Edit tour

Windows Analysis Report
6Pk1nTmcHN.exe

Overview

General Information

Sample name:	6Pk1nTmcHN.exe renamed because original name is a hash value
Original sample name:	21f77e85724543222e6cd3089fc7c741373b4b4362d25b103490c7ce84d20cda.exe
Analysis ID:	1509585
MD5:	d0d55a8f4965a4d3f661b3ea268f578b
SHA1:	a063be1a85bba3ffc65554d3b4c0ae1a45638451
SHA256:	21f77e85724543222e6cd3089fc7c741373b4b4362d25b103490c7ce84d20cda
Tags:	62-192-173-45exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to debug other processes

Contains functionality to delete services

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

6Pk1nTmcHN.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\6Pk1nTmcHN.exe" MD5: D0D55A8F4965A4D3F661B3EA268F578B)

WerFault.exe (PID: 1184 cmdline: C:\Windows\system32\WerFault.exe -u -p 2308 -s 1292 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6Pk1nTmcHN.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_000000014005A7A0 RegOpenKeyExW,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

0_2_000000014005A7A0

Source:

Binary string: C:\BUILD\work\e0dd96435fde7cb0\BUILDS\Release\x64\avDump.pdb source: 6Pk1nTmcHN.exe

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: weblineinfo.com

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues0
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues?K
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesrue

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_3_0053D65A NtAllocateVirtualMemory,	0_3_0053D65A
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_3_0053D6CA NtProtectVirtualMemory,	0_3_0053D6CA
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400026F0 GetFileAttributesW,CreateFileW,NtSystemDebugControl,CloseHandle,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,	0_2_00000001400026F0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400597D0 NtOpenKey,NtQueryKey,NtDeleteKey,NtClose,RegCloseKey,SetLastError,	0_2_00000001400597D0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140059900 NtQueryKey,NtDeleteKey,NtClose,RegCloseKey,SetLastError,	0_2_0000000140059900
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140059C10 RegCloseKey,SetLastError,RegSetValueExW,RegCloseKey,SetLastError,NtClose,	0_2_0000000140059C10
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02317A50 NtSetContextThread,	0_2_02317A50
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02334360 NtCreateThreadEx,	0_2_02334360
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02334740 NtFreeVirtualMemory,	0_2_02334740
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0231F3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,	0_2_0231F3A0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02334FF0 NtQueueApcThread,	0_2_02334FF0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02318149 NtSetContextThread,	0_2_02318149
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023071B0 NtClose,	0_2_023071B0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023345F0 NtDuplicateObject,	0_2_023345F0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023351C0 NtReadVirtualMemory,	0_2_023351C0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0000000140029200: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,

0_2_0000000140029200

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0000000140030ED0 QueryServiceConfig2W,ChangeServiceConfig2W,GetLastError,SetDllDirectoryW,GetModuleHandleW,GetProcAddress,GetFileAttributesW,StartServiceCtrlDispatcherW,GetLastError,OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,SetConsoleCtrlHandler,WaitForSingleObject,RpcServerUnregisterIf,RpcServerUnregisterIf,RpcServerUnregisterIf,OpenSCManagerW,GetModuleFileNameW,CreateServiceW,OpenServiceW,QueryServiceConfig2W,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,CloseServiceHandle,CloseServiceHandle,ChangeServiceConfigW,OpenSCManagerW,OpenServiceW,ControlService,GetLastError,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLastError,GetLastError,_invalid_parameter_noinfo_noreturn,GetLastError,GetLastError,GetLastError,

0_2_0000000140030ED0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014006F0E0	0_2_000000014006F0E0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140099110	0_2_0000000140099110
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014000C200	0_2_000000014000C200
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140048230	0_2_0000000140048230
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400263B0	0_2_00000001400263B0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014005F3E0	0_2_000000014005F3E0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140091420	0_2_0000000140091420
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140014470	0_2_0000000140014470
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014000B5C0	0_2_000000014000B5C0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140089608	0_2_0000000140089608
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140001670	0_2_0000000140001670
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140014699	0_2_0000000140014699
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140008700	0_2_0000000140008700
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014009A738	0_2_000000014009A738
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140099790	0_2_0000000140099790
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014005A7A0	0_2_000000014005A7A0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400367A0	0_2_00000001400367A0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400597D0	0_2_00000001400597D0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400897F0	0_2_00000001400897F0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014001D7F0	0_2_000000014001D7F0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140076810	0_2_0000000140076810
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140015860	0_2_0000000140015860
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014000F8D0	0_2_000000014000F8D0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014002D940	0_2_000000014002D940
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400429D0	0_2_00000001400429D0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400899DC	0_2_00000001400899DC
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014008BA28	0_2_000000014008BA28
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014008AA44	0_2_000000014008AA44
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140040A50	0_2_0000000140040A50
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140048AC0	0_2_0000000140048AC0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140018AF0	0_2_0000000140018AF0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140032B00	0_2_0000000140032B00
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014000CB80	0_2_000000014000CB80
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140089BC4	0_2_0000000140089BC4
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140097BEC	0_2_0000000140097BEC
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140098C60	0_2_0000000140098C60
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014002FD10	0_2_000000014002FD10
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140089DB0	0_2_0000000140089DB0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014008BDF4	0_2_000000014008BDF4
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014005EE20	0_2_000000014005EE20
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140092E14	0_2_0000000140092E14
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140094E30	0_2_0000000140094E30
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140030ED0	0_2_0000000140030ED0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_00000001400A3F0C	0_2_00000001400A3F0C
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140072F20	0_2_0000000140072F20
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140042F80	0_2_0000000140042F80
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140089F98	0_2_0000000140089F98
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_000000014000AFE0	0_2_000000014000AFE0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02327220	0_2_02327220
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02330210	0_2_02330210
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023116A0	0_2_023116A0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023142A0	0_2_023142A0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023282A0	0_2_023282A0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023266E0	0_2_023266E0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0231BED0	0_2_0231BED0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023066C0	0_2_023066C0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0230A730	0_2_0230A730
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02332F60	0_2_02332F60
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02331F40	0_2_02331F40
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02322BB0	0_2_02322BB0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023213A3	0_2_023213A3
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0231CBE0	0_2_0231CBE0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0232FBC0	0_2_0232FBC0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02332812	0_2_02332812
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02331490	0_2_02331490
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0231B4E0	0_2_0231B4E0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02319120	0_2_02319120
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02309500	0_2_02309500
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0231A100	0_2_0231A100
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02305D60	0_2_02305D60
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02324550	0_2_02324550
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_02314DB0	0_2_02314DB0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0232B5E0	0_2_0232B5E0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023255E0	0_2_023255E0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023099D0	0_2_023099D0
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_023155C0	0_2_023155C0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: String function: 00000001400142A0 appears 74 times

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2308 -s 1292

Source: 6Pk1nTmcHN.exe	Binary or memory string: OriginalFilename vs 6Pk1nTmcHN.exe
Source: 6Pk1nTmcHN.exe	Binary or memory string: OriginalFilenameavDump.exe* vs 6Pk1nTmcHN.exe

Source: 6Pk1nTmcHN.exe

Binary string: Unable to retrieve the path of the module!Unable to store the path of the module!Unable to get the path of the module!SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppDataUnable to retrieve a path of the known folder ({})!%LOCALAPPDATA%%APPDATA%ProgramFilesSOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirCommonProgramFilesCommonFilesDir\\?\Unable to convert NT path '{}' to a volume GUID path!Unable to enumerate volumes!\Device\LanmanRedirector\Unable to retrieve volume paths for volume '{}'!\SystemRoot\\Device\Mup\WSL ProcessString environment expansion failed due to unexpected buffer sizeString environment expansion failedCannot open registry keyCannot create registry keyUnable to open registry key handle using NtOpenKeyCannot delete registry keyCannot query kernel mode registry key pathCannot delete registry valueCannot delete registry key treeCannot write key valueCannot query registry valueCannot query registry value dataCannot query registry value sizeCannot query registry data due to value changed too oftenbad variant access0

Source: classification engine

Classification label: mal60.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

0_2_000000014005A7A0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: QueryServiceConfig2W,ChangeServiceConfig2W,GetLastError,SetDllDirectoryW,GetModuleHandleW,GetProcAddress,GetFileAttributesW,StartServiceCtrlDispatcherW,GetLastError,OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,SetConsoleCtrlHandler,WaitForSingleObject,RpcServerUnregisterIf,RpcServerUnregisterIf,RpcServerUnregisterIf,OpenSCManagerW,GetModuleFileNameW,CreateServiceW,OpenServiceW,QueryServiceConfig2W,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,CloseServiceHandle,CloseServiceHandle,ChangeServiceConfigW,OpenSCManagerW,OpenServiceW,ControlService,GetLastError,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLastError,GetLastError,_invalid_parameter_noinfo_noreturn,GetLastError,GetLastError,GetLastError,

0_2_0000000140030ED0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0231F3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,

0_2_0231F3A0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0000000140048AC0 OpenSCManagerW,OpenServiceW,QueryServiceStatus,RegCloseKey,SetLastError,RegCloseKey,SetLastError,RegCloseKey,SetLastError,RegCloseKey,SetLastError,RegCloseKey,SetLastError,ControlService,StartServiceW,GetLastError,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,

0_2_0000000140048AC0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

0_2_0000000140030ED0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2308

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ad21202d-ad89-4eb7-8a6e-56a08869d5a2

Jump to behavior

Source: 6Pk1nTmcHN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6Pk1nTmcHN.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\6Pk1nTmcHN.exe "C:\Users\user\Desktop\6Pk1nTmcHN.exe"
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2308 -s 1292

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 6Pk1nTmcHN.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 6Pk1nTmcHN.exe

Static file information: File size 1461248 > 1048576

Source: 6Pk1nTmcHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6Pk1nTmcHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6Pk1nTmcHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6Pk1nTmcHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6Pk1nTmcHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6Pk1nTmcHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6Pk1nTmcHN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\BUILD\work\e0dd96435fde7cb0\BUILDS\Release\x64\avDump.pdb source: 6Pk1nTmcHN.exe

Source: 6Pk1nTmcHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6Pk1nTmcHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6Pk1nTmcHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6Pk1nTmcHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6Pk1nTmcHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 6Pk1nTmcHN.exe

Static PE information: real checksum: 0x12d7e1 should be: 0x168df2

Source: 6Pk1nTmcHN.exe	Static PE information: section name: .didat
Source: 6Pk1nTmcHN.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

0_2_0000000140048AC0

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_000000014005A7A0 rdtsc

0_2_000000014005A7A0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

0_2_02324D00

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-52210

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

API coverage: 3.4 %

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.0000000000599000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455368009.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 6Pk1nTmcHN.exe, 00000000.00000002.2455730810.0000000002439000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: 9VmcI
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_000000014005A7A0 rdtsc

0_2_000000014005A7A0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0230CCE0 LdrGetProcedureAddress,

0_2_0230CCE0

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0000000140088100 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0000000140088100

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0000000140015860 OpenProcess,K32GetProcessImageFileNameW,CloseHandle,DebugActiveProcess,DebugSetProcessKillOnExit,WaitForDebugEvent,SetEvent,RtlEnterCriticalSection,RtlLeaveCriticalSection,CloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,OpenProcess,DebugBreakProcess,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,ContinueDebugEvent,CloseHandle,OpenProcess,ReadProcessMemory,OpenThread,GetThreadContext,DebugSetProcessKillOnExit,CloseHandle,CloseHandle,OpenThread,SetThreadToken,CloseHandle,GetThreadContext,GetSystemTimeAsFileTime,GetFileAttributesExW,CloseHandle,DebugActiveProcessStop,_invalid_parameter_noinfo_noreturn,GetLastError,GetLastError,_invalid_parameter_noinfo_noreturn,

0_2_0000000140015860

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140088100 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0000000140088100
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Code function: 0_2_0000000140079AD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0000000140079AD8

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Thread register set: target process: unknown			Jump to behavior
Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe	Thread register set: target process: unknown			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_0000000140079FFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0000000140079FFC

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

Code function: 0_2_02324D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

0_2_02324D00

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\6Pk1nTmcHN.exe

0_2_0000000140030ED0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Service Execution	14 Windows Service	14 Windows Service	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	21 Process Injection	21 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Image File Execution Options Injection	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Image File Execution Options Injection	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6Pk1nTmcHN.exe	16%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://weblineinfo.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
weblineinfo.com	62.192.173.45	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://weblineinfo.com/	6Pk1nTmcHN.exe, 00000000.00000002.2455368009.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.192.173.45	weblineinfo.com	Lithuania		25780	HUGESERVER-NETWORKSUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1509585
Start date and time:	2024-09-11 20:26:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6Pk1nTmcHN.exe renamed because original name is a hash value
Original Sample Name:	21f77e85724543222e6cd3089fc7c741373b4b4362d25b103490c7ce84d20cda.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 19 Number of non-executed functions: 187
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 6Pk1nTmcHN.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
62.192.173.45	49GqFpn1V8.exe	Get hash	malicious	BruteRatel	Browse
	sGfciyumij.exe	Get hash	malicious	BruteRatel	Browse
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
weblineinfo.com	49GqFpn1V8.exe	Get hash	malicious	BruteRatel	Browse	62.192.173.45
	sGfciyumij.exe	Get hash	malicious	BruteRatel	Browse	62.192.173.45
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUGESERVER-NETWORKSUS	49GqFpn1V8.exe	Get hash	malicious	BruteRatel	Browse	62.192.173.45
	sGfciyumij.exe	Get hash	malicious	BruteRatel	Browse	62.192.173.45
	sbuvJk8Zn8.exe	Get hash	malicious	XenoRAT	Browse	2.58.85.196
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
	mirai.spc.elf	Get hash	malicious	Mirai	Browse	171.22.79.159
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	2.58.84.229
	https://denizfirsatgsmtektikbuo.xyz/	Get hash	malicious	HTMLPhisher	Browse	2.58.85.5
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	107.161.53.91

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6Pk1nTmcHN.exe_391e34d76b9d88a1aa9c20e1d1785e9c3c5c724c_505b6263_f3129ac0-c9d0-4e92-929c-882be24afc23\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9442687486897229
Encrypted:	false
SSDEEP:	192:CWgoCmkcAnq2Qy0FfeciIYj4v2zuiFSZ24lO82w0:DCmInq2Q5FfeciIYj5zuiFSY4lO82w0
MD5:	A704680D33C2B55469E937988833680B
SHA1:	EC08D41C16E0BA536D6F0AEAA17C5E1F02C522B0
SHA-256:	4284D4F79FF4769401CE5B08950CC959788971B7044706348EF287C77B621750
SHA-512:	6DF99488EA426A03C1A72D42386007A3CBCF61A1727A3BA83E3F3CDD74C94557D2D126A08FBB373C5AA16FCEC78189D6E54F174D383773433A7D68BFEDF62E68
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.5.5.2.8.8.1.7.2.5.9.8.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.5.5.2.8.8.2.2.7.2.8.6.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.1.2.9.a.c.0.-.c.9.d.0.-.4.e.9.2.-.9.2.9.c.-.8.8.2.b.e.2.4.a.f.c.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.5.4.8.4.4.e.-.3.a.4.e.-.4.f.a.b.-.a.7.b.d.-.1.d.0.a.3.4.4.8.6.0.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.6.P.k.1.n.T.m.c.H.N...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.v.D.u.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.0.4.-.0.0.0.1.-.0.0.1.4.-.0.e.f.0.-.3.7.4.0.7.8.0.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.8.9.d.6.e.4.a.b.5.e.c.c.d.1.6.a.2.8.7.1.6.a.6.4.f.2.6.2.0.f.2.0.0.0.0.0.9.0.4.!.0.0.0.0.a.0.6.3.b.e.1.a.8.5.b.b.a.3.f.f.c.6.5.5.5.4.d.3.b.4.c.0.a.e.1.a.4.5.6.3.8.4.5.1.!.6.P.k.1.n.T.m.c.H.N...e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD980.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 11 18:28:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	135962
Entropy (8bit):	1.4462114707591813
Encrypted:	false
SSDEEP:	384:X6bFnqjJ3K3xmw7nK71U+6W+B0qdgC8Uzl:X6bFnqNK3pbhek0qdgZ8
MD5:	6574B40254ED32EC8BA3AE5970A2A304
SHA1:	26FB01C14CF4A85D0799311FB46E6E03C580E9CA
SHA-256:	6F4FC60140A346B5303D6F61510DAC3693A5D9DC4C32A12E43EACBD4DC96EBB0
SHA-512:	EDC6A90BC0E0E8BB20ADE8E08690422423F11A8BEA912AE9B3AC825EA5BA7B0A7960D7D3AD98989A2B951D2F8A09B6D552CDB9203E5408174E7D7FF446C91A36
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......2..f........................D...............8U..........T.......8...........T............2..B.......................................................................................................eJ..............Lw......................T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAF8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8790
Entropy (8bit):	3.703100657028306
Encrypted:	false
SSDEEP:	192:R6l7wVeJMXt5Vne6Y9+qPOgmf6Hc+YprM89bONcflam:R6lXJMdK6YUqPOgmf6Hc+EOGfJ
MD5:	953FA0AF94B710BCE49E142B4CBB56B3
SHA1:	2BA5E6424FEB5BD745DF3F66E4BD2E1EEEC9A1D4
SHA-256:	B278EDCF2397F116213D6557C4AC563A48B32993193B54689971AAF73F13F6E8
SHA-512:	AC4A687B2310D18E7A43ED9DFB4209A017AB49EAADF7DEB92AF87498D71A84D5FFC429CEFB1CF40BC9827FE70D68570AD8B24B909567EDEDA7BD33B7B509700D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB28.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4717
Entropy (8bit):	4.463971182618637
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+NJg771I9nwayWpW8VY4Ym8M4JASHFUmyq85qZg2UIaWKGd:uIjf+nI70wW7VMJAKJK2UIaWKGd
MD5:	A823F268BDEBE9D56851C635534FA045
SHA1:	E468AA61073D6597EAAB5D498F51B321FA95640E
SHA-256:	CEBE97C00228F5E98C5EE2B9997FEBE9D7CBD353939412324B4E769B8E0D7E22
SHA-512:	C2E846609E6A5BAE74079F5A496C68FBABC5BCDAFF26208324A768DBE316F3E71410F49C2ACB4E2E653AF484170F75E6097C264ACF6AEA0810F37DE766AF3BB9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="495930" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46605234047467
Encrypted:	false
SSDEEP:	6144:aIXfpi67eLPU9skLmb0b4dWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbt:vXD94dWlLZMM6YFHt+t
MD5:	3B66E24B9E30B7C8CF680F88389E6C10
SHA1:	D094AED64E6F503D82C8A4C65BF60D9C0AB75CBF
SHA-256:	0975A274933F53C0CB4A330D0EB2E84ED813B25688A0E8E7679596E8E80E88FA
SHA-512:	41C7337152D7F13961F412DF1236F071AE341F3B5E2DB462AE075F7A3359BC6332A5A0206833880CB9E018FA97B567A7ED7ED62E621E045C0EC415AF8AFA1588
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..Ux..................................................................................................................................................................................................................................................................................................................................................a........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.9455237392770535
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6Pk1nTmcHN.exe
File size:	1'461'248 bytes
MD5:	d0d55a8f4965a4d3f661b3ea268f578b
SHA1:	a063be1a85bba3ffc65554d3b4c0ae1a45638451
SHA256:	21f77e85724543222e6cd3089fc7c741373b4b4362d25b103490c7ce84d20cda
SHA512:	3f63e14ba2b4dfee860ca307a9e5b18cc7119cda03a474f8820cdfd1ac15d003a7f3e6d95af26e08f2d367c7f9b38f64028a234fadb6b54b5c5d5582a45a3a07
SSDEEP:	24576:tCAMa2xF/U2MtmHZD+4of1c2OhTP4KOqh0lhSMXlCTgnbGJkdV4KN7zc01Octq:VMa2xFs2MgHo4of1cPhbLeKgnbGJIV4w
TLSH:	E065BE1A7BAC00F8D1BEC0B88D67591AEA72785543219BDF57E0DE161F63AE05E3E700
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........i.;..oh..oh..oh.zli..oh.zjix.oh.zki..oh...h..oh..ki..oh..li..oh.\|ji..oh..ji..oh.p.h..oh..oh..oh.zni..oh..nhX.oh..fi..oh..oi..o

File Icon


Icon Hash:	cc8d0d191e1e107c

Static PE Info

General

Entrypoint:	0x14005e280
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, GUARD_CF
Time Stamp:	0x65BBAE0A [Thu Feb 1 14:43:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	30c7d68b242fb27be994b0b3521d918b

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F3891024528h
dec eax
add esp, 28h
jmp 00007F38910085F3h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+08h], ecx
push edi
dec eax
sub esp, 20h
dec eax
mov edi, dword ptr [esp+30h]
dec eax
lea edx, dword ptr [0008B7E5h]
dec eax
mov ecx, edi
call 00007F3891009B92h
dec eax
lea eax, dword ptr [0008B856h]
dec eax
mov dword ptr [edi], eax
dec eax
lea ecx, dword ptr [edi+28h]
xor eax, eax
dec eax
mov dword ptr [edi+28h], eax
dec eax
mov dword ptr [edi+30h], eax
call 00007F389100C531h
dec eax
lea ecx, dword ptr [edi+28h]
call 00007F389100C534h
dec eax
mov ebx, dword ptr [esp+38h]
dec eax
mov eax, edi
dec eax
add esp, 20h
pop edi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 68h
dec eax
mov eax, dword ptr [esp+70h]
dec eax
mov ecx, dword ptr [eax+38h]
dec eax
test ecx, ecx
je 00007F38910087C5h
dec eax
mov eax, dword ptr [ecx]
dec eax
mov eax, dword ptr [eax+10h]
call dword ptr [000553ACh]
nop
dec eax
add esp, 68h
ret
call 00007F389100B526h
nop
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+00h], ecx

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x101750	0xe4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x101834	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x119000	0x530cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x10e000	0x8538	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x127448	0x2978	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16d000	0x14c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe9dd4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xea000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd4ae0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb3000	0x6c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1014bc	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb145c	0xb1600	1eaabf70aff8e3cc929bbdbf2e5aad9d	False	0.46967219432699087	data	6.381906257673845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb3000	0x50028	0x50200	ff07adedf636d6bc3ffbc263edcd3727	False	0.40760591361154447	data	5.894067518653125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x104000	0x91f8	0x5e00	91ca1c15198d6861a02e90789db46d34	False	0.14261968085106383	DOS executable (block device driver)	4.538365175655119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x10e000	0x8538	0x8600	d733668419143445c8b94be87defbb16	False	0.49577308768656714	data	5.949404504623925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x117000	0x50	0x200	701067eceeac6e2ef2c50b8ee0c87575	False	0.080078125	data	0.68918657910872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x118000	0x1f4	0x200	0683c4b4834a30f99b0319cb260168db	False	0.53515625	data	4.234704000558715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x119000	0x530cc	0x53200	4a91685c811c0b0ca3dacd69b1653b02	False	0.9509163533834587	data	7.921776188107435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16d000	0x14c0	0x1600	fe11f6a0fd50e632ba0e66abf1859a99	False	0.3915127840909091	data	5.329570431313898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x119328	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.3108108108108108
RT_ICON	0x119450	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.8648843930635838
RT_ICON	0x1199b8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.25806451612903225
RT_ICON	0x119ca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7454873646209387
RT_ICON	0x11a548	0xb6d0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.999423076923077
RT_ICON	0x125c18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7659574468085106
RT_ICON	0x126080	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7971311475409836
RT_ICON	0x126a08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7448405253283302
RT_ICON	0x127ab0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6373443983402489
RT_ICON	0x12a058	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5634152102031176
RT_GROUP_ICON	0x12e280	0x92	data	English	United States	0.6917808219178082
RT_VERSION	0x12e314	0x374	data	English	United States	0.4592760180995475
RT_ANICURSOR	0x12e688	0x3d74a	data			0.9980295723059566
RT_MANIFEST	0x16bdd4	0x2f6	XML 1.0 document, ASCII text, with very long lines (719)	English	United States	0.5158311345646438

Imports

DLL	Import
RPCRT4.dll	NdrClientCall3, NdrServerCall2, RpcStringBindingComposeW, RpcServerUnregisterIf, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, I_RpcBindingInqLocalClientPID, RpcStringFreeW, RpcBindingFromStringBindingW, NdrServerCallAll
SHELL32.dll	SHGetFolderPathW
ntdll.dll	NtSystemDebugControl, VerSetConditionMask, RtlPcToFileHeader, RtlCaptureContext, NtClose, NtOpenKey, NtQueryKey, RtlNtStatusToDosError, NtDeleteKey, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlUnwindEx, RtlUnwind
KERNEL32.dll	GetProcessHeap, HeapFree, SetLastError, GetModuleHandleExW, GetCurrentThreadId, Sleep, LocalFree, SetFilePointerEx, UnlockFileEx, LockFileEx, GetFileSizeEx, ReadFile, CompareStringW, GetCurrentThread, WriteFile, InitializeCriticalSectionEx, FlushFileBuffers, GetFileInformationByHandle, GetFullPathNameW, OutputDebugStringA, FileTimeToSystemTime, GetCurrentProcessId, TlsAlloc, TlsGetValue, TlsSetValue, FreeLibrary, GetSystemInfo, QueryPerformanceFrequency, QueryPerformanceCounter, ExpandEnvironmentStringsW, GetFileAttributesW, LoadLibraryExW, GetWindowsDirectoryW, GetSystemDirectoryW, HeapAlloc, VirtualProtect, HeapReAlloc, GlobalMemoryStatusEx, GetExitCodeThread, TlsFree, MoveFileExW, FindClose, CreateDirectoryW, FindFirstFileExW, FindNextFileW, QueryDosDeviceW, GetEnvironmentVariableW, ReleaseSRWLockExclusive, SetFileInformationByHandle, GetDiskFreeSpaceExW, K32GetMappedFileNameW, FindFirstVolumeW, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, VirtualQuery, GetSystemTimes, GetTickCount64, RaiseException, SleepConditionVariableSRW, GetCommandLineA, GetStdHandle, FreeLibraryAndExitThread, ExitThread, CreateThread, InitializeCriticalSectionAndSpinCount, InterlockedPushEntrySList, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleFileNameW, SetConsoleCtrlHandler, SetDllDirectoryW, WaitForSingleObject, GetProcessId, GetNamedPipeServerProcessId, GetFileTime, MultiByteToWideChar, ContinueDebugEvent, DebugActiveProcessStop, GetFileAttributesExW, GetSystemTimeAsFileTime, ReadProcessMemory, OpenThread, DebugBreakProcess, SetEvent, WaitForDebugEvent, DebugSetProcessKillOnExit, DebugActiveProcess, WideCharToMultiByte, VirtualQueryEx, GetThreadContext, K32GetProcessImageFileNameW, K32GetModuleBaseNameW, K32EnumProcessModules, WaitForMultipleObjects, CreateEventW, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, DeleteFileW, VerifyVersionInfoW, K32GetPerformanceInfo, DeviceIoControl, CreateFileW, GetLastError, CloseHandle, OpenProcess, GetProcAddress, GetModuleHandleW, GetCurrentProcess, TerminateProcess, GetCommandLineW, ExitProcess, GetFileType, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleOutputCP, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, HeapSize, WriteConsoleW, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, GetLocaleInfoEx, LCMapStringEx, EncodePointer, DecodePointer, WakeAllConditionVariable, WakeConditionVariable, GetCPInfo, LoadLibraryExA, GetStringTypeW, WaitForSingleObjectEx, FormatMessageA
USER32.dll	RegisterClassExW, GetClassInfoExW
ADVAPI32.dll	CryptReleaseContext, CryptGenRandom, CryptAcquireContextW, RegDeleteTreeW, RegQueryInfoKeyW, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, RegOpenKeyExW, StartServiceW, QueryServiceStatus, RevertToSelf, ImpersonateSelf, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, CloseServiceHandle, ControlService, ChangeServiceConfigW, CreateServiceW, DeleteService, OpenServiceW, OpenSCManagerW, StartServiceCtrlDispatcherW, ChangeServiceConfig2W, QueryServiceConfig2W, RegisterServiceCtrlHandlerExW, SetServiceStatus, SetThreadToken

Exports

Name	Ordinal	Address
asw_process_storage_allocate_connector	1	0x14005cbe0
asw_process_storage_deallocate_connector	2	0x14005cc10
on_avast_dll_unload	3	0x140056660
onexit_register_connector_avast_2	4	0x14005c9e0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 20:27:30.357014894 CEST	49730	443	192.168.2.4	62.192.173.45
Sep 11, 2024 20:27:30.357105017 CEST	443	49730	62.192.173.45	192.168.2.4
Sep 11, 2024 20:27:30.357225895 CEST	49730	443	192.168.2.4	62.192.173.45
Sep 11, 2024 20:27:30.365940094 CEST	49730	443	192.168.2.4	62.192.173.45
Sep 11, 2024 20:27:30.365974903 CEST	443	49730	62.192.173.45	192.168.2.4
Sep 11, 2024 20:28:02.483127117 CEST	49730	443	192.168.2.4	62.192.173.45

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 20:27:30.177025080 CEST	54675	53	192.168.2.4	1.1.1.1
Sep 11, 2024 20:27:30.351072073 CEST	53	54675	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 11, 2024 20:27:30.177025080 CEST	192.168.2.4	1.1.1.1	0x9bbb	Standard query (0)	weblineinfo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 11, 2024 20:27:30.351072073 CEST	1.1.1.1	192.168.2.4	0x9bbb	No error (0)	weblineinfo.com		62.192.173.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:27:25
Start date:	11/09/2024
Path:	C:\Users\user\Desktop\6Pk1nTmcHN.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\6Pk1nTmcHN.exe"
Imagebase:	0x140000000
File size:	1'461'248 bytes
MD5 hash:	D0D55A8F4965A4D3F661B3EA268F578B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:28:01
Start date:	11/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2308 -s 1292
Imagebase:	0x7ff7f81a0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	99.2%
Signature Coverage:	29.9%
Total number of Nodes:	923
Total number of Limit Nodes:	36

Executed Functions

Function 02324D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 02324D92
GetComputerNameExW.KERNELBASE ref: 02324DA7
GetComputerNameExW.KERNELBASE ref: 02324DD6
GetTokenInformation.KERNELBASE ref: 02324E12
GetNativeSystemInfo.KERNELBASE ref: 02324EC4
GetAdaptersInfo.IPHLPAPI ref: 02324FB0
GetAdaptersInfo.IPHLPAPI ref: 02324FF5

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
String ID:
API String ID: 1596153048-0
Opcode ID: 734901508a68811e876b4a3c5d65e8c7476ff381839600de737bf5e9afc0d482
Instruction ID: d2cbb88933b55a9fa0dfc3f03c848f18925cf3217a285f7feb5c1ab8f47b4862
Opcode Fuzzy Hash: 734901508a68811e876b4a3c5d65e8c7476ff381839600de737bf5e9afc0d482
Instruction Fuzzy Hash: 93917431218B488FEB65EB14D8557DAB7E6FBD4700F40852DE94AC3290DB78EA45CB83

Function 0231F3A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0231F406
Thread32First.KERNEL32 ref: 0231F42B
Thread32Next.KERNEL32 ref: 0231F602

Strings

0, xrefs: 0231F47E

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: Thread32$CreateFirstNextSnapshotToolhelp32
String ID: 0
API String ID: 3779972765-4108050209
Opcode ID: 6a3b6698b668788de6e2e14965d81c56222b994650be3d337df0d4b3b48050f1
Instruction ID: d0b5504f88d9410a2ed689bf480ca039c756c17d3046b3f12396c9270f57f476
Opcode Fuzzy Hash: 6a3b6698b668788de6e2e14965d81c56222b994650be3d337df0d4b3b48050f1
Instruction Fuzzy Hash: 51619130218B888FD7A4EF29D854BAAF7E6FB88304F50456DE58EC3251DB74E545CB42

Function 0230CCE0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 0230CDB2

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction ID: e679209bb6d31c641c2fbb3017cb23a4c125bcc92ba805a45e2b082802dc3d99
Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction Fuzzy Hash: 7631C471128B488BC7689F08DC866BAB7E4FB85311F50162FE58AC3651E630F8468BD7

Function 023071B0 Relevance: .1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d6cbcc5dfeb1084a9cc122a67364a682b6f2504e530092aaea3ef2afdda240
Instruction ID: 73e9ac730e88868a771b08ed5845479a74c0e6ece9d6cf64f39870defdeafa7f
Opcode Fuzzy Hash: 62d6cbcc5dfeb1084a9cc122a67364a682b6f2504e530092aaea3ef2afdda240
Instruction Fuzzy Hash: 0A418670128B488FE358DF28D8997AAB7E1FB48315F50466DE45AC32D5CB78D846CB81

Function 02334360 Relevance: .1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction ID: 9c3064f493beb86f2150d1a5c71e44ffe6b4acf3a78e770ee7c7df0d8eeec614
Opcode Fuzzy Hash: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction Fuzzy Hash: CA411DB151CB488FD7749F0CA8466EAB7E0FB99720F00492FD5C983211DB75A4428BC3

Function 023345F0 Relevance: .1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction ID: a2e7de945c38aed6485feb77d58f6e9f9b03894b33f8e6dd0d03b94b153358fb
Opcode Fuzzy Hash: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction Fuzzy Hash: 7B21817161DB489FE714DF08D846AAAB7E5FB88725F20091FE589C3320D7749480CB83

Function 023351C0 Relevance: .1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction ID: 27e89f9916e18db6f7560ec66f0224b2a347e887c9110e14b0509c7180a0e8be
Opcode Fuzzy Hash: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction Fuzzy Hash: 8E110670668B488FDB14DF089846ABAB3E4F78C315F80481EE889C3650D775D580CB83

Function 02317A50 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction ID: 1857e25dfa6faaa42e188918da49d1e5e642649d571089b4d7cc6abbcd192cbe
Opcode Fuzzy Hash: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction Fuzzy Hash: CB110270128B885FE7289B1CD84A376B3D5F789314F58051DE989C23C0DBB592888A83

Function 02334FF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction ID: d3a11c2e6be095b0b74aa1088ef2b7726dd592dad5b65d2d588163ccda2b882d
Opcode Fuzzy Hash: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction Fuzzy Hash: 34117370618B498FDB149F589846BAAB7E4F75C755F80081EE889C2650D7769580CAC3

Function 02334740 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction ID: 827d51592c9d65258b527738403e58bc58772cf8a1453ecb3757dd93434e7533
Opcode Fuzzy Hash: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction Fuzzy Hash: 9D01B530628B458FEB08EB1894576B677F2FB89714F10491EE59AC3750DB39EA418B83

Function 0053D65A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1717833671.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_500000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction ID: 4ea7449681efce282d2670d86deeb029b1950ded4b223f0d262e585cfb931f00
Opcode Fuzzy Hash: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction Fuzzy Hash: 80F044B0628B448BD744DF2984CA6357BE1FBDC755F24452EE899C7361CB359842CB43

Function 0053D6CA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1717833671.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_500000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction ID: addb20d51f7e1123cb2fe26cb62f261bcd7b5fe4b925cc89dce0e44594c390fd
Opcode Fuzzy Hash: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction Fuzzy Hash: 59F08270A28F444BCB04AF2C884A63A77E1FBE8645F54462EE848D7361DB35E942CB43

Function 02318149 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction ID: 9cab7961c947c0c4920e7d91043c74581c24ec598b89dad951f2ed48e57c2e44
Opcode Fuzzy Hash: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction Fuzzy Hash: B7D0A97248DB188EE7309AA8F8833E8B3D0F780328F80482EC18CC2002D63E40468B06

Function 02307830 Relevance: 7.8, APIs: 5, Instructions: 340
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 0230788A
InternetConnectW.WININET ref: 023078CB
HttpOpenRequestW.WININET ref: 0230791F
HttpSendRequestA.WININET ref: 023079DA
InternetCloseHandle.WININET ref: 02307B11

Part of subcall function 0232B4E0: RtlFreeHeap.NTDLL ref: 0232B51D

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: Internet$HttpOpenRequest$CloseConnectFreeHandleHeapSend
String ID:
API String ID: 3224957877-0
Opcode ID: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction ID: fa8515a770b55e0f3191c72cb9c9c2d6d16f5cbe46f6099685f7caa55802a448
Opcode Fuzzy Hash: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction Fuzzy Hash: E9A1B630228A098FDB24EF19D8A576BF7E5FB98344F04456DD84AC3291DF74E845CB92

Function 0053C24A Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 0053C4B4

Memory Dump Source

Source File: 00000000.00000003.1717833671.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_500000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction ID: 942d3d408808ab8b33129023ebd1494536d369ce030809ab161135f4121942f5
Opcode Fuzzy Hash: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction Fuzzy Hash: D5A1953161CB088FDB54EF1CD885BAABBE1FB98710F50456DE48AC7265DB34E845CB82

Function 02308ED0 Relevance: 1.9, APIs: 1, Instructions: 410
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNELBASE ref: 02308F00

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction ID: ea25e62750799ec1ad0867afdb4d48029559ea1d52fff70e0dab5d1c0f7255c3
Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction Fuzzy Hash: 37E10071518A0D8FE751EF14E894BA6BBF4F768340F60467BE84EC3264DB389245CB86

Function 02318C60 Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFiber.KERNELBASE ref: 02318E01

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: CreateFiber
String ID:
API String ID: 3765768292-0
Opcode ID: 93f026081dbdd0704688566a40b49887aa3b7977c0bffc28660abc2339b77c2a
Instruction ID: e831167a29fcd7a46cac08c4adab1b257d45c0532a2f53e3f5a488d3fd229990
Opcode Fuzzy Hash: 93f026081dbdd0704688566a40b49887aa3b7977c0bffc28660abc2339b77c2a
Instruction Fuzzy Hash: 4A51F731618E184FEB6CAF289C5976573D5FB58310F20032AE99BC31E1DB3498428BC6

Function 000000014009A1B0 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,0000000140098926,?,?,?,000000014008808F,?,?,00000000,000000014008832A), ref: 000000014009A205

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9f54f83c219c4149c215936c9b1e3b5a93792f556c5099100a8e44297067ea87
Instruction ID: feed11c58d774232235c950f9d55905fdae63acc7960014812c9abe5af6e187b
Opcode Fuzzy Hash: 9f54f83c219c4149c215936c9b1e3b5a93792f556c5099100a8e44297067ea87
Instruction Fuzzy Hash: B2F0BEB034260040FE9B9BA799013E612946B9EBC4F4C44307F0A873F2EE3CC8808260

Function 0232B4E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 0232B51D

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction ID: d1295094617ef2e9d0083dfd8bf41cb798ec88147c495ff06539f0c078a8e757
Opcode Fuzzy Hash: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction Fuzzy Hash: 33F03030310A188FEB18E7BAACC877177E7FB9C3457448054A445CA154DB38D445CB41

Non-executed Functions

Function 0000000140030ED0 Relevance: 148.2, APIs: 49, Strings: 35, Instructions: 1153servicelibraryloaderCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32 ref: 0000000140030F0F
ChangeServiceConfig2W.ADVAPI32 ref: 0000000140030F35
GetLastError.KERNEL32 ref: 0000000140030F52
SetDllDirectoryW.KERNEL32 ref: 0000000140030FD0
GetModuleHandleW.KERNEL32 ref: 0000000140030FDD
GetProcAddress.KERNEL32 ref: 0000000140030FED
GetFileAttributesW.KERNEL32 ref: 0000000140031081
StartServiceCtrlDispatcherW.ADVAPI32 ref: 0000000140031539
GetLastError.KERNEL32 ref: 0000000140031547
OpenSCManagerW.ADVAPI32 ref: 00000001400315EE
OpenServiceW.ADVAPI32 ref: 0000000140031624
DeleteService.ADVAPI32 ref: 000000014003163D
GetLastError.KERNEL32 ref: 000000014003164B

Part of subcall function 000000014008D5A4: _invalid_parameter_noinfo.LIBCMT ref: 000000014008D5C1

GetLastError.KERNEL32 ref: 00000001400316A2
CloseServiceHandle.ADVAPI32 ref: 000000014003173A
GetLastError.KERNEL32 ref: 0000000140031745
CloseServiceHandle.ADVAPI32 ref: 00000001400317D9
SetConsoleCtrlHandler.KERNEL32 ref: 0000000140031904
WaitForSingleObject.KERNEL32 ref: 0000000140031926
RpcServerUnregisterIf.RPCRT4 ref: 0000000140031939
RpcServerUnregisterIf.RPCRT4 ref: 000000014003194C
RpcServerUnregisterIf.RPCRT4 ref: 000000014003195F
OpenSCManagerW.ADVAPI32 ref: 0000000140031A4A
GetModuleFileNameW.KERNEL32 ref: 0000000140031AD5
CreateServiceW.ADVAPI32 ref: 0000000140031DA9
RpcStringBindingComposeW.RPCRT4 ref: 0000000140031FF9
RpcBindingFromStringBindingW.RPCRT4 ref: 0000000140032014
RpcStringFreeW.RPCRT4 ref: 000000014003202F
CloseServiceHandle.ADVAPI32 ref: 0000000140032096
CloseServiceHandle.ADVAPI32 ref: 00000001400320B3

Part of subcall function 0000000140030ED0: OpenServiceW.ADVAPI32 ref: 0000000140031E09
Part of subcall function 0000000140030ED0: QueryServiceConfig2W.ADVAPI32 ref: 0000000140031E4D

OpenSCManagerW.ADVAPI32 ref: 000000014003217D
OpenServiceW.ADVAPI32 ref: 00000001400321B3
ControlService.ADVAPI32 ref: 00000001400321DD
GetLastError.KERNEL32 ref: 00000001400321EB
CloseServiceHandle.ADVAPI32 ref: 0000000140032313

Part of subcall function 00000001400128B0: VerSetConditionMask.NTDLL ref: 0000000140012922
Part of subcall function 00000001400128B0: VerSetConditionMask.NTDLL ref: 0000000140012931
Part of subcall function 00000001400128B0: VerSetConditionMask.NTDLL ref: 0000000140012940
Part of subcall function 00000001400128B0: VerifyVersionInfoW.KERNEL32 ref: 0000000140012961

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003258D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140032593
GetLastError.KERNEL32 ref: 0000000140032599
GetLastError.KERNEL32 ref: 00000001400325CA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140032600
GetLastError.KERNEL32 ref: 0000000140032606
GetLastError.KERNEL32 ref: 0000000140032656
GetLastError.KERNEL32 ref: 00000001400326FB

Strings

Unable to create service '{}'!, xrefs: 000000014003260C
/unregister, xrefs: 0000000140032146
" /runassvc, xrefs: 0000000140031C5C
Unable to open service '{}'!, xrefs: 000000014003265C
StartServer failure: retval={}, xrefs: 00000001400319C0
AvDumper, xrefs: 000000014003123B, 0000000140031E9B
Logs, xrefs: 000000014003102A
Debugger app is starting., xrefs: 000000014003187B
RpcSS, xrefs: 0000000140031D63
StartServiceCtrlDispatcher failure: gle={}, xrefs: 000000014003159A
ncalrpc, xrefs: 0000000140031FF0
/runasapp, xrefs: 00000001400317F4
Unable to modify debugger service binary path!, xrefs: 0000000140032703
:, xrefs: 000000014003224D
6373, xrefs: 0000000140032333
DeleteService(self) failure: gle={}, xrefs: 000000014003168D
ProfSvc_Group, xrefs: 0000000140031D74, 0000000140032111
OpenSCManager failure: gle={}, xrefs: 0000000140031798, 0000000140032371
E502, xrefs: 0000000140031439
OpenService failure: gle={}, xrefs: 00000001400316E4, 00000001400322CE
kernel32.dll, xrefs: 0000000140030FD6
Unable to modify debugger service configuration using c_ChangeConfig!, xrefs: 00000001400326D0
RpcSs, xrefs: 0000000140032100
Unable to set debug service as antimalware process!, xrefs: 0000000140030F5A
ServicesActive, xrefs: 00000001400315E5, 0000000140031A41, 0000000140032174
SetDefaultDllDirectories, xrefs: 0000000140030FE6
/register, xrefs: 0000000140031A12
SYSTEM\CurrentControlSet\Services\, xrefs: 0000000140032407
Unable to create debugger rpc endpoint!, xrefs: 00000001400326A6
Unable to query own process module path!, xrefs: 00000001400325D2
ControlService(SERVICE_CONTROL_UNREGISTER) failure: gle={}, xrefs: 000000014003223E
Debugger service is starting., xrefs: 000000014003147A
/runassvc, xrefs: 00000001400313F3
Unable to open the service control manager!, xrefs: 00000001400325A1
*, xrefs: 00000001400315A9

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Service$ErrorLast$HandleOpen$Close$BindingConditionConfig2ManagerMaskServerStringUnregister_invalid_parameter_noinfo_noreturn$CtrlFileModuleQuery$AddressAttributesChangeComposeConsoleControlCreateDeleteDirectoryDispatcherFreeFromHandlerInfoNameObjectProcSingleStartVerifyVersionWait_invalid_parameter_noinfo
String ID: " /runassvc$*$/register$/runasapp$/runassvc$/unregister$6373$:$AvDumper$ControlService(SERVICE_CONTROL_UNREGISTER) failure: gle={}$Debugger app is starting.$Debugger service is starting.$DeleteService(self) failure: gle={}$E502$Logs$OpenSCManager failure: gle={}$OpenService failure: gle={}$ProfSvc_Group$RpcSS$RpcSs$SYSTEM\CurrentControlSet\Services\$ServicesActive$SetDefaultDllDirectories$StartServer failure: retval={}$StartServiceCtrlDispatcher failure: gle={}$Unable to create debugger rpc endpoint!$Unable to create service '{}'!$Unable to modify debugger service binary path!$Unable to modify debugger service configuration using c_ChangeConfig!$Unable to open service '{}'!$Unable to open the service control manager!$Unable to query own process module path!$Unable to set debug service as antimalware process!$kernel32.dll$ncalrpc
API String ID: 3192065050-1795711860
Opcode ID: ea9b68894bb3cbd4bb5cf007b3b3174e66252b921e17b0a0989a0938eb955c47
Instruction ID: 932e22e956f5bd5acfd8ba59a66f833d8126d0bb355dcdbcc5ae485dd3a19278
Opcode Fuzzy Hash: ea9b68894bb3cbd4bb5cf007b3b3174e66252b921e17b0a0989a0938eb955c47
Instruction Fuzzy Hash: 3BD24D72619BC496EB62DF26E8503DA73A0F78DB80F508115EB8D43AB9DF38C585CB40

Function 0000000140015860 Relevance: 132.8, APIs: 40, Strings: 35, Instructions: 1543threadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000000014001592C
K32GetProcessImageFileNameW.KERNEL32 ref: 000000014001597C
CloseHandle.KERNEL32 ref: 000000014001599E
DebugActiveProcess.KERNEL32 ref: 0000000140015A3C
DebugSetProcessKillOnExit.KERNEL32 ref: 0000000140015B15
WaitForDebugEvent.KERNEL32 ref: 0000000140015B79
SetEvent.KERNEL32 ref: 0000000140015D44
RtlEnterCriticalSection.NTDLL ref: 0000000140015D70
RtlLeaveCriticalSection.NTDLL ref: 0000000140015D9E
CloseHandle.KERNEL32 ref: 0000000140015F88
RtlEnterCriticalSection.NTDLL ref: 0000000140016327
RtlLeaveCriticalSection.NTDLL ref: 00000001400163F4
OpenProcess.KERNEL32 ref: 000000014001643A
DebugBreakProcess.KERNEL32 ref: 000000014001644B
CloseHandle.KERNEL32 ref: 0000000140016467
OpenProcess.KERNEL32 ref: 00000001400164E1
K32EnumProcessModules.KERNEL32 ref: 000000014001650C
K32GetModuleBaseNameW.KERNEL32 ref: 000000014001655B
CloseHandle.KERNEL32 ref: 0000000140016590
ContinueDebugEvent.KERNEL32 ref: 00000001400165D5
CloseHandle.KERNEL32 ref: 00000001400165F9
ReadProcessMemory.KERNEL32 ref: 0000000140016811
OpenThread.KERNEL32 ref: 0000000140016A8D
GetThreadContext.KERNEL32 ref: 0000000140016B0D

Part of subcall function 0000000140013F60: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140013FC1

CloseHandle.KERNEL32 ref: 0000000140016CDA
OpenProcess.KERNEL32 ref: 0000000140016760

Part of subcall function 00000001400049C0: __std_exception_destroy.LIBVCRUNTIME ref: 0000000140004A98

DebugActiveProcessStop.KERNEL32 ref: 000000014001769F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140017783
GetLastError.KERNEL32 ref: 0000000140017789
GetLastError.KERNEL32 ref: 000000014001781E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001788F

Strings

unp%u%ux-manual.mdmp, xrefs: 00000001400170E5
Process exited: {}, PID: {}, Exit Code: {}, xrefs: 000000014001600C
EXCEPTION_DEBUG_EVENT Process:{} Thread:{} Exception:0x{:08X} FirstChance:{} ExceptionFlags:0x{:08X}, xrefs: 000000014001617C
F59A, xrefs: 0000000140015A52
689A, xrefs: 0000000140015BBB
Debugger attached to process: , xrefs: 0000000140015AC3
689A, xrefs: 0000000140016137
689A, xrefs: 0000000140015A78
U, xrefs: 0000000140017433
F59A, xrefs: 0000000140015B92
Unable to disable kill on exit, xrefs: 00000001400177FA
Unable to start debugging of process with id {}, error code: {}, xrefs: 0000000140017793
Cause: VectoredExceptionHandler, xrefs: 0000000140016676, 00000001400169A1
F59A, xrefs: 00000001400173B6
d, xrefs: 000000014001618B
RIP_EVENT occurred {}:{}!, xrefs: 0000000140015E51
689A, xrefs: 00000001400176DD
689A, xrefs: 0000000140015FC7
Debugger exception 0x{:08X} successfully dumped process {} into '{}' (dump level: {}), xrefs: 0000000140017424
H, xrefs: 0000000140017837
unp%u%ux-unhandled.mdmp, xrefs: 00000001400170F4
PID: , xrefs: 0000000140015AE7
Debugging of own process is not supported, xrefs: 0000000140017721
Unable to wait for debugging event of process with id {}, error code: {}, xrefs: 0000000140017828
- Cause: , xrefs: 0000000140016895
F59A, xrefs: 0000000140015DE3
689A, xrefs: 00000001400173DF
689A, xrefs: 0000000140015E0C
F59A, xrefs: 0000000140015F9E
F59A, xrefs: 000000014001610E
*, xrefs: 000000014001601B
@, xrefs: 0000000140017290
Event:{} Process:{} Thread:{}, xrefs: 0000000140015C00
F59A, xrefs: 00000001400176B7
verifier.dll, xrefs: 0000000140016565

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Process$CloseDebugHandle$Open$CriticalSection$Event_invalid_parameter_noinfo_noreturn$ActiveEnterErrorLastLeaveNameThread$BaseBreakContextContinueEnumExitFileImageKillMemoryModuleModulesReadStopWait__std_exception_destroy
String ID: - Cause: $ PID: $*$689A$689A$689A$689A$689A$689A$689A$@$Cause: VectoredExceptionHandler$Debugger attached to process: $Debugger exception 0x{:08X} successfully dumped process {} into '{}' (dump level: {})$Debugging of own process is not supported$EXCEPTION_DEBUG_EVENT Process:{} Thread:{} Exception:0x{:08X} FirstChance:{} ExceptionFlags:0x{:08X}$Event:{} Process:{} Thread:{}$F59A$F59A$F59A$F59A$F59A$F59A$F59A$H$Process exited: {}, PID: {}, Exit Code: {}$RIP_EVENT occurred {}:{}!$U$Unable to disable kill on exit$Unable to start debugging of process with id {}, error code: {}$Unable to wait for debugging event of process with id {}, error code: {}$d$unp%u%ux-manual.mdmp$unp%u%ux-unhandled.mdmp$verifier.dll
API String ID: 1934789087-895941338
Opcode ID: 52befe47cdb3fd150a0f9306a4cabdf493931040b5e64e686eb257149541a435
Instruction ID: 0058b21d05951af80c70cb3c119dfb6efd6361c6d656cde952f6fdf10c487868
Opcode Fuzzy Hash: 52befe47cdb3fd150a0f9306a4cabdf493931040b5e64e686eb257149541a435
Instruction Fuzzy Hash: EC037C72609BC486E732DB26E5403DEB3A0F799784F508216EBCC47AA9DF39D584CB40

Function 0000000140001670 Relevance: 79.6, APIs: 22, Strings: 23, Instructions: 863libraryloaderfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400016D0
GetProcAddress.KERNEL32 ref: 00000001400016E3
GetProcAddress.KERNEL32 ref: 00000001400016F6
GetProcAddress.KERNEL32 ref: 0000000140001709
OpenProcess.KERNEL32 ref: 0000000140001739
GetFileAttributesW.KERNEL32 ref: 000000014000175E
CreateFileW.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 0000000140001980
DeviceIoControl.KERNEL32 ref: 00000001400019D4
K32GetPerformanceInfo.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 0000000140001B5D
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 0000000140001D3F
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 0000000140001DFA
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 00000001400020C9
CloseHandle.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 000000014000245D
CloseHandle.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 000000014000246B
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 00000001400024B4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140039C08), ref: 0000000140002554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000259A
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140039C08), ref: 00000001400025A0
GetLastError.KERNEL32 ref: 0000000140002631
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002680
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002686
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000268C

Strings

PssCaptureSnapshot, xrefs: 00000001400016D9
PssFreeSnapshot, xrefs: 00000001400016EC
Dump file {} already exists, xrefs: 00000001400025F1
dmp, xrefs: 000000014000180B
9CC4, xrefs: 000000014000251B
PerfInfo [MB]: CommitTotal: %llu, CommitLimit: %llu, PhysAvail: %llu, KrnlPaged: %llu, KrnlNonPaged: %llu, Handles: %u, Processe, xrefs: 0000000140001C17
Dumped by AvDump, xrefs: 0000000140001AF5
PssQuerySnapshot, xrefs: 00000001400016FF
Failed to dump process with error {:#x}, retrying with minimal content settings..., xrefs: 00000001400020CF
E26A, xrefs: 0000000140001F0C
E26A, xrefs: 000000014000252B
Failed to dump process with error {:#x}, retrying with limited dump content settings..., xrefs: 0000000140001E00
Failed to open process with id {}, error code: {}, xrefs: 00000001400025AA
MiniDumpWriteDump failed, error: {}, xrefs: 000000014000255E
Failed to dump process with error {:#x}, xrefs: 00000001400024BF
mdmp, xrefs: 00000001400018CA
Dump file '{}' could not be created, error code: {}, xrefs: 000000014000263B
kernel32.dll, xrefs: 00000001400016C9
1, xrefs: 00000001400025B6
dump, xrefs: 0000000140002530
9CC4, xrefs: 0000000140001F13
E26A, xrefs: 00000001400021DB
9CC4, xrefs: 00000001400021E2

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLast$_invalid_parameter_noinfo_noreturn$AddressHandleProc$CloseFile$AttributesControlCreateDeviceInfoModuleOpenPerformanceProcess
String ID: PerfInfo [MB]: CommitTotal: %llu, CommitLimit: %llu, PhysAvail: %llu, KrnlPaged: %llu, KrnlNonPaged: %llu, Handles: %u, Processe$1$9CC4$9CC4$9CC4$Dump file '{}' could not be created, error code: {}$Dump file {} already exists$Dumped by AvDump$E26A$E26A$E26A$Failed to dump process with error {:#x}$Failed to dump process with error {:#x}, retrying with limited dump content settings...$Failed to dump process with error {:#x}, retrying with minimal content settings...$Failed to open process with id {}, error code: {}$MiniDumpWriteDump failed, error: {}$PssCaptureSnapshot$PssFreeSnapshot$PssQuerySnapshot$dmp$dump$kernel32.dll$mdmp
API String ID: 376777773-3630350583
Opcode ID: 3fb77e9cb2fcd3bb1a688ff8889f6d9e8b069020ce7dcae4adb0504b958aed3d
Instruction ID: d5e5fab381148c1bff7a856c653db2bd1001b950a7f209c7094abfbe4ae606ec
Opcode Fuzzy Hash: 3fb77e9cb2fcd3bb1a688ff8889f6d9e8b069020ce7dcae4adb0504b958aed3d
Instruction Fuzzy Hash: 65A24672600BC49AEB62CF36E8843DD33A5F748798F504216EB9D5BAA9DF34C695C340

Function 000000014002D940 Relevance: 75.3, APIs: 13, Strings: 29, Instructions: 1787COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F6B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F6BE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F71E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F7FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F802
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F808

Part of subcall function 0000000140013F60: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140013FC1

Strings

create dump containing process handle information, xrefs: 000000014002DBEF
pid, xrefs: 000000014002DAA3, 000000014002E0A9, 000000014002E58A, 000000014002ED9B
flood control - minimal interval in minutes to elapse since saving last dump. Default is 60., xrefs: 000000014002DC73
address of the exception pointers structure, xrefs: 000000014002DB8C
thread ID that caused the exception, xrefs: 000000014002DBAD
create live kernel memory dump, xrefs: 000000014002DAB2
data_segs, xrefs: 000000014002DC1A, 000000014002F3F4, 000000014002F4CD
Not enough arguments supplied, xrefs: 000000014002F74A, 000000014002F7BD
min_interval, xrefs: 000000014002DC7D, 000000014002F1D7, 000000014002F2AB
thread_id, xrefs: 000000014002DBB7, 000000014002E71E, 000000014002E929, 000000014002EB3B
kernel, xrefs: 000000014002DAB9, 000000014002DFB4
<, xrefs: 000000014002F2F5
Invalid arguments supplied, xrefs: 000000014002F6C4, 000000014002F777
exception_ptr, xrefs: 000000014002DB96, 000000014002E6E8, 000000014002E89A, 000000014002EC74
filename of dump to generate, xrefs: 000000014002DC31
optional comment to include into dump, xrefs: 000000014002DC52
handle_data, xrefs: 000000014002DBF9, 000000014002F318, 000000014002F392
Command-line usage, xrefs: 000000014002D9ED
process ID to dump, xrefs: 000000014002DA99
dump_level, xrefs: 000000014002DBD8, 000000014002E299, 000000014002E372, 000000014002F0FD, 000000014002F177
this, obviously, xrefs: 000000014002DC8C
attach to process as debugger and watch it for exceptions, xrefs: 000000014002DAD0
Argument dump_file not specified, xrefs: 000000014002F6F1
dbg, xrefs: 000000014002DADA, 000000014002E4B7, 000000014002E790
create dump containing data segments information, xrefs: 000000014002DC10
dump_file, xrefs: 000000014002DC3B, 000000014002E1A7, 000000014002E3D2, 000000014002E63D, 000000014002E961, 000000014002EFD1
help, xrefs: 000000014002DC93, 000000014002DD60
comment, xrefs: 000000014002DC5C, 000000014002EE74, 000000014002EF5E
amount of information to include in minidump. 0 - default, 1 - full memory., xrefs: 000000014002DBCE

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: <$Argument dump_file not specified$Command-line usage$Invalid arguments supplied$Not enough arguments supplied$address of the exception pointers structure$amount of information to include in minidump. 0 - default, 1 - full memory.$attach to process as debugger and watch it for exceptions$comment$create dump containing data segments information$create dump containing process handle information$create live kernel memory dump$data_segs$dbg$dump_file$dump_level$exception_ptr$filename of dump to generate$flood control - minimal interval in minutes to elapse since saving last dump. Default is 60.$handle_data$help$kernel$min_interval$optional comment to include into dump$pid$process ID to dump$this, obviously$thread ID that caused the exception$thread_id
API String ID: 3668304517-1605023467
Opcode ID: 5625fb0db9f62f2a542038e45993453e20a38afa67aa1cf11e76f809a3986bca
Instruction ID: b754154605ab7baf9f5a4d4cad2f16c90aa88233fc16587ab0b277c547277488
Opcode Fuzzy Hash: 5625fb0db9f62f2a542038e45993453e20a38afa67aa1cf11e76f809a3986bca
Instruction Fuzzy Hash: 8403F572614BC481EA22DB26E4843EE6361F7897D4F905116FB9D07AFAEF78C984C740

Function 0000000140048AC0 Relevance: 70.5, APIs: 28, Strings: 12, Instructions: 536servicesleepregistryCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 0000000140048B2B
OpenServiceW.ADVAPI32 ref: 0000000140048B67
QueryServiceStatus.ADVAPI32 ref: 0000000140048BA3

Part of subcall function 0000000140059660: RegOpenKeyExW.ADVAPI32 ref: 000000014005971C
Part of subcall function 0000000140059660: RegCloseKey.ADVAPI32 ref: 000000014005973F
Part of subcall function 0000000140059660: SetLastError.KERNEL32 ref: 000000014005974B

RegCloseKey.ADVAPI32 ref: 0000000140048DB0
SetLastError.KERNEL32 ref: 0000000140048DBC
ControlService.ADVAPI32 ref: 00000001400491BB
StartServiceW.ADVAPI32 ref: 00000001400491D0
GetLastError.KERNEL32 ref: 00000001400491DA
Sleep.KERNEL32 ref: 0000000140049247
QueryServiceStatus.ADVAPI32 ref: 0000000140049257
CloseServiceHandle.ADVAPI32 ref: 000000014004926A
CloseServiceHandle.ADVAPI32 ref: 0000000140049274
CloseServiceHandle.ADVAPI32 ref: 0000000140049281
CloseServiceHandle.ADVAPI32 ref: 000000014004928B
GetLastError.KERNEL32 ref: 00000001400492CB
GetLastError.KERNEL32 ref: 000000014004931B
GetLastError.KERNEL32 ref: 0000000140049356
GetLastError.KERNEL32 ref: 000000014004939E
GetLastError.KERNEL32 ref: 00000001400493F4
GetLastError.KERNEL32 ref: 0000000140049446

Strings

Unable to query status of the service '{}'!, xrefs: 00000001400492B6, 00000001400493DB
Unable to open the service '{}'!, xrefs: 0000000140049385
Type, xrefs: 000000014004904B
Unable to start the service '{}'!, xrefs: 0000000140049431
!, xrefs: 000000014004943D
SYSTEM\CurrentControlSet\Services\, xrefs: 0000000140048C08
Unable to send control code {} to the service '{}'!, xrefs: 0000000140049306
Unable to open the service control manager!, xrefs: 000000014004935E
ErrorControl, xrefs: 0000000140048DE3
Start, xrefs: 0000000140048F1A
O, xrefs: 0000000140049094
ServicesActive, xrefs: 0000000140048B22

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLastService$Close$Handle$Open$QueryStatus$ControlManagerSleepStart
String ID: !$ErrorControl$O$SYSTEM\CurrentControlSet\Services\$ServicesActive$Start$Type$Unable to open the service '{}'!$Unable to open the service control manager!$Unable to query status of the service '{}'!$Unable to send control code {} to the service '{}'!$Unable to start the service '{}'!
API String ID: 914021282-1139266149
Opcode ID: 650a7d3c880a9c04a8784dffdabddba7ef7e5863e4024906fb18aff839f78393
Instruction ID: e746428b034b753f819b5fc75678727d8781594847a1229f713a5b317e7df695
Opcode Fuzzy Hash: 650a7d3c880a9c04a8784dffdabddba7ef7e5863e4024906fb18aff839f78393
Instruction Fuzzy Hash: 9A528FB2614BC09AEB62DF26D8807DD73A0F74878CF405125FB8957AA9EF78C684C744

Function 000000014002FD10 Relevance: 53.2, APIs: 16, Strings: 14, Instructions: 719COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 000000014002FE31
Successfully dumped kernel memory into '{}', xrefs: 000000014002FFB5
E502, xrefs: 00000001400307B3
\\.\pipe\lsass, xrefs: 0000000140030111
Lsass dumping is not supported, xrefs: 00000001400301DF
9, xrefs: 0000000140030807
+, xrefs: 000000014002FFC4
6373, xrefs: 0000000140030172
Minimum interval between dumps (, xrefs: 0000000140030ACA
6373, xrefs: 0000000140030A69
E502, xrefs: 000000014002FD74
Successfully dumped process {} into '{}' (dump level: {}), xrefs: 00000001400307F8
minutes) was not yet reached , xrefs: 0000000140030AEE
last.dump, xrefs: 0000000140030581, 00000001400309E9

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: minutes) was not yet reached $+$6373$6373$9$E502$E502$Lsass dumping is not supported$Minimum interval between dumps ($SeDebugPrivilege$Successfully dumped kernel memory into '{}'$Successfully dumped process {} into '{}' (dump level: {})$\\.\pipe\lsass$last.dump
API String ID: 3668304517-1309060305
Opcode ID: 3959f13308a53d779ee7367f625bf2d3a64f108ade1a3bf03b5012af82bcf960
Instruction ID: f7c574caa26f615195f0bafb14573898e7189bc56f31540c36fcf2833535e9d3
Opcode Fuzzy Hash: 3959f13308a53d779ee7367f625bf2d3a64f108ade1a3bf03b5012af82bcf960
Instruction Fuzzy Hash: A6826F72609BC486E772DF16E4503DAB3A0F789B94F508126EB9943BA9DF3CC544CB40

Function 0000000140014470 Relevance: 33.7, APIs: 11, Strings: 8, Instructions: 411COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140049500: OpenSCManagerW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049535
Part of subcall function 0000000140049500: OpenServiceW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049562
Part of subcall function 0000000140049500: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049575
Part of subcall function 0000000140049500: CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049591
Part of subcall function 0000000140049500: CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 000000014004959B

RtlEnterCriticalSection.NTDLL ref: 00000001400146BF

Part of subcall function 0000000140049500: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 00000001400495C4
Part of subcall function 0000000140049500: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049606

Strings

Unable to create sync event, xrefs: 0000000140014AE7
^, xrefs: 00000001400145D1
F59A, xrefs: 00000001400145A1
Bprotect, xrefs: 00000001400144D2
+, xrefs: 0000000140014611
689A, xrefs: 00000001400145C4
Driver incompatible with debugger detected., xrefs: 0000000140014605
BprotectEx, xrefs: 000000014001451F

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLastService$CloseHandleOpen$CriticalEnterManagerSection
String ID: +$689A$Bprotect$BprotectEx$Driver incompatible with debugger detected.$F59A$Unable to create sync event$^
API String ID: 2384786053-2103501719
Opcode ID: 6246e33e4d18522323e2979d310de36177014b67129b8993640bb0660fbd4a61
Instruction ID: acc6ca1ac3d4bcc98d97c1d460dc2bf6ac9bcfe21a9f3a416ce2b6d3651b1c6f
Opcode Fuzzy Hash: 6246e33e4d18522323e2979d310de36177014b67129b8993640bb0660fbd4a61
Instruction Fuzzy Hash: 08129E32615BC486E762DF16E4903DAB3A4FB8DB84F518126EB8907BB4DF79C484CB00

Function 0000000140076810 Relevance: 27.5, APIs: 11, Strings: 4, Instructions: 1204COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077B92
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077B98

Part of subcall function 000000014003CB40: __std_exception_copy.LIBVCRUNTIME ref: 000000014003CB88

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BBB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BC7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BCD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BD3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BD9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140077BFC

Strings

gfffffff, xrefs: 00000001400770E2
gfffffff, xrefs: 0000000140077B11
gfffffff, xrefs: 0000000140076E21
(, xrefs: 0000000140076DAB

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: ($gfffffff$gfffffff$gfffffff
API String ID: 1944019136-2044015736
Opcode ID: 5136b0d809f81acb1283958e3410d931ada9a6dbe5a2ad97a49ecc9ad0ed624f
Instruction ID: cadec9307002fb482afa7b70277d176585e481f7c60079d498e52ce0c2159b11
Opcode Fuzzy Hash: 5136b0d809f81acb1283958e3410d931ada9a6dbe5a2ad97a49ecc9ad0ed624f
Instruction Fuzzy Hash: 74B2BE72704BC482EA629B26E4447EEB3A1F789BD4F445611EB9E07BA9DF7CC481C740

Function 000000014005A7A0 Relevance: 26.5, APIs: 11, Strings: 3, Instructions: 2029encryptiontimeregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000014005A871
GetSystemTimeAsFileTime.KERNEL32 ref: 000000014005A951
GetCurrentProcessId.KERNEL32 ref: 000000014005ABAF
GetCurrentThreadId.KERNEL32 ref: 000000014005ACE9
GlobalMemoryStatusEx.KERNEL32 ref: 000000014005AE5B
GetDiskFreeSpaceExW.KERNEL32 ref: 000000014005B35C
GetSystemTimes.KERNEL32 ref: 000000014005B5D7
QueryPerformanceCounter.KERNEL32 ref: 000000014005BD5F
CryptAcquireContextW.ADVAPI32 ref: 000000014005C266
CryptGenRandom.ADVAPI32 ref: 000000014005C28E
CryptReleaseContext.ADVAPI32 ref: 000000014005C505

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 000000014005C256
Cannot open registry key, xrefs: 000000014005A8C7
@, xrefs: 000000014005C24E

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Crypt$ContextCurrentSystemTime$AcquireCounterDiskFileFreeGlobalMemoryOpenPerformanceProcessQueryRandomReleaseSpaceStatusThreadTimes
String ID: @$Cannot open registry key$Microsoft Base Cryptographic Provider v1.0
API String ID: 641596549-1296241995
Opcode ID: 8bbcdc25e91c0466fedc14985ca10bf9c7be634f727564f723196ec6c475a166
Instruction ID: c9c06d2097c26ed99e9b658cc0718fdec311c56a7e8b571f4b331795d7023104
Opcode Fuzzy Hash: 8bbcdc25e91c0466fedc14985ca10bf9c7be634f727564f723196ec6c475a166
Instruction Fuzzy Hash: 001351B36186818BDB55CF29E4513AE77F0F79A784F541126F38A87699EB3EC904CB00

Function 00000001400026F0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 279filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400128B0: VerSetConditionMask.NTDLL ref: 0000000140012922
Part of subcall function 00000001400128B0: VerSetConditionMask.NTDLL ref: 0000000140012931
Part of subcall function 00000001400128B0: VerSetConditionMask.NTDLL ref: 0000000140012940
Part of subcall function 00000001400128B0: VerifyVersionInfoW.KERNEL32 ref: 0000000140012961

GetFileAttributesW.KERNEL32 ref: 000000014000274B
CreateFileW.KERNEL32 ref: 0000000140002922
NtSystemDebugControl.NTDLL ref: 0000000140002998
CloseHandle.KERNEL32 ref: 00000001400029A7
DeleteFileW.KERNEL32 ref: 00000001400029FC

Part of subcall function 000000014007B650: RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
Part of subcall function 000000014007B650: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

GetLastError.KERNEL32 ref: 0000000140002AA2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002B65

Part of subcall function 00000001400033A0: TerminateProcess.KERNEL32 ref: 00000001400033FA
Part of subcall function 00000001400033A0: GetCurrentProcess.KERNEL32 ref: 0000000140003408

Strings

3, xrefs: 0000000140002AB8
Windows 8.1 or later is required for live kernel dumping, xrefs: 0000000140002A3D
Dump file {} already exists, xrefs: 0000000140002A63
NtSystemDebugControl failed, status: {:#010x}, xrefs: 0000000140002A02
dmp, xrefs: 00000001400027E4
mdmp, xrefs: 0000000140002882
Dump file '{}' could not be created, error code: {}, xrefs: 0000000140002AAC

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: File$ConditionMask$Process$AttributesCloseControlCreateCurrentDebugDeleteErrorExceptionHandleHeaderInfoLastRaiseSystemTerminateVerifyVersion_invalid_parameter_noinfo_noreturn
String ID: 3$Dump file '{}' could not be created, error code: {}$Dump file {} already exists$NtSystemDebugControl failed, status: {:#010x}$Windows 8.1 or later is required for live kernel dumping$dmp$mdmp
API String ID: 2346179174-4051622449
Opcode ID: f2ed98436135c8495667bffc05249207030db6e999f3df43ce323f906c08814b
Instruction ID: d2532aca21d2b9b7f68ee8878676270b080208754356df25d40381f4caa891a8
Opcode Fuzzy Hash: f2ed98436135c8495667bffc05249207030db6e999f3df43ce323f906c08814b
Instruction Fuzzy Hash: C0D14A72610B8496EB22DF66E8803DD73B4F7897A8F504216EB9D53AB9EF38C545C700

Function 00000001400A3F0C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1203COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00000001400A3F5B
_invalid_parameter_noinfo.LIBCMT ref: 00000001400A458E
_invalid_parameter_noinfo.LIBCMT ref: 00000001400A4704
_invalid_parameter_noinfo.LIBCMT ref: 00000001400A49C0
_invalid_parameter_noinfo.LIBCMT ref: 00000001400A4BE0
_invalid_parameter_noinfo.LIBCMT ref: 00000001400A4E1B
memcpy_s.LIBCPMT ref: 00000001400A4EF6
memcpy_s.LIBCPMT ref: 00000001400A4FA1
memcpy_s.LIBCPMT ref: 00000001400A5071

Part of subcall function 0000000140091924: _invalid_parameter_noinfo.LIBCMT ref: 0000000140091956

Strings

1#SNAN, xrefs: 00000001400A406E
1#IND, xrefs: 00000001400A404B
1#QNAN, xrefs: 00000001400A4077
1#INF, xrefs: 00000001400A4087

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 126489c02f89f32444c53208c887ce3e7162916d31ce3ead66bec1882e9e6cee
Instruction ID: 378258da1df3d0a3be93c01209ba7d409c16e2a030b42d5069ed35b0a8a1d70a
Opcode Fuzzy Hash: 126489c02f89f32444c53208c887ce3e7162916d31ce3ead66bec1882e9e6cee
Instruction Fuzzy Hash: FFB2DF76A142908BE766CF6AD440BEE77A1F3A87C8F505315EB0657EA8D734DA80CF40

Function 0000000140032B00 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 623COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140032BB4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140032C0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140032C6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400331F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140033205
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003320B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140033211
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003321D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140033223
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003322F

Strings

(=, xrefs: 0000000140032F51, 0000000140033099

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: (=
API String ID: 3668304517-3258547529
Opcode ID: 56c9b8a907e4f7f30388f79c6fff3c512a22a2b609b44b23b3cfdbfec8c230fe
Instruction ID: d3026dc617975dbc0fae11b53bcd1b8976c14ad3504770994b9723004f1809d4
Opcode Fuzzy Hash: 56c9b8a907e4f7f30388f79c6fff3c512a22a2b609b44b23b3cfdbfec8c230fe
Instruction Fuzzy Hash: C3429E72A14B8481EB12CB2AE4813EE6361F799BD4F509215FB9D13BAADF38C5D0C740

Function 0000000140072F20 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 590COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014007373D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400737E7

Strings

gfffffff, xrefs: 000000014007327B

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: gfffffff
API String ID: 3668304517-1523873471
Opcode ID: ea0bed14f6fd8a221ce5c85f356cd70518ca9004aa46f6dc453517bd3c9c7151
Instruction ID: 973354c1fd7a855e06744c45f1c7becab9a41793762c757bf87d089ddaceaf43
Opcode Fuzzy Hash: ea0bed14f6fd8a221ce5c85f356cd70518ca9004aa46f6dc453517bd3c9c7151
Instruction Fuzzy Hash: 0B32BFB2601B8482FA26DB26E4843DE6361F789BD0F549522EB5D07BEADF7CC485C740

Function 0000000140048230 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 377registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005A7A0: RegOpenKeyExW.ADVAPI32 ref: 000000014005A871

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400489DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400489E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400489E7
RegCloseKey.ADVAPI32 ref: 0000000140048A17
SetLastError.KERNEL32 ref: 0000000140048A23

Strings

Tag, xrefs: 0000000140048427
Group, xrefs: 00000001400483C7
SYSTEM\CurrentControlSet\Services\, xrefs: 00000001400482C4

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseConcurrency::cancel_current_taskErrorLastOpen
String ID: Group$SYSTEM\CurrentControlSet\Services\$Tag
API String ID: 2342203223-3512472385
Opcode ID: f2b4027a297b2d02ffeec11c995bceafd04a3ff707c0ce089216ac103398882c
Instruction ID: dba7bc752a1d05e0ded33738caa6f39dbac0386adf53da9ba466901ce0d3c83c
Opcode Fuzzy Hash: f2b4027a297b2d02ffeec11c995bceafd04a3ff707c0ce089216ac103398882c
Instruction Fuzzy Hash: 70128072619FC091EA71DB15E4503EEA3A1F7D9780F505625EBCD53AA9EF38C584CB00

Function 000000014006F0E0 Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 517COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006F7C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006F7CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006F7D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006F7D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006F7DE

Strings

option, xrefs: 000000014006F12F, 000000014006F4BA
_token, xrefs: 000000014006F22E

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: _token$option
API String ID: 3668304517-4023011786
Opcode ID: 97091d6cb97254faeec8e4a5df26bfbf1ffdc79699f9418e2058bf893ef362fa
Instruction ID: acddcaf35ce4b853b78acbe7e4be319e569b1b970cdae44850855107222bc432
Opcode Fuzzy Hash: 97091d6cb97254faeec8e4a5df26bfbf1ffdc79699f9418e2058bf893ef362fa
Instruction Fuzzy Hash: 4222BB32714A4086FB12CF6AC9483ED2362F70DBD8FA45A11EF5D57AEADB74C5869300

Function 0000000140042F80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32 ref: 0000000140043089
UnlockFileEx.KERNEL32 ref: 00000001400430D4
SetLastError.KERNEL32 ref: 0000000140043121
CloseHandle.KERNEL32 ref: 000000014004318C

Strings

couldn't obtain shared file lock, xrefs: 00000001400431C4

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: File$CloseErrorHandleLastLockUnlock
String ID: couldn't obtain shared file lock
API String ID: 1994953073-3717060661
Opcode ID: 5381214164cbfcde355a917efa3f1e5b70d4e5fc025e5a7ce08c79cf7592e1e1
Instruction ID: 6dc9c28dc2bbea5aeb0c5c8121b6d775b216b4a95e7ee356a531a1ee5e03f9c1
Opcode Fuzzy Hash: 5381214164cbfcde355a917efa3f1e5b70d4e5fc025e5a7ce08c79cf7592e1e1
Instruction Fuzzy Hash: B6514D72618BC085EA71DB26E8513DAB3A5F7D9790F509325A7ED43AB9DF38C184CB00

Function 0000000140059C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120registrynativeCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 0000000140059CD6
SetLastError.KERNEL32 ref: 0000000140059CE2
RegSetValueExW.ADVAPI32 ref: 0000000140059D27
RegCloseKey.ADVAPI32 ref: 0000000140059D4B
SetLastError.KERNEL32 ref: 0000000140059D57

Part of subcall function 00000001400594B0: RegCreateKeyExW.ADVAPI32 ref: 0000000140059546
Part of subcall function 00000001400594B0: RegCreateKeyExW.ADVAPI32 ref: 00000001400595DE
Part of subcall function 00000001400594B0: RegCloseKey.ADVAPI32 ref: 00000001400595FC
Part of subcall function 00000001400594B0: SetLastError.KERNEL32 ref: 0000000140059608

NtClose.NTDLL ref: 0000000140059DA7

Strings

Cannot write key value, xrefs: 0000000140059D2D

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Close$ErrorLast$Create$Value
String ID: Cannot write key value
API String ID: 1320403711-3393872497
Opcode ID: 2ec7a2271ba602718d70749ecf442ff4a7b786d39cc7c46cb2ff517a004f99a4
Instruction ID: 2ec24c23424257bf2840f2bcad33e52d2911314c2e675eb45ae1497282b7bbf1
Opcode Fuzzy Hash: 2ec7a2271ba602718d70749ecf442ff4a7b786d39cc7c46cb2ff517a004f99a4
Instruction Fuzzy Hash: 6241BF32215B8086EB62DF62E4957DA77A4FB88BC4F284125FF8A03765DF39C441CB10

Function 0000000140059900 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 94nativeregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005A7A0: RegOpenKeyExW.ADVAPI32 ref: 000000014005A871

Part of subcall function 0000000140059AC0: RegDeleteTreeW.ADVAPI32(?,?,?,?,?,?,?,?,000000014005996C), ref: 0000000140059B01
Part of subcall function 0000000140059AC0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,000000014005996C), ref: 0000000140059B2F
Part of subcall function 0000000140059AC0: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000014005996C), ref: 0000000140059B3B

NtQueryKey.NTDLL ref: 00000001400599B7

Part of subcall function 00000001400597D0: NtOpenKey.NTDLL ref: 0000000140059889

NtDeleteKey.NTDLL ref: 0000000140059A40
NtClose.NTDLL ref: 0000000140059A5F
RegCloseKey.ADVAPI32 ref: 0000000140059A8D
SetLastError.KERNEL32 ref: 0000000140059A99

Strings

Cannot delete registry key, xrefs: 0000000140059A46
Cannot query kernel mode registry key path, xrefs: 00000001400599BD

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Close$DeleteErrorLastOpen$QueryTree
String ID: Cannot delete registry key$Cannot query kernel mode registry key path
API String ID: 2384582698-3324586067
Opcode ID: 408225df95bdd7a8a36108006d88b0aaea0ba40410c2e6995d3acb5101e31627
Instruction ID: c0185c5e7e07c172dddb39523b0b6857f3cb2cbd74be1f292dc2529af919b534
Opcode Fuzzy Hash: 408225df95bdd7a8a36108006d88b0aaea0ba40410c2e6995d3acb5101e31627
Instruction Fuzzy Hash: D4412B72618BC092EB11DF66E4943DAB3A0FBD9780F505525FBC983A69EF78C548CB00

Function 0000000140014699 Relevance: 10.7, APIs: 7, Instructions: 197COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 00000001400146BF
RtlLeaveCriticalSection.NTDLL ref: 00000001400147D2
RtlInitializeCriticalSection.NTDLL ref: 0000000140014805
CreateEventW.KERNEL32 ref: 00000001400148F3
CloseHandle.KERNEL32 ref: 0000000140014908
WaitForMultipleObjects.KERNEL32 ref: 00000001400149BF
RtlLeaveCriticalSection.NTDLL ref: 0000000140014AA4
GetLastError.KERNEL32 ref: 0000000140014ADF
std::_Throw_Cpp_error.LIBCPMT ref: 0000000140014B15
std::_Throw_Cpp_error.LIBCPMT ref: 0000000140014B2D

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CriticalSection$Cpp_errorLeaveThrow_std::_$CloseCreateEnterErrorEventHandleInitializeLastMultipleObjectsWait
String ID:
API String ID: 2765073912-0
Opcode ID: ecd216b08f9fd74a9c1be6b230cc400d8d31eb2996f637f51f31818544e1adf8
Instruction ID: 4046915ed44fe326b562858b187994a8cd86b385aa076283e19239acc64219b5
Opcode Fuzzy Hash: ecd216b08f9fd74a9c1be6b230cc400d8d31eb2996f637f51f31818544e1adf8
Instruction Fuzzy Hash: 66A16B32605BC486E7A29F12F4947DAB3A8FB8DB84F558116EB89477B0DF79C484CB00

Function 0000000140088100 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000000140088179
RtlLookupFunctionEntry.NTDLL ref: 0000000140088191
RtlVirtualUnwind.NTDLL ref: 00000001400881CC
IsDebuggerPresent.KERNEL32 ref: 0000000140088205
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014008820F
UnhandledExceptionFilter.KERNEL32 ref: 000000014008821A

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 4fa09d09ecd95d6422647266fe9199911d7ff3209486aff70f905c38b8d44fbd
Instruction ID: 5f295c627d3f4a1f9ab801dadf57347dc710ed6b506405f99e25ff6f7181c6b6
Opcode Fuzzy Hash: 4fa09d09ecd95d6422647266fe9199911d7ff3209486aff70f905c38b8d44fbd
Instruction Fuzzy Hash: D6313832614F8096EB61CF66E8443DA73A4F788798F504126EB9D43BA9EF38C655CB00

Function 00000001400429D0 Relevance: 8.0, APIs: 5, Instructions: 483fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32 ref: 0000000140043089
UnlockFileEx.KERNEL32 ref: 00000001400430D4
SetLastError.KERNEL32 ref: 0000000140043121
CloseHandle.KERNEL32 ref: 000000014004318C

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: File$CloseErrorHandleLastLockUnlock
String ID:
API String ID: 1994953073-0
Opcode ID: 8293c3e118a1685d0d8fe61e27a1e9435cf05ca2b7879448cc97020c69cf5e24
Instruction ID: b19ae1d1ca8e9597a534420853a95dbf5c266e96ab2866330c5e9f2adbdeadb8
Opcode Fuzzy Hash: 8293c3e118a1685d0d8fe61e27a1e9435cf05ca2b7879448cc97020c69cf5e24
Instruction Fuzzy Hash: EF22A272704B9085EB22CB26E4443EDA3A1F7997D4F954326EBAD43AE8DF38C585C704

Function 0000000140029200 Relevance: 7.6, APIs: 5, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000014002925D
GetLastError.KERNEL32 ref: 000000014002926C
DeviceIoControl.KERNEL32 ref: 00000001400292AA
GetLastError.KERNEL32 ref: 00000001400292B4
CloseHandle.KERNEL32 ref: 00000001400292BF

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 11f514c96b4bc136fc0dcfa8cbf9ceb26a26f6227072a4a38d10f0bf4c1ad5fb
Instruction ID: 2a976e20c7c07be9545e79cd8fd8f730cedcea555264f88cf5bc0e3db44d78e7
Opcode Fuzzy Hash: 11f514c96b4bc136fc0dcfa8cbf9ceb26a26f6227072a4a38d10f0bf4c1ad5fb
Instruction Fuzzy Hash: 66213032614B8097E7128F66F84579AB7A4F78DBE4F540229FB9943BA4DB38D845CB00

Function 000000014001D7F0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 447COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001DA5C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001DCD8

Strings

%, xrefs: 000000014001DD12
+, xrefs: 000000014001DD27

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %$+
API String ID: 3668304517-2626897407
Opcode ID: ba850d6aa618e8a5ef159dc3786b625165af67347b89d150aaef4c85da97bd4d
Instruction ID: a0d898dbe7d671f5170276f5073ab47a7f6217a54e0e881cc844ee19e376ab2e
Opcode Fuzzy Hash: ba850d6aa618e8a5ef159dc3786b625165af67347b89d150aaef4c85da97bd4d
Instruction Fuzzy Hash: 1502F532708A8489F722CB66E4903ED73B1E7997C8F548116FF491BBA9DB39D946C340

Function 0000000140018AF0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 446COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140018D5D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140018FD9

Strings

+, xrefs: 0000000140019027
%, xrefs: 0000000140019012

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %$+
API String ID: 3668304517-2626897407
Opcode ID: ef3cfa6880285422245a7e8038cad12d370277293f6718c99b629d3b3881f313
Instruction ID: 5f2076fc5d2f6f41c57a6eed74219a67e11487e96eb78a4c63318edaad5f1c3e
Opcode Fuzzy Hash: ef3cfa6880285422245a7e8038cad12d370277293f6718c99b629d3b3881f313
Instruction Fuzzy Hash: E602F732705A8489F722CB66E4903ED73B1E7997C8F148215FF495BBA9DB39CA46C340

Function 0000000140091420 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 329COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 000000014009148A
memcpy_s.LIBCPMT ref: 00000001400914B5

Strings

, xrefs: 00000001400915E8

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-3916222277
Opcode ID: c10be92ccd777733aec77242fd83f6c250c9f7e3d5896467feec955041489aac
Instruction ID: 743f78193035bc79f1e57e9f59dd1a4a70d6b0a9934cb31c37873dd6cb708058
Opcode Fuzzy Hash: c10be92ccd777733aec77242fd83f6c250c9f7e3d5896467feec955041489aac
Instruction Fuzzy Hash: 2EC1F47271568587EB21CF1AE088BEEB7A1F3D87C4F458225EB4A47B94DB38D805CB00

Function 0000000140079FFC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014007A028
GetCurrentThreadId.KERNEL32 ref: 000000014007A036
GetCurrentProcessId.KERNEL32 ref: 000000014007A042
QueryPerformanceCounter.KERNEL32 ref: 000000014007A052

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 695b2c72f8245567a92a4f97253ef12cd3ec153a36e762290f020759e5a569ed
Instruction ID: 1bd70d2ee80f52086e0b2869b45f11ac886149a817778f7592ab05b98df556ae
Opcode Fuzzy Hash: 695b2c72f8245567a92a4f97253ef12cd3ec153a36e762290f020759e5a569ed
Instruction Fuzzy Hash: A3110376710F008AEB01CFA6E8543A933A8F75DB98F440E25EB6D87BA4DB78C1948240

Function 02309500 Relevance: 5.4, Strings: 4, Instructions: 380COMMON

Download Yara Rule

Strings

, xrefs: 023097F6
, xrefs: 023096C9
(, xrefs: 0230956B
, xrefs: 02309636

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: $ $ $(
API String ID: 0-3698178323
Opcode ID: 5c31586f011da146f7a0e2f3f26b49a2f6bf0a272a270216fad1032cc7f56bac
Instruction ID: 56ed98dba78e34fca3f2bd122c47688c0148ab4bdb7ab316b3d037c329e58e2d
Opcode Fuzzy Hash: 5c31586f011da146f7a0e2f3f26b49a2f6bf0a272a270216fad1032cc7f56bac
Instruction Fuzzy Hash: 2AD16F706187888FE779DF28D899BAAB7E5FB88704F40492DD48EC3251DF74A445CB82

Function 00000001400367A0 Relevance: 5.0, APIs: 3, Instructions: 479COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140036A1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140036A21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140036CE2

Part of subcall function 000000014003C280: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003C32E

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 0c5e3ae4d7f34646f4bf7f9aecd518afe444cf5d875dbf0ec729c9109402b926
Instruction ID: 54353db618213540d5186c5b37f8c69dbfbe8609b719d997372a201807642c31
Opcode Fuzzy Hash: 0c5e3ae4d7f34646f4bf7f9aecd518afe444cf5d875dbf0ec729c9109402b926
Instruction Fuzzy Hash: 0D22BD72614B8485EB12DF66E4843EE73A1F7897D4F509212FB9D03AAADF38C585C700

Function 023116A0 Relevance: 4.5, Strings: 3, Instructions: 795COMMON

Download Yara Rule

Strings

\8j, xrefs: 0231172F
$'2O, xrefs: 0231178F
U/, xrefs: 02311927

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressProcedure
String ID: $'2O$U/$\8j
API String ID: 3653107232-658286377
Opcode ID: 4935f0f32ad2d9a935451ba930207134b4bd1056c48635d3548c9aa2ad88d671
Instruction ID: bdc8b00fc2f658a74a6f408954fbbabe4d77246bbb27c0f876bd56659503106d
Opcode Fuzzy Hash: 4935f0f32ad2d9a935451ba930207134b4bd1056c48635d3548c9aa2ad88d671
Instruction Fuzzy Hash: E1425374A606444FE7A8EFB8E86872536E7F79D3407609A6B9409C33B4DE7C98039F50

Function 02327220 Relevance: 4.4, Strings: 3, Instructions: 626COMMON

Download Yara Rule

Strings

0, xrefs: 0232750E
@, xrefs: 02327525
, xrefs: 023274E1

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: $0$@
API String ID: 0-2347541974
Opcode ID: be94cb7cfc3cd8444ac11f04680e5f8e06e857b9d45ba6d7f6f85da26437d9a4
Instruction ID: 3cc7740318adf931cadd1ae4e79554da7afcdecce33e5bff69b611314268b7a1
Opcode Fuzzy Hash: be94cb7cfc3cd8444ac11f04680e5f8e06e857b9d45ba6d7f6f85da26437d9a4
Instruction Fuzzy Hash: 9D223F30218B588FE7B4EF28D855B9AB7E2FB98314F50461D958EC3290DF749549CB82

Function 0000000140040A50 Relevance: 4.2, Strings: 3, Instructions: 431COMMON

Download Yara Rule

Strings

reg-key, xrefs: 0000000140040E71
product-reg-key, xrefs: 0000000140040BCB
Software\, xrefs: 0000000140040B64, 0000000140040E0D

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: Software\$product-reg-key$reg-key
API String ID: 0-2334822848
Opcode ID: 4da8e0afcb8e9388d06a71be1f86bb65f70ed54fc2075c05b62e08a328c0d3e9
Instruction ID: e83f2201b4e9165746cb3b0bdb132f8ea2f66838df7c5e4937a6000ac8bf2a60
Opcode Fuzzy Hash: 4da8e0afcb8e9388d06a71be1f86bb65f70ed54fc2075c05b62e08a328c0d3e9
Instruction Fuzzy Hash: 7512E032A14B8492E702DF75C4413ED6370FBA8788F516226FB89676BAEF34D695C340

Function 0000000140094E30 Relevance: 4.1, Strings: 3, Instructions: 352COMMONLIBRARYCODE

Download Yara Rule

Strings

U, xrefs: 0000000140094E8D
C, xrefs: 0000000140094F42
-_., xrefs: 00000001400951EE

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLast$Value
String ID: -_.$C$U
API String ID: 1883355122-122348360
Opcode ID: 893563df212f572994940df262ea965a83ddd967e6897792fc41d3a3a4659922
Instruction ID: 47f83df31a620841db7f71abc47568d93323410f9af05f2c893c73b2928b2718
Opcode Fuzzy Hash: 893563df212f572994940df262ea965a83ddd967e6897792fc41d3a3a4659922
Instruction Fuzzy Hash: 7DE1AB3220164096EB66EF27E4847ED27A1F78CBD4F548226FF4A07BA5EB74C655C700

Function 000000014009A738 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000014009A987
RaiseException.KERNEL32 ref: 000000014009A998

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 65681df75707a92f2bc7e9ada3ab695fd425c163f5d037de68b2fc66d7e5ee35
Instruction ID: 523b48fd9272ed22601a5be54fc0fee5876a28af2ee06b70f9afebd8834ef710
Opcode Fuzzy Hash: 65681df75707a92f2bc7e9ada3ab695fd425c163f5d037de68b2fc66d7e5ee35
Instruction Fuzzy Hash: B8B11C77610B848BEB16CF2AC88639D77A0F389B98F158915EB5D877B4CB39C852C740

Function 0232B5E0 Relevance: 3.0, Strings: 2, Instructions: 550COMMON

Download Yara Rule

Strings

p, xrefs: 0232B6DA
), xrefs: 0232B7D9

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: )$p
API String ID: 0-1764766951
Opcode ID: ee93447394ec2e47e78dee34ba32a62090d93dde5ca2884970cb00b8fe4b969e
Instruction ID: ced4a2f65aae668b5d3f416012c33f0593a06b98a33017af6c34cd5e6d1c9657
Opcode Fuzzy Hash: ee93447394ec2e47e78dee34ba32a62090d93dde5ca2884970cb00b8fe4b969e
Instruction Fuzzy Hash: CA02DE30628B588FE774DF28D8557AAB7E6FB88308F504A2DD48ED3290DF749549CB42

Function 0000000140099110 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 000000014009921D
gfff, xrefs: 000000014009929A

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 04352b12e251caef85448169595c1d977d113804befc2cbc0cfa0fe36bdb305b
Instruction ID: da49b78225b27d5c317bd1a457599b25e9e006a51047f6e63fa0380021a18e3c
Opcode Fuzzy Hash: 04352b12e251caef85448169595c1d977d113804befc2cbc0cfa0fe36bdb305b
Instruction Fuzzy Hash: 8E5159737186C446E7268F3AE9157997B91F348BD4F48D221EBA84BBE5CB39C444C700

Function 0231CBE0 Relevance: 1.9, Strings: 1, Instructions: 623COMMON

Download Yara Rule

Strings

!yOr, xrefs: 0231CC2B

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressProcedure
String ID: !yOr
API String ID: 3653107232-2868905794
Opcode ID: a344c6b9773561e1a8feff107ffa0bbb357e6f0ee830072877925764f08a3291
Instruction ID: 884e62cc5f46fe2f43daa542b401d7c49b863043fc4284b0717f2ed5fb892d82
Opcode Fuzzy Hash: a344c6b9773561e1a8feff107ffa0bbb357e6f0ee830072877925764f08a3291
Instruction Fuzzy Hash: 81124F30218B488FD7B8EF28D855BAAB7E2FB99304F50496D948EC3690DF74D945CB42

Function 0231B4E0 Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

P, xrefs: 0231B58D

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: fc71c7b77c584ab428780ddc863f287b4ad5f6815cb57d0fe849b24e33f4b176
Instruction ID: c9dfdb3a05c9c1a9d9d93bb8a0126dfad574dcbba947eb0ee3b65c75ec1e5d8e
Opcode Fuzzy Hash: fc71c7b77c584ab428780ddc863f287b4ad5f6815cb57d0fe849b24e33f4b176
Instruction Fuzzy Hash: F5025230218B484FE779AF68D4587AAB7D3FB98308F50452DE48AC3295DF78D946CB42

Function 02305D60 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

(, xrefs: 02305FE6

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: abcda2cce44acd7600387513da42d6dbaa6d0e49c1554b2389a16b5e095b6a28
Instruction ID: 97300179506a525884eb5a906817a9fb46ad9078d730b59108f3c36bc63d8c83
Opcode Fuzzy Hash: abcda2cce44acd7600387513da42d6dbaa6d0e49c1554b2389a16b5e095b6a28
Instruction Fuzzy Hash: FBF1A170628B488FD768DF28849676EB7DAFBCC304F50462DE08EC3695CB34D8568B42

Function 000000014000CB80 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

gfff, xrefs: 000000014000D260

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 8a2dcf9ab7c55880f9a741755fadcef32c767d2ea98bcf1b8f9d0d040eefc798
Instruction ID: 2e6303e5c84755d0e2fedad68920bbbdbb98dc67d56c676ba306184c5d9a5104
Opcode Fuzzy Hash: 8a2dcf9ab7c55880f9a741755fadcef32c767d2ea98bcf1b8f9d0d040eefc798
Instruction Fuzzy Hash: DA1215B262978086EB22CF26F1407EE7791F358BC4F149126FB4A47BA5DB78C945CB10

Function 000000014000B5C0 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

gfff, xrefs: 000000014000BC12

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 188657171af1e0757aff3f81c85895f20b7be6e38f1443b3f445cd7df4c45def
Instruction ID: 419e06eae31c9b0086dba08d0a635922e550bfd7c4935c9a990d6660b0d2045f
Opcode Fuzzy Hash: 188657171af1e0757aff3f81c85895f20b7be6e38f1443b3f445cd7df4c45def
Instruction Fuzzy Hash: DB0229B522868582E72ACA2BE5547FC6695F388BC0F558137FF4B877F4E639CA408311

Function 023213A3 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

, xrefs: 02321439

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c30bd7ab68d751d74eb6e3fcd089575567a5f3ab528e208d543831b4295961bd
Instruction ID: c86acf0697317c6e04b0281086dc78695b2f9adec44c7f2e3f1dc9a3134360ab
Opcode Fuzzy Hash: c30bd7ab68d751d74eb6e3fcd089575567a5f3ab528e208d543831b4295961bd
Instruction Fuzzy Hash: 71D1B670628B584FE774DF68C4957BAB7D2FB89304F14866ED4CEC3252DB3494498B82

Function 02324550 Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

8, xrefs: 02324666

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 6bbf3d654b950b392ce32ff54005e7a4c88c8c4e5069d455d2263e1fb34e77d3
Instruction ID: 54ad5be8a3a8c2449f8dee187edceaed3f28c8df9013a111fc3b86cc6eb3835b
Opcode Fuzzy Hash: 6bbf3d654b950b392ce32ff54005e7a4c88c8c4e5069d455d2263e1fb34e77d3
Instruction Fuzzy Hash: 4BC18430228B484FE778EB28D8557AAB7D6FBC8304F50456DD59AC3290DF74D946CB82

Function 023266E0 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

, xrefs: 0232677D

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 990200c829865227b6571aa3573083370787801c1570d2fe66e4a338792caab8
Instruction ID: 58eb790a425d2e654e1adbed0b1471094a38efa13445de134dfce58e4184e228
Opcode Fuzzy Hash: 990200c829865227b6571aa3573083370787801c1570d2fe66e4a338792caab8
Instruction Fuzzy Hash: BA919330228B584FD768AF2CD85676AB7D6FB88304F50452DE48AC3251DF79D9468B82

Function 02331490 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

@, xrefs: 0233149C

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 59a31fbeb8a05151edb759329d96371e831f95528c315330fb92cc5f8aafcbf3
Instruction ID: 77e99e101771207c77fe38ed4d14137b8a1a1c25b4469f9413451d3bd71f08e2
Opcode Fuzzy Hash: 59a31fbeb8a05151edb759329d96371e831f95528c315330fb92cc5f8aafcbf3
Instruction Fuzzy Hash: DFA12070228B044BE768EB2CD45575BBBD2FBC8708F50862DB08ED3690CB79D9418B87

Function 0000000140098C60 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 0000000140098FBF

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 9da3902cafaa54ea0f26fcf8c8641c2ae7e0a60bf2e2409ba9268231b238ef55
Instruction ID: 45631be74bca65ee0c029d0995144cdcef367947e7f1576268a430681ad91ba9
Opcode Fuzzy Hash: 9da3902cafaa54ea0f26fcf8c8641c2ae7e0a60bf2e2409ba9268231b238ef55
Instruction Fuzzy Hash: 2EA133737057C486EB32CB2AA4607DE7B95E769BC4F049122EF8A477A5DA3DC901CB01

Function 000000014005F3E0 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

gj, xrefs: 000000014005F648

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 100eea8c5719e573b0f57fdb57933fa8d496c7bc56ea0f9008c025b70b65f920
Instruction ID: a116e9c95324fa8595d9ae91701c575426a3e033bb2937926ad2e21f17145bb8
Opcode Fuzzy Hash: 100eea8c5719e573b0f57fdb57933fa8d496c7bc56ea0f9008c025b70b65f920
Instruction Fuzzy Hash: 6381F8732157C48FD309CF6898402AD7BA4F325F08F9C826DDB809B34ACA34D9A5C7A5

Function 023066C0 Relevance: 1.0, Instructions: 996COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77ee9db95c24773db9081a7deccb5cf2f36f3081fec3039551d8f54b381666b
Instruction ID: ffe99cd3f050875ff7dc60bd43677a0aea1ff59ce491df0ad9511e3ea0b2c46d
Opcode Fuzzy Hash: c77ee9db95c24773db9081a7deccb5cf2f36f3081fec3039551d8f54b381666b
Instruction Fuzzy Hash: 14625734720B064BEB29DF2DDCE66A673DAFB8C740B844574AC46C72C9DF34E8418A65

Function 023155C0 Relevance: .9, Instructions: 926COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: CreateFirstSnapshotThread32Toolhelp32
String ID:
API String ID: 490256885-0
Opcode ID: 981f0971402d7281a867420ae6825c153d13a7eb141935b46ef7612b15631b0c
Instruction ID: 83d422f3277f74973af09c1a0ae7328ae299dac946f1170d14ba58addfb9d042
Opcode Fuzzy Hash: 981f0971402d7281a867420ae6825c153d13a7eb141935b46ef7612b15631b0c
Instruction Fuzzy Hash: CC629370218B088FD7A4DF18D895BA6B7E1FB98304F6146BED44DC7265DF34A846CB82

Function 02322BB0 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6ed7e8d2c7d9338698d87b8b7149cf556e2881883802bf60fb96d9698b45afc0
Instruction ID: e11528149e15d80dfba7b1f190b07388ff691fa9ba317cc9ae468a1c38aa5fd7
Opcode Fuzzy Hash: 6ed7e8d2c7d9338698d87b8b7149cf556e2881883802bf60fb96d9698b45afc0
Instruction Fuzzy Hash: 32428430328B584BD769BB18DC517AAB7D6FBD8704F50856DA48AC3290DF38DA45CAC3

Function 02332F60 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a83add80c015651db2210a2c8c18f03a1d4ada41add862ec9d8abcd3fa1614
Instruction ID: f58875975f512e694411d87f31ea34c732f7719d36140aa21b53b2910de87f6c
Opcode Fuzzy Hash: d6a83add80c015651db2210a2c8c18f03a1d4ada41add862ec9d8abcd3fa1614
Instruction Fuzzy Hash: 14221E70218B888FE7B5EF18C855BEAB7E1FB98305F508A5DD48EC3290DB749545CB82

Function 02332812 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d6e6732e53faa95cd3743e2378d3a887562cd9e05599d55a6b56c32021c76b
Instruction ID: 2031991f789854849d8a887f9292cbb26d957e80ec6c0c045ddbc40e58dcf59f
Opcode Fuzzy Hash: 85d6e6732e53faa95cd3743e2378d3a887562cd9e05599d55a6b56c32021c76b
Instruction Fuzzy Hash: 35120A30218B488FE7A5EB28D895BABB7E1FB98305F504A5D948EC32A0DF74D545CB42

Function 0232FBC0 Relevance: .5, Instructions: 543COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: faae51807ddb49513d4786620cdd6c550b09a0d8d4213f58ccc1b562f963a966
Instruction ID: b7037c2cbbcfe99637e64824125650fc0ba0fae8ecec9fa2d7d9ace1a3aef260
Opcode Fuzzy Hash: faae51807ddb49513d4786620cdd6c550b09a0d8d4213f58ccc1b562f963a966
Instruction Fuzzy Hash: CFF15430728B484FD769EB28D86576AB7D3FBC8344F50452DA08AC3291DF78D9468B87

Function 02331F40 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e573f32f122f45f3bb05125e8f2b0bf86f8e17a829f365963d033b070a9e4f
Instruction ID: 66fd05c5b885140976aa7e1247ddb41b929de21df99f4b63eb482e4587c12f88
Opcode Fuzzy Hash: b1e573f32f122f45f3bb05125e8f2b0bf86f8e17a829f365963d033b070a9e4f
Instruction Fuzzy Hash: 0BF13370318B488FE765DF28D8557ABB7D2FB88314F50462DA48AC32A0DF78D945CB82

Function 02319120 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e8d057c5f9894473d845d1c83c9ad02595634ce579fe39b255221776393a4b
Instruction ID: c95722b297681990262d781d6c54b3ecc264fb3fa3402c6e05d6cad8d3ce86a0
Opcode Fuzzy Hash: 93e8d057c5f9894473d845d1c83c9ad02595634ce579fe39b255221776393a4b
Instruction Fuzzy Hash: 94F14170218B488FE768EF18D8657AAB7D5FB89308F50492DE48EC3291DB78D545CB83

Function 023099D0 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580a3a3c83426d8ff6b88dfef7fa52f3433e29507ba5bdf8adfca3bd01625a3b
Instruction ID: 4579a8a5ef6b61bf1da3c99f0adb5fd1486e3e554a092a480512724684266e35
Opcode Fuzzy Hash: 580a3a3c83426d8ff6b88dfef7fa52f3433e29507ba5bdf8adfca3bd01625a3b
Instruction Fuzzy Hash: 95F17130218B488FD778EF28D4947AAB7E6FB88704F50462E948EC3291DF34D945CB92

Function 02330210 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9aa099fc02c16ba095d4bf4291fdb0dcd3e10970e4b1abe0c916cefc9fc1f856
Instruction ID: d479f9aae4c24ecc1aae44f150ba90439749eebc18fed671276ae3c8b60d087b
Opcode Fuzzy Hash: 9aa099fc02c16ba095d4bf4291fdb0dcd3e10970e4b1abe0c916cefc9fc1f856
Instruction Fuzzy Hash: 0BD15D30328B484FD769EB2CD86576AB7D2FBC8304F50456DA48AC3291DF78D9468B82

Function 02314DB0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e5cb04a7b8afc38bfdb1fe03543906a8b7734bb26e47d94f1bfbbc31827fd8
Instruction ID: 37cea4706d70bb09e36625a4d111f91d15040b29c79a9fa1cf077947430cda51
Opcode Fuzzy Hash: 67e5cb04a7b8afc38bfdb1fe03543906a8b7734bb26e47d94f1bfbbc31827fd8
Instruction Fuzzy Hash: 89D16130328B484FDB69EB2CD455B6AB7E2FBD9344F90456DA08AC3251DF34E945CB82

Function 0000000140008700 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c60be4ab458fd0de4f10b45d507592baae063c69ce48d6c2cccd2856e2d476
Instruction ID: cdbd6d1a16a8e0e3d4a4337008ea41b7dc649f08b0b7c8d95fbcce9c25ceabd7
Opcode Fuzzy Hash: e2c60be4ab458fd0de4f10b45d507592baae063c69ce48d6c2cccd2856e2d476
Instruction Fuzzy Hash: 51D14AB2B049550BEB29CA1FB581BA9A695F3DC7C0F05A126EF8683BF0E775C845C700

Function 023142A0 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b817203ba3c4443f5fb8480b07f75b397d38fcfc8ae896fd7bf819042d688969
Instruction ID: f032387dc33bd59dedde1e9aca371a72cf5f8c881e9931f3bf1e0388f9cd7a85
Opcode Fuzzy Hash: b817203ba3c4443f5fb8480b07f75b397d38fcfc8ae896fd7bf819042d688969
Instruction Fuzzy Hash: F0D1503021CB488FDB68EF29E85575AB7E5FB98304F10056EE58AC3260DF74E945CB82

Function 023282A0 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a71e2ed1c5bd6be6eb256dc2b4a77e1885c532c0b5c69f70e3d6037aa8625fe
Instruction ID: 41f9efc63f10987e87eef9c0ba2c1b3175a2bc8af11e52f96ac2596889cf3b43
Opcode Fuzzy Hash: 2a71e2ed1c5bd6be6eb256dc2b4a77e1885c532c0b5c69f70e3d6037aa8625fe
Instruction Fuzzy Hash: C2C15F7021CB484FE778EF28D8597AAB7D6FB98304F50462D958EC3290DF74D54A8B82

Function 023255E0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67f70248d9871493b444570412385d01f8192461fdcfc939c1c5d9bc251a4ce
Instruction ID: cb6f5659acbc0c3e3c2e105981d1932c65292e72866390db11ada82e181ea9b2
Opcode Fuzzy Hash: d67f70248d9871493b444570412385d01f8192461fdcfc939c1c5d9bc251a4ce
Instruction Fuzzy Hash: 2AC13170328B444FE768EB2CD46576ABBD2FB8C348F50456DE08AC3291DB78D9458B87

Function 000000014005EE20 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9146de42fe06b3e918654735bac583dd07de0fd27d2d2d1bc3f54f1f3bf6c7
Instruction ID: 03ec3d44de05fd666a70fe56bf2f7e115c799be4fe0443e434daaa8e0cd68dd6
Opcode Fuzzy Hash: 3e9146de42fe06b3e918654735bac583dd07de0fd27d2d2d1bc3f54f1f3bf6c7
Instruction Fuzzy Hash: 11C13673B2425087D7ACCF1AE810A6A7B96F3C8754741A12DEA1B93B80DE39CC45CB80

Function 000000014000C200 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35121771ef7e3a2a21f4fe77380e6306a785aec2d0abbaad6edc0a9a8a3c264d
Instruction ID: 711fc9cbed791bafeb9942fecf9ad6579a287c36ff07293391c35c06956e8bb9
Opcode Fuzzy Hash: 35121771ef7e3a2a21f4fe77380e6306a785aec2d0abbaad6edc0a9a8a3c264d
Instruction Fuzzy Hash: A2D12BB273665046EB27CF2AF414BEA6691F398BC4F185124FF4A47BA4DB39C940CB00

Function 000000014008BDF4 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a02068b51a8db8e48cbbecbd50ab68d20f8956ba6d06c6d8de2256c976014b4
Instruction ID: 19551dc1b382e6e948458b19ea9d1326cec31ff93c2248c0597341d4f913b867
Opcode Fuzzy Hash: 0a02068b51a8db8e48cbbecbd50ab68d20f8956ba6d06c6d8de2256c976014b4
Instruction Fuzzy Hash: CED1BA7762064486EB7A8F2A9450BAD37A0F70CBC8F545226FF49437E6DB35CA46CB40

Function 0231BED0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2428df4c2b5cda2abb3800129e89791470056923b1d70c4f1012cb95f183359f
Instruction ID: 15f489f3cad45d883332e1d63106f09b618d3195bdebcc1797942e39f619eb8b
Opcode Fuzzy Hash: 2428df4c2b5cda2abb3800129e89791470056923b1d70c4f1012cb95f183359f
Instruction Fuzzy Hash: B7B10C70228B488FDB68DF1CD459B9AB7E5FB99304F50892DA08EC3251CB74D945CB43

Function 000000014008BA28 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee1200db8e1ef7a7e1f657d3d6c118d16c3f2ddcba2727c09fdfbcc369e9b4a
Instruction ID: a26132ffcb03175a20d539ed755665c717936d486e66848fb88558251d16acdb
Opcode Fuzzy Hash: 1ee1200db8e1ef7a7e1f657d3d6c118d16c3f2ddcba2727c09fdfbcc369e9b4a
Instruction Fuzzy Hash: 2FD1BA3360064486EB6A8F2B80507EE2BA1F70DBC8F544206EF59177FADB75CA46C345

Function 0230A730 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92dcddac20bf2a85382346e7c818b7a8622ac2cf6c43a00e52d6e282357d0b4a
Instruction ID: 8f94db66012aa4d571d50976098dcbfdbeb1a14f4af6ba6295157503f4ec0b17
Opcode Fuzzy Hash: 92dcddac20bf2a85382346e7c818b7a8622ac2cf6c43a00e52d6e282357d0b4a
Instruction Fuzzy Hash: 4581C13061C7488FD719DF1CD89876ABBE5FB99304F15462DE58AC3291DB74E802CB92

Function 000000014008AA44 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a5733841054f35ee6a67558ffbf079e1ddf009b8a0c96e68972e1481134178
Instruction ID: 2bdbea7d7c10ac6044f066501ee86dca2032a23fa607238a4a2fff40eb8e0564
Opcode Fuzzy Hash: e0a5733841054f35ee6a67558ffbf079e1ddf009b8a0c96e68972e1481134178
Instruction Fuzzy Hash: A7B19E73204B5486F7668F3AC0503AC3BA0F74EF89F284219EB4A47BA6CB39C651C745

Function 00000001400263B0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b91349162c491fd9d3cfd84cd5ae5e35a4a82b261b7411649656c0553dd378
Instruction ID: e60a8c4b2552d29fb97310efb39fedef81bcafe08a45545273653e4b6d61c138
Opcode Fuzzy Hash: e3b91349162c491fd9d3cfd84cd5ae5e35a4a82b261b7411649656c0553dd378
Instruction Fuzzy Hash: 47911572601A8486FB668B37D5187E972E1F70DBE0F44422AEF6A17BE5D738DD848700

Function 000000014000F8D0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d88b30173d776bbec4e7b8c9e55c8544666a1e7114d5e494066a9e934f1503d
Instruction ID: 00cd9de9fe2c8728540a55737d053312021d889e0e09c000a9c56b72403b59af
Opcode Fuzzy Hash: 1d88b30173d776bbec4e7b8c9e55c8544666a1e7114d5e494066a9e934f1503d
Instruction Fuzzy Hash: 4991F2F2204B4086FA62CA27E5247F976E1E34DBE0F59C221AF2907BE5D778D941B701

Function 0000000140092E14 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 23ccc7ce9506a8c1c07d39999f756624c159b71199f188e85533ac9785993f0d
Instruction ID: 01408dce989196f21b784dde59595df15d8acd0e8679eb71819d0b645f1a3049
Opcode Fuzzy Hash: 23ccc7ce9506a8c1c07d39999f756624c159b71199f188e85533ac9785993f0d
Instruction Fuzzy Hash: 62819E72200A1086EB65CF2AD4953AD33A0F788BE8F148626FF6E87BA5CF35C5418740

Function 0000000140099790 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f347f940c396187d4bfaa3c273b676c370f4d474c152167812ccf1e7673009
Instruction ID: bd34691a7d67022634f9f1a61710223e65fd5656631df14b3dfee9598cc9dd5a
Opcode Fuzzy Hash: 50f347f940c396187d4bfaa3c273b676c370f4d474c152167812ccf1e7673009
Instruction Fuzzy Hash: F181937261878046EB75CF1FA4803AABA91F78E7D4F544229FB9D47BA9DB3DC5408B00

Function 0231A100 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455581737.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Offset: 02301000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2301000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb25984bbb84b506b7442a44f1ea2276f7130761b53bd599e6125853a15f57f
Instruction ID: 4887273439543c85dde077dbccf8d3e5ebfd5c00573153ce68b53127abe4e0b2
Opcode Fuzzy Hash: 9eb25984bbb84b506b7442a44f1ea2276f7130761b53bd599e6125853a15f57f
Instruction Fuzzy Hash: 443169311AA78D4ED32D496C98463B137CAF79760BF28623DC9D7C3663DA26444BC541

Function 00000001400897F0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1c3a0ccb6cd29ade6edb59abc650c0a6808c7d2b219c7f99c84549879a4588
Instruction ID: d81f174727280bfae3e1c8d2c25fc94816d80b7737fdfd02cb4f58fea932a1ae
Opcode Fuzzy Hash: 5d1c3a0ccb6cd29ade6edb59abc650c0a6808c7d2b219c7f99c84549879a4588
Instruction Fuzzy Hash: A951C377604A11C3E72E9F2AC1543AC27A0F75ABA8F190119EF5A177E9CB35CE41C780

Function 0000000140089BC4 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecb8b9979793c10852181b7fabf84e18f565fc6bcd5914c49afb4f525614f51
Instruction ID: 79d5927eb58122ca7903d854d3224612b5208078e6fd7df8917aa9357f895dd0
Opcode Fuzzy Hash: 0ecb8b9979793c10852181b7fabf84e18f565fc6bcd5914c49afb4f525614f51
Instruction Fuzzy Hash: B851B173600A5482E72AAF2AC1543AC37E1F759FA8F184215EF46177E9CB36DE81C784

Function 00000001400899DC Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b92091dba8f0accac89cfe48fde3d5d16b91869aa58acc72bd8e1dec618566
Instruction ID: 3fffde151232361014340c8c5a34b6e9530ca69be43a7a409e4eaad890ce83b0
Opcode Fuzzy Hash: 18b92091dba8f0accac89cfe48fde3d5d16b91869aa58acc72bd8e1dec618566
Instruction Fuzzy Hash: DD51ED7321065086E72EAF2AD1543AC3BA0F359BD8F294109EF4A177E9CB35CE81C780

Function 0000000140089DB0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2df5fec1a36e68530e0f9a86e93240da32b657597d58bd2d4df2635b41feada
Instruction ID: 268ec1035cc9012f911c526a7eb253b1ec329f76e70e69a9d96f9b92d1566653
Opcode Fuzzy Hash: e2df5fec1a36e68530e0f9a86e93240da32b657597d58bd2d4df2635b41feada
Instruction Fuzzy Hash: 6B519B73604A5086E76E9F2AC1943AC3BA0F759B98F1D0119EF4A577A9C735CE82C780

Function 0000000140089608 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e563b16fecf21a8b005dd336b56f4fbbb0e43b582ea3f098d82972a22c6ae1f7
Instruction ID: f2dfb29b7e83f9ed2624e5c96aca5b4a5c3ee50fe1cbf1a6b696d063b6e16715
Opcode Fuzzy Hash: e563b16fecf21a8b005dd336b56f4fbbb0e43b582ea3f098d82972a22c6ae1f7
Instruction Fuzzy Hash: 6751FE3761865083E72AAF2AC1543AC27A0F759BD8F294119EF4A177F8DB35CE91C780

Function 0000000140097BEC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: d3a50af7144745bcb85e305d7bf68092fdcb426cdbbc72fc98c5a77fbff44355
Instruction ID: 2314152a2322c01b06b3399aa4dd9aaba0ac4941e7d2f78a4612815ca04ce106
Opcode Fuzzy Hash: d3a50af7144745bcb85e305d7bf68092fdcb426cdbbc72fc98c5a77fbff44355
Instruction Fuzzy Hash: 1D419D72310A5482EB44CF2BE9657A9A3A2B74CFD4F499026FF4D87B69DA38C1428340

Function 0000000140047400 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 94threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000000014004741A
OpenThreadToken.ADVAPI32(?,?,?,?,?,?,?,?,?,000000014002D891), ref: 000000014004742F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000014002D891), ref: 0000000140047439
ImpersonateSelf.ADVAPI32(?,?,?,?,?,?,?,?,?,000000014002D891), ref: 000000014004744B
GetCurrentThread.KERNEL32 ref: 0000000140047459
OpenThreadToken.ADVAPI32(?,?,?,?,?,?,?,?,?,000000014002D891), ref: 000000014004746E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000014002D891), ref: 0000000140047485
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000014002D891), ref: 00000001400474B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000014002D891), ref: 00000001400474DC
CloseHandle.KERNEL32 ref: 0000000140047527
RevertToSelf.ADVAPI32 ref: 000000014004753A
CloseHandle.KERNEL32 ref: 0000000140047553

Strings

Unable to lookup privilege '{}'!, xrefs: 000000014004777D
Unable to assign the process impersonation token to the thread!, xrefs: 00000001400474E4
Unable to obtain the thread access token!, xrefs: 000000014004748E, 00000001400474B9
Unable to adjust token privilege '{}'!, xrefs: 00000001400477B9

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentHandleOpenSelfToken$ImpersonateRevert
String ID: Unable to adjust token privilege '{}'!$Unable to assign the process impersonation token to the thread!$Unable to lookup privilege '{}'!$Unable to obtain the thread access token!
API String ID: 475273544-197369002
Opcode ID: 6749da1815b9244086f365902ad23cd0f73f55f9474e7ad92115bfaa5316c3ea
Instruction ID: 14ed016d7a4ab3e69fe32eb5d2e51fe92fb5a36cbff291dcdc9b33d0a68bc050
Opcode Fuzzy Hash: 6749da1815b9244086f365902ad23cd0f73f55f9474e7ad92115bfaa5316c3ea
Instruction Fuzzy Hash: 37413871210A4592FB12AFA2E8547E92360FB8DB88F544021EB8E436B5DF3CD949C751

Function 000000014005E560 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 202libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014005E5AB
GetProcAddress.KERNEL32 ref: 000000014005E5C8
GetModuleHandleW.KERNEL32 ref: 000000014005E69C
GetProcAddress.KERNEL32 ref: 000000014005E6B9
GetLastError.KERNEL32 ref: 000000014005E707
GetLastError.KERNEL32 ref: 000000014005E744
GetLastError.KERNEL32 ref: 000000014005E7B6
GetLastError.KERNEL32 ref: 000000014005E7F3

Strings

GetProcAddress ({}), xrefs: 000000014005E74A, 000000014005E7F9
RtlGetVersion, xrefs: 000000014005E5BA
GetModuleHandleW ({}), xrefs: 000000014005E70D, 000000014005E7BC
GetProductInfo, xrefs: 000000014005E6AB
kernel32, xrefs: 000000014005E691
Unable to convert processor architecture ({}) to platform enumeration!, xrefs: 000000014005E781
ntdll, xrefs: 000000014005E59A

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: GetModuleHandleW ({})$GetProcAddress ({})$GetProductInfo$RtlGetVersion$Unable to convert processor architecture ({}) to platform enumeration!$kernel32$ntdll
API String ID: 1762409328-1915291428
Opcode ID: 9d7484a7e32ca5d575654e4c2a5ec3eb30f234ca3929b35e0a70397d6b37d418
Instruction ID: 15b0a89f4416b3568538fbf9990143a13fd2117f3695a2507b66dd78fb4fd6fe
Opcode Fuzzy Hash: 9d7484a7e32ca5d575654e4c2a5ec3eb30f234ca3929b35e0a70397d6b37d418
Instruction Fuzzy Hash: 29A14932600A8599EB5ADF66E4503EC73A0E75C7C8F948026FB8D47AB8DF39C959C740

Function 0000000140047C40 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 227registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 0000000140047D7E
SetLastError.KERNEL32 ref: 0000000140047D8A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140047F88
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140048000
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140048006

Strings

SYSTEM\CurrentControlSet\Control\GroupOrderList, xrefs: 0000000140047CBB, 00000001400480D6
/, xrefs: 0000000140047CC7
Tag, xrefs: 0000000140048427
/, xrefs: 00000001400480E2
Group, xrefs: 00000001400483C7
SYSTEM\CurrentControlSet\Services\, xrefs: 00000001400482C4
The order list of the service group '{}' is malformed!, xrefs: 0000000140047FB8
6, xrefs: 0000000140047FC4

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseConcurrency::cancel_current_taskErrorLast
String ID: /$/$6$Group$SYSTEM\CurrentControlSet\Control\GroupOrderList$SYSTEM\CurrentControlSet\Services\$Tag$The order list of the service group '{}' is malformed!
API String ID: 973969752-2315443231
Opcode ID: 8fff48f6f37925aaabf05bbd2da003f2930900839ed49e0dcd490e852b0a9f6d
Instruction ID: 28ba2f08aa28f84ab621e218dfddfaa96cb2f13f9b34cb6f248e2f46ba81bf10
Opcode Fuzzy Hash: 8fff48f6f37925aaabf05bbd2da003f2930900839ed49e0dcd490e852b0a9f6d
Instruction Fuzzy Hash: 13A18A72211A8489EB62DF26E8407DD73A4F74C7D8F504626EB9D47BA9EF38C684C344

Function 00000001400288D0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 208COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002895A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001400289A5
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140028AE9
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140028B0C
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140028B1F
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140028B25
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140028B5F
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140028B82
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140028BAD
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140028C14

Strings

false, xrefs: 0000000140028A1D
true, xrefs: 0000000140028A4D
bad locale name, xrefs: 0000000140028B12

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_taskLockit::_Lockit::~_$Locinfo::_Locinfo_ctor
String ID: bad locale name$false$true
API String ID: 1486878244-1062449267
Opcode ID: 3c2b06e2966f11c69d513af3ac03665a241348d72241f8d7a8a453f8c069b74a
Instruction ID: 3fd87f393ecb69b85c6b269462077d7561ae56962a89af143662b5c7ec8c1c71
Opcode Fuzzy Hash: 3c2b06e2966f11c69d513af3ac03665a241348d72241f8d7a8a453f8c069b74a
Instruction Fuzzy Hash: F5913B36606B4086FB22DF62E8503D973A1FB88BC4F144519AF8D67AAADB38C951C744

Function 0000000140057E90 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 164COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000000140057F5C
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140057F6E
__std_exception_copy.LIBVCRUNTIME ref: 0000000140057F7B
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140057F88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140057FEB
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000140058036
GetLastError.KERNEL32 ref: 0000000140058040

Strings

5, xrefs: 000000014005842F
Unable to convert NT path '{}' to a volume GUID path!, xrefs: 00000001400583C1, 0000000140058423
WSL Process, xrefs: 0000000140058B25
Unable to enumerate volumes!, xrefs: 0000000140058402
Unable to retrieve a path of the known folder ({})!, xrefs: 0000000140058076
\\?\, xrefs: 0000000140058189

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy$EnvironmentErrorExpandLastStrings_invalid_parameter_noinfo_noreturn
String ID: 5$Unable to convert NT path '{}' to a volume GUID path!$Unable to enumerate volumes!$Unable to retrieve a path of the known folder ({})!$WSL Process$\\?\
API String ID: 2353729461-3251487983
Opcode ID: a971b00b6b545ec4fa32ac5bf8f1b4fc5e6327b307be9eea3f768c1d2fd21dbf
Instruction ID: 2b3ceb743f5014c40e1a22504b0814f19971f4b522418f385d7f29021a5ccfb4
Opcode Fuzzy Hash: a971b00b6b545ec4fa32ac5bf8f1b4fc5e6327b307be9eea3f768c1d2fd21dbf
Instruction Fuzzy Hash: 2C516772710A849AEB11DF26E4903DD33A4F758788F508522FB9C47AA9EB38D6A5C340

Function 0000000140030CD0 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 91registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerExW.ADVAPI32 ref: 0000000140030D29
GetLastError.KERNEL32 ref: 0000000140030E20

Part of subcall function 000000014003DAA0: RpcServerUseProtseqEpW.RPCRT4 ref: 000000014003DACE
Part of subcall function 000000014003DAA0: RpcServerRegisterIfEx.RPCRT4 ref: 000000014003DB06
Part of subcall function 000000014003DAA0: RpcServerRegisterIfEx.RPCRT4 ref: 000000014003DB36
Part of subcall function 000000014003DAA0: RpcServerRegisterIfEx.RPCRT4 ref: 000000014003DB63

SetServiceStatus.ADVAPI32 ref: 0000000140030D56
WaitForSingleObject.KERNEL32 ref: 0000000140030D68
RpcServerUnregisterIf.RPCRT4 ref: 0000000140030D7B
RpcServerUnregisterIf.RPCRT4 ref: 0000000140030D8E
RpcServerUnregisterIf.RPCRT4 ref: 0000000140030DA1
SetServiceStatus.ADVAPI32 ref: 0000000140030E18

Strings

6373, xrefs: 0000000140030E4D
RegisterServiceCtrlHandlerEx failure: gle={}, xrefs: 0000000140030E5C
,, xrefs: 0000000140030E73
StartServer failure: retval={}, xrefs: 0000000140030DDC
E502, xrefs: 0000000140030DD4

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Server$Register$ServiceUnregister$Status$CtrlErrorHandlerLastObjectProtseqSingleWait
String ID: ,$6373$E502$RegisterServiceCtrlHandlerEx failure: gle={}$StartServer failure: retval={}
API String ID: 548640598-1530989511
Opcode ID: 63b4c982e2e00fcf33e1d6dfd9c0f91330e22ee9ccfe943ffa94c78227f84723
Instruction ID: 50e07fc66846bfbe4260a933a509bbc77413dc35a1dc1dc72b1564673e37ba95
Opcode Fuzzy Hash: 63b4c982e2e00fcf33e1d6dfd9c0f91330e22ee9ccfe943ffa94c78227f84723
Instruction Fuzzy Hash: 455126B6B10B14DAF702DFA6E8943CD33B1B748798F504116EA492BA68DF78D549CB40

Function 00000001400151E0 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 345COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(?,00000001400404EA), ref: 000000014001525E
VirtualQueryEx.KERNEL32 ref: 00000001400152C1
K32GetModuleBaseNameW.KERNEL32 ref: 00000001400153B8
CloseHandle.KERNEL32 ref: 000000014001582B

Strings

689A, xrefs: 0000000140015527
Exception params: , xrefs: 00000001400155E3
Exception in: , xrefs: 0000000140015561
F59A, xrefs: 0000000140015503
PID: , xrefs: 000000014001557C
Exception address: , xrefs: 0000000140015625
Exception code: , xrefs: 00000001400155A4

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: BaseCloseHandleModuleNameOpenProcessQueryVirtual
String ID: PID: $689A$Exception address: $Exception code: $Exception in: $Exception params: $F59A
API String ID: 855635403-3050060412
Opcode ID: 8a8765307c712108a0947df3e5f330cae9942757cb6adf4cefaa7f41d658f88e
Instruction ID: 12fd3af4425f6e6040738bb35b357383cfac07cb84db7fad37d320cb61551e6d
Opcode Fuzzy Hash: 8a8765307c712108a0947df3e5f330cae9942757cb6adf4cefaa7f41d658f88e
Instruction Fuzzy Hash: 4A023A72211AC49AEB61DF66E8943DD73A0F789788F504116EB4D4BB79EF38C645C700

Function 0000000140010CE0 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140010D7D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140010DCF
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140010F6A
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140010F99
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140010FDF
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140011002
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014001102D
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140011094

Strings

false, xrefs: 0000000140010CF6, 0000000140010E52
true, xrefs: 0000000140010E68
bad locale name, xrefs: 0000000140010F9F

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskLocinfo::_Locinfo_ctor
String ID: bad locale name$false$true
API String ID: 354050835-1062449267
Opcode ID: f7e4faf5650d59538b5a59f5a4b8092bc18465b3856432a638800222781c1f9e
Instruction ID: 5840e447b6844cdc5e1156469c82ff91de1907e4bc45fdb6f1b7e9f9b7996533
Opcode Fuzzy Hash: f7e4faf5650d59538b5a59f5a4b8092bc18465b3856432a638800222781c1f9e
Instruction Fuzzy Hash: D1B16B32615B8086EB12DF22E8803DE77A1FB887C8F145615FB8D1BA6ADF78C591C740

Function 0000000140049500 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 100serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049535
OpenServiceW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049562
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049575
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049591
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 000000014004959B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 00000001400495C4

Part of subcall function 000000014007B650: RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
Part of subcall function 000000014007B650: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001400144FC), ref: 0000000140049606

Strings

Unable to open the service '{}'!, xrefs: 00000001400495CB
, xrefs: 00000001400495D7
Unable to open the service control manager!, xrefs: 000000014004960E
ServicesActive, xrefs: 000000014004952C

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLastService$CloseHandleOpen$ExceptionFileHeaderManagerRaise
String ID: $ServicesActive$Unable to open the service '{}'!$Unable to open the service control manager!
API String ID: 2158513109-1786243909
Opcode ID: a0523da25f66c11f40c07f91ab1d6dd001669a241499180a9da8d916ced0475a
Instruction ID: cf9ba95a574f67e8951b34db8deb6be0d0de46db6f0ccc00a4b8aebf5161a491
Opcode Fuzzy Hash: a0523da25f66c11f40c07f91ab1d6dd001669a241499180a9da8d916ced0475a
Instruction Fuzzy Hash: B4313671214B4092EA12EF22E8543E963A4FB8DBC0FA14025FB8E43A75EF3CC955C740

Function 0000000140098690 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014009869F
FlsGetValue.KERNEL32 ref: 00000001400986B4
FlsSetValue.KERNEL32 ref: 00000001400986D5
FlsSetValue.KERNEL32 ref: 0000000140098702
FlsSetValue.KERNEL32 ref: 0000000140098713
FlsSetValue.KERNEL32 ref: 0000000140098724
SetLastError.KERNEL32 ref: 000000014009873F
FlsGetValue.KERNEL32 ref: 0000000140098775
FlsSetValue.KERNEL32 ref: 0000000140098794

Part of subcall function 000000014009A1B0: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140098926,?,?,?,000000014008808F,?,?,00000000,000000014008832A), ref: 000000014009A205

FlsSetValue.KERNEL32 ref: 00000001400987BC

Part of subcall function 0000000140098BC4: HeapFree.KERNEL32(?,?,00000000,000000014009FA22,?,?,?,000000014009FD9F,?,?,00000000,00000001400A0484,?,?,?,00000001400A03B7), ref: 0000000140098BDA
Part of subcall function 0000000140098BC4: GetLastError.KERNEL32(?,?,00000000,000000014009FA22,?,?,?,000000014009FD9F,?,?,00000000,00000001400A0484,?,?,?,00000001400A03B7), ref: 0000000140098BE4

FlsSetValue.KERNEL32 ref: 00000001400987CD
FlsSetValue.KERNEL32 ref: 00000001400987DE

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocateFree
String ID:
API String ID: 3174826731-0
Opcode ID: 04a89daeb5ac5b50f33649e46550b0b56fd2029df7522eb5f8f153315faf9387
Instruction ID: 8748f7850ea9bbf3ecbb45585572b62d9a9752533651cb9be03a1a6b81690c8e
Opcode Fuzzy Hash: 04a89daeb5ac5b50f33649e46550b0b56fd2029df7522eb5f8f153315faf9387
Instruction Fuzzy Hash: 0F412D7430524482FA6BA77769513E952419B8C7F4F280B28BF764BBF7DE38D4014B01

Function 00000001400477F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000000140047527
RevertToSelf.ADVAPI32 ref: 000000014004753A
CloseHandle.KERNEL32 ref: 0000000140047553

Strings

Unable to remove the impersonation token from the thread!, xrefs: 000000014004756E
Unable to lookup privilege '{}'!, xrefs: 000000014004777D
Unable to adjust token privilege '{}'!, xrefs: 00000001400477B9

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseHandle$RevertSelf
String ID: Unable to adjust token privilege '{}'!$Unable to lookup privilege '{}'!$Unable to remove the impersonation token from the thread!
API String ID: 680554984-1021965375
Opcode ID: 7d74c2ae68d176f80f8f39417a9f00b875dfe7e1de54d8cc7cf82b9b6e49ae03
Instruction ID: cdf82a8bf0ce1fab008b22b615ef9f68c67fd5b9f83432e90ad38faf9f776c0f
Opcode Fuzzy Hash: 7d74c2ae68d176f80f8f39417a9f00b875dfe7e1de54d8cc7cf82b9b6e49ae03
Instruction Fuzzy Hash: 7E515972604F80A6EB12DF62E8507ED33B0FB48B88F544426EB8D57AA9DF38C555C780

Function 000000014006A6E0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006ABD2
Concurrency::cancel_current_task.LIBCPMT ref: 000000014006ABD8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006ABDE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006ABE4
Concurrency::cancel_current_task.LIBCPMT ref: 000000014006ABEA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006ABF0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006ABF6

Part of subcall function 000000014003CC00: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003CC8A

Strings

pid, xrefs: 000000014006A6E6
-, xrefs: 000000014006A9ED

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: -$pid
API String ID: 3936042273-2050111806
Opcode ID: 39459574276101e149e668f5135789d0d5408215e88b59f5a015b6c16a9c453e
Instruction ID: fabfce5da7018e4877c0198e1f144d975b50803577cf2ec6f4d5724cba0d4fa3
Opcode Fuzzy Hash: 39459574276101e149e668f5135789d0d5408215e88b59f5a015b6c16a9c453e
Instruction Fuzzy Hash: AAE17B32210B8489EB11DB2AD8943DD7766FB49BE8F604A16EB6D037E9DF78C491C740

Function 0000000140029730 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002975F
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140029782
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400297AD

Part of subcall function 0000000140029590: std::_Lockit::_Lockit.LIBCPMT ref: 0000000140029606
Part of subcall function 0000000140029590: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014002964E
Part of subcall function 0000000140029590: _Getctype.LIBCPMT ref: 0000000140029666
Part of subcall function 0000000140029590: std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400296F6

std::_Facet_Register.LIBCPMT ref: 00000001400297F3
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140029814
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140029839

Strings

ios_base::failbit set, xrefs: 0000000140029935, 0000000140029AE8
ios_base::eofbit set, xrefs: 000000014002993C, 0000000140029AEF
ios_base::badbit set, xrefs: 000000014002992A, 0000000140029993, 0000000140029ADD

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2324539378-1866435925
Opcode ID: 80f20ae880cd7af1f674dfb5d4272d68ab40ff994d64f0873548fe28a6f0b799
Instruction ID: e111c35751b719188429c53a6d1e1e3e75a67ddf4543741b545046ef157a2033
Opcode Fuzzy Hash: 80f20ae880cd7af1f674dfb5d4272d68ab40ff994d64f0873548fe28a6f0b799
Instruction Fuzzy Hash: 04C13872214B4486EB12DF1AE89039977A0F788FD4F54812AEB8D47BB5DF38C956C740

Function 00000001400183D0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400184B3
std::_Lockit::_Lockit.LIBCPMT ref: 00000001400184DC
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014001850A
std::_Facet_Register.LIBCPMT ref: 0000000140018561
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140018585

Strings

ios_base::failbit set, xrefs: 00000001400186C6
ios_base::eofbit set, xrefs: 00000001400186CD
ios_base::badbit set, xrefs: 00000001400186BA

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 459529453-1866435925
Opcode ID: 184e3463d0ce68ac614c95af53a1ee39b595bdcaf27f52da81bf45af14359873
Instruction ID: 54f7ea9e9456682b64ccfbfe22fe961ef79f89a3d10c261f5dd0102d8e8e279a
Opcode Fuzzy Hash: 184e3463d0ce68ac614c95af53a1ee39b595bdcaf27f52da81bf45af14359873
Instruction Fuzzy Hash: 00A12872205B8492EB22CF16E8903AA77A1F788BD4F548526EF8D077B5DF39C546C740

Function 00000001400345B0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 189COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014003465B
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140034684
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400346B2
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014003472D

Part of subcall function 00000001400395B0: std::_Lockit::_Lockit.LIBCPMT ref: 0000000140039626
Part of subcall function 00000001400395B0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014003966E
Part of subcall function 00000001400395B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400396FE

std::_Facet_Register.LIBCPMT ref: 0000000140034709
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140034868

Strings

ios_base::failbit set, xrefs: 000000014003487F
ios_base::eofbit set, xrefs: 0000000140034886
ios_base::badbit set, xrefs: 0000000140034873

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3702003507-1866435925
Opcode ID: 037d58fa15f78d050895b9cf95e4fb02945ca99b45a46e19e7fa2bc18823c683
Instruction ID: 6c72215b502308b4d19634f5713abeefe1ea61ab301b75ccf22e2709bc96f48c
Opcode Fuzzy Hash: 037d58fa15f78d050895b9cf95e4fb02945ca99b45a46e19e7fa2bc18823c683
Instruction Fuzzy Hash: 5D911C72205B8481EB22DF5AE8913DAB7A1FB88BD4F148526EB8D47B79DF38C445C740

Function 0000000140029590 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140029606
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014002964E
_Getctype.LIBCPMT ref: 0000000140029666
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400296F6
std::_Lockit::_Lockit.LIBCPMT ref: 000000014002975F
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140029782
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400297AD
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140029814

Strings

bad locale name, xrefs: 0000000140029719

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$GetctypeLocinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 249287498-1405518554
Opcode ID: e7082fab6352342f877f570bc33ebb75009c9146a37448a9756aafedec09829e
Instruction ID: e3a783b7f3f4e3b661fd681bf2fe5da9bcad8ebf194ad2d0229f9e04157e6bdf
Opcode Fuzzy Hash: e7082fab6352342f877f570bc33ebb75009c9146a37448a9756aafedec09829e
Instruction Fuzzy Hash: D6712A32745B8085EB12DF62E8903DD73A5FB887C8F144529AF8967AAADF38C915C340

Function 0000000140057460 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 152COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014005750F
K32GetMappedFileNameW.KERNEL32 ref: 0000000140057525
GetLastError.KERNEL32 ref: 0000000140057714
GetLastError.KERNEL32 ref: 0000000140057770
GetLastError.KERNEL32 ref: 00000001400577A1

Strings

Unable to store the path of the module!, xrefs: 00000001400577A9
DataFolder, xrefs: 000000014005746F
Unable to get the path of the module!, xrefs: 0000000140057778
Unable to retrieve the path of the module!, xrefs: 000000014005771D

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorLast$CurrentFileMappedNameProcess
String ID: DataFolder$Unable to get the path of the module!$Unable to retrieve the path of the module!$Unable to store the path of the module!
API String ID: 1207367512-2037552110
Opcode ID: fe1bfbe4a8589865e0ba6e72039b0dcf4a50e70ce2de8e1576109a64ebb87e3c
Instruction ID: 1d99d5b9ee9eab08dc8c86b6c5e7e0c5ead8c965952f76fc9aec46b7c3feec4a
Opcode Fuzzy Hash: fe1bfbe4a8589865e0ba6e72039b0dcf4a50e70ce2de8e1576109a64ebb87e3c
Instruction Fuzzy Hash: 0F615B72218AC491EA62DB22F4507EEA361F79C784F904126EBCD43A69EF78D585CB40

Function 0000000140058720 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 140COMMON

Download Yara Rule

APIs

FindVolumeClose.KERNEL32 ref: 0000000140058CC8

Strings

5, xrefs: 000000014005842F
\SystemRoot\, xrefs: 0000000140058997
Unable to convert NT path '{}' to a volume GUID path!, xrefs: 0000000140058423
DataFolder, xrefs: 00000001400580D0
Unable to enumerate volumes!, xrefs: 0000000140058402
\Device\LanmanRedirector\, xrefs: 000000014005878F
\Device\Mup\, xrefs: 000000014005889C
Unable to retrieve volume paths for volume '{}'!, xrefs: 00000001400586D5

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseFindVolume
String ID: 5$DataFolder$Unable to convert NT path '{}' to a volume GUID path!$Unable to enumerate volumes!$Unable to retrieve volume paths for volume '{}'!$\Device\LanmanRedirector\$\Device\Mup\$\SystemRoot\
API String ID: 664902110-4246012846
Opcode ID: ad7c29b02100301719761f52cc2ea08ae8938a70180d7a4fb3ce1e8974dcccf1
Instruction ID: 1849c877932131e3aeac80045ee2ef2a80c108937b66888cc186d23b58077a11
Opcode Fuzzy Hash: ad7c29b02100301719761f52cc2ea08ae8938a70180d7a4fb3ce1e8974dcccf1
Instruction Fuzzy Hash: 48519F72614B8081FB71DB16E8407D973A4F7887D0F408616FFA927AA5DF79C885CB40

Function 000000014002C010 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002C16C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002C172
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002C290
Concurrency::cancel_current_task.LIBCPMT ref: 000000014002C296
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002C35F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002C4AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002C4B3

Strings

ios_base::failbit set, xrefs: 000000014002C37F

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: ios_base::failbit set
API String ID: 3936042273-3924258884
Opcode ID: d0e7e7a2e1974941ae1b96c1c99521119145b685d426650eb89f3a2a2397f915
Instruction ID: 527590365acff6ada6692441932f82eef4975a9590fe435fe90c4af1a2a30145
Opcode Fuzzy Hash: d0e7e7a2e1974941ae1b96c1c99521119145b685d426650eb89f3a2a2397f915
Instruction Fuzzy Hash: 8DD1B472614B8481EA16DB26E4513AD7360F799BE4F548315FBAC037E6EF78C990C740

Function 0000000140068110 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 301COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006850D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140068543
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140068549
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006854F

Strings

, xrefs: 0000000140068280
K, xrefs: 0000000140068FD3
, xrefs: 00000001400681E9
[ --, xrefs: 0000000140068AED, 0000000140068B0B

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $ $ [ --$K
API String ID: 3668304517-1316898524
Opcode ID: ba8ad85fab49c1c8392720268d41424c6e3a0a2850a9b770de3f8b71cd50b351
Instruction ID: 33b8748a0ce9b5a7b6ba9b5a28cad75024c6bf3266164c939941f4dadec6fb65
Opcode Fuzzy Hash: ba8ad85fab49c1c8392720268d41424c6e3a0a2850a9b770de3f8b71cd50b351
Instruction Fuzzy Hash: 07C1B472605B8486EF269B2AD85439D6362F789BE4F244A11FF4E07BA9DF78C481C740

Function 0000000140027870 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 216COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027BA2

Strings

Number is too big, xrefs: 0000000140027F64
Can not switch from manual to automatic indexing, xrefs: 0000000140027F71
Unknown format specifier., xrefs: 0000000140027F3D
Argument not found., xrefs: 0000000140027F30, 0000000140027F7E
Invalid format string., xrefs: 0000000140027F4A
Can not switch from automatic to manual indexing, xrefs: 0000000140027F57
Missing '}' in format string., xrefs: 0000000140027F8B

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Argument not found.$Can not switch from automatic to manual indexing$Can not switch from manual to automatic indexing$Invalid format string.$Missing '}' in format string.$Number is too big$Unknown format specifier.
API String ID: 3668304517-96604897
Opcode ID: 6ae073d4a7f77a6a8e7fd1a17a5666f8309c59158a6396b1077f6afd641cada8
Instruction ID: 8a5a0fab3dddc5db6a430d1a720256370c53a79f4d382a8c8edb9d15e8c8aa08
Opcode Fuzzy Hash: 6ae073d4a7f77a6a8e7fd1a17a5666f8309c59158a6396b1077f6afd641cada8
Instruction Fuzzy Hash: 7E91C272604A848AE7238F26E4447EC7BA1E75D7C8F94851AEF8C037B9EB35D955C340

Function 00000001400591A0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 215registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005A7A0: RegOpenKeyExW.ADVAPI32 ref: 000000014005A871

Part of subcall function 0000000140059E00: RegQueryValueExW.ADVAPI32 ref: 0000000140059EA5

RegCloseKey.ADVAPI32 ref: 0000000140059229
SetLastError.KERNEL32 ref: 0000000140059235
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000140059316
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000140059373

Strings

String environment expansion failed due to unexpected buffer size, xrefs: 0000000140059440
String environment expansion failed, xrefs: 000000014005941F

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: EnvironmentExpandStrings$CloseErrorLastOpenQueryValue
String ID: String environment expansion failed$String environment expansion failed due to unexpected buffer size
API String ID: 2357329694-527591527
Opcode ID: bed5391467c1121ca96b4b31fc48628f542f9b303b31acf90c8e8063643ebaf0
Instruction ID: 9460c06f9952e987e85a005f162b0bb574501fdc1195e6a76ad8fd59d77a2e83
Opcode Fuzzy Hash: bed5391467c1121ca96b4b31fc48628f542f9b303b31acf90c8e8063643ebaf0
Instruction Fuzzy Hash: 1491BC72710A40A9EB22DF76D4903EC33B1EB98788F404512FB4957AA9EF39CA95C340

Function 0000000140011A60 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 215COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140011D93

Strings

Number is too big, xrefs: 000000014001218F
Can not switch from manual to automatic indexing, xrefs: 000000014001219C
Unknown format specifier., xrefs: 0000000140012168
Argument not found., xrefs: 000000014001215B, 00000001400121A9
Invalid format string., xrefs: 0000000140012175
Can not switch from automatic to manual indexing, xrefs: 0000000140012182
Missing '}' in format string., xrefs: 00000001400121B6

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Argument not found.$Can not switch from automatic to manual indexing$Can not switch from manual to automatic indexing$Invalid format string.$Missing '}' in format string.$Number is too big$Unknown format specifier.
API String ID: 3668304517-96604897
Opcode ID: b289502791915fcfb5ba3a21ab0722be7a2e243f680952d3b3a9c662d29fc3e9
Instruction ID: 0ec7cd76aa4e2c5961cd70c4a005674cb22b336ee8f1c367bf3f397a015a45d5
Opcode Fuzzy Hash: b289502791915fcfb5ba3a21ab0722be7a2e243f680952d3b3a9c662d29fc3e9
Instruction Fuzzy Hash: DA81DB72600A449AE722DF2AE4447EC37B5F758BC4F908522EF8C07B69EB39C5A5C340

Function 0000000140044100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 0000000140044166
ReadFile.KERNEL32 ref: 00000001400441F2
GetLastError.KERNEL32 ref: 0000000140044274
GetLastError.KERNEL32 ref: 00000001400442C3

Strings

get_file_content: ReadFile, xrefs: 000000014004427C
get_file_content, xrefs: 000000014004429D
get_file_content: GetFileSizeEx, xrefs: 00000001400442CB

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorFileLast$ReadSize
String ID: get_file_content$get_file_content: GetFileSizeEx$get_file_content: ReadFile
API String ID: 3509033087-2648918662
Opcode ID: 6fff3f04ea3b197b3296cdd13bade9e01c6dd2927da1543f621be0ffb8e9d733
Instruction ID: d61b73416bd6d7c834fc3e4ea08e9635e00d5d11ecda4caa3ef7cc9c25f81872
Opcode Fuzzy Hash: 6fff3f04ea3b197b3296cdd13bade9e01c6dd2927da1543f621be0ffb8e9d733
Instruction Fuzzy Hash: A6516672700A8499EB12DF72E9403ED33A5E758BC8F418522BF4E17A69EE38D695C340

Function 000000014009AE70 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,00000000,000000014009B708,?,?,?,?,0000000140095C7D,?,?,?,?,0000000140060E04), ref: 000000014009AFEF
GetProcAddress.KERNEL32(?,00000000,00000000,000000014009B708,?,?,?,?,0000000140095C7D,?,?,?,?,0000000140060E04), ref: 000000014009AFFB

Strings

api-ms-, xrefs: 000000014009AF39
ext-ms-, xrefs: 000000014009AF4C

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 715d91696d5f05c1d05fb450de7ca50a66ac6eb40b0d5cf0c54e9b46d7f48f02
Instruction ID: 9b0e2bc5e33462b48884463105d41d1d058da79c167aef460b2c70ee2a237020
Opcode Fuzzy Hash: 715d91696d5f05c1d05fb450de7ca50a66ac6eb40b0d5cf0c54e9b46d7f48f02
Instruction Fuzzy Hash: 0A41B2B2311A0096FB17DB57A8643D563A6BB4EBE0F184535BF198B7A5EF3CC4458380

Function 0000000140088EB0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140088EF0
_invalid_parameter_noinfo.LIBCMT ref: 000000014008929C
_invalid_parameter_noinfo.LIBCMT ref: 0000000140089547

Strings

f, xrefs: 0000000140088FE6
p, xrefs: 0000000140088F76
p, xrefs: 0000000140088FEE

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 46919a817da2534f5824c40397ea1c5d459151ac2c327dc55986b63d88954a0d
Instruction ID: 2b112e5cc3b9fed0b3e6fc0e951df276abf5b814fa7f693cb19a1f86b623236f
Opcode Fuzzy Hash: 46919a817da2534f5824c40397ea1c5d459151ac2c327dc55986b63d88954a0d
Instruction Fuzzy Hash: 5912A07360414186FB26BE56E0547EAB6A2F3997E4FDC4015F7C247AE8D63DC7809B04

Function 0000000140070BA0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 422COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014007119E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400711AA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400711B0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400711B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400711BC

Strings

prefix, xrefs: 0000000140070CFF

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: prefix
API String ID: 3668304517-2477885070
Opcode ID: 0e4aa983185c1852e1d017b38383dafe2a0531d02685cdc7dab4165f0644b2c5
Instruction ID: 7ee74934a6ccb17f949b4455a25dab5283cfa3cc9bc51289ddcf73f01baaccea
Opcode Fuzzy Hash: 0e4aa983185c1852e1d017b38383dafe2a0531d02685cdc7dab4165f0644b2c5
Instruction Fuzzy Hash: A402A932710A848AFB22DBA6D0403ED27B2E748BC8F445615EF5927BEADB78C595C344

Function 0000000140010BD0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140010CCE
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140010D7D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140010DCF
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140010F6A
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140010F99
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140010FDF
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140011002
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014001102D
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140011094

Strings

false, xrefs: 0000000140010CF6, 0000000140010E52
true, xrefs: 0000000140010E68

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_task$Locinfo::_Locinfo_ctor
String ID: false$true
API String ID: 2740378190-2658103896
Opcode ID: abc2807fcc9a3990018865eccb76438d26fc032f544cb797fc049037c0a27c05
Instruction ID: ecb81626bd03e3a807474287880aa0c3bcef507e45b04215bfc02994481c7157
Opcode Fuzzy Hash: abc2807fcc9a3990018865eccb76438d26fc032f544cb797fc049037c0a27c05
Instruction Fuzzy Hash: 21B17F32615B8086E712DF22E8403DA77A4FB987C8F145625FF881BBAADF79C591C740

Function 0000000140047060 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

StringFileInfo, xrefs: 0000000140047140, 000000014004732C
Unable to determine product identifier from resources!, xrefs: 00000001400473AA
Resource section is empty, xrefs: 00000001400470CC
There is no resource section in module, xrefs: 000000014004709B

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: Resource section is empty$StringFileInfo$There is no resource section in module$Unable to determine product identifier from resources!
API String ID: 0-3023212541
Opcode ID: a29aeeb14d2df50d98afcdf1b0d4279c1eeb0476905c306e89f4bcb3cbedc810
Instruction ID: cf6080c2011ba1a2cf470b03cb6a33f21a7d019162a361bb936239f857183a0e
Opcode Fuzzy Hash: a29aeeb14d2df50d98afcdf1b0d4279c1eeb0476905c306e89f4bcb3cbedc810
Instruction Fuzzy Hash: A5A1AB72A00B9086D710CF19E444B9AB7A1F799BB4FA58325EBBD437E4EB38C595C700

Function 00000001400452B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140079670: RtlAcquireSRWLockExclusive.NTDLL ref: 0000000140079680

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400404CC), ref: 00000001400452F4
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400404CC), ref: 0000000140045304
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400404CC), ref: 0000000140045311

Strings

ProductId, xrefs: 0000000140045372
on_avast_dll_unload, xrefs: 00000001400452FA
ModuleId, xrefs: 000000014004531D, 000000014004534A

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: HandleModule$AcquireAddressExclusiveLockProc
String ID: ModuleId$ProductId$on_avast_dll_unload
API String ID: 920030147-2425011003
Opcode ID: 037e22b5e19308eba2705e2bfc324ad02dd89a86a19de993d254a0a7635cba5a
Instruction ID: 323f4e85ebe704c904bfe2354bead2b7d203800df374dfaaa8868d3716c1b990
Opcode Fuzzy Hash: 037e22b5e19308eba2705e2bfc324ad02dd89a86a19de993d254a0a7635cba5a
Instruction Fuzzy Hash: 8B31B271220A8591EE13EF16E8517DA6321FB987C9F805221F38E576B6EF3CC648C740

Function 0000000140086BEC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,?,00000000,0000000140086DF3,?,?,?,000000014007B7DE,?,?,00000000,000000014007B799), ref: 0000000140086C71
GetLastError.KERNEL32(?,?,?,000000014007B7DE,?,?,00000000,000000014007B799,?,?,?,?,000000014007B225), ref: 0000000140086C7F
LoadLibraryExW.KERNEL32(?,?,?,000000014007B7DE,?,?,00000000,000000014007B799,?,?,?,?,000000014007B225), ref: 0000000140086CA9
FreeLibrary.KERNEL32(?,?,?,000000014007B7DE,?,?,00000000,000000014007B799,?,?,?,?,000000014007B225), ref: 0000000140086D17
GetProcAddress.KERNEL32(?,?,?,000000014007B7DE,?,?,00000000,000000014007B799,?,?,?,?,000000014007B225), ref: 0000000140086D23

Strings

api-ms-, xrefs: 0000000140086C91

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: adb8888907e09ba1064ac421d20c92d4963af2ce4d1b24166459b60f3c77c598
Instruction ID: e6687341ef8f3c7ba6c879ccf321d65f832a4f308149dadd61031be3b38f39b4
Opcode Fuzzy Hash: adb8888907e09ba1064ac421d20c92d4963af2ce4d1b24166459b60f3c77c598
Instruction Fuzzy Hash: F631AE32312B4091EE27DF67A8007A933A4FB4CBE5F5A0925BF994B7A0EF78D5408300

Function 00000001400A6B8C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000001400A6BBD
GetLastError.KERNEL32 ref: 00000001400A6BC9
CloseHandle.KERNEL32 ref: 00000001400A6BE1
CreateFileW.KERNEL32 ref: 00000001400A6C0C
WriteConsoleW.KERNEL32 ref: 00000001400A6C2B

Strings

CONOUT$, xrefs: 00000001400A6BED

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 87ff61bf0eb5e7788eeeeeab0a9fcabd9a512a72c9e2d02dbeac0c991f3165b4
Instruction ID: 372faba3a097c7d2f6a08d2073c60a5f207de366b8f73af6c1a75e1845f4a562
Opcode Fuzzy Hash: 87ff61bf0eb5e7788eeeeeab0a9fcabd9a512a72c9e2d02dbeac0c991f3165b4
Instruction Fuzzy Hash: BF115871314E8086E7528F57F84439AA3B0F79CFE4F144224EBA987BB4DB78D9948740

Function 000000014006454C Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001400645BE
MultiByteToWideChar.KERNEL32 ref: 0000000140064666
LCMapStringEx.KERNEL32 ref: 000000014006469D
LCMapStringEx.KERNEL32 ref: 00000001400646F6
LCMapStringEx.KERNEL32 ref: 00000001400647A3
WideCharToMultiByte.KERNEL32 ref: 00000001400647E5

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 3557958d0ae3b78f9751d0b8b814af1337478352f741e81fc4db53b26dea7625
Instruction ID: 6842bab0ad94cae96335bbfa1fc2af57c68baecb01e2109dcbb880e736b599f6
Opcode Fuzzy Hash: 3557958d0ae3b78f9751d0b8b814af1337478352f741e81fc4db53b26dea7625
Instruction Fuzzy Hash: 5A819672214B8086EB228F66E8503DA67E2FB89BE8F244615FB5D57BE4DF7CC4458700

Function 0000000140068560 Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c16cbe06e57022fcb9eb00b63ed72328f14eb8be0c39fae87b8467141f4297a
Instruction ID: 9b566be6c38d7f59c4d767b02cbd1e074424b53eb7bcce1e57e5e8e23f6a8e27
Opcode Fuzzy Hash: 7c16cbe06e57022fcb9eb00b63ed72328f14eb8be0c39fae87b8467141f4297a
Instruction Fuzzy Hash: D7716932614AC09DEB229FB6D8503ED3B72F31939CF544606EF9817AAADB74C684C350

Function 00000001400648D0 Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400648E5
std::_Lockit::_Lockit.LIBCPMT ref: 000000014006490A
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140064934
std::_Facet_Register.LIBCPMT ref: 00000001400649AB
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400649CC
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400649DF

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 198bbccf348a905434221bb5f7dc1ad49d1d9e274a8e8bf475110d6e8ef405a1
Instruction ID: 94f7ca4aff702e3f9992d92c36c271d965f3f5f725d085f13adeda8b124abf24
Opcode Fuzzy Hash: 198bbccf348a905434221bb5f7dc1ad49d1d9e274a8e8bf475110d6e8ef405a1
Instruction Fuzzy Hash: 74314F72381A4091EB17DB57E8513DA6362E78DBE4F280921EF8D477F5DA38C842C310

Function 0000000140003460 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 000000014002CFF0: WideCharToMultiByte.KERNEL32 ref: 000000014002D0A5
Part of subcall function 000000014002CFF0: WideCharToMultiByte.KERNEL32 ref: 000000014002D0F1

__std_exception_copy.LIBVCRUNTIME ref: 00000001400034FC
__std_exception_destroy.LIBVCRUNTIME ref: 000000014000350F
__std_exception_copy.LIBVCRUNTIME ref: 000000014000351D
__std_exception_destroy.LIBVCRUNTIME ref: 000000014000352C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140003589
__std_exception_destroy.LIBVCRUNTIME ref: 00000001400035BC

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_destroy$ByteCharMultiWide__std_exception_copy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 523040611-0
Opcode ID: fa4dc23b3ad6e9fcd597a11a7ec9e68a2f6ac467085843f88b8659ce6f344d8a
Instruction ID: 3d565eefd2a7b9f8ac1bc5355bbce57d79f68becd27fc65ae4ac525cdfedcfaf
Opcode Fuzzy Hash: fa4dc23b3ad6e9fcd597a11a7ec9e68a2f6ac467085843f88b8659ce6f344d8a
Instruction Fuzzy Hash: 9F417D72614B8481EB01DB26E44539E73A4F7887D4F505221FBAC437B5EB78C596C740

Function 0000000140013C90 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140013CBF
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140013CE2
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140013D0D
std::_Facet_Register.LIBCPMT ref: 0000000140013D53
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140013D74
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140013D99

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 15ee7beeb097c68bc734869bcc63f727c70bbce813f3497d9f3b03ca5efdc9b0
Instruction ID: 1c674c83286ae2aee47e831bf660798327e6f99cfac64260bd036f09269cd56b
Opcode Fuzzy Hash: 15ee7beeb097c68bc734869bcc63f727c70bbce813f3497d9f3b03ca5efdc9b0
Instruction Fuzzy Hash: C1312972744A4081EA22DB17F8913DAB3A1FB8CBD4F544A22BB9D47BB9DA38C5418740

Function 0000000140028B30 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140028B5F
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140028B82
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140028BAD

Part of subcall function 00000001400288D0: std::_Lockit::_Lockit.LIBCPMT ref: 000000014002895A
Part of subcall function 00000001400288D0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001400289A5

std::_Facet_Register.LIBCPMT ref: 0000000140028BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140028C14
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140028C39

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 2294326227-0
Opcode ID: 090e2651584242fbda00d00416eddefc7d35491b7b686caa8ee7eef954108abb
Instruction ID: 5a6ca4d219850a1a36c42ee13ceabd503083a9a0d66260f7b46ad7ea63cf857b
Opcode Fuzzy Hash: 090e2651584242fbda00d00416eddefc7d35491b7b686caa8ee7eef954108abb
Instruction Fuzzy Hash: 8B311A71315A4481EA22DB27E8903DA73A1F78CBD4F584625BB9D47BF9DF38C9418700

Function 000000014001ECA0 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014001ECCF
std::_Lockit::_Lockit.LIBCPMT ref: 000000014001ECF2
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014001ED1D
std::_Facet_Register.LIBCPMT ref: 000000014001ED63
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014001ED84
Concurrency::cancel_current_task.LIBCPMT ref: 000000014001EDA9

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 5b5e727d6f9bb57e30d2e841a7f4ec508acd135abc5a9031aa3e0aa538af0bb5
Instruction ID: 2c81a413fcad2d477535b269f603ba3d39ed49fa78c093efb9e326bff0503961
Opcode Fuzzy Hash: 5b5e727d6f9bb57e30d2e841a7f4ec508acd135abc5a9031aa3e0aa538af0bb5
Instruction Fuzzy Hash: FA313C72305A8081EA12DB27F8913DAB3A1E78CBD4F584621BB9D4BBF9DE3CC5458700

Function 0000000140098808 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0000000140091A99,?,?,?,?,000000014009A217,?,?,00000000,0000000140098926,?,?,?), ref: 0000000140098817
FlsSetValue.KERNEL32(?,?,?,0000000140091A99,?,?,?,?,000000014009A217,?,?,00000000,0000000140098926,?,?,?), ref: 000000014009884D
FlsSetValue.KERNEL32(?,?,?,0000000140091A99,?,?,?,?,000000014009A217,?,?,00000000,0000000140098926,?,?,?), ref: 000000014009887A
FlsSetValue.KERNEL32(?,?,?,0000000140091A99,?,?,?,?,000000014009A217,?,?,00000000,0000000140098926,?,?,?), ref: 000000014009888B
FlsSetValue.KERNEL32(?,?,?,0000000140091A99,?,?,?,?,000000014009A217,?,?,00000000,0000000140098926,?,?,?), ref: 000000014009889C
SetLastError.KERNEL32(?,?,?,0000000140091A99,?,?,?,?,000000014009A217,?,?,00000000,0000000140098926,?,?,?), ref: 00000001400988B7

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7d3276344bc0c9b84c189718fe3c6237352cc154d7de042a69bf42044b124105
Instruction ID: 58aba3e27b1ac579a9d9edacfe43c9ab3524d4413e3a170859a1a2ba7f8ea326
Opcode Fuzzy Hash: 7d3276344bc0c9b84c189718fe3c6237352cc154d7de042a69bf42044b124105
Instruction Fuzzy Hash: 35114F7070064082FA6BA7779A913EE62529B8C7F4F580B28BF7647BF6DE38C4014B11

Function 0000000140014C60 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 267COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 0000000140014D17
RtlLeaveCriticalSection.NTDLL ref: 00000001400150E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140015116

Strings

Exception stack: , xrefs: 0000000140014F71
Module base:, xrefs: 0000000140015022

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CriticalSection$EnterLeave_invalid_parameter_noinfo_noreturn
String ID: Exception stack: $Module base:
API String ID: 2008198395-3948699789
Opcode ID: da24b52b3f46397d813f91a4cd6d684d5e8991d166ef78b384b64ff89428dca4
Instruction ID: ce66e9ddc033545f6407d044a9ce76e1e69ea8023946881deb25b6c407eb24ca
Opcode Fuzzy Hash: da24b52b3f46397d813f91a4cd6d684d5e8991d166ef78b384b64ff89428dca4
Instruction Fuzzy Hash: B3D17E72A00B8085E726DF66D8403E977A0F79DBC8F109215EB4D1B7AAEF39C685C740

Function 000000014009C514 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 218COMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000014009C4B4), ref: 000000014009C637
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000014009C4B4), ref: 000000014009C6C1

Strings

@|Z, xrefs: 000000014009C57E, 000000014009C5D7, 000000014009C607, 000000014009C6F6, 000000014009C79A

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID: @|Z
API String ID: 953036326-2280643266
Opcode ID: 9a7970f5ad25ba0cc72ceb65fdea28adc17d09fc76d9a74a9c055339a61bbc4e
Instruction ID: 67242f7ddf94f2eece3f833f1a970e01786ae8192ca36f6c3b2749f4ec89bbe2
Opcode Fuzzy Hash: 9a7970f5ad25ba0cc72ceb65fdea28adc17d09fc76d9a74a9c055339a61bbc4e
Instruction Fuzzy Hash: AC91D1B2B24A5489FB62CFA79480BED6BA0F34CBD8F545106EF4A57AB5CB34C485C710

Function 0000000140041A10 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000140041AD3
GetLastError.KERNEL32 ref: 0000000140041AED
_Xtime_get_ticks.LIBCPMT ref: 0000000140041C1F
CloseHandle.KERNEL32 ref: 0000000140041CB1

Part of subcall function 000000014005F980: __std_exception_copy.LIBVCRUNTIME ref: 000000014005F9E6
Part of subcall function 000000014005F980: __std_exception_destroy.LIBVCRUNTIME ref: 000000014005F9F9
Part of subcall function 000000014005F980: __std_exception_copy.LIBVCRUNTIME ref: 000000014005FA07
Part of subcall function 000000014005F980: __std_exception_destroy.LIBVCRUNTIME ref: 000000014005FA16

Part of subcall function 000000014007B650: RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
Part of subcall function 000000014007B650: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

Strings

couldn't open file, xrefs: 0000000140041CF2

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: File__std_exception_copy__std_exception_destroy$CloseCreateErrorExceptionHandleHeaderLastRaiseXtime_get_ticks
String ID: couldn't open file
API String ID: 1114502772-3645828643
Opcode ID: 7c8b22423497cd5fcf71eb43bec814ad0144a45b29ae167b955e874da053ca90
Instruction ID: 319782d7b28b5739e7981c1199afd861e8d5b3003aa0c3de4c322a0093fa346b
Opcode Fuzzy Hash: 7c8b22423497cd5fcf71eb43bec814ad0144a45b29ae167b955e874da053ca90
Instruction Fuzzy Hash: 5171E272704B5882EA15DB16B8153E9A3A5F7897E4F128232BFAE477E4EB3CD441C740

Function 000000014002CFF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000014002D0A5
WideCharToMultiByte.KERNEL32 ref: 000000014002D0F1

Strings

to_narrow<wchar_t>::WideCharToMultiByte, xrefs: 000000014002D176, 000000014002D199
to_narrow<wchar_t> invalid arguments, xrefs: 000000014002D153

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: to_narrow<wchar_t> invalid arguments$to_narrow<wchar_t>::WideCharToMultiByte
API String ID: 626452242-1534530176
Opcode ID: 72503945ac01bfc4329ed9d87c037f900e34af3ca36075de242b687c440cbc09
Instruction ID: d6c6e307881a8f992393d6b62ca8f95ca68037eb04720d2ebeda1b4a9b1c9100
Opcode Fuzzy Hash: 72503945ac01bfc4329ed9d87c037f900e34af3ca36075de242b687c440cbc09
Instruction Fuzzy Hash: BD61AF72604A8481EB129F1AE4803D977A0F799BD4F64412AFB9907AF9DF38CD92C740

Function 0000000140023040 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

false, xrefs: 000000014002324D
true, xrefs: 0000000140023246
integral cannot be stored in char, xrefs: 0000000140022709, 0000000140023025

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: false$integral cannot be stored in char$true
API String ID: 0-219347480
Opcode ID: 414494b3c16a6699bf9a620f3f59aaaaf1085228148d12dab47a966e1c410d2a
Instruction ID: 8bdec9e6d27b5e176ae8c7e45078ecab331386496d937ac09da921fbd89a2f82
Opcode Fuzzy Hash: 414494b3c16a6699bf9a620f3f59aaaaf1085228148d12dab47a966e1c410d2a
Instruction Fuzzy Hash: 1D715872704B8489EB12CF6AD4513DC3361E749BD8F14421AEF5D17BA9DB38C95AC341

Function 000000014005E8C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL ref: 000000014005E943

Part of subcall function 0000000140079580: Concurrency::cancel_current_task.LIBCPMT ref: 00000001400795B0
Part of subcall function 0000000140079580: Concurrency::cancel_current_task.LIBCPMT ref: 00000001400795B6
Part of subcall function 0000000140079580: RtlAcquireSRWLockExclusive.NTDLL ref: 00000001400795D0
Part of subcall function 0000000140079580: RtlReleaseSRWLockExclusive.NTDLL ref: 00000001400795E0

RtlEnterCriticalSection.NTDLL ref: 000000014005E9B1
RtlLeaveCriticalSection.NTDLL ref: 000000014005EA60

Strings

DataFolder, xrefs: 000000014005E8D3
Singleton already destroyed, xrefs: 000000014005EAFF

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CriticalSection$Concurrency::cancel_current_taskExclusiveLock$AcquireEnterInitializeLeaveRelease
String ID: DataFolder$Singleton already destroyed
API String ID: 299831208-793623586
Opcode ID: 70bd86f110884df4e1785b7eafbc3f5d60e84e0131820b3f25bc122850874676
Instruction ID: f9c2ae39cd048764f1b1a1c505b2fb8f70154a92a940e39ce9cae4f8c5b15387
Opcode Fuzzy Hash: 70bd86f110884df4e1785b7eafbc3f5d60e84e0131820b3f25bc122850874676
Instruction Fuzzy Hash: F3712C32616B8486EA56DF22E890399B3B4F78CBD0F548129EB8D43775EF39D491C740

Function 0000000140059E00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 169registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 0000000140059EA5
RegQueryValueExW.ADVAPI32 ref: 0000000140059FE5

Part of subcall function 000000014007B650: RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
Part of subcall function 000000014007B650: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

Strings

Cannot query registry data due to value changed too often, xrefs: 000000014005A073
Cannot query registry value data, xrefs: 000000014005A004
Cannot query registry value size, xrefs: 0000000140059F09

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: QueryValue$ExceptionFileHeaderRaise
String ID: Cannot query registry data due to value changed too often$Cannot query registry value data$Cannot query registry value size
API String ID: 1209918281-756855248
Opcode ID: cdfc8d8dec3e0aceed18b92c2a090a35b64572d05e06943e6087fc05a855b88f
Instruction ID: e890d0c149b90de7ec06307b22622564639cb7c1eb9132f914ba7199c8ac07c1
Opcode Fuzzy Hash: cdfc8d8dec3e0aceed18b92c2a090a35b64572d05e06943e6087fc05a855b88f
Instruction Fuzzy Hash: B0714A72618B8096EB11CF26E4503DEBBB0F7987C8F505116FB8957A79DB38E584CB40

Function 000000014005A0A0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 134registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 000000014005A123
RegQueryValueExW.ADVAPI32 ref: 000000014005A208

Part of subcall function 000000014007B650: RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
Part of subcall function 000000014007B650: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

Strings

Cannot query registry data due to value changed too often, xrefs: 000000014005A279
Cannot query registry value data, xrefs: 000000014005A225
Cannot query registry value size, xrefs: 000000014005A171

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: QueryValue$ExceptionFileHeaderRaise
String ID: Cannot query registry data due to value changed too often$Cannot query registry value data$Cannot query registry value size
API String ID: 1209918281-756855248
Opcode ID: 6751fffad8c0006ff87c85d87a78f51a0e4f473fb89e5397368257717576fc6b
Instruction ID: d514a2feefedc57c96a96d79bb10e2e3ea0c90f8cd4c3be355e16a948fc1715b
Opcode Fuzzy Hash: 6751fffad8c0006ff87c85d87a78f51a0e4f473fb89e5397368257717576fc6b
Instruction Fuzzy Hash: F8513572614B848AEB11CF6AE8803DEB7A4F789BC4F504526FB8843B68DF38D555CB40

Function 00000001400139A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140013A16
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140013A5E
_Getctype.LIBCPMT ref: 0000000140013A76
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140013B2E

Strings

bad locale name, xrefs: 0000000140013B51

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: aa3cac9b3afc0d7d72fb7aa3733a8dd6ac9cd9b0bd3536bb37a82acffe86e78f
Instruction ID: 0ddadadbcd5eafeab6b5e1e4eb9906aac0567c7b603df310d8fa229e127ad581
Opcode Fuzzy Hash: aa3cac9b3afc0d7d72fb7aa3733a8dd6ac9cd9b0bd3536bb37a82acffe86e78f
Instruction Fuzzy Hash: 0A514832B45B808AEB12DFB2E4803ED7375FB98788F144515EF8927A66EB34D555C340

Function 0000000140059020 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005A7A0: RegOpenKeyExW.ADVAPI32 ref: 000000014005A871

RegQueryValueExW.ADVAPI32 ref: 000000014005908C
RegCloseKey.ADVAPI32 ref: 00000001400590BC
SetLastError.KERNEL32 ref: 00000001400590C8

Part of subcall function 000000014007B650: RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
Part of subcall function 000000014007B650: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

__std_exception_copy.LIBVCRUNTIME ref: 0000000140059166

Strings

Cannot query registry value, xrefs: 0000000140059092

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseErrorExceptionFileHeaderLastOpenQueryRaiseValue__std_exception_copy
String ID: Cannot query registry value
API String ID: 2471027143-1100310711
Opcode ID: b4f45b8d46c78af4719a31ad7011067c5d62a3d89bb104fbee140b35cca76be6
Instruction ID: 04ebbc1ad51d44f6911fa77968d2cf9d6d5af23c0ee17b3da5f7f2288a28212d
Opcode Fuzzy Hash: b4f45b8d46c78af4719a31ad7011067c5d62a3d89bb104fbee140b35cca76be6
Instruction Fuzzy Hash: F4415B72218B8086EB11DF26E59039A73B5F78CBC0F605525EB9943B69EF39C964CB40

Function 00000001400594B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 0000000140059546
RegCreateKeyExW.ADVAPI32 ref: 00000001400595DE
RegCloseKey.ADVAPI32 ref: 00000001400595FC
SetLastError.KERNEL32 ref: 0000000140059608

Strings

Cannot create registry key, xrefs: 000000014005961A

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Create$CloseErrorLast
String ID: Cannot create registry key
API String ID: 3551974399-2366797263
Opcode ID: 3ec95448bdc617c482522325469cceee4e515c8a8735681f6ca8fa9e47f5c220
Instruction ID: 3eb822ce1125e0bffa799eb2f2375e9dd5885ae909aee2e2e6b8cb74dd9c23c2
Opcode Fuzzy Hash: 3ec95448bdc617c482522325469cceee4e515c8a8735681f6ca8fa9e47f5c220
Instruction Fuzzy Hash: F5411872618B8086E761CF65E8907CE77B4F788798F10452AEF8957A68DF38C595CB00

Function 000000014003DAA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RpcServerUseProtseqEpW.RPCRT4 ref: 000000014003DACE
RpcServerRegisterIfEx.RPCRT4 ref: 000000014003DB06
RpcServerRegisterIfEx.RPCRT4 ref: 000000014003DB36
RpcServerRegisterIfEx.RPCRT4 ref: 000000014003DB63

Strings

ncalrpc, xrefs: 000000014003DAB8

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Server$Register$Protseq
String ID: ncalrpc
API String ID: 1860028169-2983622238
Opcode ID: 4566a10439cefd2c14e989e83b89a395e60d9820173bb6aa9ef00cc5247a4b76
Instruction ID: 10cee73c4aa8f6cdb9266569f3072bc1e783d4a374773acd5f6aefa3e8576cce
Opcode Fuzzy Hash: 4566a10439cefd2c14e989e83b89a395e60d9820173bb6aa9ef00cc5247a4b76
Instruction Fuzzy Hash: 74115EB2214A4182F722CF22F894BC677A1F79C788F844126E78993974DB7CC508CB44

Function 0000000140078360 Relevance: 7.8, APIs: 5, Instructions: 346COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140078788
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014007878E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140078794
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014007879A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400787A0

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: fee4fbc3e24080502c11db0b4f51419df4899d4d6d64c79ff5143d57b816f531
Instruction ID: 47ab0e778c3cae299a7c4feb092146cd11f42151b130c6dcfc262edc7dbf75bc
Opcode Fuzzy Hash: fee4fbc3e24080502c11db0b4f51419df4899d4d6d64c79ff5143d57b816f531
Instruction Fuzzy Hash: 76E16772B10B8486EB16CF6AE4443DD63B2F748BD8F149616EF5817BA9DB38C594C340

Function 000000014009A418 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000014009A45B
_set_statfp.LIBCMT ref: 000000014009A479
_set_statfp.LIBCMT ref: 000000014009A4A2
_set_statfp.LIBCMT ref: 000000014009A6DB

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 123615ce69416e293d68908fa560a63ae141a92441ef9de540260bc5543d7e22
Instruction ID: 0fd36dd1a82220153425df396268225fb20c3ec40fe76be7d1705e5a7e7cb260
Opcode Fuzzy Hash: 123615ce69416e293d68908fa560a63ae141a92441ef9de540260bc5543d7e22
Instruction Fuzzy Hash: 58818332604A8449F6779F3BA4543EAB7A0EF5F3D4F094205BF9A275B5DB3CC5828A40

Function 0000000140047900 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000001400479D6
__std_exception_destroy.LIBVCRUNTIME ref: 00000001400479E8
__std_exception_copy.LIBVCRUNTIME ref: 00000001400479F5
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140047A02
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140047A65

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3939952210-0
Opcode ID: b3ba6bb0e34398673ff49c1a4f1d5b5dfce54e4fc739281dc3ad6e0765d69aac
Instruction ID: 0be40fc27ae5d9ae9e0b2865981b49cc38d1d78e8dc0d529cec524be7ca832d3
Opcode Fuzzy Hash: b3ba6bb0e34398673ff49c1a4f1d5b5dfce54e4fc739281dc3ad6e0765d69aac
Instruction Fuzzy Hash: 6E413732B11B8499EB01CF66E4813DD33B4F798788F508626EB4C57AA9EF34D6A5C340

Function 000000014004A120 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000014004A1EE
__std_exception_destroy.LIBVCRUNTIME ref: 000000014004A200
__std_exception_copy.LIBVCRUNTIME ref: 000000014004A20D
__std_exception_destroy.LIBVCRUNTIME ref: 000000014004A21A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014004A27D

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3939952210-0
Opcode ID: 1f2a8305fef613a7b7c1366366916cb242077bafb53b71d12d9c566d9e90576e
Instruction ID: 91d5117f9bfe9cdd505eb2f9f603e5257e56c558e9ab816fce1fdd8bc0944e41
Opcode Fuzzy Hash: 1f2a8305fef613a7b7c1366366916cb242077bafb53b71d12d9c566d9e90576e
Instruction Fuzzy Hash: 8B412632611B84A9EB01DF66E5903DC33B4F798788F408622FB4C57AA9EF74D6A5C340

Function 000000014005EBA0 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000014005EC6E
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005EC80
__std_exception_copy.LIBVCRUNTIME ref: 000000014005EC8D
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005EC9A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014005ECFD

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3939952210-0
Opcode ID: ca7198a35c09b8c2a1d2652aacee97b22971d12ad1cb2bd0ba02b99a3693a14e
Instruction ID: 19c0f644c5996321750162594ffae60b48271a7043ee4a7134125f2171f1065a
Opcode Fuzzy Hash: ca7198a35c09b8c2a1d2652aacee97b22971d12ad1cb2bd0ba02b99a3693a14e
Instruction Fuzzy Hash: AD413632611B8499EB01CF66E5903DC33B5F758788F408626EB9C17AAAEF34D2A5C340

Function 000000014001BA80 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000014001BB65
__std_exception_destroy.LIBVCRUNTIME ref: 000000014001BB77
__std_exception_copy.LIBVCRUNTIME ref: 000000014001BB84
__std_exception_destroy.LIBVCRUNTIME ref: 000000014001BB91
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001BBF4

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3939952210-0
Opcode ID: 733ddc207bc49f335a72192dd71da86b5e8d69a8a103fe2191a10c6033290cc1
Instruction ID: 196861a57875547a2a3d103c6ad5802c7914acbd5c03a4b87542c4cf7168f1df
Opcode Fuzzy Hash: 733ddc207bc49f335a72192dd71da86b5e8d69a8a103fe2191a10c6033290cc1
Instruction Fuzzy Hash: 85413472611B84A9EB01DF66E4803DC33B5F758798F408226FB9C17BA9EB74D6A5C340

Function 0000000140049D20 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000000140049DF6
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140049E08
__std_exception_copy.LIBVCRUNTIME ref: 0000000140049E15
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140049E22
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140049E85

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3939952210-0
Opcode ID: be3464c3a08c349efedf0c46838e7046ce6e4dc2cd6b47540c023e9fa3259f76
Instruction ID: abe57ed7e5c95b63a7758696159104acb2f8c7d7a7bc1f745aec086952ebb880
Opcode Fuzzy Hash: be3464c3a08c349efedf0c46838e7046ce6e4dc2cd6b47540c023e9fa3259f76
Instruction Fuzzy Hash: D1412432611B84A9EB01CF66E4803DC33A4F79879CF408226EB4C57AA9EF34D6A5C344

Function 000000014008DDB8 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008DDDC
CreateThread.KERNEL32 ref: 000000014008DE1D
GetLastError.KERNEL32 ref: 000000014008DE2B
CloseHandle.KERNEL32 ref: 000000014008DE48
FreeLibrary.KERNEL32 ref: 000000014008DE57

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: e5870b07309b9fb3d5724a213b615b567d52ca05316e70d13df25f9b5f570b04
Instruction ID: 965a1335f200944b60dada93899e7ebfd69b977873099df52df0a6ea16f698bd
Opcode Fuzzy Hash: e5870b07309b9fb3d5724a213b615b567d52ca05316e70d13df25f9b5f570b04
Instruction Fuzzy Hash: 32211F76205B4082EE5AAF67A4513EA73A0BBACFD4F144526FF4947BA5DF38C640C700

Function 00000001400988D0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000014008808F,?,?,00000000,000000014008832A,?,?,?,?,?,00000001400882B6), ref: 00000001400988EF
FlsSetValue.KERNEL32(?,?,?,000000014008808F,?,?,00000000,000000014008832A,?,?,?,?,?,00000001400882B6), ref: 000000014009890E
FlsSetValue.KERNEL32(?,?,?,000000014008808F,?,?,00000000,000000014008832A,?,?,?,?,?,00000001400882B6), ref: 0000000140098936
FlsSetValue.KERNEL32(?,?,?,000000014008808F,?,?,00000000,000000014008832A,?,?,?,?,?,00000001400882B6), ref: 0000000140098947
FlsSetValue.KERNEL32(?,?,?,000000014008808F,?,?,00000000,000000014008832A,?,?,?,?,?,00000001400882B6), ref: 0000000140098958

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1242a127319296256211208d7fb47c39d8199e86aaa36262febbd3c5ce4f9c16
Instruction ID: bfec05fd07b564d1a0d2a0394d3f9ac12f52d9618567ebabe614c443833c668e
Opcode Fuzzy Hash: 1242a127319296256211208d7fb47c39d8199e86aaa36262febbd3c5ce4f9c16
Instruction Fuzzy Hash: 0911427030464482FAAA9737A6913F962419B8C7F4F5C4724BF7A477F6DE38C4018B02

Function 0000000140053BF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL ref: 0000000140053C73

Part of subcall function 0000000140079580: Concurrency::cancel_current_task.LIBCPMT ref: 00000001400795B0
Part of subcall function 0000000140079580: Concurrency::cancel_current_task.LIBCPMT ref: 00000001400795B6
Part of subcall function 0000000140079580: RtlAcquireSRWLockExclusive.NTDLL ref: 00000001400795D0
Part of subcall function 0000000140079580: RtlReleaseSRWLockExclusive.NTDLL ref: 00000001400795E0

RtlEnterCriticalSection.NTDLL ref: 0000000140053CE1
RtlLeaveCriticalSection.NTDLL ref: 0000000140053DAF

Strings

Singleton already destroyed, xrefs: 0000000140053E4E

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CriticalSection$Concurrency::cancel_current_taskExclusiveLock$AcquireEnterInitializeLeaveRelease
String ID: Singleton already destroyed
API String ID: 299831208-257684709
Opcode ID: 7c6f20288bbf5095be689e7122dd872f908856bf7fa0d0142f9cf8bb55b22af9
Instruction ID: 4b35a25cb3c4676208d3a52ba88c4e2f7e65f3b440d398bc6bcd8edda79aa7a5
Opcode Fuzzy Hash: 7c6f20288bbf5095be689e7122dd872f908856bf7fa0d0142f9cf8bb55b22af9
Instruction Fuzzy Hash: 9D716A32611B8086EB56CF22E8903A9B3B4F79CB84F558225EB8D43775EF39D4A1C740

Function 000000014006E6A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 000000014006DB20: __std_exception_copy.LIBVCRUNTIME ref: 000000014006DB84

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006E865
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006E86B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014006E871

Strings

n once, xrefs: 000000014006E746

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: n once
API String ID: 1944019136-284773441
Opcode ID: ce6991487a4218bd576e611f7037e5cbbe3899e4f8cc35503520b7f070ed61ce
Instruction ID: 5dc7f5d92bccd6774901fa63c351214304673952db77c16a97a7a1ee0dbacc22
Opcode Fuzzy Hash: ce6991487a4218bd576e611f7037e5cbbe3899e4f8cc35503520b7f070ed61ce
Instruction Fuzzy Hash: 12516972611B8489EB12CF7AE8543DD3366EB49BD8F509611AB5C07BEADF78C181C300

Function 0000000140066EC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 000000014006DB20: __std_exception_copy.LIBVCRUNTIME ref: 000000014006DB84

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140067023
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140067029

Strings

/, xrefs: 0000000140066F11
(, xrefs: 0000000140066F08

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: ($/
API String ID: 1944019136-2468745909
Opcode ID: 2b0b3099e6005553687e055680946745d6231b4c04129d9763468462212361d5
Instruction ID: 0464f1527052c086c2319fab285b9ceaf66ebf46eb78baafa60bfd9882813a2a
Opcode Fuzzy Hash: 2b0b3099e6005553687e055680946745d6231b4c04129d9763468462212361d5
Instruction Fuzzy Hash: B551BE72215B8081FB02CB6AE49439EB3A1E789BE4F105615FBAD477EADF7CC0848700

Function 00000001400395B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140039626
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014003966E
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400396FE

Strings

bad locale name, xrefs: 0000000140039721

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 1414991dbdecf56344e52e0e0c32b67c05f8fda9118dd4dbe854212d07a6a867
Instruction ID: 4b21ec1d3f5d05d5fbb28de49515162a2d6aca5fef3022fe2805013068dcbc0d
Opcode Fuzzy Hash: 1414991dbdecf56344e52e0e0c32b67c05f8fda9118dd4dbe854212d07a6a867
Instruction Fuzzy Hash: BB411532716A80D9EB56DF62E4913EE33A4EB48788F044425EF4927EAADF34C525D344

Function 000000014001CA40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014001CAB6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014001CAFE
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014001CB8E

Strings

bad locale name, xrefs: 000000014001CBB1

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 67334affb38956a56cdcccb68bfac42c5f3a00cad1a36b976b3c7baf7da2d873
Instruction ID: 1b4047c68961f6d1163d1ec08fe634b61fb2381447eb18497c5d1b166cf7dcd0
Opcode Fuzzy Hash: 67334affb38956a56cdcccb68bfac42c5f3a00cad1a36b976b3c7baf7da2d873
Instruction Fuzzy Hash: 05416832316B80C9EB16DFB2E4917ED33A4EB48788F044425EF496BAAADF35C525D344

Function 000000014009C27C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014009C393
GetLastError.KERNEL32 ref: 000000014009C3B5

Strings

U, xrefs: 000000014009C33F
@|Z, xrefs: 000000014009C2BD

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: @|Z$U
API String ID: 442123175-2687595095
Opcode ID: 48194efef41d634dfaafc76d3ac8d096a32dcf7b3a92be0930006c4cd2cb2571
Instruction ID: 0471a06396b1ad8b7ae2f15c87dca4ada56b6efaa703bd25428672b7ac151f78
Opcode Fuzzy Hash: 48194efef41d634dfaafc76d3ac8d096a32dcf7b3a92be0930006c4cd2cb2571
Instruction Fuzzy Hash: F041A272724A8486EB21DF66E4447EA67A0F79C7C4F948021EF8D87BA8DB3CC541C740

Function 00000001400725A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000000140072648
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400726B2

Strings

O, xrefs: 00000001400725D3
C, xrefs: 00000001400725CA

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy_invalid_parameter_noinfo_noreturn
String ID: C$O
API String ID: 1109970293-2585155372
Opcode ID: 53e7129cb027607950035b9adad8961daa4b36f300ac358a440e50e719d15978
Instruction ID: be6445adadab469562bc0324a6a1ac9beb165ce9228a46a260c9a1a5fa40831e
Opcode Fuzzy Hash: 53e7129cb027607950035b9adad8961daa4b36f300ac358a440e50e719d15978
Instruction Fuzzy Hash: 34313C72514B8482E7128B2AE4513E97760FB9DBD8F505216FB9C437B6EB7CC195C310

Function 000000014005ED10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 000000014005ED65
GetLastError.KERNEL32 ref: 000000014005EDDA

Strings

Unable to retrieve environment variable '{}'!, xrefs: 000000014005EDC5
-, xrefs: 000000014005EDD1

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: EnvironmentErrorLastVariable
String ID: -$Unable to retrieve environment variable '{}'!
API String ID: 3114522214-584169599
Opcode ID: 527f662b23c1b4a882dbf7370019445303981129e745c3a8f1c2050ea109a79a
Instruction ID: f5d8d70390093e31130ea3b6e30c320d89e7b569c4f444a5908d59a2e5c8d7e2
Opcode Fuzzy Hash: 527f662b23c1b4a882dbf7370019445303981129e745c3a8f1c2050ea109a79a
Instruction Fuzzy Hash: F0212832618B8481E751DB22E85539AB3A5FB8CBC4F504125BBCD43669EF3CD5958B40

Function 0000000140055950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140055880: RtlInitializeCriticalSection.NTDLL ref: 00000001400558C1
Part of subcall function 0000000140055880: RtlDeleteCriticalSection.NTDLL ref: 00000001400558DA
Part of subcall function 0000000140055880: RtlEnterCriticalSection.NTDLL ref: 0000000140055937

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140004711), ref: 00000001400559A4
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140004711), ref: 00000001400559C5
RtlLeaveCriticalSection.NTDLL ref: 00000001400559EF

Strings

asw::lifetime::impl::lifetime_creation_monitor_holder::set_created, xrefs: 0000000140055A10

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterEventHandleInitializeLeave
String ID: asw::lifetime::impl::lifetime_creation_monitor_holder::set_created
API String ID: 3040484998-3605786268
Opcode ID: a97a8769dbe6fd78ecf7b1a42f8fdec5e0d80cc19b8db7cc52d4824e9a28bc80
Instruction ID: 4938b172fda1cedb61a9709e50ad8186f7bef5d74812dc94d7dba1a726f99d2a
Opcode Fuzzy Hash: a97a8769dbe6fd78ecf7b1a42f8fdec5e0d80cc19b8db7cc52d4824e9a28bc80
Instruction Fuzzy Hash: 43213A32204B4482EB12EF26E8A43A963B4FB8CBD4F644521EB5D476B5DF78D891C740

Function 0000000140056580 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000000140056447), ref: 00000001400565A0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000000140056447), ref: 00000001400565C3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000000140056447), ref: 00000001400565E3

Strings

Cannot create event, xrefs: 00000001400565EB

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseCreateErrorEventHandleLast
String ID: Cannot create event
API String ID: 937152468-3475436419
Opcode ID: 85e723dc28051c9128e89b5ef90c266e87eb60135b79c33272b5393e587c48b7
Instruction ID: 8c3f2093b324fccf10d60abad5a9520c9baf034ca4899f78ebf9708e01a9c787
Opcode Fuzzy Hash: 85e723dc28051c9128e89b5ef90c266e87eb60135b79c33272b5393e587c48b7
Instruction Fuzzy Hash: 0D118B31302E8682EF27DBA2A8103D963A1BB4CB84F480425AB8D43B74EF7CD515C740

Function 0000000140059B60 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005A7A0: RegOpenKeyExW.ADVAPI32 ref: 000000014005A871

RegDeleteValueW.ADVAPI32 ref: 0000000140059BAE
RegCloseKey.ADVAPI32 ref: 0000000140059BDC
SetLastError.KERNEL32 ref: 0000000140059BE8

Strings

Cannot delete registry value, xrefs: 0000000140059BB4

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseDeleteErrorLastOpenValue
String ID: Cannot delete registry value
API String ID: 1963916417-4063604081
Opcode ID: 67389c08b5669c2787062dd8f1e903ed67bb6e7db85a2c69f7914face2663579
Instruction ID: 506817aa63d746383d21c3308bf371876a7f944bd3a9b96990b4554b18483697
Opcode Fuzzy Hash: 67389c08b5669c2787062dd8f1e903ed67bb6e7db85a2c69f7914face2663579
Instruction Fuzzy Hash: 04118272628B8082EB11DB62F45539A73B4FBCD7C4F405915BA8D43675DF3CC5448B00

Function 0000000140059AC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005A7A0: RegOpenKeyExW.ADVAPI32 ref: 000000014005A871

RegDeleteTreeW.ADVAPI32(?,?,?,?,?,?,?,?,000000014005996C), ref: 0000000140059B01
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,000000014005996C), ref: 0000000140059B2F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000014005996C), ref: 0000000140059B3B

Strings

Cannot delete registry key tree, xrefs: 0000000140059B07

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseDeleteErrorLastOpenTree
String ID: Cannot delete registry key tree
API String ID: 321458958-3455289483
Opcode ID: a3ded7c5a9c98ec971dc730303bf7900f9e99ad81b66e9a2e0dad1d390e19f4e
Instruction ID: 9cea434b4cbf3e4c222e52f50331696bd945e54bcaac784f61492dfacb5b65a7
Opcode Fuzzy Hash: a3ded7c5a9c98ec971dc730303bf7900f9e99ad81b66e9a2e0dad1d390e19f4e
Instruction Fuzzy Hash: 6C018072628F8082EA21EB72F85539AA3A0FBCD784F401A15B68D93675EF3CC1448B00

Function 0000000140001170 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000117B
GetProcAddress.KERNEL32 ref: 000000014000118B

Strings

RtlDllShutdownInProgress, xrefs: 0000000140001184
ntdll.dll, xrefs: 0000000140001174

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 486b237c5a67cd82c74454a3fea0250b3484a4e9cd859289d73c8fac4d6443f3
Instruction ID: 0f3b9b58c82f9aa9ab337f3f0cfcadf00547ac744fe9edc45628ac7a7d5f9fd8
Opcode Fuzzy Hash: 486b237c5a67cd82c74454a3fea0250b3484a4e9cd859289d73c8fac4d6443f3
Instruction Fuzzy Hash: C2D0C974622E00E1E607AF47EC553D43271B74C791FD00515D60A03330AF3CD55AC740

Function 000000014009BBD0 Relevance: 6.3, APIs: 4, Instructions: 305fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000000014009BC57
WriteFile.KERNEL32 ref: 000000014009BF1E
WriteFile.KERNEL32 ref: 000000014009BF67
GetLastError.KERNEL32 ref: 000000014009C028

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 40bd82a7c78bf1289091e82a3ee2415cba04c08fad2a586ea6ade76a6e5a6c9c
Instruction ID: 19c48ec83b0aa6899f29b94af066237a63b485f59a4bf98e1bf1d6ef42a76257
Opcode Fuzzy Hash: 40bd82a7c78bf1289091e82a3ee2415cba04c08fad2a586ea6ade76a6e5a6c9c
Instruction Fuzzy Hash: B7D1EE72B14A848AE712CFBAD5403DD3BB5F348BE8F544216EF9997BA9DA34C416C700

Function 0000000140028E30 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014003B1A9), ref: 0000000140028ED2
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014003B1A9), ref: 0000000140028F12

Strings

to_wide<char>::MultiByteToWideChar, xrefs: 0000000140028F97, 0000000140028FBA
to_wide<char> invalid arguments, xrefs: 0000000140028F74

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: to_wide<char> invalid arguments$to_wide<char>::MultiByteToWideChar
API String ID: 626452242-363086301
Opcode ID: c7c08583812b46095b61781c5ffed97884927f8ba22f2713555a0cc6983142a8
Instruction ID: 4d8cc23a3861524033b35381a912b0fc51dcb5d9570516251ee907262d4b9398
Opcode Fuzzy Hash: c7c08583812b46095b61781c5ffed97884927f8ba22f2713555a0cc6983142a8
Instruction Fuzzy Hash: FB410F32215B8481EB629F02E5403E973A1FB98BD8F141139BF5E07AB5EF38C992C340

Function 0000000140059660 Relevance: 6.1, APIs: 4, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000014005971C
RegCloseKey.ADVAPI32 ref: 000000014005973F
SetLastError.KERNEL32 ref: 000000014005974B
RegQueryInfoKeyW.ADVAPI32 ref: 0000000140059795

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseErrorInfoLastOpenQuery
String ID:
API String ID: 4026330008-0
Opcode ID: cda00aa15a7f34e4a25872eaeea430025bd5d75f5a785da38cf24a26c16a6e6b
Instruction ID: a71bdfb01883035fc8546c3d1f1f35ec8381dc35e6c8e93d0c80b9c088452a08
Opcode Fuzzy Hash: cda00aa15a7f34e4a25872eaeea430025bd5d75f5a785da38cf24a26c16a6e6b
Instruction Fuzzy Hash: F6311D32218B8486EB61CF56F49979AB3A8F7887C0F644126EBD943B64DF39C551CB00

Function 0000000140003BB0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140055880: RtlInitializeCriticalSection.NTDLL ref: 00000001400558C1
Part of subcall function 0000000140055880: RtlDeleteCriticalSection.NTDLL ref: 00000001400558DA
Part of subcall function 0000000140055880: RtlEnterCriticalSection.NTDLL ref: 0000000140055937

CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,0000000140004675), ref: 0000000140003C10
RtlLeaveCriticalSection.NTDLL ref: 0000000140003C51
CreateEventW.KERNEL32(?,?,?,?,?,00000000,?,0000000140004675), ref: 0000000140003C85
RtlLeaveCriticalSection.NTDLL ref: 0000000140003C9F

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CriticalSection$Leave$CloseCreateDeleteEnterEventHandleInitialize
String ID:
API String ID: 3435541109-0
Opcode ID: 27da87d7525a020086e45bc55bec4e685603b6a503a6185e878488744b99e3b4
Instruction ID: 85fc1c0a83deffbb265eef27bece4194f1a6fa20c55c05c7cdf3801a246b2988
Opcode Fuzzy Hash: 27da87d7525a020086e45bc55bec4e685603b6a503a6185e878488744b99e3b4
Instruction Fuzzy Hash: E4316A72214B8086F763DF22F85079A77A4F78C7D8F188611BB8957AA5DF38D491C740

Function 00000001400128B0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

VerSetConditionMask.NTDLL ref: 0000000140012922
VerSetConditionMask.NTDLL ref: 0000000140012931
VerSetConditionMask.NTDLL ref: 0000000140012940
VerifyVersionInfoW.KERNEL32 ref: 0000000140012961

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 452efdd4f692d1e884ec315b98b4abd69929eecd61e40fe0fb36c871c85bc769
Instruction ID: 013a3806318f21c79f943d46fcd361c2d7bcf03c60229824e0722f46477d8758
Opcode Fuzzy Hash: 452efdd4f692d1e884ec315b98b4abd69929eecd61e40fe0fb36c871c85bc769
Instruction Fuzzy Hash: E3114F3261568496E731CF22F4457DAB3A0FB8CB84F118625EB9947B64EB3CD645CF40

Function 000000014005F980 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000014005F9E6
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005F9F9
__std_exception_copy.LIBVCRUNTIME ref: 000000014005FA07
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005FA16

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy
String ID:
API String ID: 2960854011-0
Opcode ID: 6733e03be22301ba3ef0e99c153bae17e299ab6a1f83f2e860b0a71dd9607e63
Instruction ID: f0bb4adc6b4dd4a7cf9654619226c9556f9994f544bcbf27281b2ab3b3870acc
Opcode Fuzzy Hash: 6733e03be22301ba3ef0e99c153bae17e299ab6a1f83f2e860b0a71dd9607e63
Instruction Fuzzy Hash: FA118C32624B4481EB01DF25E48539D77A4F798BC4F604125FB9D4376AEF38C996C750

Function 000000014005F770 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000014005F7D6
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005F7E9
__std_exception_copy.LIBVCRUNTIME ref: 000000014005F7F7
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005F806

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy
String ID:
API String ID: 2960854011-0
Opcode ID: 542e6935168dbd11bc08cd37ad643b41faa539432d4ebbdd17dca4974c99cdd3
Instruction ID: 267324faae7d233520a0d8ed61557ded62087f4cbaf681df3e553709503b3392
Opcode Fuzzy Hash: 542e6935168dbd11bc08cd37ad643b41faa539432d4ebbdd17dca4974c99cdd3
Instruction Fuzzy Hash: 99118C32624B4481EB01DF25E48139D77A4F79CBC4F608125FB9D0376AEB38C996C710

Function 000000014005F8B0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000014005F918
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005F92B
__std_exception_copy.LIBVCRUNTIME ref: 000000014005F939
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005F948

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy
String ID:
API String ID: 2960854011-0
Opcode ID: 62d9a73a0acf46c2332e574337326d1331295c8d0383671e655a7c7e699e0e44
Instruction ID: b5265a7ec846762b022f962f9ebdac92f0270735d81d900c28c8e7686cf911af
Opcode Fuzzy Hash: 62d9a73a0acf46c2332e574337326d1331295c8d0383671e655a7c7e699e0e44
Instruction Fuzzy Hash: 23214C32224B8481EB01DF21E88539D73A5F788BC4F614225FB9D43765EF38C596C700

Function 000000014005F6A0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000014005F708
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005F71B
__std_exception_copy.LIBVCRUNTIME ref: 000000014005F729
__std_exception_destroy.LIBVCRUNTIME ref: 000000014005F738

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: __std_exception_copy__std_exception_destroy
String ID:
API String ID: 2960854011-0
Opcode ID: 7999edc1383b33dbfdbcd54aa8cc89eb2e311b35a0c690bbd6ad3fcad860ae34
Instruction ID: 4deb287e485d9cc7c8d53c793f4b7463465d4c3e62d044c8a5e6476d11d8e03a
Opcode Fuzzy Hash: 7999edc1383b33dbfdbcd54aa8cc89eb2e311b35a0c690bbd6ad3fcad860ae34
Instruction Fuzzy Hash: 05211832624B4481EB01DF25E88539D73A9F788BD4FA54225FB9D4776AEF38C592C700

Function 0000000140079580 Relevance: 6.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400795B0
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400795B6
RtlAcquireSRWLockExclusive.NTDLL ref: 00000001400795D0
RtlReleaseSRWLockExclusive.NTDLL ref: 00000001400795E0

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExclusiveLock$AcquireRelease
String ID:
API String ID: 1304602613-0
Opcode ID: 84bb316eac59f392674c0bccf319f6d6d28f957edd07f7beb69ef115125f1a9f
Instruction ID: 0dce682ebe817e32d61f8728b318b500aeceaf637d429e04cada650a5c2243ad
Opcode Fuzzy Hash: 84bb316eac59f392674c0bccf319f6d6d28f957edd07f7beb69ef115125f1a9f
Instruction Fuzzy Hash: 44F06D70611C0591FE17AB63A8157E522B09B5C7B0F580A10BB79471F2EA3CC496C310

Function 000000014000DA40 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

nan, xrefs: 000000014000DB70

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: nan
API String ID: 0-1810114945
Opcode ID: a11dce36ecbdafa46039370b2097645fba5a46745698a1cbb76e0880d5fd8821
Instruction ID: 0e9de96d5d1ff602d59062be2b7c4507a33184d965af0a6b98dc4c34342b0870
Opcode Fuzzy Hash: a11dce36ecbdafa46039370b2097645fba5a46745698a1cbb76e0880d5fd8821
Instruction Fuzzy Hash: ED028BB2604BC489EB62CF2AE4803ED3BA1F7597D8F509216FB4947BA9DB74C581C310

Function 00000001400259B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 399COMMON

Download Yara Rule

APIs

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 0000000140025C1B

Part of subcall function 0000000140062898: MultiByteToWideChar.KERNEL32 ref: 00000001400628B4
Part of subcall function 0000000140062898: GetLastError.KERNEL32 ref: 00000001400628C2

Strings

\u{, xrefs: 0000000140025D33
\x{, xrefs: 0000000140025E30

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__std_fs_convert_narrow_to_wide
String ID: \u{$\x{
API String ID: 1033888727-3325273574
Opcode ID: ae328bf1be006d6752bff118feeef84db8402c3f6fcce22a48d6b254611e15d3
Instruction ID: 54a2823de4257917c54320cb21ca7cf787ad5b1ae14b123a1386ac876b94e2fe
Opcode Fuzzy Hash: ae328bf1be006d6752bff118feeef84db8402c3f6fcce22a48d6b254611e15d3
Instruction Fuzzy Hash: 5E024A72604B8886DB169F26D5903AD7B61F348FC9F948516EF5E033A8DF38C856C354

Function 0000000140007520 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

integral cannot be stored in wchar_t, xrefs: 00000001400079B9

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in wchar_t
API String ID: 0-1689078516
Opcode ID: b2893074f87381b3bfe03490b58b747f50e7b23f689dc4be389cbe9dfe34f12b
Instruction ID: 7f534a460b2e3e69ceffbc228a422ce7ce83d315cc88fab3d6e8895a6351ad92
Opcode Fuzzy Hash: b2893074f87381b3bfe03490b58b747f50e7b23f689dc4be389cbe9dfe34f12b
Instruction Fuzzy Hash: C7E192B2B14B8485EB22CB6AF4407ED77A1F7487D8F508116EB9E17BA9DB38C585C700

Function 0000000140022270 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

integral cannot be stored in char, xrefs: 0000000140022709, 0000000140023025

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in char
API String ID: 0-960316848
Opcode ID: de3f9bbb75f06938dda710c6efef91e6c5b368340e744e9b07a28b2e26b52ac5
Instruction ID: 53947a9d27e19c6f0efc18f476bfc996490f820c94bca11df3eac56f3b26ff61
Opcode Fuzzy Hash: de3f9bbb75f06938dda710c6efef91e6c5b368340e744e9b07a28b2e26b52ac5
Instruction Fuzzy Hash: 4CE1C272614B8495EB22CBAAE4503ED77A1F7487D4F50851AFB9D13BB8DB38C984C700

Function 00000001400115C0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

integral cannot be stored in wchar_t, xrefs: 0000000140011A49

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in wchar_t
API String ID: 0-1689078516
Opcode ID: 8ca15a9393aa8e6eb612ff0fba9b85bf37b20341f5a6997befa598268c2b8718
Instruction ID: f3069717cfdafdd280e1c1ab3f26c5eca656a1b41689258997a484e0637ade87
Opcode Fuzzy Hash: 8ca15a9393aa8e6eb612ff0fba9b85bf37b20341f5a6997befa598268c2b8718
Instruction Fuzzy Hash: 02E1E432714B8489EB16CB6AE4403ED77B1F7887C8F548116FB990BBAADB39C545C700

Function 00000001400273D0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

integral cannot be stored in char, xrefs: 0000000140027859

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in char
API String ID: 0-960316848
Opcode ID: d0d2e916398f6898de0923c58e3c77d0ec866c883e4f6f62d43be85d5bfc6e1d
Instruction ID: d21b3c0728488a04d0f0e3c182603a63497a7304f0bd80a36175043157c340ad
Opcode Fuzzy Hash: d0d2e916398f6898de0923c58e3c77d0ec866c883e4f6f62d43be85d5bfc6e1d
Instruction Fuzzy Hash: 45E1C272614BD489EB22CB6AE4407ED77A1F7887D4F50411AEB9E13BB9DB38C985C700

Function 00000001400079D0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

integral cannot be stored in wchar_t, xrefs: 0000000140007E59

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in wchar_t
API String ID: 0-1689078516
Opcode ID: 6e5655417842cec83c6c31e054ae60070a1cb284b4648287c0c18fd5079e7d29
Instruction ID: 177f1ddbb5c8bb6812cf0caabf67a1115521c4c1a6353a107d4e0cf6bb5ac0da
Opcode Fuzzy Hash: 6e5655417842cec83c6c31e054ae60070a1cb284b4648287c0c18fd5079e7d29
Instruction Fuzzy Hash: 1EE1C2B2B04B8489EB22CB6AE4407ED77A1F7897D4F508116EB9D17BA9DB38C585C700

Function 0000000140021A00 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

integral cannot be stored in char, xrefs: 0000000140021E79

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in char
API String ID: 0-960316848
Opcode ID: dd939a103b95df8a5a583a298043b0a1e500fba652d1453b2587984992a50253
Instruction ID: afb9f644a45fe65091148028d645abc2b9e5c2307c5cdcbedacd16938f3a67f8
Opcode Fuzzy Hash: dd939a103b95df8a5a583a298043b0a1e500fba652d1453b2587984992a50253
Instruction Fuzzy Hash: 5FE18332614B8489EB22CBAAE4403ED77B1F7997D4F54411AEB9D13BB9DB38C985C700

Function 0000000140006A20 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

integral cannot be stored in wchar_t, xrefs: 0000000140006E99

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in wchar_t
API String ID: 0-1689078516
Opcode ID: ff47a51abcea04dad4cf6a7afb91ea76228fbdcaed751e7c2a681021dc8b3048
Instruction ID: eae89ec92fa47fb006078aa76ab9835f20a87d8bfa096dd306e392a552332065
Opcode Fuzzy Hash: ff47a51abcea04dad4cf6a7afb91ea76228fbdcaed751e7c2a681021dc8b3048
Instruction Fuzzy Hash: CBD1A2B2714BC489EB12CB7AE4403ED77A2F7497D4F508116EB9927BA9DB38C585C700

Function 0000000140022720 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

integral cannot be stored in char, xrefs: 0000000140022B99

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID:
String ID: integral cannot be stored in char
API String ID: 0-960316848
Opcode ID: 3e08981d0d50072fffb208d1b181ce712436944bd81eb42cb26110f9af70dcdc
Instruction ID: 77f1a2635b4ea6a26a7bd05df825fd257562911db5390db708b577132d1802c1
Opcode Fuzzy Hash: 3e08981d0d50072fffb208d1b181ce712436944bd81eb42cb26110f9af70dcdc
Instruction Fuzzy Hash: FED1A172608B8495EB22CFAAE4403ED77A1F7487D4F50451AFB9D17BA9DB38C985C700

Function 000000014005CF80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 164libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 000000014005D029
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 000000014005D039

Strings

onexit_register_connector_avast_2, xrefs: 000000014005D032

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: onexit_register_connector_avast_2
API String ID: 1646373207-1395861777
Opcode ID: 5a87a214f69ad9996f46f4e108c4ea3ca191a62f081bee089b7bb08d12dc77f1
Instruction ID: a1a42fb89e812f52026d846da79f20e6a533aa0836c450a4e0f9b8a47379ce3e
Opcode Fuzzy Hash: 5a87a214f69ad9996f46f4e108c4ea3ca191a62f081bee089b7bb08d12dc77f1
Instruction Fuzzy Hash: 45515932611B4486EB62DF26E88479977A4F798BD0F258126EF8E03B71EF39C494C740

Function 00000001400A7C6C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000001400A7CE3
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00000001400A7D3F

Strings

Bad dynamic_cast!, xrefs: 00000001400A7DAE

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: FileFindHeaderInstanceTargetType
String ID: Bad dynamic_cast!
API String ID: 746355257-2956939130
Opcode ID: 053c9f1fb5c591eed51df0dc6a645f10714740855049077f4847ad7af1dcec99
Instruction ID: 683ecf31377dba3ec332864e2048048cf32618811e63f4a593aac7f5a2ca328e
Opcode Fuzzy Hash: 053c9f1fb5c591eed51df0dc6a645f10714740855049077f4847ad7af1dcec99
Instruction Fuzzy Hash: FD41A633310A8482EA62CB26D850BE963A0FB68FD1F508625EF5E47760DB3CD586CB00

Function 00000001400499F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140049B43
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140049B49

Strings

Missing '}' in format string., xrefs: 000000014004A10B

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Missing '}' in format string.
API String ID: 73155330-4229097544
Opcode ID: 318dd1cd310d3d081f1afe8cb7041309903cced94d2d52f12b714d599188ddf1
Instruction ID: cb4f3f15b259488e5d0522d5e6846b3d1254cef31a75e9c84d18b321aa26888e
Opcode Fuzzy Hash: 318dd1cd310d3d081f1afe8cb7041309903cced94d2d52f12b714d599188ddf1
Instruction Fuzzy Hash: 9E317A72310B8885EA15DB67E5483EA63A1E74CBE0F698635AFAD077E6DA38C5408344

Function 0000000140004610 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140003BB0: CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,0000000140004675), ref: 0000000140003C10
Part of subcall function 0000000140003BB0: RtlLeaveCriticalSection.NTDLL ref: 0000000140003C51

WaitForSingleObject.KERNEL32 ref: 000000014000472D
CloseHandle.KERNEL32 ref: 000000014000474F

Part of subcall function 0000000140055950: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140004711), ref: 00000001400559A4
Part of subcall function 0000000140055950: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140004711), ref: 00000001400559C5
Part of subcall function 0000000140055950: RtlLeaveCriticalSection.NTDLL ref: 00000001400559EF

Strings

lifetime_object must be allocated on static memory (static or global variable or member of such a variable)., xrefs: 000000014000478E, 00000001400047AF

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CloseHandle$CriticalLeaveSection$EventObjectSingleWait
String ID: lifetime_object must be allocated on static memory (static or global variable or member of such a variable).
API String ID: 1589410826-2706815617
Opcode ID: 70fbb50609f8680399669a0b62196d18a9183809f6b550a39b1a2611b842fc93
Instruction ID: 647d8cd8eba3d463f440ef20a717d61b08e7360fbff38d954fcfc02b020de2d1
Opcode Fuzzy Hash: 70fbb50609f8680399669a0b62196d18a9183809f6b550a39b1a2611b842fc93
Instruction Fuzzy Hash: B3513672205B40DAEB12DF22E8403DD33A9F758B88F554515EB8D17BAAEF38C566C384

Function 00000001400142A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 000000014007B650: RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
Part of subcall function 000000014007B650: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

RtlEnterCriticalSection.NTDLL ref: 00000001400143BD
RtlLeaveCriticalSection.NTDLL ref: 00000001400143E4

Strings

SeDebugPrivilege, xrefs: 000000014001437C

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: CriticalSection$EnterExceptionFileHeaderLeaveRaise
String ID: SeDebugPrivilege
API String ID: 2444850325-2896544425
Opcode ID: 47d8983b96d37c3e8854e2e4cbbe1dba1b62a19109350f9d8f540ca4deb4a241
Instruction ID: f1f92afc38bd9f4ddb9e79221918fe44b65bcaace029efc352db289fed50697a
Opcode Fuzzy Hash: 47d8983b96d37c3e8854e2e4cbbe1dba1b62a19109350f9d8f540ca4deb4a241
Instruction Fuzzy Hash: 20416C32714A8482EB12DF26E990399B360F798BD0F508126EB9D47BB5DF39C955CB40

Function 000000014009C160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014009C22A
GetLastError.KERNEL32 ref: 000000014009C246

Strings

@|Z, xrefs: 000000014009C19D

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: @|Z
API String ID: 442123175-2280643266
Opcode ID: 4d3883991d044e5f8481b72bf69049fc59e4f8c00c4b58c3e002fbe9b4be9fb8
Instruction ID: 3f1c01616c2ee589f927939d3637c8df3745ace4301eb73e08597168e5664043
Opcode Fuzzy Hash: 4d3883991d044e5f8481b72bf69049fc59e4f8c00c4b58c3e002fbe9b4be9fb8
Instruction Fuzzy Hash: E231A0B2720A8097EB119F2AE8847C9A3A4F74D7C4F948026FB4D87B75EB38C451C700

Function 000000014009C05C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014009C10F
GetLastError.KERNEL32 ref: 000000014009C12B

Strings

@|Z, xrefs: 000000014009C099

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: @|Z
API String ID: 442123175-2280643266
Opcode ID: b2619aea4b0a86de30143718d0d7df1bf87129b80a6487e2213ea35b366648dc
Instruction ID: afd051437b6ecd1fb29d68d9fbb558d24c54c6263bf42787d770bc6915232dd9
Opcode Fuzzy Hash: b2619aea4b0a86de30143718d0d7df1bf87129b80a6487e2213ea35b366648dc
Instruction Fuzzy Hash: A831F6B2714B849AEB129F2AE4807C977A0F35D7C4F948022FB8E83B65DB38C452C704

Function 000000014009AA78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 000000014009AACC
_set_errno_from_matherr.LIBCMT ref: 000000014009AB39

Strings

exp, xrefs: 000000014009AAA7

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: exp
API String ID: 1187470696-113136155
Opcode ID: 23fb8bf8561696ed20789f4b5315ada3f67038f5de7566c309f028128f6b7feb
Instruction ID: 4b4ea9116dfd52d7bfed5474c20783261fbe1eeadf6c2c7b2c28c3331a2a0795
Opcode Fuzzy Hash: 23fb8bf8561696ed20789f4b5315ada3f67038f5de7566c309f028128f6b7feb
Instruction Fuzzy Hash: 23211336A11A148EE751DF79D4407EC33B0FB4D788F401525FA0A97B5ADB38C4418B84

Function 0000000140013850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140013869
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001400138AA

Part of subcall function 0000000140060C20: _Yarn.LIBCPMT ref: 0000000140060C4E

Strings

bad locale name, xrefs: 00000001400138B9

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
String ID: bad locale name
API String ID: 1838369231-1405518554
Opcode ID: 802ff0980d04b4db02e5ba51858d71f3f779e2e030b5ec0d2da0c67aacc4f2da
Instruction ID: 012a4c23d11e70e4875300475464f06cbea90c8a51559425b988c7c1f862b1d2
Opcode Fuzzy Hash: 802ff0980d04b4db02e5ba51858d71f3f779e2e030b5ec0d2da0c67aacc4f2da
Instruction Fuzzy Hash: FF118273512B8089DB45DF76E88039937A5FB5CB84F285529EF8D4375AEB34C5A0C340

Function 000000014007B650 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000000014007B6A0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014001302F), ref: 000000014007B6E1

Strings

csm, xrefs: 000000014007B6CE

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 44996603751e475c21f511c15604da97b45f5dbdc84fbf61fd74fa057623675e
Instruction ID: 97096e95f0a54c85afef7ed1224f34eec0d21f81e9d769d8f74bf3c6f37c6066
Opcode Fuzzy Hash: 44996603751e475c21f511c15604da97b45f5dbdc84fbf61fd74fa057623675e
Instruction Fuzzy Hash: C011F872614B8482EB628F16F44039AB7E5F788BC4F688225EF8D47B68DF3CC5518B00

Function 000000014003C130 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014003C19E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003C1A4

Strings

bad lexical cast: source type value could not be interpreted as target, xrefs: 000000014003C1B5

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: bad lexical cast: source type value could not be interpreted as target
API String ID: 73155330-1048129864
Opcode ID: f3bb27ac5047e19dedf0d6da02468c2e3f585c9b51c22ee196a804300db88823
Instruction ID: e86fb346fa771a227f78ccbf78225370e6b6e86b001ce4119a58be2a8374efb9
Opcode Fuzzy Hash: f3bb27ac5047e19dedf0d6da02468c2e3f585c9b51c22ee196a804300db88823
Instruction Fuzzy Hash: 81F06D72A1274190ED1BE32294A179A22E09F8D7F0F500B25A779437F5EA7CC1A19740

Function 0000000140032730 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

NdrClientCall3.RPCRT4 ref: 000000014003277C

Strings

RpcSs, xrefs: 000000014003274B
ProfSvc_Group, xrefs: 0000000140032757

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: Call3Client
String ID: ProfSvc_Group$RpcSs
API String ID: 3485104391-3334544503
Opcode ID: 3ed6a751fb5f92ac7acbe13990157098f9866c2bdd419afd221b180d999669f2
Instruction ID: 1d081a55aff4297c1fe0a1371b611127ee1f05e2046a89e31c42fb846dc7a33a
Opcode Fuzzy Hash: 3ed6a751fb5f92ac7acbe13990157098f9866c2bdd419afd221b180d999669f2
Instruction Fuzzy Hash: 3FF0343A618F45C2DA22EF02F48478A33A4F389B98FA04525EB8D53734EF38C555CB40

Function 00000001400012E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400012E6
GetProcAddress.KERNEL32 ref: 00000001400012F6

Strings

asw_process_storage_allocate_connector, xrefs: 00000001400012EF

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: asw_process_storage_allocate_connector
API String ID: 1646373207-1936732423
Opcode ID: 355904bb20010df249d9f112ddb9b3fafe9b2d7e850c0db1054c1d88b9a4d7da
Instruction ID: a866c2790b832b27c4b0a52729c54a8bf83d1d104be047b08cff1080df31d475
Opcode Fuzzy Hash: 355904bb20010df249d9f112ddb9b3fafe9b2d7e850c0db1054c1d88b9a4d7da
Instruction Fuzzy Hash: 68D00274662E4091EA1BAB63EC9539932B0B74CB91FA0142ADA4A03730EE3D959A8740

Function 0000000140001310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140001316
GetProcAddress.KERNEL32 ref: 0000000140001326

Strings

asw_process_storage_deallocate_connector, xrefs: 000000014000131F

Memory Dump Source

Source File: 00000000.00000002.2455994437.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2455980831.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456049607.00000001400B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456083887.0000000140104000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456097979.0000000140105000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456112019.000000014010A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2456127621.0000000140118000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_6Pk1nTmcHN.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: asw_process_storage_deallocate_connector
API String ID: 1646373207-2412585098
Opcode ID: 7fbf2e3eae8837fc89484dcb5c3e227af1717040b68a3726fc97e25be653a77c
Instruction ID: b342fbb4cc203b2b891b2666d10f6c58ec410c46130ef509588b26ae7f2f9580
Opcode Fuzzy Hash: 7fbf2e3eae8837fc89484dcb5c3e227af1717040b68a3726fc97e25be653a77c
Instruction Fuzzy Hash: EED01274612F0091EA0BAB63EC4139832B0B74CB90FA0002ADB0A03730EF3C919A8300

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., `C:\dbg\ntsd.exe -g notepad.exe` ).
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6Pk1nTmcHN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6Pk1nTmcHN.exe_391e34d76b9d88a1aa9c20e1d1785e9c3c5c724c_505b6263_f3129ac0-c9d0-4e92-929c-882be24afc23\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD980.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAF8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB28.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
6Pk1nTmcHN.exe

Function 02324D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Function 0231F3A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215
threadprocessCOMMON

Function 0230CCE0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Function 023071B0 Relevance: .1, Instructions: 140
COMMON

Function 02334360 Relevance: .1, Instructions: 138
COMMON

Function 023345F0 Relevance: .1, Instructions: 82
COMMON

Function 023351C0 Relevance: .1, Instructions: 71
COMMON

Function 02317A50 Relevance: .1, Instructions: 69
COMMON

Function 02307830 Relevance: 7.8, APIs: 5, Instructions: 340
networkCOMMON

Function 02308ED0 Relevance: 1.9, APIs: 1, Instructions: 410
synchronizationCOMMON

Function 02318C60 Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Function 000000014009A1B0 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Function 0232B4E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON