603ACA4C47766EB38C757C700

Function 000000013FC222F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22327
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22344

Strings

NtUpdateWnfStateData, xrefs: 000000013FC2233A
ntdll.dll, xrefs: 000000013FC22320

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtUpdateWnfStateData$ntdll.dll
API String ID: 1646373207-3251081820
Opcode ID: ecd69453514b4ea3d5e7a5c1bfb190528005a4cc9e3e1c04f03ec42dd00134ed
Instruction ID: 78eeb81dbb93a76fba15f5ab25f78a96b6998c2a64bddae16737bef2106e2a1d
Opcode Fuzzy Hash: ecd69453514b4ea3d5e7a5c1bfb190528005a4cc9e3e1c04f03ec42dd00134ed
Instruction Fuzzy Hash: 42112E35A44B8C86EB51CB05F540B99B7A4F788BD4F44613ADE4D47B68EB3CC606CB00

Function 000000013FC22248 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22277
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22294

Strings

NtQueryWnfStateData, xrefs: 000000013FC2228A
ntdll.dll, xrefs: 000000013FC22270

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueryWnfStateData$ntdll.dll
API String ID: 1646373207-3115237368
Opcode ID: b2ababccd12e2c59c4c5104b39c53c485d3b15c770d6155470b5e7d79c4c9980
Instruction ID: f23e5a682d226a76311b5a7debf8f69758735743571127ab962f32399c305ea1
Opcode Fuzzy Hash: b2ababccd12e2c59c4c5104b39c53c485d3b15c770d6155470b5e7d79c4c9980
Instruction Fuzzy Hash: EB011739A45B4C86EA518B06F900BA5A7A0F748BD4F45613ADE4D03728EF3CC6568B00

Function 000000013FC2BB40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2BB76
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2BB93

Strings

RtlDisownModuleHeapAllocation, xrefs: 000000013FC2BB89
ntdll.dll, xrefs: 000000013FC2BB6F

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDisownModuleHeapAllocation$ntdll.dll
API String ID: 1646373207-704576883
Opcode ID: 1bdfd7db4ada23238991a70bc9d2ed0d109b53ca7f8a8fd60cb8cda24f49d109
Instruction ID: 399f44bcba8db2ec91cbff557093ddd587fd4c8f41bac4844fbedaeb955b8c3f
Opcode Fuzzy Hash: 1bdfd7db4ada23238991a70bc9d2ed0d109b53ca7f8a8fd60cb8cda24f49d109
Instruction Fuzzy Hash: 7C014B34B41B4882EE058B06F984B99B7A0FB8CBC4F44A13ED94D03728EF3CC6568700

Function 000000013FC2BA40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2BA6D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2BA8A

Strings

ntdll.dll, xrefs: 000000013FC2BA66
RtlNtStatusToDosErrorNoTeb, xrefs: 000000013FC2BA80

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlNtStatusToDosErrorNoTeb$ntdll.dll
API String ID: 1646373207-1321910969
Opcode ID: a9e4ceb8de375fc10b0d237bac358005d35801cb50ca4a5180a3c5d6a3b932a4
Instruction ID: 8ea73bef5614ff6abedcf554b3e02ad1cfb273ce2465bf445186f3256b9e36e1
Opcode Fuzzy Hash: a9e4ceb8de375fc10b0d237bac358005d35801cb50ca4a5180a3c5d6a3b932a4
Instruction Fuzzy Hash: 5DF01935A91B0C92EF058B09F990BA577A0FB88785F48603EC94D03364EF78C65B8600

Function 000000013FC2BAC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2BAE7
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2BB04

Strings

RtlDllShutdownInProgress, xrefs: 000000013FC2BAFA
ntdll.dll, xrefs: 000000013FC2BAE0

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 06caf067f58b016962028e40b33671f4625759f8a04673236febc4002212e7c2
Instruction ID: 281b56b8bfa0cf12c5e1c9532c5d18ad4b1c0a66195c927ef4921e56e52af964
Opcode Fuzzy Hash: 06caf067f58b016962028e40b33671f4625759f8a04673236febc4002212e7c2
Instruction Fuzzy Hash: E3F0F439A92B0C86EE068B44E850BE573A0FB59742F48203EC80D03324EB68875BD610

Function 000000013FC34050 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26windowCOMMON

Download Yara Rule

APIs

EtwTraceMessage.NTDLL ref: 000000013FC340C8

Strings

NewUserDefaultConsent, xrefs: 000000013FC3405D
v, xrefs: 000000013FC34096
Software\Microsoft\Windows\Windows Error Reporting\Consent, xrefs: 000000013FC3408F

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: MessageTrace
String ID: NewUserDefaultConsent$Software\Microsoft\Windows\Windows Error Reporting\Consent$v
API String ID: 471583391-3250182199
Opcode ID: 2b68e648a6eb304fff3977a68fcf2536b7c7f12a415b48a4ff254aae81c46d1c
Instruction ID: cbf55561cba7aeb72558a6225b639a2543ac3838e944da5d844cbc63167fe39a
Opcode Fuzzy Hash: 2b68e648a6eb304fff3977a68fcf2536b7c7f12a415b48a4ff254aae81c46d1c
Instruction Fuzzy Hash: 9C011D71904F84C2E7609B14F444B8AB7B4F799764F90532AD6D903BA4DB7EC269CB00

Function 000000013FC2ABC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2ABDF
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC2ABF5

Strings

RaiseFailFastException, xrefs: 000000013FC2ABEE
kernelbase.dll, xrefs: 000000013FC2ABD5

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: ca8452bc584e9bee3ee9388bf2651e8802da1f0f1cf83f360d63d667a223837e
Instruction ID: a49d96abb53e0737469823ec78d3c516a41572790aff1134f1076c3139364707
Opcode Fuzzy Hash: ca8452bc584e9bee3ee9388bf2651e8802da1f0f1cf83f360d63d667a223837e
Instruction Fuzzy Hash: 68F0FE35B54B98C6EA044B16F9447A9AB60FB49FC0F48A13ADE4E07B18CF3CC696C704

Function 000000013FC22C9C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22CC4
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22CE1

Strings

ntdll.dll, xrefs: 000000013FC22CBD
RtlUnregisterFeatureConfigurationChangeNotification, xrefs: 000000013FC22CD7

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlUnregisterFeatureConfigurationChangeNotification$ntdll.dll
API String ID: 1646373207-1836318313
Opcode ID: b1f07f4882574d3ff022e7da0ef5212f00bbd87b0a7a939d10e66d5a93e2c994
Instruction ID: f00156b5f78550ab3e29300c40956e805f3c8babbda26a3b3a81557f36d1596a
Opcode Fuzzy Hash: b1f07f4882574d3ff022e7da0ef5212f00bbd87b0a7a939d10e66d5a93e2c994
Instruction Fuzzy Hash: 6AF01738A82B0C82FE168B55B800BE0A3A0FB49B86F48213EC90D02325EF3C87569600

Function 000000013FC22C28 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22C50
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FC22C6D

Strings

RtlUnsubscribeWnfNotificationWaitForCompletion, xrefs: 000000013FC22C63
ntdll.dll, xrefs: 000000013FC22C49

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlUnsubscribeWnfNotificationWaitForCompletion$ntdll.dll
API String ID: 1646373207-368597124
Opcode ID: 87f18fa07dfc93275632e1d36cf6f75addc7f0665ffbfae259e9f4f5b968567e
Instruction ID: 694e8b20ef5bbfc17f4aaff9aa9e4daaee2b3d09751e620e1c88a493621d8dff
Opcode Fuzzy Hash: 87f18fa07dfc93275632e1d36cf6f75addc7f0665ffbfae259e9f4f5b968567e
Instruction Fuzzy Hash: C3F0B238A82B0D92FE168B05A850BE467A0FB49B86F48613EC80E06365EF3C87569600

Function 000000013FC2DA7C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

DbgPrintEx.NTDLL ref: 000000013FC2DA99
wcsncmp.NTDLL ref: 000000013FC2DABD

Strings

PEB_SIGNATURE, xrefs: 000000013FC2DAB6
WER/CrashAPI:%u: ERROR Invalid args, xrefs: 000000013FC2DA8B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Printwcsncmp
String ID: PEB_SIGNATURE$WER/CrashAPI:%u: ERROR Invalid args
API String ID: 2018116966-1795107524
Opcode ID: 03901c4f754d7f59b069b0816f54c77aa431b6b2eba1e338bc2ba2e0f7be5d48
Instruction ID: 72c3ea909db29b851e3005d3259eca55a007c8b89c55c3535c5838858f84d9cb
Opcode Fuzzy Hash: 03901c4f754d7f59b069b0816f54c77aa431b6b2eba1e338bc2ba2e0f7be5d48
Instruction Fuzzy Hash: BFF030B5ED4589D6FB148B60D811FE96AA0E759785F80A179D90E462A4DB3CC306CB00

Function 000000013FC28264 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

Wow64RevertWow64FsRedirection.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 000000013FC28281

Strings

Wow64RevertWow64FsRedirection failed., xrefs: 000000013FC28296
LaunchEventReportingConsole::<lambda_7542f5c39e1a6d4dafe7f67f740f5aca>::operator (), xrefs: 000000013FC2829D
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC282A9

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Wow64$RedirectionRevert
String ID: LaunchEventReportingConsole::<lambda_7542f5c39e1a6d4dafe7f67f740f5aca>::operator ()$Wow64RevertWow64FsRedirection failed.$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 949088015-3163385314
Opcode ID: aa21260f493f2addc4b4a3956bc238f17b5324623c1022625ef699d967987a50
Instruction ID: 0738e7d1c75b1c37dbcaa40307bfea5cb74c3de2d29c7b392d877b4dfe7f72e5
Opcode Fuzzy Hash: aa21260f493f2addc4b4a3956bc238f17b5324623c1022625ef699d967987a50
Instruction Fuzzy Hash: 69F03A3AA41E89D5EB008B14E410BED37A0F384B88F50A12BD94E073A0CB3CCB5BC780

Function 000000013FC3227C Relevance: 6.1, APIs: 4, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC382A4: malloc.MSVCRT ref: 000000013FC382C2

GetFinalPathNameByHandleW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013FC322F4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC32306

Part of subcall function 000000013FC2EE2C: EtwTraceMessage.NTDLL ref: 000000013FC2EE72

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorFinalHandleLastMessageNamePathTracemalloc
String ID:
API String ID: 1555956524-0
Opcode ID: e6c3a06ddc4550b068502553e32487c8c20fa7efa5a9f49bdc5a07c6f66aabe7
Instruction ID: cce623c345040ea44bc137bf1361be2d948b389d7a59b8f78ac818cb3f610023
Opcode Fuzzy Hash: e6c3a06ddc4550b068502553e32487c8c20fa7efa5a9f49bdc5a07c6f66aabe7
Instruction Fuzzy Hash: 3651DA34B8074985FE658B16A950BE822C1EB84BC4F55643F8E0E877E2DE6DCB878740

Function 000000013FC312E8 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 000000013FC31321

Part of subcall function 000000013FC382A4: malloc.MSVCRT ref: 000000013FC382C2

ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 000000013FC313BB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC313E4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC3140F

Part of subcall function 000000013FC22024: EtwTraceMessage.NTDLL ref: 000000013FC2204D

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStrings$MessageTracemalloc
String ID:
API String ID: 1992093174-0
Opcode ID: 65a43b6bce79ab9303f37ea85a277d2650cdbd1d2cca929fbe957b0db541c961
Instruction ID: 0fddf7143cb5f84d922d3a630f033a5cbe21c251eaabd093c651bde5c5384a14
Opcode Fuzzy Hash: 65a43b6bce79ab9303f37ea85a277d2650cdbd1d2cca929fbe957b0db541c961
Instruction Fuzzy Hash: 4541CF36E807488AFB65CB15A800BE46691EB88BE0F55663A9E1D477E0DF3CCB478740

Function 000000013FC243A0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC247B4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC247D6
Part of subcall function 000000013FC247B4: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC24836
Part of subcall function 000000013FC247B4: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC24855
Part of subcall function 000000013FC247B4: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC24863

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2440D
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24461
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC244A6
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC244C2

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ErrorLast
String ID:
API String ID: 1920527648-0
Opcode ID: f15c6b6bbee8eb764bc223092c669ca1a724eeb09f6d4259893d6eeeeee0ce03
Instruction ID: 500d48ebf409ad4765a78a29c56966c7b1656bb6db032daebbc0cd04648e3af3
Opcode Fuzzy Hash: f15c6b6bbee8eb764bc223092c669ca1a724eeb09f6d4259893d6eeeeee0ce03
Instruction Fuzzy Hash: 0B312D3AA81798A7FE249B12A540FE86790F755B80F587539DA4E43B9ACB29C6478300

Function 000000013FC244F0 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24567
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24597
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC245C4
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24600

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: aad503ee9a11d3235f6c044bec39dc7a20501e182ec7f1ec9c907b33ca885c56
Instruction ID: ec40289466ffc99a4727389b871fdd5a6595e1e824825e6c3a6204f7c3945140
Opcode Fuzzy Hash: aad503ee9a11d3235f6c044bec39dc7a20501e182ec7f1ec9c907b33ca885c56
Instruction Fuzzy Hash: 92318F7AA40B8896EF158F11A404BE87BA0F745FD4F496139DE5D07396DF38C64AC300

Function 000000013FC2F1CC Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2F1F7
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FC2F207
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2F24A
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 000000013FC2F287

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: MemoryProcessRead$ErrorLast
String ID:
API String ID: 2521527232-0
Opcode ID: 7316d4f3db0c4aeb6b3a9561390bb0bcb79c1d1591ce0298a10dd43d395fd15d
Instruction ID: 623c0b58577c3db96301dd8f93da27450424faf616ae712c7e6aacb04e577901
Opcode Fuzzy Hash: 7316d4f3db0c4aeb6b3a9561390bb0bcb79c1d1591ce0298a10dd43d395fd15d
Instruction Fuzzy Hash: 72218336B54B4986EF504B12E440BA977A4F34AFD0F456139DE9E43754DF38C642CB00

Function 000000013FC247B4 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC247D6
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC24836
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC24855
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC243D2), ref: 000000013FC24863

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorExclusiveLastLock$AcquireRelease
String ID:
API String ID: 1101953616-0
Opcode ID: ecf94325aee16241e92dd41a4b58c6e25308b7be180e6f1ca21995ea6c0f0465
Instruction ID: fb205fd794ed16492c787af7dee7019a28905e7e2effb3c7a56a86c112a12a5c
Opcode Fuzzy Hash: ecf94325aee16241e92dd41a4b58c6e25308b7be180e6f1ca21995ea6c0f0465
Instruction Fuzzy Hash: 82214F36954B98C7EB548F11E040BA977A0F389F88F146129DB4E43749CF78CA9AC780

Function 000000013FC23FF0 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24011
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24020
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC24057
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FC2406B

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 1115728412-0
Opcode ID: 84af41443d82480cbd043fd55c419f485bff14d97d302aca4b96498450c8442b
Instruction ID: db9aff980f73c0af52c027259fc5477ef735f08ebcec3550559f7c1d6c6e12af
Opcode Fuzzy Hash: 84af41443d82480cbd043fd55c419f485bff14d97d302aca4b96498450c8442b
Instruction Fuzzy Hash: 45015E36A54B8883EE148F51A540BB8AB60F78AFC0F18A225DE4E03715DF3CC6828700

Function 000000013FC2920C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

%hs, xrefs: 000000013FC29269
onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 000000013FC2920F

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID:
String ID: %hs$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
API String ID: 0-3645322437
Opcode ID: c29e019d071f193bd88736a4423eb271a0abc1987bf6106bf4265e26fd7445be
Instruction ID: 35050cefd86f4bf83d9224e68b792dad9b1a04480d344ead466e5b6d9b363606
Opcode Fuzzy Hash: c29e019d071f193bd88736a4423eb271a0abc1987bf6106bf4265e26fd7445be
Instruction Fuzzy Hash: 7621A336A54B8492EA20DB41E844BDAF364FB89790F415536EE8D43B8ADB7CC246CB00

Function 000000013FC365CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,-00000074,000000013FC36727), ref: 000000013FC365F5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,-00000074,000000013FC36727), ref: 000000013FC36605

Strings

gfffffff, xrefs: 000000013FC3665A

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: gfffffff
API String ID: 2781989572-1523873471
Opcode ID: c23cdfdde339303610c170f97c0973c44a0a2ac4f50d1e1d6f58302b15c5a840
Instruction ID: b5ac0591f4838efbe312237a1ed00182c2b85685027e885f5abbad39e0f51b5c
Opcode Fuzzy Hash: c23cdfdde339303610c170f97c0973c44a0a2ac4f50d1e1d6f58302b15c5a840
Instruction Fuzzy Hash: 8921B2B1B4165D87EF958B16F450FD462E0EB44BC4F04A03A9E4A8A794DA3DCB47DB00

Function 000000013FC2F334 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2F365
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 000000013FC2F37D

Strings

SYSTEM\CurrentControlSet\Control\MiniNT, xrefs: 000000013FC2F357

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: CloseOpen
String ID: SYSTEM\CurrentControlSet\Control\MiniNT
API String ID: 47109696-2757998475
Opcode ID: 1aa0509649b08466248d62b246f635a6a32073eba5adbe7a10c28d39d969ef9e
Instruction ID: 7ee6a3a3a03e0904a12ec7cad30821cce8f51b83ec8399a2a6a4a8ceb65303fa
Opcode Fuzzy Hash: 1aa0509649b08466248d62b246f635a6a32073eba5adbe7a10c28d39d969ef9e
Instruction Fuzzy Hash: 87F09036B10B54C6DB008B65E444BA8B664FB88BD0F959239DA2C43354CF39C645C700

Function 000000013FC23130 Relevance: 5.1, APIs: 4, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FC23580: memmove_s.NTDLL ref: 000000013FC23872

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC231ED
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC23201
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2321D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC23231

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$FreeProcess$memmove_s
String ID:
API String ID: 2685253353-0
Opcode ID: 7c4fc9d4c1f056bbf0512187e8626be14235c43cf6e0dea7db91d4d6ed9f2cb8
Instruction ID: 813d1435b6bbd72f6c5adb97dbd6e0219798efd3a969cb6d5ba0da9609104bc9
Opcode Fuzzy Hash: 7c4fc9d4c1f056bbf0512187e8626be14235c43cf6e0dea7db91d4d6ed9f2cb8
Instruction Fuzzy Hash: CB41D036A44B8895EB50CF26A404BD9B761F78AFD4F546239EE4D13796CF38C686C700

Function 000000013FC22F0C Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22F69
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22F7D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22FAA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC22FBE

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 65aba273254292906038511034cc27167d4a0edf6d0da5b3677e3341e8f79ed1
Instruction ID: b2df0b4d62fc08fe1a8cefdbec7ea4b487623423ce5bf86062b5fe6c07b14e89
Opcode Fuzzy Hash: 65aba273254292906038511034cc27167d4a0edf6d0da5b3677e3341e8f79ed1
Instruction Fuzzy Hash: A3316B27A14F988AD3418F29A0403ADBB70F79AF98F18A215CF8827715DB34D6E6C740

Function 000000013FC2B374 Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3A9
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3BD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3E1
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FC2B3F5

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: c7e1434aefb3133a4a3a5ed56ad085606815da323e4c02e737d0fce77af20e6f
Instruction ID: 05c5e2fcf993259f79a2b771c0a19e5f6d78f2380802a3bbc57e2e2fd43882d4
Opcode Fuzzy Hash: c7e1434aefb3133a4a3a5ed56ad085606815da323e4c02e737d0fce77af20e6f
Instruction Fuzzy Hash: B0111832A00B58D6EB008F56F4402ADBBB0F789F84F99912ADB4E03718DF38D696C740

Function 000000013FC2B168 Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,000000013FC2B144), ref: 000000013FC2B189
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,000000013FC2B144), ref: 000000013FC2B1A1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,000000013FC2B144), ref: 000000013FC2B1D5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,000000013FC2B144), ref: 000000013FC2B1ED

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7835a39382d65cc18be5b5ef04db1f4405fe8567534659fa7bf19decd2a0d76e
Instruction ID: 46f14c33bd99afad3dca266e609d4d8cfb6646cdea18fab42510812c3d18350e
Opcode Fuzzy Hash: 7835a39382d65cc18be5b5ef04db1f4405fe8567534659fa7bf19decd2a0d76e
Instruction Fuzzy Hash: D2118832A41B48CAEB448F65D4147F877A0F78EF69F199639CE1D4A390CF38814AC340

Function 000000013FC28DF0 Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC2873C), ref: 000000013FC28E22
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC2873C), ref: 000000013FC28E0A

Part of subcall function 000000013FC29D6C: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,000000013FC298FE), ref: 000000013FC29D70

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC2873C), ref: 000000013FC28E3B
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,000000013FC2873C), ref: 000000013FC28E53

Memory Dump Source

Source File: 00000000.00000002.341246315.000000013FC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FC20000, based on PE: true

Associated: 00000000.00000002.341225145.000000013FC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265643.000000013FC3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341272788.000000013FC45000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341278409.000000013FC48000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341291342.000000013FC4A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fc20000_wermgr.jbxd

Similarity

API ID: ErrorLast$CloseHandle
String ID:
API String ID: 3463825546-0
Opcode ID: caaa7d1490e1722f99487a78ba476ff715a0b5bda7e1e7873057525271b2bc02
Instruction ID: e0b14faa5b8e7b6a807799039bc13321dc952f5e544816d1afe9bb8650956cc6
Opcode Fuzzy Hash: caaa7d1490e1722f99487a78ba476ff715a0b5bda7e1e7873057525271b2bc02
Instruction Fuzzy Hash: A4014F36A40BA493EB445B61E5447ACBB60F789F91F08A53ADB0A07B45CF38C5528700

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wermgr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: wermgr.exePID: 3560, Parent PID: 1244

General

Chronological Activities

Disassembly

Analysis Process: wermgr.exePID: 3560, Parent PID: 1244COMMON

Non-executed Functions

Function 000000013FC27290 Relevance: 191.6, APIs: 68, Strings: 41, Instructions: 867sleepCOMMON

Function 000000013FC2D2A4 Relevance: 67.0, APIs: 37, Strings: 1, Instructions: 462fileCOMMON

Function 000000013FC31528 Relevance: 51.2, APIs: 28, Strings: 1, Instructions: 457fileCOMMON

Function 000000013FC34278 Relevance: 49.6, APIs: 14, Strings: 14, Instructions: 562registryCOMMON

Windows Analysis Report
wermgr.exe