Edit tour

Windows Analysis Report
sGfciyumij.exe

Overview

General Information

Sample name:	sGfciyumij.exe renamed because original name is a hash value
Original sample name:	499d69d5ab8ba263975d5780e3b639a2a8905c50f2a1379bf972889c3913add4.exe
Analysis ID:	1509587
MD5:	0c3dda927e649661441905cd181c7e70
SHA1:	469bb0c2e694535b62cbd0def0eeb92b43948bea
SHA256:	499d69d5ab8ba263975d5780e3b639a2a8905c50f2a1379bf972889c3913add4
Tags:	62-192-173-45exe
Infos:

Detection

BruteRatel

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected BruteRatel

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

sGfciyumij.exe (PID: 5144 cmdline: "C:\Users\user\Desktop\sGfciyumij.exe" MD5: 0C3DDA927E649661441905CD181C7E70)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel is a a Customized Command and Control Center for Red Team and Adversary SimulationSMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.Built-in debugger to detect EDR userland hooks.Ability to keep memory artifacts hidden from EDRs and AV.Direct Windows SYS calls on the fly.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_2	Yara detected BruteRatel	Joe Security
Process Memory Space: sGfciyumij.exe PID: 5144	JoeSecurity_BruteRatel_2	Yara detected BruteRatel	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: sGfciyumij.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400481B0 BCryptOpenAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptCloseAlgorithmProvider,BCryptDestroyHash,	0_2_00000001400481B0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140048540 BCryptOpenAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	0_2_0000000140048540
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400488E0 BCryptOpenAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,	0_2_00000001400488E0

Source:

Binary string: D:\Jenkins\workspace\N_MBAMWsc\bin\x64\Release\MBAMwsc.pdb source: sGfciyumij.exe

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140057D00 FindFirstFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_0000000140057D00

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140035830 GetWindowsDirectoryW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLogicalDriveStringsW,QueryDosDeviceW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_0000000140035830

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: weblineinfo.com

Source: sGfciyumij.exe, 00000000.00000002.3387470070.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000002.3387470070.000000000059D000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111896816.0000000000576000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/1-46d0-b6b6-535557bcc5fahE
Source: sGfciyumij.exe, 00000000.00000002.3387470070.000000000059D000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111870213.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/N
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/user
Source: sGfciyumij.exe, 00000000.00000002.3387470070.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000002.3387407913.000000000056A000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111896816.0000000000576000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000056A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues$
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000056A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues21
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000056A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesBv_
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000056A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesbu?
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValueshqos.dll.muic5fazE
Source: sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesl
Source: sGfciyumij.exe, 00000000.00000002.3387470070.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111896816.0000000000576000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesz
Source: sGfciyumij.exe, 00000000.00000002.3387470070.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111896816.0000000000576000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/xf

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53999
Source: unknown	Network traffic detected: HTTP traffic on port 53999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140048540 BCryptOpenAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,BCryptDestroyKey,BCryptCloseAlgorithmProvider,		0_2_0000000140048540
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400488E0 BCryptOpenAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,		0_2_00000001400488E0

Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_3_01FDD6CA NtProtectVirtualMemory,	0_3_01FDD6CA
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_3_01FDD65A NtAllocateVirtualMemory,	0_3_01FDD65A
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140033A90 NtAllocateVirtualMemory,NtProtectVirtualMemory,	0_2_0000000140033A90
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140033958 NtAllocateVirtualMemory,NtProtectVirtualMemory,	0_2_0000000140033958
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF55C0 NtClose,NtTerminateThread,	0_2_01FF55C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF8149 NtSetContextThread,	0_2_01FF8149
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02014740 NtFreeVirtualMemory,	0_2_02014740
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02014360 NtCreateThreadEx,	0_2_02014360
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02014BE0 NtProtectVirtualMemory,	0_2_02014BE0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02014FF0 NtQueueApcThread,	0_2_02014FF0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FFF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,NtClose,	0_2_01FFF3A0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF7A50 NtSetContextThread,	0_2_01FF7A50
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_020151C0 NtReadVirtualMemory,	0_2_020151C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_020145F0 NtDuplicateObject,	0_2_020145F0

Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140016110	0_2_0000000140016110
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014000D2F0	0_2_000000014000D2F0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014000A9F8	0_2_000000014000A9F8
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140046A30	0_2_0000000140046A30
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014000DA60	0_2_000000014000DA60
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140014BA0	0_2_0000000140014BA0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140001D40	0_2_0000000140001D40
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014003DE8B	0_2_000000014003DE8B
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140029060	0_2_0000000140029060
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014013A090	0_2_000000014013A090
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014001A0B0	0_2_000000014001A0B0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014001E120	0_2_000000014001E120
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140158138	0_2_0000000140158138
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140010140	0_2_0000000140010140
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140003140	0_2_0000000140003140
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140045150	0_2_0000000140045150
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014F1B4	0_2_000000014014F1B4
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140015240	0_2_0000000140015240
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400212E0	0_2_00000001400212E0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140025340	0_2_0000000140025340
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014002E350	0_2_000000014002E350
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140168378	0_2_0000000140168378
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001401503DC	0_2_00000001401503DC
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400363E3	0_2_00000001400363E3
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001401663E8	0_2_00000001401663E8
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140043490	0_2_0000000140043490
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014000E4B0	0_2_000000014000E4B0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014D4AC	0_2_000000014014D4AC
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014001C4F0	0_2_000000014001C4F0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140143510	0_2_0000000140143510
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140175534	0_2_0000000140175534
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140017540	0_2_0000000140017540
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400445C0	0_2_00000001400445C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400415C0	0_2_00000001400415C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014003C5C0	0_2_000000014003C5C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014002D600	0_2_000000014002D600
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140021620	0_2_0000000140021620
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140045630	0_2_0000000140045630
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140041640	0_2_0000000140041640
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140165678	0_2_0000000140165678
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014003F6B0	0_2_000000014003F6B0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014D6B0	0_2_000000014014D6B0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014002A6C0	0_2_000000014002A6C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014015C714	0_2_000000014015C714
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001401507E0	0_2_00000001401507E0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140035830	0_2_0000000140035830
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014D8BC	0_2_000000014014D8BC
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001400378E0	0_2_00000001400378E0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014016193C	0_2_000000014016193C
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140014930	0_2_0000000140014930
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140004960	0_2_0000000140004960
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_00000001401689F8	0_2_00000001401689F8
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140169A18	0_2_0000000140169A18
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140041A20	0_2_0000000140041A20
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140159A80	0_2_0000000140159A80
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014DAC0	0_2_000000014014DAC0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140025AF0	0_2_0000000140025AF0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140163AE8	0_2_0000000140163AE8
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014000EBD0	0_2_000000014000EBD0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014003CC80	0_2_000000014003CC80
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014DCCC	0_2_000000014014DCCC
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014EE30	0_2_000000014014EE30
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014001CE50	0_2_000000014001CE50
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014015BEC0	0_2_000000014015BEC0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140020EC0	0_2_0000000140020EC0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014DED0	0_2_000000014014DED0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140167EE4	0_2_0000000140167EE4
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140043F30	0_2_0000000140043F30
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0000000140159F8C	0_2_0000000140159F8C
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014002FFD0	0_2_000000014002FFD0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF55C0	0_2_01FF55C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02010210	0_2_02010210
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02007220	0_2_02007220
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FE99D0	0_2_01FE99D0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF4DB0	0_2_01FF4DB0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FE5D60	0_2_01FE5D60
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_020082A0	0_2_020082A0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF9120	0_2_01FF9120
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_020066E0	0_2_020066E0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FE9500	0_2_01FE9500
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FFA100	0_2_01FFA100
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FFB4E0	0_2_01FFB4E0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02011F40	0_2_02011F40
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02012F60	0_2_02012F60
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_020013A3	0_2_020013A3
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02002BB0	0_2_02002BB0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0200FBC0	0_2_0200FBC0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02012812	0_2_02012812
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FFCBE0	0_2_01FFCBE0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02011490	0_2_02011490
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FEA730	0_2_01FEA730
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FFBED0	0_2_01FFBED0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FE66C0	0_2_01FE66C0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_02004550	0_2_02004550
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF16A0	0_2_01FF16A0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_01FF42A0	0_2_01FF42A0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_0200B5E0	0_2_0200B5E0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_020055E0	0_2_020055E0

Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: String function: 0000000140009260 appears 91 times
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: String function: 000000014013D720 appears 43 times
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: String function: 000000014013D238 appears 52 times

Source: sGfciyumij.exe

Binary or memory string: OriginalFilenameMBAMwsc.exe: vs sGfciyumij.exe

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_00000001400412F0 GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_00000001400412F0

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_01FFF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,NtClose,

0_2_01FFF3A0

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140015240 CoInitializeEx,CoCreateInstance,VariantInit,VariantClear,VariantClear,CoUninitialize,_invalid_parameter_noinfo_noreturn,

0_2_0000000140015240

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140045630 AuthzInitializeResourceManager,GetLastError,AuthzInitializeContextFromSid,GetLastError,AuthzAccessCheck,GetLastError,AuthzFreeContext,AuthzFreeResourceManager,

0_2_0000000140045630

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_000000014000EBD0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,GetLastError,GetLastError,GetTickCount64,NotifyServiceStatusChangeW,StartServiceW,GetLastError,GetLastError,GetLastError,GetLastError,SleepEx,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,CloseServiceHandle,

0_2_000000014000EBD0

Source: C:\Users\user\Desktop\sGfciyumij.exe

Mutant created: NULL

Source: sGfciyumij.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sGfciyumij.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sGfciyumij.exe

ReversingLabs: Detection: 36%

Source: sGfciyumij.exe	String found in binary or memory: /launch
Source: sGfciyumij.exe	String found in binary or memory: id-cmc-addExtensions
Source: sGfciyumij.exe	String found in binary or memory: set-addPolicy
Source: sGfciyumij.exe	String found in binary or memory: SOFTWARE\CLASSES\Wow6432Node/disable/uninstall/status/offlineclean/notifyexpire/renew runas/wac/AS/AV/enable/update/launchontrueoffsnoozedexpired/scansubstatusnonerecommendedneeded/settingssubstatus/updatesubstatus( #@

Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\sGfciyumij.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: sGfciyumij.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: sGfciyumij.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sGfciyumij.exe

Static file information: File size 2857472 > 1048576

Source: sGfciyumij.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x181600

Source: sGfciyumij.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sGfciyumij.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sGfciyumij.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sGfciyumij.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sGfciyumij.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sGfciyumij.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sGfciyumij.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Jenkins\workspace\N_MBAMWsc\bin\x64\Release\MBAMwsc.pdb source: sGfciyumij.exe

Source: sGfciyumij.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sGfciyumij.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sGfciyumij.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sGfciyumij.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sGfciyumij.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: sGfciyumij.exe

Static PE information: real checksum: 0x28a8a2 should be: 0x2c58b3

Source: sGfciyumij.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140022C5C push rax; retf 001Fh

0_2_0000000140022C5D

Source: C:\Users\user\Desktop\sGfciyumij.exe

0_2_000000014000EBD0

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

0_2_02004D00

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140057D00 FindFirstFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_0000000140057D00

Source: C:\Users\user\Desktop\sGfciyumij.exe

0_2_0000000140035830

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140036C70 GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,GetSystemInfo,IsWow64Process2,GetCurrentProcess,GetModuleHandleW,GetProcAddress,IsWow64Process,

0_2_0000000140036C70

Source: sGfciyumij.exe, 00000000.00000002.3387470070.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111896816.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.2480948451.0000000000584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sGfciyumij.exe, 00000000.00000003.2132945714.000000000052B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\sGfciyumij.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_01FECCE0 LdrGetProcedureAddress,

0_2_01FECCE0

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_000000014014C1E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000014014C1E0

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_000000014013CC20 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_000000014013CC20

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140047BE0 GetProcessHeap,HeapAlloc,

0_2_0000000140047BE0

Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014014C1E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000000014014C1E0
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: 0_2_000000014013CDB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_000000014013CDB0

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\sGfciyumij.exe	NtSetContextThread: Indirect: 0x1FF816E	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtSetContextThread: Indirect: 0x1FF7AFE	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtResumeThread: Indirect: 0x1FFF5FA	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtReadVirtualMemory: Indirect: 0x201523C	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtCreateThreadEx: Indirect: 0x201444E	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtQueueApcThread: Indirect: 0x201506A	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtClose: Indirect: 0x1FF6154
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtTerminateThread: Indirect: 0x1FF6165	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtAllocateVirtualMemory: Indirect: 0x1FDD6C3	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtProtectVirtualMemory: Indirect: 0x1FDD71F	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtSuspendThread: Indirect: 0x1FFF4F0	Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtClose: Indirect: 0x1FFF626
Source: C:\Users\user\Desktop\sGfciyumij.exe	NtProtectVirtualMemory: Indirect: 0x2014C5C	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\sGfciyumij.exe	Thread register set: target process: unknown			Jump to behavior
Source: C:\Users\user\Desktop\sGfciyumij.exe	Thread register set: target process: unknown			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\sGfciyumij.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_000000014000AD90 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SysAllocString,ShellExecuteW,

0_2_000000014000AD90

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140040CA0 AllocateAndInitializeSid,

0_2_0000000140040CA0

Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00000001401750D4
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_000000014017468C
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: EnumSystemLocalesW,	0_2_00000001401749E8
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: EnumSystemLocalesW,	0_2_000000014016CA48
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: EnumSystemLocalesW,	0_2_0000000140174AB8
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: GetLocaleInfoW,	0_2_000000014016CEC8
Source: C:\Users\user\Desktop\sGfciyumij.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0000000140174EF0

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140003140 CoInitializeEx,CoGetClassObject,CallNamedPipeW,Sleep,CallNamedPipeW,SysAllocString,SysFreeString,_invalid_parameter_noinfo_noreturn,GetLocalTime,GetTickCount,SysAllocString,SysAllocString,SysAllocString,SysAllocString,GetCurrentThreadId,GetProcessId,SysFreeString,SysFreeString,SysFreeString,SysFreeString,_invalid_parameter_noinfo_noreturn,GetLocalTime,GetTickCount,SysAllocString,SysAllocString,SysAllocString,SysAllocString,GetCurrentThreadId,GetProcessId,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_0000000140003140

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_02004D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

0_2_02004D00

Source: C:\Users\user\Desktop\sGfciyumij.exe

Code function: 0_2_0000000140014930 GetModuleHandleW,GetProcAddress,GetVersionExW,NetWkstaGetInfo,NetApiBufferFree,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,VerSetConditionMask,VerifyVersionInfoW,

0_2_0000000140014930

Source: sGfciyumij.exe

Binary or memory string: \MBAM.exe

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match	File source: 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sGfciyumij.exe PID: 5144, type: MEMORYSTR

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match	File source: 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sGfciyumij.exe PID: 5144, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Exploitation for Privilege Escalation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Access Token Manipulation	2 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Windows Service	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Process Injection	1 Abuse Elevation Control Mechanism	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Abuse Elevation Control Mechanism	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 DLL Side-Loading	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sGfciyumij.exe	37%	ReversingLabs	Win64.Trojan.InjectedShellCode

Source	Detection	Scanner	Label
https://weblineinfo.com/N	0%	Avira URL Cloud	safe
https://weblineinfo.com/1-46d0-b6b6-535557bcc5fahE	0%	Avira URL Cloud	safe
https://weblineinfo.com/user	0%	Avira URL Cloud	safe
https://weblineinfo.com/xf	0%	Avira URL Cloud	safe
https://weblineinfo.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
weblineinfo.com	62.192.173.45	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://weblineinfo.com/xf	sGfciyumij.exe, 00000000.00000002.3387470070.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111896816.0000000000576000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/N	sGfciyumij.exe, 00000000.00000002.3387470070.000000000059D000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111870213.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/	sGfciyumij.exe, 00000000.00000002.3387470070.0000000000576000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000002.3387470070.000000000059D000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp, sGfciyumij.exe, 00000000.00000003.3111896816.0000000000576000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/1-46d0-b6b6-535557bcc5fahE	sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/user	sGfciyumij.exe, 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.192.173.45	weblineinfo.com	Lithuania		25780	HUGESERVER-NETWORKSUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1509587
Start date and time:	2024-09-11 20:21:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sGfciyumij.exe renamed because original name is a hash value
Original Sample Name:	499d69d5ab8ba263975d5780e3b639a2a8905c50f2a1379bf972889c3913add4.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 39 Number of non-executed functions: 139
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: sGfciyumij.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
62.192.173.45	10kmr9d7.dll	Get hash	malicious	Unknown	Browse
62.192.173.45	10kmr9d7.dll	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
weblineinfo.com	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
weblineinfo.com	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUGESERVER-NETWORKSUS	sbuvJk8Zn8.exe	Get hash	malicious	XenoRAT	Browse	2.58.85.196
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
	mirai.spc.elf	Get hash	malicious	Mirai	Browse	171.22.79.159
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	2.58.84.229
	https://denizfirsatgsmtektikbuo.xyz/	Get hash	malicious	HTMLPhisher	Browse	2.58.85.5
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	107.161.53.91
	lKXAJFq3ih.exe	Get hash	malicious	AsyncRAT	Browse	2.58.85.145
	peign94sXb.elf	Get hash	malicious	Unknown	Browse	171.22.79.111
	jSlv5GLHad.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	185.133.35.50

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.631203205093183
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sGfciyumij.exe
File size:	2'857'472 bytes
MD5:	0c3dda927e649661441905cd181c7e70
SHA1:	469bb0c2e694535b62cbd0def0eeb92b43948bea
SHA256:	499d69d5ab8ba263975d5780e3b639a2a8905c50f2a1379bf972889c3913add4
SHA512:	edeea381fcc54df4ec9197227b1719e048a6215eb5a015f4f122bcee465b0a968b1a811efab7e49dc04a548a0d04e34befee577f9b88567f9059c83dbd5d43f1
SSDEEP:	49152:IFfXWgsVXeLERcq5a7C2mwXBLM40HR1DldPYcaifCR18Q:NOFMdHXBOca/18
TLSH:	81D59D07D3EA41F9DDB6C2388962D403EBB2B8150770ABCF06A495651FE36E15E3E724
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......L.-..kC..kC..kC.C.@..kC.C.F..kC..kC..kC...G..kC...@..kC...F.ikC.u....kC.{.G..kC.C.G..kC.f.G..iC.f.F.WkC..kB..jC.C.B./kC.f.J.6kC

File Icon


Icon Hash:	e9359c7777737333

Static PE Info

General

Entrypoint:	0x14013d6ec
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA
Time Stamp:	0x66688435 [Tue Jun 11 17:07:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3e4dc544b32d46ff67e39ad1b3dbfdc4

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA6A8ED06FCh
dec eax
add esp, 28h
jmp 00007FA6A8ED0027h
int3
int3
jmp 00007FA6A8ECF824h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007FA6A8ED01C8h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Rich Headers

Programming Language:

[C++] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24aa48	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26e000	0x4e5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25a000	0x124ec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2bd000	0x5ff8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x22f420	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x22f600	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x22f2e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x183000	0x8c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18151e	0x181600	729bf26d67970947dc5f52ea3c131bfe	False	0.48268668403340903	data	6.4811954872775255	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x183000	0xc9884	0xc9a00	13a97fcf741931da0bdbe829b11b24b0	False	0.3742964875232486	data	5.684406524498899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x24d000	0xce7c	0x7800	ea53810db83cddffd7b0abf079889430	False	0.18258463541666667	data	4.423063086771718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25a000	0x124ec	0x12600	6cd2363be479f36fafd6aefdfb77faeb	False	0.4761373299319728	PEX Binary Archive	6.138155581624255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x26d000	0x1f4	0x200	94e583dfe43f0826cf4c77165249ec57	False	0.521484375	data	4.201666898260521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x26e000	0x4e5cc	0x4e600	f7c518deb20c05115ba8730e32950d93	False	0.8120576654704944	data	7.279045577242069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2bd000	0x5ff8	0x6000	ced03205d1587997f90d126186c124ab	False	0.2732340494791667	data	5.4500743873909725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x26e1c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 80630 x 80630 px/m	English	United States	0.1148852478410032
RT_STRING	0x27e9e8	0x30	data	English	United States	0.625
RT_GROUP_ICON	0x27ea18	0x14	data	English	United States	1.15
RT_VERSION	0x27ea2c	0x2d4	data	English	United States	0.4613259668508287
RT_ANICURSOR	0x27ed00	0x3d74a	data			0.9982917663136317
RT_MANIFEST	0x2bc44c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
CRYPT32.dll	CertDuplicateCertificateContext, CertFindCertificateInStore, CertFreeCertificateContext, CertOpenStore, CertCloseStore, CertGetCertificateContextProperty, CertEnumCertificatesInStore
KERNEL32.dll	GlobalFree, ExpandEnvironmentStringsW, GetLongPathNameW, GetWindowsDirectoryW, LocalAlloc, GetCurrentProcessId, GetFileSizeEx, ReadFile, WriteFile, GetFileSize, SetEndOfFile, GetStdHandle, FindNextFileW, FindClose, GetModuleHandleA, GetCurrentDirectoryW, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, TerminateProcess, GetStartupInfoW, SetEvent, ResetEvent, ReleaseMutex, CreateMutexW, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetEnvironmentVariableW, SetEnvironmentVariableW, GetFileType, DeleteFiber, QueryPerformanceCounter, ConvertFiberToThread, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, WriteConsoleW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, FlushFileBuffers, GetFileInformationByHandle, DeleteFileW, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryW, GetFileAttributesExW, GetFileAttributesW, FindFirstFileW, WaitForMultipleObjects, GetCurrentThread, LoadLibraryW, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, GlobalAlloc, GetLogicalDriveStringsW, SetLastError, GetNativeSystemInfo, IsWow64Process, CopyFileW, LocalFree, GetCurrentProcess, GetSystemInfo, VerifyVersionInfoW, VerSetConditionMask, GetVersionExW, MultiByteToWideChar, WideCharToMultiByte, OutputDebugStringW, FileTimeToSystemTime, CloseHandle, CreateFileW, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetLocalTime, GetModuleHandleW, GetProcAddress, GetTickCount, SleepEx, GetTickCount64, GetModuleFileNameW, GetProcessHeap, DeleteCriticalSection, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, HeapFree, SwitchToThread, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, GetFullPathNameW, SetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, SetFilePointerEx, GetConsoleOutputCP, GetCommandLineW, GetCommandLineA, PeekNamedPipe, GetDriveTypeW, SetConsoleCtrlHandler, GetModuleHandleExW, ExitProcess, LoadLibraryExW, RtlPcToFileHeader, InterlockedPushEntrySList, RtlUnwindEx, InitializeSListHead, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RaiseException, IsDebuggerPresent, GetCPInfo, LCMapStringEx, EncodePointer, GetStringTypeW, FormatMessageW, CallNamedPipeW, GetProcessId, GetCurrentThreadId, Sleep, QueryDosDeviceW, FreeLibrary
USER32.dll	GetProcessWindowStation, MessageBoxW, GetUserObjectInformationW
ADVAPI32.dll	SetEntriesInAclW, CheckTokenMembership, FreeSid, StartServiceW, NotifyServiceStatusChangeW, CloseServiceHandle, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegEnumKeyExW, IsTextUnicode, OpenThreadToken, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceStatusEx, CryptEnumProvidersW, CryptSignHashW, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, ReportEventW, RegisterEventSourceW, DeregisterEventSource, CryptDestroyHash, CryptReleaseContext, CryptCreateHash, CryptAcquireContextW, CreateWellKnownSid, GetSidSubAuthority, GetSidSubAuthorityCount, AreAllAccessesGranted, MapGenericMask, ConvertStringSidToSidW, ConvertSidToStringSidW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegQueryInfoKeyW, RegLoadAppKeyW, RegLoadKeyW, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, TreeSetNamedSecurityInfoW, SetSecurityInfo, GetSecurityInfo, SetNamedSecurityInfoW, GetNamedSecurityInfoW, DeleteAce, GetExplicitEntriesFromAclW, QueryServiceConfigW, AllocateAndInitializeSid
SHELL32.dll	SHGetFolderPathW, ShellExecuteW
ole32.dll	CoUninitialize, CoInitializeEx, CoGetClassObject, CoCreateInstance, StringFromGUID2
OLEAUT32.dll	SystemTimeToVariantTime, VariantInit, VariantClear, VariantTimeToSystemTime, VariantChangeType, SysFreeString, SysAllocString
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
MPR.dll	WNetGetConnectionW
NETAPI32.dll	NetApiBufferFree, NetWkstaGetInfo
PSAPI.DLL	GetProcessImageFileNameW
sfc.dll	SfcIsFileProtected
AUTHZ.dll	AuthzInitializeContextFromSid, AuthzAccessCheck, AuthzFreeContext, AuthzFreeResourceManager, AuthzInitializeResourceManager
bcrypt.dll	BCryptGetProperty, BCryptGenRandom, BCryptCreateHash, BCryptHashData, BCryptImportKeyPair, BCryptDestroyHash, BCryptCloseAlgorithmProvider, BCryptFinishHash, BCryptDestroyKey, BCryptVerifySignature, BCryptOpenAlgorithmProvider
WS2_32.dll	recv, send, WSACleanup, WSAStartup, WSAGetLastError, WSASetLastError, closesocket

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 20:22:18.942310095 CEST	49706	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:22:18.942389965 CEST	443	49706	62.192.173.45	192.168.2.5
Sep 11, 2024 20:22:18.942523003 CEST	49706	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:22:18.954622984 CEST	49706	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:22:18.954655886 CEST	443	49706	62.192.173.45	192.168.2.5
Sep 11, 2024 20:22:51.020116091 CEST	49706	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:23:22.047103882 CEST	53999	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:23:22.047148943 CEST	443	53999	62.192.173.45	192.168.2.5
Sep 11, 2024 20:23:22.047239065 CEST	53999	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:23:22.047689915 CEST	53999	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:23:22.047712088 CEST	443	53999	62.192.173.45	192.168.2.5
Sep 11, 2024 20:23:54.114371061 CEST	53999	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:24:20.178037882 CEST	54000	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:24:20.178132057 CEST	443	54000	62.192.173.45	192.168.2.5
Sep 11, 2024 20:24:20.178246021 CEST	54000	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:24:20.178653955 CEST	54000	443	192.168.2.5	62.192.173.45
Sep 11, 2024 20:24:20.178689957 CEST	443	54000	62.192.173.45	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 20:22:18.920835018 CEST	55879	53	192.168.2.5	1.1.1.1
Sep 11, 2024 20:22:18.936714888 CEST	53	55879	1.1.1.1	192.168.2.5
Sep 11, 2024 20:22:35.870491982 CEST	53	51347	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 11, 2024 20:22:18.920835018 CEST	192.168.2.5	1.1.1.1	0x59d7	Standard query (0)	weblineinfo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 11, 2024 20:22:18.936714888 CEST	1.1.1.1	192.168.2.5	0x59d7	No error (0)	weblineinfo.com		62.192.173.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:22:15
Start date:	11/09/2024
Path:	C:\Users\user\Desktop\sGfciyumij.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sGfciyumij.exe"
Imagebase:	0x140000000
File size:	2'857'472 bytes
MD5 hash:	0C3DDA927E649661441905CD181C7E70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BruteRatel_2, Description: Yara detected BruteRatel, Source: 00000000.00000002.3387407913.000000000050C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	42.3%
Signature Coverage:	40.1%
Total number of Nodes:	723
Total number of Limit Nodes:	29

Executed Functions

Function 000000014003DE8B Relevance: 99.2, APIs: 28, Strings: 28, Instructions: 1210windowCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DF8D
FormatMessageW.KERNEL32 ref: 000000014003E013
LocalFree.KERNEL32 ref: 000000014003E2D7

Strings

ORCreateKey, xrefs: 000000014003E83B
ORDeleteKey, xrefs: 000000014003E8A7
mb::common::system::OfflineRegistryLibrary::Load, xrefs: 000000014003E53E, 000000014003E64B, 000000014003E6D7
ORSetValue, xrefs: 000000014003EFDE
Could not load the offline registry library! File path = [%ls]. Will not be able to perform actions on offline hives., xrefs: 000000014003E5B9
Failed to verify the file! Cannot load the offline registry library support dll! FilePath=[%ls]., xrefs: 000000014003E6B1
ORGetValue, xrefs: 000000014003EABC
OREnumKey, xrefs: 000000014003E906
Loading the offline registry library. Path = [%ls]., xrefs: 000000014003E518
ORCreateHive, xrefs: 000000014003E7AF
ORSaveHive, xrefs: 000000014003EEBA
ORSetVirtualFlags, xrefs: 000000014003F06C
ORCloseKey, xrefs: 000000014003E771
ORMergeHives, xrefs: 000000014003ED96
ORDeleteValue, xrefs: 000000014003E8C5
Successfully loaded the offline registry library., xrefs: 000000014003E625
ORQueryInfoKey, xrefs: 000000014003EE28
OROpenHive, xrefs: 000000014003EC72
ORCloseHive, xrefs: 000000014003E759
OREnumValue, xrefs: 000000014003E998
ORGetVirtualFlags, xrefs: 000000014003EBE0
ORGetKeySecurity, xrefs: 000000014003EA2A
\offreg.dll, xrefs: 000000014003E4D7
ORSetKeySecurity, xrefs: 000000014003EF4C
ORGetVersion, xrefs: 000000014003EB4E
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\OfflineRegistryLibrary.cpp, xrefs: 000000014003E537, 000000014003E644, 000000014003E6D0
(0x, xrefs: 000000014003DEC8
OROpenKey, xrefs: 000000014003ED04

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: FormatFreeLocalMessage_invalid_parameter_noinfo_noreturn
String ID: (0x$Could not load the offline registry library! File path = [%ls]. Will not be able to perform actions on offline hives.$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\OfflineRegistryLibrary.cpp$Failed to verify the file! Cannot load the offline registry library support dll! FilePath=[%ls].$Loading the offline registry library. Path = [%ls].$ORCloseHive$ORCloseKey$ORCreateHive$ORCreateKey$ORDeleteKey$ORDeleteValue$OREnumKey$OREnumValue$ORGetKeySecurity$ORGetValue$ORGetVersion$ORGetVirtualFlags$ORMergeHives$OROpenHive$OROpenKey$ORQueryInfoKey$ORSaveHive$ORSetKeySecurity$ORSetValue$ORSetVirtualFlags$Successfully loaded the offline registry library.$\offreg.dll$mb::common::system::OfflineRegistryLibrary::Load
API String ID: 1505264261-2641161069
Opcode ID: 152a30eae06c54f6305780326a33a88afdab27233bf6187057eb9b80a8b3f8a4
Instruction ID: f1b2e5f55cbf675957eb493b6f37cce96eeba6d922de30b3332a4f9d7433f89f
Opcode Fuzzy Hash: 152a30eae06c54f6305780326a33a88afdab27233bf6187057eb9b80a8b3f8a4
Instruction Fuzzy Hash: BAB28C72B10B8495EE06DB6AD5443ED63A1E78DBD8F505312EB6C17AEAEF78C191C300

Function 0000000140001D40 Relevance: 54.8, APIs: 10, Strings: 21, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140034E80: Concurrency::cancel_current_task.LIBCPMT ref: 0000000140034EE7
Part of subcall function 0000000140034E80: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140034EED

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000263B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002641
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000264D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002653
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002659
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000265F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002665
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000266B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002671
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140002677

Part of subcall function 000000014013CD74: Concurrency::cancel_current_task.LIBCPMT ref: 000000014013CDA4
Part of subcall function 000000014013CD74: Concurrency::cancel_current_task.LIBCPMT ref: 000000014013CDAA

Strings

R-ST, xrefs: 0000000140002193
Rar!, xrefs: 0000000140001E72
P[4\, xrefs: 0000000140002163
-TES, xrefs: 00000001400021BA
RD-A, xrefs: 00000001400021A3
MSCF, xrefs: 0000000140002008
EICA, xrefs: 000000014000218B
ANDA, xrefs: 000000014000219B
)7}$, xrefs: 0000000140002183
Rar!Rar!, xrefs: 000000014000210F
)7CC, xrefs: 000000014000217B
PZX5, xrefs: 000000014000216B
T-FI, xrefs: 00000001400021C1
L, xrefs: 000000014000206E
NTIV, xrefs: 00000001400021AB
LE!$, xrefs: 00000001400021C8
H+H*, xrefs: 00000001400021CF
X5O!, xrefs: 00000001400021F7
IRUS, xrefs: 00000001400021B3
P%@A, xrefs: 000000014000215B
4(P^, xrefs: 0000000140002173

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: )7CC$)7}$$-TES$4(P^$ANDA$EICA$H+H*$IRUS$L$LE!$$MSCF$NTIV$P%@A$PZX5$P[4\$R-ST$RD-A$Rar!$Rar!Rar!$T-FI$X5O!
API String ID: 3936042273-42239843
Opcode ID: d0f24612083c7cec7c108ed78f54bf0ed5cf37174db4eab948ebcd9a382ccca4
Instruction ID: 472343e91544a6cbda591fd361516fdcd391ed5c1335d5c251b9af51f3bbb3dc
Opcode Fuzzy Hash: d0f24612083c7cec7c108ed78f54bf0ed5cf37174db4eab948ebcd9a382ccca4
Instruction Fuzzy Hash: 61422873A11BC489EB61CF76E8843DD37A5F788B98F204615EB981BAA9DF74C190C740

Function 0000000140016110 Relevance: 41.9, APIs: 18, Strings: 5, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016243
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C2E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C40
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C46
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C58
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C5E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C6A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016C70

Strings

Entry: RegistryUtilities::GetOriginalRegPath(%ls, %ls), xrefs: 00000001400162C7
Exit: <- RegistryUtilities::GetOriginalRegPath(%ls, %ls), xrefs: 000000014001644B, 00000001400169D8, 0000000140016BDA
_CLASSES, xrefs: 0000000140040427
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 00000001400162E6, 000000014001646A, 00000001400169F7, 0000000140016BF3
mb::common::system::RegistryUtilities::GetOriginalRegPath, xrefs: 00000001400162ED, 0000000140016471, 00000001400169FE, 0000000140016BFA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Entry: RegistryUtilities::GetOriginalRegPath(%ls, %ls)$Exit: <- RegistryUtilities::GetOriginalRegPath(%ls, %ls)$_CLASSES$mb::common::system::RegistryUtilities::GetOriginalRegPath
API String ID: 3668304517-962652969
Opcode ID: 3f13b2fbf2e8f0d48acbf5614fda260bca3e461282a06ce0d80fb58b73834142
Instruction ID: 030596199d835868f9e2105171607def1744b4e36ea0835a01afc81454be1ad4
Opcode Fuzzy Hash: 3f13b2fbf2e8f0d48acbf5614fda260bca3e461282a06ce0d80fb58b73834142
Instruction Fuzzy Hash: 82E2ADB2B10A8085EB12CF6AD8543ED23A1F749BD8F454622EF5D17BAADF78C585C340

Function 0000000140033958 Relevance: 38.6, APIs: 2, Strings: 20, Instructions: 93
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFE,0000000140019423), ref: 0000000140033AA7
NtProtectVirtualMemory.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFE,0000000140019423), ref: 0000000140033ACE

Strings

E, xrefs: 00000001400339A8
P, xrefs: 0000000140033988
&, xrefs: 00000001400339C1
<, xrefs: 00000001400339AD
$, xrefs: 00000001400339D0
k, xrefs: 00000001400339EE
F, xrefs: 00000001400339CB
A, xrefs: 00000001400339BC
m, xrefs: 0000000140033999
#, xrefs: 00000001400339B2
O, xrefs: 000000014003399E
x, xrefs: 00000001400339A3
Y, xrefs: 0000000140033994
8, xrefs: 00000001400339E4
%, xrefs: 00000001400339C6
f, xrefs: 00000001400339E9
>, xrefs: 00000001400339D5
z, xrefs: 00000001400339DF
B, xrefs: 00000001400339B7
!, xrefs: 00000001400339DA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID: !$#$$$%$&$8$<$>$A$B$E$F$O$P$Y$f$k$m$x$z
API String ID: 2931642484-3285722826
Opcode ID: 39f445d931aa1c8d191d7cb3a9d0e493cf1c591d1aeb13f95d8391392bb9d6e8
Instruction ID: 8219aa4f2922111a13f794d4fdba734c6c57011f4a7618d342a4606a2c91253d
Opcode Fuzzy Hash: 39f445d931aa1c8d191d7cb3a9d0e493cf1c591d1aeb13f95d8391392bb9d6e8
Instruction Fuzzy Hash: F241702220C7C085E7529769B40878BEB90E3967B8F440255F7E847BDADBBEC548CB21

Function 000000014000D2F0 Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 361
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000D334
SysAllocString.OLEAUT32 ref: 000000014000D33E

Part of subcall function 0000000140012AB0: MultiByteToWideChar.KERNEL32 ref: 0000000140012B21
Part of subcall function 0000000140012AB0: MultiByteToWideChar.KERNEL32 ref: 0000000140012BF0

SysAllocString.OLEAUT32 ref: 000000014000D3DE
SysAllocString.OLEAUT32 ref: 000000014000D42D
SysAllocString.OLEAUT32 ref: 000000014000D510
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D610
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D616
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D61C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D622
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D628
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D62E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D864
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D86A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D870

Strings

Malwarebytes, xrefs: 000000014000D6D1
3.1.0.245, xrefs: 000000014000D4E2
Malwarebytes, xrefs: 000000014000D35F, 000000014000D3FF

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AllocString$ByteCharMultiWide$FileModuleName
String ID: 3.1.0.245$Malwarebytes$Malwarebytes
API String ID: 1712074557-2206061662
Opcode ID: 341e508f6d43bf4f9130441cc99660f6f47f8da3a1b257e6c0da50a16d517a0b
Instruction ID: 1882f31349a73834cecdb9e852d769fb4adce6bf615b1a67cefcbcac5dec22fd
Opcode Fuzzy Hash: 341e508f6d43bf4f9130441cc99660f6f47f8da3a1b257e6c0da50a16d517a0b
Instruction Fuzzy Hash: F8E16DB2624B8081EA12DB6AE4553DE6361E78DBE4F505312FBAD07AF9DF78C480C740

Function 0000000140014BA0 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 364
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?,0000000140014878,?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 0000000140014C08
RegCloseKey.KERNEL32(?,?,00000000,?,?,0000000140014878,?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 0000000140014C17
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,0000000140014878,?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 0000000140014C80
RegQueryValueExW.ADVAPI32 ref: 0000000140014CCA
RegCloseKey.ADVAPI32 ref: 0000000140014CD7
SHGetFolderPathW.SHELL32 ref: 0000000140014DE7
SHGetFolderPathW.SHELL32 ref: 0000000140015036
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001515A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140015160
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140015166

Strings

BCD00000000, xrefs: 0000000140014BFA
InstRoot, xrefs: 0000000140014CBE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE, xrefs: 0000000140014C72

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFolderOpenPath$QueryValue
String ID: BCD00000000$InstRoot$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE
API String ID: 3316190143-2582240236
Opcode ID: 1a85a1f4e35ecda581be34b5ba8eb01baa71020f111f761d15a2d553af307a42
Instruction ID: 9821237fe0aebb07e07302a056dcbfab63735c34570acbcf358e0cff65cc78bc
Opcode Fuzzy Hash: 1a85a1f4e35ecda581be34b5ba8eb01baa71020f111f761d15a2d553af307a42
Instruction Fuzzy Hash: D8F1BD72710B8081EB129F66E4443DEA7B1F789BD8F940216EB9D1BBB8DB79C585C700

Function 000000014000A9F8 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000AB38

Part of subcall function 000000014000B7C0: SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B89D
Part of subcall function 000000014000B7C0: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B8AA

Part of subcall function 000000014000C8F0: EnterCriticalSection.KERNEL32 ref: 000000014000C8F7

SysFreeString.OLEAUT32 ref: 000000014000ACBE
SysFreeString.OLEAUT32 ref: 000000014000ACCD
SysFreeString.OLEAUT32 ref: 000000014000ACDC
SysFreeString.OLEAUT32 ref: 000000014000ACEB

Strings

/notifyexpire, xrefs: 000000014000AA8A
/renew, xrefs: 000000014000AABB
/status, xrefs: 000000014000AA28
/uninstall, xrefs: 000000014000A9FB
/offlineclean, xrefs: 000000014000AA59

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: FreeString$CriticalEnterSectionSleepSwitchThread_invalid_parameter_noinfo_noreturn
String ID: /notifyexpire$/offlineclean$/renew$/status$/uninstall
API String ID: 2155412874-690304953
Opcode ID: 4ebb4fa9563715da7d1d0742c0f45022e9f1940b4062bada7f839af18a8445d8
Instruction ID: 2ce03b71e1b1971416ab6af8a69fb9fd8e8ee4e7de491ae800abcc87c5891897
Opcode Fuzzy Hash: 4ebb4fa9563715da7d1d0742c0f45022e9f1940b4062bada7f839af18a8445d8
Instruction Fuzzy Hash: D1A1AA76710A8486EB56DB26E5543ED33A1A78EBE8F444212EB6E07BE9CF7CC541C301

Function 02004D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 02004D92
GetComputerNameExW.KERNEL32 ref: 02004DA7
GetComputerNameExW.KERNEL32 ref: 02004DD6
GetTokenInformation.KERNELBASE ref: 02004E12
GetNativeSystemInfo.KERNEL32 ref: 02004EC4
GetAdaptersInfo.IPHLPAPI ref: 02004FB0
GetAdaptersInfo.IPHLPAPI ref: 02004FF5

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
String ID:
API String ID: 1596153048-0
Opcode ID: cee6622d4819fa64709ae73456ee7563a7e84bd08e275b7a7d176abad07eaf72
Instruction ID: 6f6a35dae173a3ff8b3f08e4c5e2dde680706dd976161345f53dd88111660a98
Opcode Fuzzy Hash: cee6622d4819fa64709ae73456ee7563a7e84bd08e275b7a7d176abad07eaf72
Instruction Fuzzy Hash: 4C91A330218B488FFB54EB14E8957DAB7E6FB94304F40452DE94AC7290DB78EA45CB83

Function 0000000140046A30 Relevance: 9.2, APIs: 6, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000001400478C5), ref: 0000000140046AC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140046B5C
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000140047685), ref: 0000000140046BFF
GetProcessImageFileNameW.PSAPI(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000140047685), ref: 0000000140046C0E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140046D17
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140046D1D

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileNameProcess$CurrentImageModule
String ID:
API String ID: 1832280428-0
Opcode ID: ba64fc8e139bb2f5e48f7d4f83b44e0c1e79f37bcf759785589c5b864ed070ad
Instruction ID: 9d4b724f015df147c315dc65e45c68d65ea21a0d4aa9de6c9088870609f9364d
Opcode Fuzzy Hash: ba64fc8e139bb2f5e48f7d4f83b44e0c1e79f37bcf759785589c5b864ed070ad
Instruction Fuzzy Hash: E791BC72B14B8081EA118F66E44439EB3A1E789BE4F545325FBA907BE9DF78D490CB40

Function 000000014000DA60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 185
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000E800: SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000002E,000000014000DAA0), ref: 000000014000E8DD
Part of subcall function 000000014000E800: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000002E,000000014000DAA0), ref: 000000014000E8EA

RegOpenKeyExW.KERNEL32 ref: 000000014000DAD1
RegQueryValueExW.KERNEL32 ref: 000000014000DB08
RegCloseKey.ADVAPI32 ref: 000000014000DB12

Part of subcall function 000000014000D2F0: GetModuleFileNameW.KERNEL32 ref: 000000014000D334
Part of subcall function 000000014000D2F0: SysAllocString.OLEAUT32 ref: 000000014000D33E
Part of subcall function 000000014000D2F0: SysAllocString.OLEAUT32 ref: 000000014000D3DE
Part of subcall function 000000014000D2F0: SysAllocString.OLEAUT32 ref: 000000014000D42D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 000000014000DAC3
UBR, xrefs: 000000014000DAFD

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AllocString$CloseFileModuleNameOpenQuerySleepSwitchThreadValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR
API String ID: 2069460334-1999827919
Opcode ID: 2dd774db59b199ea5cdc9f663b069d3836465939255def7f1d4cbc2491be5a88
Instruction ID: f93b56ab3c629cbd67b773c966ce461e7c45a0b795098969249fcd14c68712d0
Opcode Fuzzy Hash: 2dd774db59b199ea5cdc9f663b069d3836465939255def7f1d4cbc2491be5a88
Instruction Fuzzy Hash: 05916D72A11B8186E711DF62E4543E873A4F79DB88F559226BB8C07766EF78C290C350

Function 01FFF3A0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 215
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 01FFF406
Thread32First.KERNEL32 ref: 01FFF42B

Strings

0, xrefs: 01FFF47E

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: CreateFirstSnapshotThread32Toolhelp32
String ID: 0
API String ID: 490256885-4108050209
Opcode ID: fb1a1b96e559aa1530ecb2324eae7579615e09b3a3f5883ae9b762a1d4b345d2
Instruction ID: d42604cc4683dcdf0e15632b0098fcdd1ffdaa48214cc33d31925b75ba2e5615
Opcode Fuzzy Hash: fb1a1b96e559aa1530ecb2324eae7579615e09b3a3f5883ae9b762a1d4b345d2
Instruction Fuzzy Hash: 9B617171218B488FE794EF29D848BAAB7E1FFC8304F50456DA64EC32A0DFB4D5458B42

Function 0000000140033A90 Relevance: 3.1, APIs: 2, Instructions: 62nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFE,0000000140019423), ref: 0000000140033AA7
NtProtectVirtualMemory.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFE,0000000140019423), ref: 0000000140033ACE

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID:
API String ID: 2931642484-0
Opcode ID: 65ef6fb0ad4f5bbb93bc364a7f9e746dec585cdcc59158779761026988766e45
Instruction ID: d2e3070823e07c721c61363a9a953ecbaf913381e04c0e2bd01639375735bcca
Opcode Fuzzy Hash: 65ef6fb0ad4f5bbb93bc364a7f9e746dec585cdcc59158779761026988766e45
Instruction Fuzzy Hash: 6821C672314B8082EB625B36A454B9B67A4E789BF4F940321EB7A57AE4DF3DC144C700

Function 01FECCE0 Relevance: 1.6, APIs: 1, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

LdrGetProcedureAddress.NTDLL ref: 01FECDB2

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction ID: e0e54d3ddb25e5fcacab961fb37011acb1436bfe6bd88652fb0e43ad50826c85
Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction Fuzzy Hash: D631B87151CB088BC7689F18DC4A6BAF7E4FB95711F54062EE58AC3211D632F8468BC7

Function 01FF55C0 Relevance: .9, Instructions: 926COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: CreateFirstSnapshotThread32Toolhelp32
String ID:
API String ID: 490256885-0
Opcode ID: 6d431203f5ad2e3b4f9a634e3776c8fe81fb6f5dc60a405660c162b949f7cce5
Instruction ID: 1e21b5e4749d97d444b9995d62e9c93c7281df91ce1cbcd18bac80e61b93d3ce
Opcode Fuzzy Hash: 6d431203f5ad2e3b4f9a634e3776c8fe81fb6f5dc60a405660c162b949f7cce5
Instruction Fuzzy Hash: 90629270118B098FD7A4DF18D884BA6B7E1FB98304F2146BED58DC7265CF75A846CB82

Function 02014360 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction ID: 689193dce21a2178597584dfeb1dc912c21f8a037c47fcaddad8458030ab8fa2
Opcode Fuzzy Hash: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction Fuzzy Hash: 26411BB151CB488FE7B89F0CA8466EAB7E0FB99720F10492FD5C983215D775A4428BC3

Function 020145F0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction ID: 8db6a6b91e994cf990dceb87c826fe262d45ad6f719356711da3472fdd272898
Opcode Fuzzy Hash: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction Fuzzy Hash: 6A21817161DB459FE754DF08D8466AABBE4FB98725F20091FE449C3320D7759480CB83

Function 02014BE0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction ID: 43fd8a12b9fc72cff2c6aa36ce37eec1b11199900c8fe286ce02d316e77ae5d0
Opcode Fuzzy Hash: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction Fuzzy Hash: 3211C23066CB498FDB94EF589847769B7E4F798316F40481EE889C3260D775E480CB93

Function 020151C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction ID: 9427e1ceea94dc99f4c7660af0a9c8d95a22435e4278847c3fb278da2a30aa11
Opcode Fuzzy Hash: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction Fuzzy Hash: 5C110670668B498FDB58DF089C466B977E4F789315F80441EE889C3210D779D480CB83

Function 01FF7A50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction ID: cab3343340696a087f5ceeff57b3367f4f9a759627eca1ef027f83b69cdad3a9
Opcode Fuzzy Hash: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction Fuzzy Hash: AB115C70518B488FE724AF9CD446776F7D1FB84314F50061DEA89C21B0EBF6914C8643

Function 02014FF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction ID: 2ec74d127e9fae1ac7e93c9cfa308f484ffa87e37c0238cca0100799e30f0db2
Opcode Fuzzy Hash: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction Fuzzy Hash: A411733061CB498FDB559F589C46BAA7BE0F798755F80081EE449C2250D775D480CAC3

Function 02014740 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction ID: 7429a33435f097e636ef93c2ab2fdef3821c7a0715a70f4a3c4259289c898639
Opcode Fuzzy Hash: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction Fuzzy Hash: 6301B53062CB458FEB48EB1898576BA77F1FB89714F14491EE44EC3660DB39E9408B83

Function 01FDD65A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156549221.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1fa0000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction ID: d353e1c02ee15b97a1c3781f67527a920bded1c3206dd2b5a59dc73660b7393f
Opcode Fuzzy Hash: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction Fuzzy Hash: 0AF068B0A28B448BD744DF2984C963577E1FBDC655F24452EE899C7361CB329842CB83

Function 01FDD6CA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156549221.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1fa0000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction ID: ce92d2cc8ead630f0bca072f6df8d887305257e8db4f3d07bd611d37afa88fce
Opcode Fuzzy Hash: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction Fuzzy Hash: 57F08970A24F444BC704AF2C884A53577E2F7E8645F54452EE848C7361DB35E542CB43

Function 01FF8149 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction ID: fcfea591302347233b5c6b390070c5affd6ef56cfe6895f20972d02546fb5ab3
Opcode Fuzzy Hash: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction Fuzzy Hash: 86D0A97348DB188EE7209AA8F8833E8B3E0F781328F80482FC18CC2002D63E40468B06

Function 00000001400147C0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140014930: GetModuleHandleW.KERNEL32 ref: 0000000140014976
Part of subcall function 0000000140014930: GetProcAddress.KERNEL32 ref: 0000000140014986
Part of subcall function 0000000140014930: GetVersionExW.KERNEL32 ref: 00000001400149B3
Part of subcall function 0000000140014930: NetWkstaGetInfo.NETAPI32 ref: 00000001400149CF
Part of subcall function 0000000140014930: NetApiBufferFree.NETAPI32 ref: 00000001400149E5
Part of subcall function 0000000140014930: RegOpenKeyExW.ADVAPI32 ref: 0000000140014A11
Part of subcall function 0000000140014930: RegQueryValueExW.ADVAPI32 ref: 0000000140014A55
Part of subcall function 0000000140014930: RegQueryValueExW.ADVAPI32 ref: 0000000140014A94
Part of subcall function 0000000140014930: RegQueryValueExW.ADVAPI32 ref: 0000000140014ADD

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 0000000140014805
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 0000000140014815
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 000000014001482D
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 0000000140014844

Part of subcall function 0000000140036C70: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036CD4
Part of subcall function 0000000140036C70: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036CE4
Part of subcall function 0000000140036C70: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036D24
Part of subcall function 0000000140036C70: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036D34
Part of subcall function 0000000140036C70: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036D99
Part of subcall function 0000000140036C70: IsWow64Process.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036DA7
Part of subcall function 0000000140036C70: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036DBD

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 00000001400148A4
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,000000014000E93E), ref: 00000001400148B3

Strings

NativeSoftware\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, xrefs: 0000000140014896
GetNativeSystemInfo, xrefs: 000000014001480E
kernel32.dll, xrefs: 00000001400147FE

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AddressHandleModuleProc$InfoProcessQueryValue$CurrentNativeOpenSystem$BufferCloseFreeVersionWkstaWow64
String ID: GetNativeSystemInfo$NativeSoftware\Wow6432Node\Microsoft\Windows\CurrentVersion\Run$kernel32.dll
API String ID: 2650187040-1704487226
Opcode ID: 1736c4be3a20f96ecfb9bdb5335c42383f1c3165f1d74c320c28dcbad8b4591c
Instruction ID: 74280784d4bc9cf742dc04d5e9cf70378f3f4cdf0393e2d2d249149cc7765621
Opcode Fuzzy Hash: 1736c4be3a20f96ecfb9bdb5335c42383f1c3165f1d74c320c28dcbad8b4591c
Instruction Fuzzy Hash: 1B314A32214B8081EB929F66F8843DA77A0FB8DB84F581125FB8A4B7B9DF39C545C750

Function 000000014016CAC4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,000000014016D2B8,?,?,?,?,0000000140163E91,?,?,?,?,000000014013C04C), ref: 000000014016CC40
GetProcAddress.KERNEL32(?,?,?,000000014016D2B8,?,?,?,?,0000000140163E91,?,?,?,?,000000014013C04C), ref: 000000014016CC4C

Strings

ext-ms-, xrefs: 000000014016CB9D
api-ms-, xrefs: 000000014016CB8A

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 1adb821155c22b541925954a9dc0fd7253069aa58c6e7ffdb90b8f366aa64c41
Instruction ID: 4ad419e63c0451b2e7d95b3925d1edb6d7b9003227e2fc4fdfccc5f616971cac
Opcode Fuzzy Hash: 1adb821155c22b541925954a9dc0fd7253069aa58c6e7ffdb90b8f366aa64c41
Instruction Fuzzy Hash: D8419D72321A4092EA57DB17AC04BF523A5BB4DFE0F495A25DF0D8B7A4EB39C945C304

Function 00000001400560C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 00000001400560DC
CreateEventW.KERNEL32 ref: 00000001400560F7
CreateEventW.KERNEL32 ref: 0000000140056117
std::bad_exception::bad_exception.LIBCMT ref: 0000000140056151
std::bad_exception::bad_exception.LIBCMT ref: 0000000140056187
std::bad_exception::bad_exception.LIBCMT ref: 00000001400561BD

Strings

cannot create reader/writer lock, xrefs: 0000000140056132, 0000000140056168, 000000014005619E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Createstd::bad_exception::bad_exception$Event$Mutex
String ID: cannot create reader/writer lock
API String ID: 2124267931-2318472515
Opcode ID: ca99f4f60c774062c7544afa5256e3ed1891e3e61c66dd1e14279c19b4dfa002
Instruction ID: c0c37d7130e05df2cec0792781b445151af1821803f21a84a8343b1cfc7f81da
Opcode Fuzzy Hash: ca99f4f60c774062c7544afa5256e3ed1891e3e61c66dd1e14279c19b4dfa002
Instruction Fuzzy Hash: 0821B172311B05A2FF22EB25E4507DA2360FB8C784F946425AB4D47AB5EE3DC609CB00

Function 01FE7830 Relevance: 6.3, APIs: 4, Instructions: 340
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 01FE788A
InternetConnectW.WININET ref: 01FE78CB
HttpSendRequestA.WININET ref: 01FE79DA
InternetCloseHandle.WININET ref: 01FE7B11

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: Internet$CloseConnectHandleHttpOpenRequestSend
String ID:
API String ID: 304526711-0
Opcode ID: 488b002841e1bd412dd0cc874d8b1d67b82a8a3cb49ca359c288d6713fbca809
Instruction ID: a15fc48f00f78efd7e64581b1a6caca0f077ca9043508b051790377d1044dade
Opcode Fuzzy Hash: 488b002841e1bd412dd0cc874d8b1d67b82a8a3cb49ca359c288d6713fbca809
Instruction Fuzzy Hash: 9BA1B330618B098FEB18EF5CD8597AAB7E5FB98700F04066DE94AC3294DF75D9418BC2

Function 000000014000A960 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/disable, xrefs: 000000014000A983
/uninstall, xrefs: 000000014000A9FB

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID: /disable$/uninstall
API String ID: 0-1084472821
Opcode ID: fbc4f2629d237c453a7ec397fc63e7d022fa54acb8b014f2ce1fab5554fd89aa
Instruction ID: b81a4eee4a98deaf5aeaf7e76c51fce8f8e6651ab16087b190fbcae63c2a01d1
Opcode Fuzzy Hash: fbc4f2629d237c453a7ec397fc63e7d022fa54acb8b014f2ce1fab5554fd89aa
Instruction Fuzzy Hash: 3B51AC76710B8085EB16DB66E4503EE33A1B78EBC8F544216EB9D07BAADF78C191C340

Function 00000001400520C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00000001400520D4
std::bad_exception::bad_exception.LIBCMT ref: 0000000140052105

Strings

Failed to initialize network subsystem, xrefs: 00000001400520E6

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Startupstd::bad_exception::bad_exception
String ID: Failed to initialize network subsystem
API String ID: 36264510-1820565237
Opcode ID: b4eb353d5264da8f90b1a8a0ef867063e0c9c8b7a8b4c1db5961b8ebe8e52577
Instruction ID: 13c00bd7769de46b6a5651dd2a253a066179111457733b2a5429c6a39555dacd
Opcode Fuzzy Hash: b4eb353d5264da8f90b1a8a0ef867063e0c9c8b7a8b4c1db5961b8ebe8e52577
Instruction Fuzzy Hash: 7FF030B3214945A1FB21EB25F8553DA6321F799744FC06521A34D478BAEE7DC709C700

Function 0000000140047750 Relevance: 4.6, APIs: 3, Instructions: 141sleepthreadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 0000000140047837
Sleep.KERNEL32 ref: 0000000140047844

Part of subcall function 000000014013D334: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001400583E1,?,?,?,0000000140002BF9), ref: 000000014013D344

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014004797A

Part of subcall function 000000014013D2C8: AcquireSRWLockExclusive.KERNEL32(?,?,?,000000014005840B,?,?,?,0000000140002BF9), ref: 000000014013D2D8
Part of subcall function 000000014013D2C8: ReleaseSRWLockExclusive.KERNEL32(?,?,?,000000014005840B,?,?,?,0000000140002BF9), ref: 000000014013D318

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ExclusiveLock$Acquire$ReleaseSleepSwitchThread_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2006716402-0
Opcode ID: 9afc03b3c6b6327597985d4be38e61f325282314ef3a536221abb02654494955
Instruction ID: 7c9bd40af7ea37067aac91f1722c10aceb3b74398300da81d0ee049923a7fd0f
Opcode Fuzzy Hash: 9afc03b3c6b6327597985d4be38e61f325282314ef3a536221abb02654494955
Instruction Fuzzy Hash: 43619B32211A9086FA23CB26E8457D973A1F78CB90F404226EB5D837F1EFB9C984C744

Function 01FDC24A Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 01FDC4B4

Memory Dump Source

Source File: 00000000.00000003.2156549221.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1fa0000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction ID: fe7e72448aa6e719fc5d9a83d221469554e4d068be75456e41cdb456463e298e
Opcode Fuzzy Hash: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction Fuzzy Hash: D7A1A33161CB088FDB54EF1CC885BAAB7E1FB98310F54466EE48AC7265DB34E545CB82

Function 01FF8C60 Relevance: 3.2, APIs: 2, Instructions: 188COMMON

Download Yara Rule

APIs

CreateFiber.KERNEL32 ref: 01FF8E01
DeleteFiber.KERNELBASE ref: 01FF8E1C

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: Fiber$CreateDelete
String ID:
API String ID: 2527733159-0
Opcode ID: a81c3d8a98be896dd9ba18f06cc8f029549e5d5c5a40f868ab439c78b2d98936
Instruction ID: 6e11fad19a7f0c31b1f82f6f950fdefedfd823bb0b7ed7ec0cf91211a4d76df8
Opcode Fuzzy Hash: a81c3d8a98be896dd9ba18f06cc8f029549e5d5c5a40f868ab439c78b2d98936
Instruction Fuzzy Hash: 0E51F831A189188FEB68AF2C9C5976973D5FF58350F20072EE99BC31E1DA75984287C2

Function 000000014000E800 Relevance: 3.1, APIs: 2, Instructions: 124sleepthreadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000002E,000000014000DAA0), ref: 000000014000E8DD
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000002E,000000014000DAA0), ref: 000000014000E8EA

Part of subcall function 000000014013D334: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001400583E1,?,?,?,0000000140002BF9), ref: 000000014013D344

Part of subcall function 000000014013D2C8: AcquireSRWLockExclusive.KERNEL32(?,?,?,000000014005840B,?,?,?,0000000140002BF9), ref: 000000014013D2D8
Part of subcall function 000000014013D2C8: ReleaseSRWLockExclusive.KERNEL32(?,?,?,000000014005840B,?,?,?,0000000140002BF9), ref: 000000014013D318

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ExclusiveLock$Acquire$ReleaseSleepSwitchThread
String ID:
API String ID: 3066270627-0
Opcode ID: d011e9fcae6a3cf8af6303155344bf9c5ac1203140cdbd4589f26c72ccdfb819
Instruction ID: b616942290d6e4a425ff43685c7309482b68317d53eb933a04cff363b0de1ebb
Opcode Fuzzy Hash: d011e9fcae6a3cf8af6303155344bf9c5ac1203140cdbd4589f26c72ccdfb819
Instruction Fuzzy Hash: 64515B71206A8086FB52DB2BF8547DA73A5BB8CB90F444125EB4A873F5EF39C849C740

Function 000000014013CD74 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014013CDA4

Part of subcall function 000000014013B8E8: std::bad_alloc::bad_alloc.LIBCMT ref: 000000014013B8F1

Concurrency::cancel_current_task.LIBCPMT ref: 000000014013CDAA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: b363fbfb082da6ed4b100b66efc0b1c3cca4414650e2484265a6478799093a01
Instruction ID: 1a53bc0ae4094479f314cc7956cdd9da91ea7a3763b39e4bee811d2a55a54395
Opcode Fuzzy Hash: b363fbfb082da6ed4b100b66efc0b1c3cca4414650e2484265a6478799093a01
Instruction Fuzzy Hash: 57E0127072118652FD7B32F358553E906840B1EF70E1C1B307B3B096F7E934C4619691

Function 00000001400561E0 Relevance: 2.5, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00000001400561FC
CloseHandle.KERNEL32 ref: 0000000140056206

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7b0a4b3615aaa7102769c46be8e6c591c76dcee8c9bcb9b14aa991e0f9ab2447
Instruction ID: 723df857803f82974ecfc79fad59c764d73f5c57e806b5e40e2d497afb2c1645
Opcode Fuzzy Hash: 7b0a4b3615aaa7102769c46be8e6c591c76dcee8c9bcb9b14aa991e0f9ab2447
Instruction Fuzzy Hash: 87D09232600904D1EB169B73E8A43A863B0E78CF99F182021DF1E47271CE38C6968324

Function 01FE8ED0 Relevance: 1.9, APIs: 1, Instructions: 410synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 01FE8F00

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction ID: 2783cefe23adccdaad7c35596865c942492d87e3334113898f7e708136684508
Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction Fuzzy Hash: 56E10F71518A0D8FE751EF14E894BE6BBF4F768340F60067BE84AC6264DB389245CB86

Function 000000014003D530 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140056450: WaitForMultipleObjects.KERNEL32 ref: 0000000140056487
Part of subcall function 0000000140056450: ResetEvent.KERNEL32 ref: 00000001400564A3
Part of subcall function 0000000140056450: ResetEvent.KERNEL32 ref: 00000001400564AD
Part of subcall function 0000000140056450: ReleaseMutex.KERNEL32 ref: 00000001400564B6

Part of subcall function 00000001400561E0: CloseHandle.KERNEL32 ref: 00000001400561FC
Part of subcall function 00000001400561E0: CloseHandle.KERNEL32 ref: 0000000140056206

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003D5CC

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CloseEventHandleReset$MultipleMutexObjectsReleaseWait_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2886672318-0
Opcode ID: abb6fcb1c4f4bafc8d95b9ee41e8c8d985039863a12ab0f272bb873287092e26
Instruction ID: 527263015702d4115b4742bf2f4fdd3bfb1e38bd9170e42860ca13b629b5449b
Opcode Fuzzy Hash: abb6fcb1c4f4bafc8d95b9ee41e8c8d985039863a12ab0f272bb873287092e26
Instruction Fuzzy Hash: C5118C72310B8092EA06EB2AE5543EE7361F74CBC8F440622EB5D47B66EF39C5A0C344

Function 0000000140167DAC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,000000014016EC4D,?,?,00000000,00000001401649FF,?,?,?,000000014016572F,?,?,?,0000000140165625), ref: 0000000140167DEA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: a20a491f826e01268f0b819b45a0d52f4775ead2c48b6af0959b61fcd8953722
Instruction ID: 84e013747916b1eb75d2c46b29caed73478c1f4ee43632a2669ef8d94d904506
Opcode Fuzzy Hash: a20a491f826e01268f0b819b45a0d52f4775ead2c48b6af0959b61fcd8953722
Instruction Fuzzy Hash: 1BF01C3130128557FA5756E76D51BF512845F5DFB4F4C0E205F2E862E1DA7CC4418610

Non-executed Functions

Function 0000000140025AF0 Relevance: 150.1, APIs: 59, Strings: 25, Instructions: 3075COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002607E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002608A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026090
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026096
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002609C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400264B9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400264BF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400264C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400264CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002654A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026A18
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026A1E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026A24
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026A2A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026A30
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026A36
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026EA7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026EAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026EB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026EB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026EBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140026EC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027293
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027299
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002729F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400272A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400272AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002770B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027711
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027717
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027723
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027729
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002772F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D08
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D0E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D14
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D20
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D26
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D2C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D32
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140027D38
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400289DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400289E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400289E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400289F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400289F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400289FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A0A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A10
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A22
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A28
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A2E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A3A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A40
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028A46

Strings

Failed to open key = %ls\%ls, wow64 = 0x%x, %ls, xrefs: 0000000140025CCE
mb::common::system::RegistryUtilities::GetBinaryValueImpl, xrefs: 0000000140025CF4, 0000000140025EE6
System32, xrefs: 0000000140027323, 00000001400277DA, 0000000140027DD6
Could not delete key = %ls\%ls\%ls, xrefs: 0000000140026405
Error deleting offline key %ls\%ls, %ls, xrefs: 0000000140026C88
%ls failed with exit code %d, xrefs: 00000001400275E9, 0000000140027BDC, 00000001400287BE
mb::common::system::RegistryUtilities::ExportRegFileInWinPE, xrefs: 00000001400287E4
SysWOW64, xrefs: 000000014002731C, 00000001400277D3
" ", xrefs: 00000001400279A8, 0000000140027FCD, 0000000140028462
Failed to open offline reg key %ls\%ls, %ls, xrefs: 0000000140026B15
mb::common::system::RegistryUtilities::DeleteOfflineKeyImpl, xrefs: 0000000140026B3B, 0000000140026CAE
mb::common::system::RegistryUtilities::DeleteKey, xrefs: 000000014002642B
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 000000014002706F
Error deleting key %ls\%ls, %ls, xrefs: 000000014002687E
export ", xrefs: 0000000140027993, 0000000140027FB6, 00000001400283B0
mb::common::system::RegistryUtilities::DeleteKeyImpl, xrefs: 0000000140026729, 00000001400268A4
Failed to open reg key %ls\%ls, wow64 = 0x%x, %ls, xrefs: 0000000140026703
Sysnative, xrefs: 0000000140027DCF
mb::common::system::RegistryUtilities::ImportRegFile, xrefs: 000000014002760F
import ", xrefs: 00000001400274D4
mb::common::system::RegistryUtilities::ExportRegFile, xrefs: 0000000140027C02
Failed to query reg key %ls\%ls, value name = %ls, %ls, xrefs: 0000000140025EC0
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0000000140026F27
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 0000000140025CED, 0000000140025EDF, 0000000140026424, 0000000140026722, 000000014002689D, 0000000140026B34, 0000000140026CA7, 0000000140027608, 0000000140027BFB, 00000001400287DD
DisableRegistryTools, xrefs: 0000000140026F4B

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: " "$%ls failed with exit code %d$Could not delete key = %ls\%ls\%ls$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$DisableRegistryTools$Error deleting key %ls\%ls, %ls$Error deleting offline key %ls\%ls, %ls$Failed to open key = %ls\%ls, wow64 = 0x%x, %ls$Failed to open offline reg key %ls\%ls, %ls$Failed to open reg key %ls\%ls, wow64 = 0x%x, %ls$Failed to query reg key %ls\%ls, value name = %ls, %ls$Software\Microsoft\Windows\CurrentVersion\Policies\System$Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System$SysWOW64$Sysnative$System32$export "$import "$mb::common::system::RegistryUtilities::DeleteKey$mb::common::system::RegistryUtilities::DeleteKeyImpl$mb::common::system::RegistryUtilities::DeleteOfflineKeyImpl$mb::common::system::RegistryUtilities::ExportRegFile$mb::common::system::RegistryUtilities::ExportRegFileInWinPE$mb::common::system::RegistryUtilities::GetBinaryValueImpl$mb::common::system::RegistryUtilities::ImportRegFile
API String ID: 3668304517-4245381116
Opcode ID: 462b89b6e59b777cc80b1431fa8f37c4793ea1841da6239b619aff98cc51b877
Instruction ID: 49ed9c544f69a9d3cc1f42c8d135e64a04342989ce10c8dd96f7f0071bfe9ec8
Opcode Fuzzy Hash: 462b89b6e59b777cc80b1431fa8f37c4793ea1841da6239b619aff98cc51b877
Instruction Fuzzy Hash: B6537AB2B10B8485EB11DB6AE4443ED63A1F789BE8F505216EF6C17BA9DF78C585C300

Function 000000014001E120 Relevance: 102.6, APIs: 32, Strings: 25, Instructions: 2874COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001EA60
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001EA66
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001EA6C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001ECEB
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00000001400202A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020DB8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020DBE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020DCA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020DD0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020DD6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020DF4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020DFA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E00
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E06
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E0C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E12
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E18
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E1E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E24
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E2A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E36
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E3C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E42
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E48
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E4E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E60
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E72
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E78
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E7E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E84
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E8A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140020E90

Part of subcall function 00000001400064F0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000657C

Strings

%PROGRAMFILES(X86)%\, xrefs: 000000014001F7B5
(X86), xrefs: 000000014001F639
Using GetValueString for registry value type (%d), Key=%s, Value=%s, xrefs: 000000014001E39A
RegQueryValue failed: Key=%s, Value=%s, RetCode=%d., xrefs: 000000014001E43A, 000000014001E677, 000000014001E8B2
SYSTEMROOT\, xrefs: 000000014001F733
mb::common::system::RegistryUtilities::GetOfflineValueString, xrefs: 000000014001EBF0, 000000014001EC60
RegOpenKey failed: Key=%s, RetCode=%d., xrefs: 000000014001E4B7, 000000014001E6F4, 000000014001E92E
%PROGRAMFILES%, xrefs: 000000014001F3C5
Using GetValueString for registry value type %d, xrefs: 000000014001E5D8, 000000014001E815, 000000014001EC3A
.EXE, xrefs: 000000014001FEEA, 000000014001FF66, 000000014001FFE1
RUNDLL32.EXE , xrefs: 000000014001EEE2
%WINDIR%\, xrefs: 000000014001F6C9
%SYSTEM%\, xrefs: 000000014001F6B0
%SYSDIR%, xrefs: 000000014001F352
.DLL, xrefs: 000000014002005C, 00000001400200D7, 0000000140020152
RUNDLL32 , xrefs: 000000014001EF65
SYSTEM32\, xrefs: 000000014001F697
%SYSTEMROOT%\, xrefs: 000000014001F700
Failed to get value '%ls' for open offline registry subkey '%ls': %i, xrefs: 000000014001EBCA
\??\, xrefs: 000000014001F2D1
%PROGRAMFILES%\, xrefs: 000000014001F796
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 000000014001E3B9, 000000014001E459, 000000014001E4D6, 000000014001E5F7, 000000014001E696, 000000014001E713, 000000014001E834, 000000014001E8D1, 000000014001E94D, 000000014001EBE9, 000000014001EC59
mb::common::system::RegistryUtilities::GetValueStringInternal, xrefs: 000000014001E3C0, 000000014001E460, 000000014001E4DD, 000000014001E5FE, 000000014001E69D, 000000014001E71A, 000000014001E83B, 000000014001E8D8, 000000014001E954
\SYSTEMROOT\, xrefs: 000000014001F766
(X86), xrefs: 000000014001F651

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$SimpleString::operator=
String ID: (X86)$%PROGRAMFILES%$%PROGRAMFILES%\$%PROGRAMFILES(X86)%\$%SYSDIR%$%SYSTEM%\$%SYSTEMROOT%\$%WINDIR%\$(X86)$.DLL$.EXE$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Failed to get value '%ls' for open offline registry subkey '%ls': %i$RUNDLL32 $RUNDLL32.EXE $RegOpenKey failed: Key=%s, RetCode=%d.$RegQueryValue failed: Key=%s, Value=%s, RetCode=%d.$SYSTEM32\$SYSTEMROOT\$Using GetValueString for registry value type %d$Using GetValueString for registry value type (%d), Key=%s, Value=%s$\??\$\SYSTEMROOT\$mb::common::system::RegistryUtilities::GetOfflineValueString$mb::common::system::RegistryUtilities::GetValueStringInternal
API String ID: 3611281024-742977986
Opcode ID: aec5005acf46235b870413662141df9ab2d7366cc6b36072e49790399cda7ed7
Instruction ID: a637c67bfd62308773ed7eb7ca593789563a044841fd4f796b840801913f95fe
Opcode Fuzzy Hash: aec5005acf46235b870413662141df9ab2d7366cc6b36072e49790399cda7ed7
Instruction Fuzzy Hash: 8F538CB2710B8095EB11DF6AE8443DD23A1F748BE8F405616EB6D1BAEADF78C585C340

Function 0000000140041A20 Relevance: 73.0, APIs: 23, Strings: 18, Instructions: 1264COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140041AEA
ConvertSidToStringSidW.ADVAPI32 ref: 0000000140041C75
LocalFree.KERNEL32 ref: 0000000140041D5C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140041E5E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140041E64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140041E6A
ConvertSidToStringSidW.ADVAPI32 ref: 0000000140041FF5
LocalFree.KERNEL32 ref: 00000001400420DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400421DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400421E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400421EA
ConvertStringSidToSidW.ADVAPI32 ref: 0000000140042232
LocalFree.KERNEL32 ref: 000000014004231D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014004233F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400424F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400424FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140042865
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014004286B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140042871
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140042877

Part of subcall function 0000000140015C00: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140015D32

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140042CA3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140042CA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140042CB5

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp, xrefs: 0000000140041C04, 0000000140041CD8, 0000000140041DAD, 0000000140041F84, 0000000140042058, 000000014004212D, 00000001400422A8, 000000014004243D, 0000000140042580, 00000001400427B4, 00000001400428F2, 0000000140042D09
Error converting sid '%s' to PSID, Error = %s, xrefs: 0000000140042282
mb::common::system::Permissions::ResetFolderPermissions, xrefs: 00000001400428F9
ACLs not initialized, cannot reset folder permissions on %s., xrefs: 00000001400428CC
BUILTIN\Administrators SID not initialized, cannot reset folder permissions on %ls., xrefs: 0000000140042D10
Error converting PSID to sid string, Error = %s, xrefs: 0000000140041CB2, 0000000140042032
Permissions, xrefs: 0000000140041BEA, 0000000140041CBE, 0000000140041D93, 0000000140041F6A, 000000014004203E, 0000000140042113, 000000014004228E, 0000000140042423, 0000000140042566, 000000014004279A, 00000001400428D8, 0000000140042D29
mb::common::system::Permissions::ResetFilePermissions, xrefs: 0000000140042587, 00000001400427BB
mb::common::system::Permissions::ResetFolderOwnership, xrefs: 0000000140042D22
Object '%s' has a NULL SID for owner, xrefs: 0000000140041D87
mb::common::system::Permissions::SetOwner, xrefs: 00000001400422AF, 0000000140042444
Error getting security info on '%s', %s, xrefs: 0000000140041BDE, 0000000140041F5E
Error resetting permissions on given file %s, Error = %s., xrefs: 000000014004278E
Object '%s' has a NULL SID for group, xrefs: 0000000140042107
Error taking ownership of given object %s, Error = %s., xrefs: 0000000140042417
mb::common::system::Permissions::GetOwner, xrefs: 0000000140041C0B, 0000000140041CDF, 0000000140041DB4
mb::common::system::Permissions::GetGroup, xrefs: 0000000140041F8B, 000000014004205F, 0000000140042134
ACLs not initialized, cannot reset file permissions on %s., xrefs: 000000014004255A

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ConvertFreeLocalString
String ID: ACLs not initialized, cannot reset file permissions on %s.$ACLs not initialized, cannot reset folder permissions on %s.$BUILTIN\Administrators SID not initialized, cannot reset folder permissions on %ls.$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp$Error converting PSID to sid string, Error = %s$Error converting sid '%s' to PSID, Error = %s$Error getting security info on '%s', %s$Error resetting permissions on given file %s, Error = %s.$Error taking ownership of given object %s, Error = %s.$Object '%s' has a NULL SID for group$Object '%s' has a NULL SID for owner$Permissions$mb::common::system::Permissions::GetGroup$mb::common::system::Permissions::GetOwner$mb::common::system::Permissions::ResetFilePermissions$mb::common::system::Permissions::ResetFolderOwnership$mb::common::system::Permissions::ResetFolderPermissions$mb::common::system::Permissions::SetOwner
API String ID: 347880976-2862994028
Opcode ID: afaa8cd3f92774f8b916f9589616477a91638bf1b100b1ab48e2dc968674ca20
Instruction ID: 93fe4ab0cfac20fe5e10077eb05eb808461078215abf2cda143accd2164bfda5
Opcode Fuzzy Hash: afaa8cd3f92774f8b916f9589616477a91638bf1b100b1ab48e2dc968674ca20
Instruction Fuzzy Hash: 93C289B2B10B4085EB11DB66E4847ED23A1F788BE8F815226EF5D17BA8DF78C195C344

Function 000000014000EBD0 Relevance: 72.3, APIs: 23, Strings: 18, Instructions: 589serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 000000014000ED56
GetLastError.KERNEL32 ref: 000000014000ED86
OpenServiceW.ADVAPI32 ref: 000000014000EDEC
GetLastError.KERNEL32 ref: 000000014000EE1C
GetLastError.KERNEL32 ref: 000000014000EE88
GetLastError.KERNEL32 ref: 000000014000EEA3
GetLastError.KERNEL32 ref: 000000014000F25E
GetLastError.KERNEL32 ref: 000000014000F278
CloseServiceHandle.ADVAPI32 ref: 000000014000F35D
CloseServiceHandle.ADVAPI32 ref: 000000014000F374
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000F43D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000F443
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000F449
CloseServiceHandle.ADVAPI32 ref: 000000014000F476
CloseServiceHandle.ADVAPI32 ref: 000000014000F48F

Part of subcall function 000000014000B7C0: SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B89D
Part of subcall function 000000014000B7C0: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B8AA

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000F541
CloseServiceHandle.ADVAPI32 ref: 000000014000F562

Strings

OpenService failed on %1s. Error %u., xrefs: 000000014000EE47
wscsvc state %u pid %u, xrefs: 000000014000EF7C
wscsvc is already running, xrefs: 000000014000EFC7
Failed to open wscsvc handle %08X, xrefs: 000000014000EEBD
wscsvc, xrefs: 000000014000EC61
D:\Jenkins\workspace\N_MBAMWsc\src\wsccom.cpp, xrefs: 000000014000EFA2, 000000014000EFED, 000000014000F112, 000000014000F19F, 000000014000F24A, 000000014000F2E1, 000000014000F337
StartService failed %08X, xrefs: 000000014000F224
MBAMWsc, xrefs: 000000014000EF88, 000000014000EFD3, 000000014000F0F8, 000000014000F236, 000000014000F45A
wsccom::WaitForWscServiceRunning, xrefs: 000000014000EFA9, 000000014000EFF4, 000000014000F119, 000000014000F1A6, 000000014000F251, 000000014000F2E8, 000000014000F33E
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\WindowsService.cpp, xrefs: 000000014000EDBD, 000000014000EE66, 000000014000F09D
wscsvc did not enter the running state %u %u %08X, xrefs: 000000014000F318
mb::common::system::WindowsService::Open, xrefs: 000000014000EDC4, 000000014000EE6D
Waiting %u seconds for wscsvc to enter running state, xrefs: 000000014000F0EC
NotifyServiceStatusChange failed %u, xrefs: 000000014000F180
mb::common::system::WindowsService::GetServiceStartState, xrefs: 000000014000F0A4
wscsvc has entered the running state, xrefs: 000000014000F2C4
Unable to get start state for %ls, xrefs: 000000014000F07E
OpenSCManager failed. Error %u., xrefs: 000000014000ED9E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ErrorLastService$CloseHandle$_invalid_parameter_noinfo_noreturn$Open$ManagerSleepSwitchThread
String ID: D:\Jenkins\workspace\N_MBAMWsc\src\wsccom.cpp$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\WindowsService.cpp$Failed to open wscsvc handle %08X$MBAMWsc$NotifyServiceStatusChange failed %u$OpenSCManager failed. Error %u.$OpenService failed on %1s. Error %u.$StartService failed %08X$Unable to get start state for %ls$Waiting %u seconds for wscsvc to enter running state$mb::common::system::WindowsService::GetServiceStartState$mb::common::system::WindowsService::Open$wsccom::WaitForWscServiceRunning$wscsvc$wscsvc did not enter the running state %u %u %08X$wscsvc has entered the running state$wscsvc is already running$wscsvc state %u pid %u
API String ID: 2726523056-1075624375
Opcode ID: f814ba64a25b7a01a76ce7358d567553f583ea29953cea7f00d4da0e5ef5a6b4
Instruction ID: 07f26e6115913c6db5420ea2eec29cca9812e2566524e71bbd7a5ecfc2170309
Opcode Fuzzy Hash: f814ba64a25b7a01a76ce7358d567553f583ea29953cea7f00d4da0e5ef5a6b4
Instruction Fuzzy Hash: 5B528BB6610B8486EB11CF26E8847ED33A1F78CB98F505216EB8D47AB9DF78C585D340

Function 0000000140003140 Relevance: 70.5, APIs: 33, Strings: 7, Instructions: 471memorypipetimeCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 0000000140003194
CoGetClassObject.OLE32 ref: 00000001400031CC
CallNamedPipeW.KERNEL32 ref: 000000014000320D
Sleep.KERNEL32 ref: 0000000140003230
CallNamedPipeW.KERNEL32 ref: 0000000140003269
SysAllocString.OLEAUT32 ref: 000000014000330A
SysFreeString.OLEAUT32 ref: 0000000140003344
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400033F6
GetLocalTime.KERNEL32 ref: 0000000140003464
GetTickCount.KERNEL32 ref: 0000000140003480
SysAllocString.OLEAUT32 ref: 00000001400035D9
SysAllocString.OLEAUT32 ref: 000000014000363A
SysAllocString.OLEAUT32 ref: 0000000140003647
SysAllocString.OLEAUT32 ref: 0000000140003657
GetCurrentThreadId.KERNEL32 ref: 000000014000366F
GetProcessId.KERNEL32 ref: 0000000140003679
SysFreeString.OLEAUT32 ref: 00000001400036C4
SysFreeString.OLEAUT32 ref: 00000001400036CD
SysFreeString.OLEAUT32 ref: 00000001400036D6
SysFreeString.OLEAUT32 ref: 00000001400036DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140003714
GetLocalTime.KERNEL32 ref: 0000000140003770
GetTickCount.KERNEL32 ref: 000000014000379F
SysAllocString.OLEAUT32 ref: 00000001400037EA
SysAllocString.OLEAUT32 ref: 00000001400037F8
SysAllocString.OLEAUT32 ref: 0000000140003806
SysAllocString.OLEAUT32 ref: 0000000140003816
GetCurrentThreadId.KERNEL32 ref: 000000014000382F
GetProcessId.KERNEL32 ref: 0000000140003839
SysFreeString.OLEAUT32 ref: 0000000140003888
SysFreeString.OLEAUT32 ref: 0000000140003891
SysFreeString.OLEAUT32 ref: 000000014000389A
SysFreeString.OLEAUT32 ref: 00000001400038A3

Strings

D:\Jenkins\workspace\N_MBAMWsc\src\IService.cpp, xrefs: 000000014000337B
NeedAKey, xrefs: 00000001400031FF, 000000014000325B
Error 0x, xrefs: 00000001400034E3
\\.\pipe\MBLG, xrefs: 0000000140003206, 0000000140003262
MbamService::Initialize, xrefs: 0000000140003374
MBAMWsc, xrefs: 0000000140003650, 000000014000380C
Initialize complete., xrefs: 0000000140003362

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: String$AllocFree$CallCountCurrentLocalNamedPipeProcessThreadTickTime_invalid_parameter_noinfo_noreturn$ClassInitializeObjectSleep
String ID: Error 0x$D:\Jenkins\workspace\N_MBAMWsc\src\IService.cpp$Initialize complete.$MBAMWsc$MbamService::Initialize$NeedAKey$\\.\pipe\MBLG
API String ID: 3662678588-1227516934
Opcode ID: 6a60c12cac678354da0e1a7e17c03cf93b820a5e75e704868b6d5b8e057fe969
Instruction ID: 35fe5bb89a2cccf6c61688297c03298982f1aee1f0a8af4f17683fb160d9ca06
Opcode Fuzzy Hash: 6a60c12cac678354da0e1a7e17c03cf93b820a5e75e704868b6d5b8e057fe969
Instruction Fuzzy Hash: 1C225BB2614B8096E712CF26E8443DE77A0F78DB94F545216EF8953BA8EF78C285C740

Function 000000014002E350 Relevance: 61.3, APIs: 21, Strings: 13, Instructions: 1807COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002E4EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F189
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F195
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F19B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1B3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1B9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1BF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002F1D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FC96
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FC9C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FCA8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FCB4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FCBA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FCC0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FCC6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002FCCC

Strings

RegistryUtilities::TranslateHKU(%ls, %ls): profile not found for %ls, xrefs: 000000014002EEB5
Entry: RegistryUtilities::GetHivePath(%p, %ls), xrefs: 000000014002FD2A
Exit: true <- RegistryUtilities::GetHivePath(%p, %ls), xrefs: 000000014002FF93
Entry: RegistryUtilities::GetOfflineHive(%ls, %p), xrefs: 000000014002F255
Exit: <- RegistryUtilities::TranslateHKU(%ls, %ls), xrefs: 000000014002E760, 000000014002EC27, 000000014002EF21, 000000014002F0F5
Entry: RegistryUtilities::TranslateHKU(%ls, %ls), xrefs: 000000014002E568
Exit: true <- RegistryUtilities::GetOfflineHive(%ls, %p), xrefs: 000000014002FC65
mb::common::system::RegistryUtilities::GetOfflineHive, xrefs: 000000014002F27B, 000000014002F53D, 000000014002F9E3, 000000014002FC85
mb::common::system::RegistryUtilities::TranslateHKU, xrefs: 000000014002E58E, 000000014002E786, 000000014002EC47, 000000014002EEDB, 000000014002EF47, 000000014002F115
Exit: false <- RegistryUtilities::GetHivePath(%p, %ls), xrefs: 000000014002FD98, 000000014002FE97
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 000000014002E587, 000000014002E77F, 000000014002EC40, 000000014002EED4, 000000014002EF40, 000000014002F10E, 000000014002F274, 000000014002F536, 000000014002F9DC, 000000014002FC7E, 000000014002FD49, 000000014002FDB7, 000000014002FEB6, 000000014002FFAC
Exit: false <- RegistryUtilities::GetOfflineHive(%ls, %p), xrefs: 000000014002F517, 000000014002F9C3
mb::common::system::RegistryUtilities::GetHivePath, xrefs: 000000014002FD50, 000000014002FDBE, 000000014002FEBD, 000000014002FFB3

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Entry: RegistryUtilities::GetHivePath(%p, %ls)$Entry: RegistryUtilities::GetOfflineHive(%ls, %p)$Entry: RegistryUtilities::TranslateHKU(%ls, %ls)$Exit: <- RegistryUtilities::TranslateHKU(%ls, %ls)$Exit: false <- RegistryUtilities::GetHivePath(%p, %ls)$Exit: false <- RegistryUtilities::GetOfflineHive(%ls, %p)$Exit: true <- RegistryUtilities::GetHivePath(%p, %ls)$Exit: true <- RegistryUtilities::GetOfflineHive(%ls, %p)$RegistryUtilities::TranslateHKU(%ls, %ls): profile not found for %ls$mb::common::system::RegistryUtilities::GetHivePath$mb::common::system::RegistryUtilities::GetOfflineHive$mb::common::system::RegistryUtilities::TranslateHKU
API String ID: 3668304517-3799554803
Opcode ID: 87dd03ea458205be0005401f9351cfab5973355789130229f8c8311f9301ba5c
Instruction ID: fe8202cd6a712caadc397c1c4c5253a0197549952831d91abc9ef9245069614f
Opcode Fuzzy Hash: 87dd03ea458205be0005401f9351cfab5973355789130229f8c8311f9301ba5c
Instruction Fuzzy Hash: 4D03ACB2A00B8485EB12CF6AE4443ED27A1F749BD8F50561AEB5D17BB9DF78C984C340

Function 000000014001A0B0 Relevance: 59.2, APIs: 16, Strings: 17, Instructions: 1456COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B8E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B8EC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B8F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B8F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B8FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B904
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B90A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001B91C

Strings

Failed to open offline registry subkey '%ls': %i, xrefs: 000000014001BC23
SeSecurityPrivilege, xrefs: 000000014001A57F
mb::common::system::RegistryUtilities::EnumerateKeyImpl, xrefs: 000000014001A1CD, 000000014001A295, 000000014001A3F5, 000000014001A531, 000000014001A65E, 000000014001A8BB, 000000014001AA9F, 000000014001ACB3, 000000014001AF05, 000000014001B826
Exit: <- RegistryUtilities::EnumerateKeyImpl(%p, %ls, %p, %i, %i, %p:%i, %p:%ls), xrefs: 000000014001A26F, 000000014001A3CF, 000000014001AC8D, 000000014001B806
RegOpenKey failed, trying to reset permissions: Key=%s\%s, RetCode=%d., xrefs: 000000014001A50B
true, xrefs: 000000014001A108, 000000014001A1DA, 000000014001A362, 000000014001A6EC, 000000014001A8FA, 000000014001AC18, 000000014001AF53, 000000014001B787, 000000014001BA47, 000000014001BB1A, 000000014001BC85, 000000014001BDC5
Entry: RegistryUtilities::EnumerateKeyImpl(%p, %ls, %p, %i, %i, %p:%i, %p:%ls), xrefs: 000000014001A1A7
Failed to query offline registry subkey '%ls': %i, xrefs: 000000014001BD55
Entry: RegistryUtilities::EnumerateOfflineKeyImpl(%p, %ls, %p, %i, %p:%i, %p:%ls), xrefs: 000000014001BADC
false, xrefs: 000000014001A10F, 000000014001A6E5, 000000014001A8F3, 000000014001AC11, 000000014001AF4C, 000000014001B780, 000000014001BA4E, 000000014001BB0F, 000000014001BC7E, 000000014001BDBE
Could not get security info for resetting permissions on key: Key=%s., xrefs: 000000014001A895
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 000000014001A1C6, 000000014001A28E, 000000014001A3EE, 000000014001A52A, 000000014001A657, 000000014001A8B4, 000000014001AA98, 000000014001ACAC, 000000014001AEFE, 000000014001B81F, 000000014001BAFB, 000000014001BC42, 000000014001BD74, 000000014001C431
RegQueryInfoKey failed: Key=%s, RetCode=%d., xrefs: 000000014001AEDF
mb::common::system::RegistryUtilities::EnumerateOfflineKeyImpl, xrefs: 000000014001BB02, 000000014001BC49, 000000014001BD7B, 000000014001C438
Could not open key after resetting permissions: Key=%s, status=%d., xrefs: 000000014001AA79
Exit: <- RegistryUtilities::EnumerateOfflineKeyImpl(%p, %ls, %p, %i, %p:%i, %p:%ls), xrefs: 000000014001BBA4, 000000014001C418
RegOpenKey with ACCESS_SYSTEM_SECURITY failed: Key=%s\%s, RetCode=%d., xrefs: 000000014001A638

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Could not get security info for resetting permissions on key: Key=%s.$Could not open key after resetting permissions: Key=%s, status=%d.$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Entry: RegistryUtilities::EnumerateKeyImpl(%p, %ls, %p, %i, %i, %p:%i, %p:%ls)$Entry: RegistryUtilities::EnumerateOfflineKeyImpl(%p, %ls, %p, %i, %p:%i, %p:%ls)$Exit: <- RegistryUtilities::EnumerateKeyImpl(%p, %ls, %p, %i, %i, %p:%i, %p:%ls)$Exit: <- RegistryUtilities::EnumerateOfflineKeyImpl(%p, %ls, %p, %i, %p:%i, %p:%ls)$Failed to open offline registry subkey '%ls': %i$Failed to query offline registry subkey '%ls': %i$RegOpenKey failed, trying to reset permissions: Key=%s\%s, RetCode=%d.$RegOpenKey with ACCESS_SYSTEM_SECURITY failed: Key=%s\%s, RetCode=%d.$RegQueryInfoKey failed: Key=%s, RetCode=%d.$SeSecurityPrivilege$false$mb::common::system::RegistryUtilities::EnumerateKeyImpl$mb::common::system::RegistryUtilities::EnumerateOfflineKeyImpl$true
API String ID: 3668304517-2491135254
Opcode ID: 913bf4ddcd3dcfc8800f617e71d07c84fc348d892059dacaf472c4cc36d9d4e8
Instruction ID: 3f0d76ce6dd9d3c91182f6f908d507233ca0b22aefe430e5adc5768021a956b6
Opcode Fuzzy Hash: 913bf4ddcd3dcfc8800f617e71d07c84fc348d892059dacaf472c4cc36d9d4e8
Instruction Fuzzy Hash: DDF23776600B808AEB21CF66E8847DD77A5F749BD8F544216EB8D4BBA8DF39C584C700

Function 0000000140029060 Relevance: 54.0, APIs: 19, Strings: 11, Instructions: 1470COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029222
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029228
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B3C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B42
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B4E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B54
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B5A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B60
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B66
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140029B6C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A47D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A483
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A48F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A495
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A49B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A4A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A4A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A4AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002A5A3

Strings

SeBackupPrivilege, xrefs: 00000001400299C1, 000000014002A311
Failed to create reg key %ls\%ls, %ls, xrefs: 0000000140029134
Failed to save reg key %ls to file %ls, %ls, xrefs: 000000014002A3A4
mb::common::system::RegistryUtilities::CreateOfflineRegKeyImpl, xrefs: 000000014002915A
Failed to save offline reg key %ls to file %ls, %ls, xrefs: 0000000140029F00
Failed to save import file %ls to reg key %ls. %ls, xrefs: 00000001400295B0
SeRestorePrivilege, xrefs: 00000001400299CD
Failed to restore reg key %ls to file %ls, %ls, xrefs: 0000000140029A63
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 0000000140029153, 00000001400295CF, 0000000140029A82, 0000000140029B84, 0000000140029F1F, 000000014002A3C3
mb::common::system::RegistryUtilities::ExportRegFileEx, xrefs: 0000000140029F26, 000000014002A3CA
mb::common::system::RegistryUtilities::ImportRegFileEx, xrefs: 00000001400295D6, 0000000140029A89

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Failed to create reg key %ls\%ls, %ls$Failed to restore reg key %ls to file %ls, %ls$Failed to save import file %ls to reg key %ls. %ls$Failed to save offline reg key %ls to file %ls, %ls$Failed to save reg key %ls to file %ls, %ls$SeBackupPrivilege$SeRestorePrivilege$mb::common::system::RegistryUtilities::CreateOfflineRegKeyImpl$mb::common::system::RegistryUtilities::ExportRegFileEx$mb::common::system::RegistryUtilities::ImportRegFileEx
API String ID: 3668304517-2524583579
Opcode ID: 5d4cb20496cd3017527228c49deeb0702a9c632286129b543997c496f8cdbfdd
Instruction ID: d9c78d17f384a3034e50a140ef03f7ee6672422892b895cf62c9e03ab5b088f8
Opcode Fuzzy Hash: 5d4cb20496cd3017527228c49deeb0702a9c632286129b543997c496f8cdbfdd
Instruction Fuzzy Hash: D4D27BB2B10B8085EB11CB6AE4847ED63A1F749BD8F505616EF6D17AE9DF78C984C300

Function 00000001400481B0 Relevance: 47.5, APIs: 8, Strings: 19, Instructions: 215COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 0000000140048257
BCryptGetProperty.BCRYPT ref: 000000014004829F
BCryptGetProperty.BCRYPT ref: 000000014004833E
BCryptCloseAlgorithmProvider.BCRYPT ref: 00000001400484D6
BCryptDestroyHash.BCRYPT ref: 00000001400484E6

Strings

**** Error 0x%x returned by BCryptHashData, xrefs: 000000014004851F
SHA1, xrefs: 0000000140048245
ObjectLength, xrefs: 0000000140048298
MbHashMemory, xrefs: 00000001400482FE, 0000000140048383, 00000001400484A8
**** Error 0x%x returned by BCryptGetProperty getting object length, xrefs: 00000001400482B0
MbCommonSigCRYPTUSR, xrefs: 00000001400482E8, 00000001400483A6, 00000001400484AF
**** Error 0x%x returned by BCryptOpenAlgorithmProvider - Hash, xrefs: 0000000140048268
**** memory allocation failed, xrefs: 00000001400482D8
SHA512, xrefs: 0000000140048221
MD5, xrefs: 000000014004823C
HashDigestLength, xrefs: 0000000140048337
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp, xrefs: 00000001400482F2, 0000000140048378, 000000014004849C
SHA256, xrefs: 0000000140048233
**** Invalid hash size: %u, need %u, xrefs: 000000014004839A
**** Invalid hash buffer: %p, xrefs: 00000001400483D5
**** Error 0x%x returned by BCryptGetProperty getting hash length, xrefs: 000000014004834F
**** Error 0x%x returned by BCryptFinishHash, xrefs: 0000000140048488
**** Error 0x%x returned by BCryptCreateHash, xrefs: 000000014004841F
SHA384, xrefs: 000000014004822A

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Crypt$AlgorithmPropertyProvider$CloseDestroyHashOpen
String ID: **** Error 0x%x returned by BCryptCreateHash$**** Error 0x%x returned by BCryptFinishHash$**** Error 0x%x returned by BCryptGetProperty getting hash length$**** Error 0x%x returned by BCryptGetProperty getting object length$**** Error 0x%x returned by BCryptHashData$**** Error 0x%x returned by BCryptOpenAlgorithmProvider - Hash$**** Invalid hash buffer: %p$**** Invalid hash size: %u, need %u$**** memory allocation failed$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$HashDigestLength$MD5$MbCommonSigCRYPTUSR$MbHashMemory$ObjectLength$SHA1$SHA256$SHA384$SHA512
API String ID: 786474298-4021669043
Opcode ID: 9bc2c1f0b46aa982d0170119001cd442fc1df9d4866e68e72b156281e49a3abf
Instruction ID: 6627d50b7561cfca1afa1e395a22bf4f982fcf655b713cb56ed58425fcbecb16
Opcode Fuzzy Hash: 9bc2c1f0b46aa982d0170119001cd442fc1df9d4866e68e72b156281e49a3abf
Instruction Fuzzy Hash: D7A17B76214B4182E622CB97F454BDAB7A4FB9CB84F51052AEF4983BB4DFB8C144CB44

Function 00000001400488E0 Relevance: 36.9, APIs: 6, Strings: 15, Instructions: 151COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 000000014004893A
BCryptDestroyKey.BCRYPT ref: 000000014004899B
BCryptCloseAlgorithmProvider.BCRYPT ref: 00000001400489AD
BCryptVerifySignature.BCRYPT ref: 0000000140048AFD
BCryptImportKeyPair.BCRYPT ref: 0000000140048A0B

Part of subcall function 000000014000B7C0: SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B89D
Part of subcall function 000000014000B7C0: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B8AA

BCryptDestroyKey.BCRYPT ref: 0000000140048B4A

Strings

SHA1, xrefs: 0000000140048ACF
ImportRsaPublicKeyX, xrefs: 0000000140048A3F
MbCommonSigCRYPTUSR, xrefs: 000000014004895C, 0000000140048A11
RSA, xrefs: 0000000140048927
SHA512, xrefs: 0000000140048A99
MD5, xrefs: 0000000140048AC1
VerifyData, xrefs: 0000000140048971, 0000000140048B26
**** Failed to import public key - %x, xrefs: 0000000140048A67
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp, xrefs: 0000000140048966, 0000000140048A33, 0000000140048B1A
**** Error 0x%x returned by BCryptOpenAlgorithmProvider, xrefs: 000000014004894F
SHA256, xrefs: 0000000140048AB3
RSAPUBLICBLOB, xrefs: 00000001400489F9
Verify signature returns %x, xrefs: 0000000140048B0E
Failed to import the public key - %x, xrefs: 0000000140048A27
SHA384, xrefs: 0000000140048AA5

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Crypt$AlgorithmDestroyProvider$CloseImportOpenPairSignatureSleepSwitchThreadVerify
String ID: **** Error 0x%x returned by BCryptOpenAlgorithmProvider$**** Failed to import public key - %x$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$Failed to import the public key - %x$ImportRsaPublicKeyX$MD5$MbCommonSigCRYPTUSR$RSA$RSAPUBLICBLOB$SHA1$SHA256$SHA384$SHA512$Verify signature returns %x$VerifyData
API String ID: 18285709-4080738847
Opcode ID: 253bd8ad043f7f5d23c6d42c4a7a4926aa2add889e7280a1aae84b636234c7c1
Instruction ID: d2732028aca960aa74f2a6cb9d20b61ea78ecf1427f6a480fbafe10b8f3c2ce6
Opcode Fuzzy Hash: 253bd8ad043f7f5d23c6d42c4a7a4926aa2add889e7280a1aae84b636234c7c1
Instruction Fuzzy Hash: CE617C36214B4082E722CF56F884B9A77A4F78CB94F55052AEF8D43BB4DBB8C545CB41

Function 0000000140014930 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 141registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140014976
GetProcAddress.KERNEL32 ref: 0000000140014986
GetVersionExW.KERNEL32 ref: 00000001400149B3
NetWkstaGetInfo.NETAPI32 ref: 00000001400149CF
NetApiBufferFree.NETAPI32 ref: 00000001400149E5
RegOpenKeyExW.ADVAPI32 ref: 0000000140014A11
RegQueryValueExW.ADVAPI32 ref: 0000000140014A55
RegQueryValueExW.ADVAPI32 ref: 0000000140014A94
RegQueryValueExW.ADVAPI32 ref: 0000000140014ADD
RegCloseKey.ADVAPI32 ref: 0000000140014AF7
VerSetConditionMask.KERNEL32 ref: 0000000140014B27
VerifyVersionInfoW.KERNEL32 ref: 0000000140014B5F

Strings

, xrefs: 0000000140014ABB
ntdll.dll, xrefs: 0000000140014968
CurrentMajorVersionNumber, xrefs: 0000000140014A32
RtlGetVersion, xrefs: 000000014001497F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0000000140014A03
CurrentMinorVersionNumber, xrefs: 0000000140014A60
CurrentBuild, xrefs: 0000000140014AB1

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: QueryValue$InfoVersion$AddressBufferCloseConditionFreeHandleMaskModuleOpenProcVerifyWksta
String ID: $CurrentBuild$CurrentMajorVersionNumber$CurrentMinorVersionNumber$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 380271113-4080675615
Opcode ID: d264c980e0307f058ed0f7f38f8ee6f2c3e3912229aea73ce5ebb5bc72d3f01d
Instruction ID: 7c36c2c8f82c0f31277204bfe215c3ffd9385f40c7d0292b353260a1d1cec3fd
Opcode Fuzzy Hash: d264c980e0307f058ed0f7f38f8ee6f2c3e3912229aea73ce5ebb5bc72d3f01d
Instruction Fuzzy Hash: 69618133214B8096EB22CF22E8947DA73A4F78CB88F545125EB4A47B74DF79C655CB40

Function 000000014013A090 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140139D00: GetVersionExW.KERNEL32 ref: 0000000140139D26

SysAllocString.OLEAUT32 ref: 000000014013A127

Strings

AntiVirusProduct, xrefs: 000000014013A120
companyName, xrefs: 000000014013A2BB
versionNumber, xrefs: 000000014013A2FD
onAccessScanningEnabled, xrefs: 000000014013A284
instanceGuid, xrefs: 000000014013A1D9
productUptoDate, xrefs: 000000014013A255
displayName, xrefs: 000000014013A216

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AllocStringVersion
String ID: AntiVirusProduct$companyName$displayName$instanceGuid$onAccessScanningEnabled$productUptoDate$versionNumber
API String ID: 396535641-3696764090
Opcode ID: 92365ec957f5c6bb7c3b5eaf72e40eea2b5cfd44aeb71e7cef8a06df930a09c4
Instruction ID: 1bde6fc8d24e5da1185405a7ee7afeaa44823d0016f5da261935d23c25a8d058
Opcode Fuzzy Hash: 92365ec957f5c6bb7c3b5eaf72e40eea2b5cfd44aeb71e7cef8a06df930a09c4
Instruction Fuzzy Hash: 58911876214B8582EB51CF26E49479EB7A0FB88B94F805112EF8E43B68DF7DC549CB00

Function 00000001400363E3 Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 394COMMON

Download Yara Rule

APIs

SfcIsFileProtected.SFC ref: 00000001400363EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400364FC

Part of subcall function 00000001400363E3: CreateProcessW.KERNEL32 ref: 0000000140036850

Strings

mb::common::system::ProcessUtils::RunProcess, xrefs: 00000001400368C7
mb::common::system::ProcessUtils::RunProcessWithValidation, xrefs: 00000001400364AA
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp, xrefs: 0000000140036491, 00000001400368C0
Failed to verify the signature of %s, cannot start process, xrefs: 0000000140036485
Error spawning process = %s, %s, xrefs: 000000014003689A
ProcessUtils, xrefs: 0000000140036498, 00000001400368A6
/uninstall, xrefs: 000000014003651E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CreateFileProcessProtected_invalid_parameter_noinfo_noreturn
String ID: /uninstall$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp$Error spawning process = %s, %s$Failed to verify the signature of %s, cannot start process$ProcessUtils$mb::common::system::ProcessUtils::RunProcess$mb::common::system::ProcessUtils::RunProcessWithValidation
API String ID: 2770220707-1882738051
Opcode ID: 8e1107c93a25b49de24fe4887ffee283373b0477b51f6cd2cca23848c7d6ebfa
Instruction ID: acc5e87b79ad9ba3f185277cbc43708d8c731fbddf56daab43d67cc3d3e2ec4b
Opcode Fuzzy Hash: 8e1107c93a25b49de24fe4887ffee283373b0477b51f6cd2cca23848c7d6ebfa
Instruction Fuzzy Hash: 44F18072A10B8085EB12CB76E5453EE63A1F7897D8F509216EB9D17BB9DF78C190C340

Function 0000000140036C70 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 188libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036CD4
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036CE4

Part of subcall function 000000014013D2C8: AcquireSRWLockExclusive.KERNEL32(?,?,?,000000014005840B,?,?,?,0000000140002BF9), ref: 000000014013D2D8
Part of subcall function 000000014013D2C8: ReleaseSRWLockExclusive.KERNEL32(?,?,?,000000014005840B,?,?,?,0000000140002BF9), ref: 000000014013D318

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036D24
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036D34
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036D99
IsWow64Process.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036DA7
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036DCA
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036E52
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036DBD

Part of subcall function 000000014013D334: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001400583E1,?,?,?,0000000140002BF9), ref: 000000014013D344

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036E88
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140036E98

Strings

ntdll.dll, xrefs: 0000000140036E81
NtQueryInformationProcess, xrefs: 0000000140036E91
IsWow64Process, xrefs: 0000000140036CDD
IsWow64Process2, xrefs: 0000000140036D2D
kernel32.dll, xrefs: 0000000140036CCD, 0000000140036D1D

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AddressExclusiveHandleLockModuleProcProcess$AcquireCurrentInfoSystem$NativeReleaseWow64
String ID: IsWow64Process$IsWow64Process2$NtQueryInformationProcess$kernel32.dll$ntdll.dll
API String ID: 814231749-4277038175
Opcode ID: cf160950b207b9fe2748167afd79d1318de0ff561e3d995c345dac11aa07bdfd
Instruction ID: 4c6c794b614ded4db3535bcee7f7f68c80263225b478c109792987af0f95284a
Opcode Fuzzy Hash: cf160950b207b9fe2748167afd79d1318de0ff561e3d995c345dac11aa07bdfd
Instruction Fuzzy Hash: 9E916932615680C6FB53DB27E8547EA33B0BB9DB80F449126EB4A472F5EB79C984C710

Function 0000000140043490 Relevance: 26.9, APIs: 8, Strings: 7, Instructions: 629COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043C5D

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp, xrefs: 000000014004350D, 0000000140043733, 0000000140043956
SeSecurityPrivilege, xrefs: 0000000140043614
mb::common::system::Permissions::ResetRegKeyPermissions, xrefs: 0000000140043514, 000000014004373A, 000000014004395D
Error opening reg key %s, Error = %s., xrefs: 000000014004370D, 0000000140043930
Permissions, xrefs: 00000001400434F3, 0000000140043719, 000000014004393C
Software\Classes\, xrefs: 0000000140043548
ACLs not initialized, cannot reset reg key permissions on %s., xrefs: 00000001400434E7

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ACLs not initialized, cannot reset reg key permissions on %s.$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp$Error opening reg key %s, Error = %s.$Permissions$SeSecurityPrivilege$Software\Classes\$mb::common::system::Permissions::ResetRegKeyPermissions
API String ID: 3668304517-2727333950
Opcode ID: b3dbde28dcbd27a1c8b2fecfafdc2b4e2df126e134bff6941c6b53a3d40792f7
Instruction ID: 89c3f2516944e41edd1229ae083b33508687440877a06bf39677498dc0329626
Opcode Fuzzy Hash: b3dbde28dcbd27a1c8b2fecfafdc2b4e2df126e134bff6941c6b53a3d40792f7
Instruction Fuzzy Hash: AD528CB2610B8486EB11CF6AE48439E77A1F788BE8F515216EF9D17BA8DF78D044C704

Function 0000000140035830 Relevance: 26.2, APIs: 17, Instructions: 708COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140056450: WaitForMultipleObjects.KERNEL32 ref: 0000000140056487
Part of subcall function 0000000140056450: ResetEvent.KERNEL32 ref: 00000001400564A3
Part of subcall function 0000000140056450: ResetEvent.KERNEL32 ref: 00000001400564AD
Part of subcall function 0000000140056450: ReleaseMutex.KERNEL32 ref: 00000001400564B6

GetWindowsDirectoryW.KERNEL32 ref: 00000001400358F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140035B36
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140035B3C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140035D8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140035D95
GetLogicalDriveStringsW.KERNEL32 ref: 0000000140035E7F

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$EventReset$DirectoryDriveLogicalMultipleMutexObjectsReleaseStringsWaitWindows
String ID:
API String ID: 1124998599-0
Opcode ID: b43362a7784f2dc0ec4de9731b391dbaa62c09b2302e314725346ea6ee0cfc97
Instruction ID: 077eeeb6691b516ca414932e43054904cd3c4191b601b66e6c81189ab9305f8f
Opcode Fuzzy Hash: b43362a7784f2dc0ec4de9731b391dbaa62c09b2302e314725346ea6ee0cfc97
Instruction Fuzzy Hash: B0628072A11B8481FA12EB6AE4553EE6361E78D7E4F505311BBAD17AFADF78C580C300

Function 0000000140015240 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 305comCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E800: SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000002E,000000014000DAA0), ref: 000000014000E8DD
Part of subcall function 000000014000E800: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000002E,000000014000DAA0), ref: 000000014000E8EA

CoInitializeEx.OLE32 ref: 000000014001528B
CoCreateInstance.OLE32 ref: 00000001400152BA
VariantInit.OLEAUT32 ref: 00000001400153CA
VariantClear.OLEAUT32 ref: 00000001400155ED
VariantClear.OLEAUT32 ref: 0000000140015614
CoUninitialize.OLE32 ref: 0000000140015672
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400156A9

Strings

root\SecurityCenter, xrefs: 00000001400152E3
WQL, xrefs: 000000014001536B
displayName, xrefs: 00000001400153E9
SELECT * FROM AntiVirusProduct, xrefs: 0000000140015364
root\SecurityCenter2, xrefs: 00000001400152DC

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Variant$Clear$CreateInitInitializeInstanceSleepSwitchThreadUninitialize_invalid_parameter_noinfo_noreturn
String ID: SELECT * FROM AntiVirusProduct$WQL$displayName$root\SecurityCenter$root\SecurityCenter2
API String ID: 3760070528-1785626855
Opcode ID: d47ad77e5cc124070a6631159c9e03db79b36ebab5218442494dc71b3604b668
Instruction ID: d64ba0fc4eb054dfd6755f2fa1e94a3f29a1db3444e3bc84c7a8cf560e825fec
Opcode Fuzzy Hash: d47ad77e5cc124070a6631159c9e03db79b36ebab5218442494dc71b3604b668
Instruction Fuzzy Hash: 4FD16472710A44DAEB11DFA6E4547ED33B1FB48B89F804616EB1E1BAA8DF39C549C340

Function 0000000140010140 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 238COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001050A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140010510
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140010516

Strings

DEBUG, xrefs: 00000001400103DA
Date{0}Time{0}Tick Count{0}Process ID{0}Thread ID{0}Log Level{0}Context Tag{0}Function Name{0}File Name{0}Line Number{0}Message, xrefs: 0000000140010406
UNKNOWN, xrefs: 0000000140010278
{0}, xrefs: 000000014001047B
TRACE, xrefs: 00000001400103F6
WARNING, xrefs: 00000001400103A8
ERROR, xrefs: 000000014001038F
INFO, xrefs: 00000001400103C1
NONE, xrefs: 0000000140010373

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DEBUG$Date{0}Time{0}Tick Count{0}Process ID{0}Thread ID{0}Log Level{0}Context Tag{0}Function Name{0}File Name{0}Line Number{0}Message$ERROR$INFO$NONE$TRACE$UNKNOWN$WARNING${0}
API String ID: 3668304517-1305759413
Opcode ID: 534d078a9a3faf7622c84812b5c1e571d89831ce9364a73a94c664d4c956d6c5
Instruction ID: a8732b692de3b30e342725d7ba537c73959aa8cafc9f8f866b3eba4f7b74e448
Opcode Fuzzy Hash: 534d078a9a3faf7622c84812b5c1e571d89831ce9364a73a94c664d4c956d6c5
Instruction Fuzzy Hash: 3CA1D0B2620B8592EA11DF2AE4847DE7365F78D7D8F519212EB9C0B6B5DF78C181C340

Function 0000000140025340 Relevance: 19.8, APIs: 7, Strings: 4, Instructions: 504COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140025958
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002595E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140025964
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002596A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140025970
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140025976
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002597C

Strings

Failed to query reg key %ls\%ls, value name = %ls, %ls, xrefs: 000000014002573F
Failed to open key = %ls\%ls, wow64 = 0x%x, %ls, xrefs: 0000000140025551
mb::common::system::RegistryUtilities::GetValueAsStringImpl, xrefs: 0000000140025577, 0000000140025765
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 0000000140025570, 000000014002575E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Failed to open key = %ls\%ls, wow64 = 0x%x, %ls$Failed to query reg key %ls\%ls, value name = %ls, %ls$mb::common::system::RegistryUtilities::GetValueAsStringImpl
API String ID: 3668304517-714731424
Opcode ID: 22e963a8d1c0e991d212bf7853635bf573f793fbea43b3ba8fd92718b7af0529
Instruction ID: 8fdebf23c4f3acc0543edb1a80cafcb94eb15696b0cb38256d14703cd8ce2f85
Opcode Fuzzy Hash: 22e963a8d1c0e991d212bf7853635bf573f793fbea43b3ba8fd92718b7af0529
Instruction Fuzzy Hash: C9226972A10B8485EB11DF6AE4843ED67A1F789BD8F50421AEF9C17BA8DF38C585C344

Function 000000014001C4F0 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 470COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001C988
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001C98E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001CB2E

Strings

HKEY_CLASSES_ROOT\, xrefs: 000000014001C829
HKEY_CURRENT_USER\, xrefs: 000000014001C7B4
HKU\, xrefs: 000000014001C6CA
HKLM\, xrefs: 000000014001C57C
HKEY_USERS\, xrefs: 000000014001C85E
HKEY_LOCAL_MACHINE\, xrefs: 000000014001C73F
HKCU\, xrefs: 000000014001C65A
HKCR\, xrefs: 000000014001C692

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: HKCR\$HKCU\$HKEY_CLASSES_ROOT\$HKEY_CURRENT_USER\$HKEY_LOCAL_MACHINE\$HKEY_USERS\$HKLM\$HKU\
API String ID: 3668304517-4065843753
Opcode ID: e39a7440d2ec571e2b586c18d62dce03bc594a7fb33e88e4a2afa08fc3543b79
Instruction ID: ed8fa5fc2ca0593537f8e17d26cde3807e627fd17fe6126ab0e58f79e9cd9ef5
Opcode Fuzzy Hash: e39a7440d2ec571e2b586c18d62dce03bc594a7fb33e88e4a2afa08fc3543b79
Instruction Fuzzy Hash: 3112D1B2A20A8491EE12CB6BD944BEC2361B78D7F4F405702FB791BAE5DF79D5908300

Function 0000000140045150 Relevance: 19.6, APIs: 3, Strings: 8, Instructions: 311COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014004550E
Concurrency::cancel_current_task.LIBCPMT ref: 000000014004551A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140045520

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp, xrefs: 00000001400451EC, 00000001400453F0, 000000014004548D, 00000001400455AC
Successfully called TreeSetNamedSecurityInfo on '%s', xrefs: 0000000140045467
Error calling TreeSetNamedSecurityInfo on '%s', %s, xrefs: 00000001400453CA
Permissions, xrefs: 00000001400451D2, 00000001400453D6, 0000000140045473, 0000000140045592
mb::common::system::Permissions::RecurseResetNamedSecurityInfo, xrefs: 00000001400451F3, 00000001400453F7, 0000000140045494
Error creating well-known ID %u, xrefs: 0000000140045586
mb::common::system::Permissions::CheckEffectiveAccess, xrefs: 00000001400455B3
Invalid path argument, xrefs: 00000001400451C6

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp$Error calling TreeSetNamedSecurityInfo on '%s', %s$Error creating well-known ID %u$Invalid path argument$Permissions$Successfully called TreeSetNamedSecurityInfo on '%s'$mb::common::system::Permissions::CheckEffectiveAccess$mb::common::system::Permissions::RecurseResetNamedSecurityInfo
API String ID: 3936042273-2496151557
Opcode ID: 46e375f59ab2a20bd7a5b3918fc5e8747e896e5653b8f4cae5d3a0626df9bfe8
Instruction ID: cf5927056bd4b684578dd3b2d0bd1a7d601be3b7a79627e55d28c336953f106f
Opcode Fuzzy Hash: 46e375f59ab2a20bd7a5b3918fc5e8747e896e5653b8f4cae5d3a0626df9bfe8
Instruction Fuzzy Hash: 9AD1AC72205B8481EA62DB16E5447EE73A1F78DBE5F554226EB8D07BB9EF78C041C700

Function 000000014003CC80 Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 582COMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32 ref: 000000014003CE50
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003CF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003CF37
GetLastError.KERNEL32 ref: 000000014003D043
GetLastError.KERNEL32 ref: 000000014003D04E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003D4C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003D4CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003D4D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003D4DE

Strings

*#?[, xrefs: 000000014003CFDA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$DeviceQuery
String ID: *#?[
API String ID: 2801438217-1890044607
Opcode ID: 7e8d6770c942fb455ac005f85bd689bacdf5f4f0d2d8311d71f8ef889df53a9b
Instruction ID: 4214f1e3003680b90a7d2225dea77450e3abe261e8fd504cf25d92d0c8d85158
Opcode Fuzzy Hash: 7e8d6770c942fb455ac005f85bd689bacdf5f4f0d2d8311d71f8ef889df53a9b
Instruction Fuzzy Hash: 7532E3B2B10B8091EB16DB7AE4443EE2361E749BE8F405312EF6957AE9DF78D495C300

Function 0000000140158138 Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 608COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014015817F

Strings

p, xrefs: 000000014015836E
f, xrefs: 00000001401582FC
0, xrefs: 00000001401586F0
f, xrefs: 0000000140158366
p, xrefs: 0000000140158309
f, xrefs: 00000001401584A5

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$f$f$p$p$f
API String ID: 3215553584-303101543
Opcode ID: d7a9dd42b1848e2143ed605a801f00928f2ca6b2440c02d50b299732a67e6c35
Instruction ID: 6fe22bcf7abdc2e8213343559dcad6da7cdc74627848b1691c4bf1520e189d54
Opcode Fuzzy Hash: d7a9dd42b1848e2143ed605a801f00928f2ca6b2440c02d50b299732a67e6c35
Instruction Fuzzy Hash: 3242E13260468186FB669B1BD0443F973A1F398F54F9C4D16DFA65FAE4DB3AC8908B10

Function 000000014000E4B0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E7B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E7BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E7C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E7C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E7CE

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, xrefs: 000000014000E54F, 000000014000E6A3, 000000014000E735
cadca5fe-87d3-4b96-b7fb-a231484277cc, xrefs: 000000014000E529

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat$cadca5fe-87d3-4b96-b7fb-a231484277cc
API String ID: 3668304517-895003009
Opcode ID: 5574246dd8d0897dc1a7b11709eaf55db77457b99466e98868d3df49de9ede99
Instruction ID: f035f80d48dff788a4860d08f1fd81ae8387436c0e06aaea8abaab332b87018a
Opcode Fuzzy Hash: 5574246dd8d0897dc1a7b11709eaf55db77457b99466e98868d3df49de9ede99
Instruction Fuzzy Hash: 599161B2B24B8494EB11DB7AE0453ED6361E799BE4F545312BB6C27AEADF74C180C340

Function 00000001400412F0 Relevance: 12.1, APIs: 8, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000000140041308
OpenThreadToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014001A58B), ref: 000000014004131E
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014001A58B), ref: 0000000140041328
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014001A58B), ref: 000000014004133B
LookupPrivilegeValueW.ADVAPI32 ref: 000000014004134F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014001A58B), ref: 000000014004135E
AdjustTokenPrivileges.ADVAPI32 ref: 00000001400413BB
CloseHandle.KERNEL32 ref: 00000001400413CA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Token$CloseCurrentHandleOpenProcessThread$AdjustLookupPrivilegePrivilegesValue
String ID:
API String ID: 815265755-0
Opcode ID: 67856adf70b52231435489435047f255276115e7e7c1964fc957456d8e4ce2e3
Instruction ID: cd7dc849102994aad23d29b918c37a566c55a803bd918467edc59231a32ad169
Opcode Fuzzy Hash: 67856adf70b52231435489435047f255276115e7e7c1964fc957456d8e4ce2e3
Instruction Fuzzy Hash: 3B214C76314A8492EB528F62E4543DAB7A0FB8CF95F441025EB8A47B64DF7CC288DB10

Function 00000001400212E0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140021322
GetProcAddress.KERNEL32 ref: 0000000140021332

Strings

SfcIsKeyProtected, xrefs: 000000014002132B
Sfc.dll, xrefs: 000000014002131B

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Sfc.dll$SfcIsKeyProtected
API String ID: 1646373207-2682706285
Opcode ID: 95ce98735e58c2b9bfffad71a79250629429116caadc5794d116ed701922a4dd
Instruction ID: f24936e27466ac17eeaf3d6335868034eca60d4857a6cbcee4d85eb2fce53f33
Opcode Fuzzy Hash: 95ce98735e58c2b9bfffad71a79250629429116caadc5794d116ed701922a4dd
Instruction Fuzzy Hash: F581E172204B8082EA118BA6E4443EEA7A1F7E9BE4F544215FF9907BF9CF78C585C700

Function 00000001401750D4 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140167A10: GetLastError.KERNEL32 ref: 0000000140167A1F
Part of subcall function 0000000140167A10: FlsGetValue.KERNEL32 ref: 0000000140167A34
Part of subcall function 0000000140167A10: SetLastError.KERNEL32 ref: 0000000140167ABF

Part of subcall function 0000000140167A10: FlsSetValue.KERNEL32 ref: 0000000140167A55
Part of subcall function 0000000140167A10: FlsGetValue.KERNEL32 ref: 0000000140167AF5

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 0000000140175244

Part of subcall function 0000000140167A10: FlsSetValue.KERNEL32 ref: 0000000140167A82
Part of subcall function 0000000140167A10: FlsSetValue.KERNEL32 ref: 0000000140167A93
Part of subcall function 0000000140167A10: FlsSetValue.KERNEL32 ref: 0000000140167AA4
Part of subcall function 0000000140167A10: FlsSetValue.KERNEL32 ref: 0000000140167B14
Part of subcall function 0000000140167A10: FlsSetValue.KERNEL32 ref: 0000000140167B3C

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,0000000140166599), ref: 000000014017522B
ProcessCodePage.LIBCMT ref: 000000014017526E
IsValidCodePage.KERNEL32 ref: 0000000140175280
IsValidLocale.KERNEL32 ref: 0000000140175296
GetLocaleInfoW.KERNEL32 ref: 00000001401752F2
GetLocaleInfoW.KERNEL32 ref: 000000014017530E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 396caba08cb7377e3113bb913dcbd9c1d2dd11e5ed165bdd9fd4473bb18ab49f
Instruction ID: d49b362cbde4f135e2c410e3d415beb0941842d2651573d911125a182ab74851
Opcode Fuzzy Hash: 396caba08cb7377e3113bb913dcbd9c1d2dd11e5ed165bdd9fd4473bb18ab49f
Instruction Fuzzy Hash: AA7149327107508AFB62AB62D8507ED37B0BB4CF88F9445268F1A577A6EBB8C945C350

Function 000000014014C1E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014014C259
RtlLookupFunctionEntry.KERNEL32 ref: 000000014014C271
RtlVirtualUnwind.KERNEL32 ref: 000000014014C2AC
IsDebuggerPresent.KERNEL32 ref: 000000014014C2E5
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014014C2EF
UnhandledExceptionFilter.KERNEL32 ref: 000000014014C2FA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 755106d5b8320feb1360f5384fccd98747917d2b8f1d28cf8d4cc2dd22e3e23b
Instruction ID: ccf897ea4f23b192354f64f64014109c0226c5af9b20a71b83aa40ab866b74cc
Opcode Fuzzy Hash: 755106d5b8320feb1360f5384fccd98747917d2b8f1d28cf8d4cc2dd22e3e23b
Instruction Fuzzy Hash: 7B314236214B8096EB61CF26E8447DE73A4F78CB98F540126EB9D43BA5EF78C655CB00

Function 00000001400378E0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 503COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140037BB4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140037E90

Strings

+, xrefs: 0000000140037EDF
%, xrefs: 0000000140037EC4

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %$+
API String ID: 3668304517-2626897407
Opcode ID: ef67291946aa4c9e33d217ee6b1085f198b0b20f24ce95c927d283db96a5419e
Instruction ID: 2978ac92ec34a4398e9e4422668e9e1858cd5b9aab98dee59a783e642f3f1c55
Opcode Fuzzy Hash: ef67291946aa4c9e33d217ee6b1085f198b0b20f24ce95c927d283db96a5419e
Instruction Fuzzy Hash: FC120132714A848AFB27CB66E4407EE67B1AB9DBC8F144225EF4D17BA9DB38C545C340

Function 0000000140004960 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 501COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140004C35
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140004F11

Strings

%, xrefs: 0000000140004F44
+, xrefs: 0000000140004F5F

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %$+
API String ID: 3668304517-2626897407
Opcode ID: a07c91fe86db3863ba3603b1c064481582d3c7eaeafc6911a57574c4078a6de7
Instruction ID: 1c6ec397d2fd1074b71bf9d284edaf945d0b4ff835e23d395e6dd2091c94cb26
Opcode Fuzzy Hash: a07c91fe86db3863ba3603b1c064481582d3c7eaeafc6911a57574c4078a6de7
Instruction Fuzzy Hash: 4B1205B27146C48AFB26CF66E4503EE67A1EB9D7C8F044221EF4917BAADB38C545C344

Function 000000014013CC20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014013CC81
IsDebuggerPresent.KERNEL32 ref: 000000014013CC99
OutputDebugStringW.KERNEL32 ref: 000000014013CCAA

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000000014013CCA3

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 5b36b9ae3331362d9a3dd631090981b644f3c78fc874ca70b388895a508e2db4
Instruction ID: 92014cf3c0786f25768dde6fe5f6ec1edd56ed8e2d1ba26b04b1199915b2e7ab
Opcode Fuzzy Hash: 5b36b9ae3331362d9a3dd631090981b644f3c78fc874ca70b388895a508e2db4
Instruction Fuzzy Hash: 15118E32310B90A7F706DB63EA583E933A4FB48B54F445125DB4983AA0EF79D5B8C710

Function 01FE9500 Relevance: 5.4, Strings: 4, Instructions: 380COMMON

Download Yara Rule

Strings

, xrefs: 01FE9636
, xrefs: 01FE96C9
, xrefs: 01FE97F6
(, xrefs: 01FE956B

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID: $ $ $(
API String ID: 0-3698178323
Opcode ID: ae88a64d9128b7ea91ad866959b872dc0bc89cc83698f34044dd52247478a8bb
Instruction ID: 41a76cdd61e4d35aedada52fa44ed94c444e550db94d07e3d36167115e574b8b
Opcode Fuzzy Hash: ae88a64d9128b7ea91ad866959b872dc0bc89cc83698f34044dd52247478a8bb
Instruction Fuzzy Hash: 0AD15C70618B888FE769DF28D888BAAB7E5FB88304F40492DD58EC3251DF759545CB82

Function 000000014016193C Relevance: 4.8, APIs: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140161A20
SetConsoleCtrlHandler.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001401607D0), ref: 0000000140161C3C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001401607D0), ref: 0000000140161C4F

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ConsoleCtrlErrorHandlerLast_invalid_parameter_noinfo
String ID:
API String ID: 2654339681-0
Opcode ID: 3e5d63b0454c0a6e39d3d928f087767678f41cb6f101e604e376369ec17ee97c
Instruction ID: 1d03c99324dcf61f8c94b18674a3bdfa57ca5041516929358568f4ca188d754f
Opcode Fuzzy Hash: 3e5d63b0454c0a6e39d3d928f087767678f41cb6f101e604e376369ec17ee97c
Instruction Fuzzy Hash: B5C1AC3260564083FA679B6BDC543EE66A1A7CDF84F5C4C26DB0E57BF4EA78C9419300

Function 01FF16A0 Relevance: 4.5, Strings: 3, Instructions: 795COMMON

Download Yara Rule

Strings

\8j, xrefs: 01FF172F
U/, xrefs: 01FF1927
$'2O, xrefs: 01FF178F

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: AddressProcedure
String ID: $'2O$U/$\8j
API String ID: 3653107232-658286377
Opcode ID: 4935f0f32ad2d9a935451ba930207134b4bd1056c48635d3548c9aa2ad88d671
Instruction ID: bcacbae62061b13ee1b3deb64e27b32e71975fd9aa348387d77c7dec15ebf4d6
Opcode Fuzzy Hash: 4935f0f32ad2d9a935451ba930207134b4bd1056c48635d3548c9aa2ad88d671
Instruction Fuzzy Hash: D0427774B60A858FE798EF7CEC5C73536E2F7AD3407A0856AA409D73A4DE3D98025B40

Function 02007220 Relevance: 4.4, Strings: 3, Instructions: 626COMMON

Download Yara Rule

Strings

, xrefs: 020074E1
0, xrefs: 0200750E
@, xrefs: 02007525

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID: $0$@
API String ID: 0-2347541974
Opcode ID: 13e784bc25f126a74ffd797636f91267a9e64475e21a47f507065c68eba02605
Instruction ID: 3ea616b23f421dac3777480126d120a8f9be5abd8edfc41d9bbd7d46a0d023aa
Opcode Fuzzy Hash: 13e784bc25f126a74ffd797636f91267a9e64475e21a47f507065c68eba02605
Instruction Fuzzy Hash: 55222F70218B488FE7A4EF18D895BDAB7E1FB98314F50462DD58EC32A0DF78A545CB42

Function 0000000140169A18 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0000000140169C67
RaiseException.KERNEL32 ref: 0000000140169C78

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: f6d5b661d75791a1c395168faed2e2afadaa5f31fac753cee68d38bcf272f211
Instruction ID: 1661daac63cbb97339e586268a213c546ae75180bec48695b2d33eba4b1741c7
Opcode Fuzzy Hash: f6d5b661d75791a1c395168faed2e2afadaa5f31fac753cee68d38bcf272f211
Instruction Fuzzy Hash: 79B1C677611B848BEB56CF2AC8863987BE4F388F58F198915DB5D877A8CB39C451C700

Function 0200B5E0 Relevance: 3.0, Strings: 2, Instructions: 550COMMON

Download Yara Rule

Strings

), xrefs: 0200B7D9
p, xrefs: 0200B6DA

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID: )$p
API String ID: 0-1764766951
Opcode ID: b0860d0b4d58efb4f2e2f1552468fa527151c01b601a8b10e355e2c993dcd8de
Instruction ID: 969cd2574b39b43100ee34ab7946ca273d2a11cf7363743c5ad1bca39929dd26
Opcode Fuzzy Hash: b0860d0b4d58efb4f2e2f1552468fa527151c01b601a8b10e355e2c993dcd8de
Instruction Fuzzy Hash: 2C020F30618B488FF7A5DF18D895BAAB7E2FB98308F50492DE48EC3290DF749545DB42

Function 0000000140168378 Relevance: 2.6, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

Strings

e+000, xrefs: 0000000140168485
gfff, xrefs: 0000000140168502

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: d81937549b1f2002436f5e2bb3da605523053ddeda466b9169e692c92c4c3c57
Instruction ID: 8650e506bdd1be2f4e2033797dbf534079e1177994c6090c3f82b3b200f69782
Opcode Fuzzy Hash: d81937549b1f2002436f5e2bb3da605523053ddeda466b9169e692c92c4c3c57
Instruction Fuzzy Hash: 105143727146D487E7268E3AEC10799AB91F348F94F489722CFA88BAE5DF39C4458700

Function 0000000140047BE0 Relevance: 2.5, APIs: 2, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140047AF9), ref: 0000000140047C10
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140047AF9), ref: 0000000140047C21

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: ec63a258a964875cecf9824b430d78ec8442724cc5992bb29e9149edf67b474d
Instruction ID: c0b361fd154bdff6aebe20077f67496f38163e3b4af1793c91f5050f86ebca54
Opcode Fuzzy Hash: ec63a258a964875cecf9824b430d78ec8442724cc5992bb29e9149edf67b474d
Instruction Fuzzy Hash: 01118B32208B8086EB41CF52F54439ABBA0F78DB94F588129EB8C47765DFBCC1A48B00

Function 01FFCBE0 Relevance: 1.9, Strings: 1, Instructions: 623COMMON

Download Yara Rule

Strings

!yOr, xrefs: 01FFCC2B

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID: AddressProcedure
String ID: !yOr
API String ID: 3653107232-2868905794
Opcode ID: a344c6b9773561e1a8feff107ffa0bbb357e6f0ee830072877925764f08a3291
Instruction ID: 30e4a1093f66f974d8e310794b21f7fef6a2de2a2dbffb936403e723e840bd6a
Opcode Fuzzy Hash: a344c6b9773561e1a8feff107ffa0bbb357e6f0ee830072877925764f08a3291
Instruction Fuzzy Hash: 03125D30218B488FE7A8EF28C855BAAB7E1FF99304F50452D918EC32A0DF75D945CB42

Function 01FFB4E0 Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

P, xrefs: 01FFB58D

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: fc71c7b77c584ab428780ddc863f287b4ad5f6815cb57d0fe849b24e33f4b176
Instruction ID: dc6e99ed824f33aa3b6e9558fddd85552b27b5370bba48e8ecb000d8b5c4772f
Opcode Fuzzy Hash: fc71c7b77c584ab428780ddc863f287b4ad5f6815cb57d0fe849b24e33f4b176
Instruction Fuzzy Hash: 5702633061CB488FE774EF68D8587AAB6D2FF98305F50452DA58AC32A1DFB9C4458B42

Function 01FE5D60 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

(, xrefs: 01FE5FE6

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: abcda2cce44acd7600387513da42d6dbaa6d0e49c1554b2389a16b5e095b6a28
Instruction ID: acb8f91b5f10ea9f8ab63cb7da3da47bda060cc70e200389b579b5b8a83cd3cd
Opcode Fuzzy Hash: abcda2cce44acd7600387513da42d6dbaa6d0e49c1554b2389a16b5e095b6a28
Instruction Fuzzy Hash: D9F19071B18B488FEB69DF2C844876ABBE2FBD8714F50452EE08EC3251DB35D4468B46

Function 020013A3 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

, xrefs: 02001439

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c8f6abd951fddb39abbf005080ccbc701d7de3dfb555edcc3e9d7ef58874c8aa
Instruction ID: 88d8dc9dc5e34583125829733df44f469421a737d62d9dcb8eadb1528b8ea2a9
Opcode Fuzzy Hash: c8f6abd951fddb39abbf005080ccbc701d7de3dfb555edcc3e9d7ef58874c8aa
Instruction Fuzzy Hash: C0D1C330628B884FF775EF68C8897BAB7E1FB99304F504A2ED48EC3291DB7494459742

Function 02004550 Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

8, xrefs: 02004666

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 6b67e5068f6b5c119f0bffc7c64d18de370588fa1bf746384f48e482c057c185
Instruction ID: 6353ac8ac7a4774b9f4dd6da13bcf3ec7204e89970cffbc6fb66c527d0a9d446
Opcode Fuzzy Hash: 6b67e5068f6b5c119f0bffc7c64d18de370588fa1bf746384f48e482c057c185
Instruction Fuzzy Hash: AAC1B430228B484FF765EB28D8957AEB3D2FBD8304F50452DA54AC32E0DF74D8469B86

Function 020066E0 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

, xrefs: 0200677D

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aa71fcebb32854f5365f8010357581097b4f2512602ed2335f62549310407270
Instruction ID: 04bbbf321e55bcf17f431b590bf1b93c598baca47695342cb7962bd881bb27cb
Opcode Fuzzy Hash: aa71fcebb32854f5365f8010357581097b4f2512602ed2335f62549310407270
Instruction Fuzzy Hash: 6391B93022CB484FE758EF28D89576AB7D6FBC8304F50452DE58AC3291DF79D8429B86

Function 02011490 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

@, xrefs: 0201149C

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 59a31fbeb8a05151edb759329d96371e831f95528c315330fb92cc5f8aafcbf3
Instruction ID: 3e8a8a80ca1e9c7ce0f72fc35060c60da28789e2ca944b3a301439ab54ef456c
Opcode Fuzzy Hash: 59a31fbeb8a05151edb759329d96371e831f95528c315330fb92cc5f8aafcbf3
Instruction Fuzzy Hash: 22A13F70228B044BE758EF2CD85575AB7E2FBC8708F50862DB18ED3690DB79D9418B87

Function 00000001401749E8 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140167A10: GetLastError.KERNEL32 ref: 0000000140167A1F
Part of subcall function 0000000140167A10: FlsGetValue.KERNEL32 ref: 0000000140167A34
Part of subcall function 0000000140167A10: SetLastError.KERNEL32 ref: 0000000140167ABF

EnumSystemLocalesW.KERNEL32(?,?,?,00000001401751D7,?,00000000,00000092,?,?,00000000,?,0000000140166599), ref: 0000000140174A86

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: d827d398fb2be732cf64f640d77d11986ad99533ecfdda7ab377154c05eb39d1
Instruction ID: afa71bbefb048de6964e5928d27107bf35cc809329f89af43224725e76f0d794
Opcode Fuzzy Hash: d827d398fb2be732cf64f640d77d11986ad99533ecfdda7ab377154c05eb39d1
Instruction Fuzzy Hash: D311AC77A546448BEB268F26E4807E97BA0E398FE5F549115CB2A433E4DB34CAD1C740

Function 0000000140174AB8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140167A10: GetLastError.KERNEL32 ref: 0000000140167A1F
Part of subcall function 0000000140167A10: FlsGetValue.KERNEL32 ref: 0000000140167A34
Part of subcall function 0000000140167A10: SetLastError.KERNEL32 ref: 0000000140167ABF

EnumSystemLocalesW.KERNEL32(?,?,?,0000000140175193,?,00000000,00000092,?,?,00000000,?,0000000140166599), ref: 0000000140174B36

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: e978d8d44f54b43789b77c9c3e0592a449489afad3c4f8d1a33e47e592676277
Instruction ID: 5c78489ed30e5fe006e7936c2b3adfcb67fe9c892e52a028572902b1c42f9280
Opcode Fuzzy Hash: e978d8d44f54b43789b77c9c3e0592a449489afad3c4f8d1a33e47e592676277
Instruction Fuzzy Hash: BC017B72B0828487E7124F27F4407E972E1E748FA1F459321D765432E8CB74C8C0C700

Function 000000014016CA48 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,000000014016CE97,?,?,?,?,?,?,?,?,00000000,0000000140174038), ref: 000000014016CA97

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a1a4aebfc91c581e2bb9a6b543a7038600c51dc8710df0846d963a8f5ed3316b
Instruction ID: 120d6c98ecb1d39f65b88de00a80dba8693697b588a339e0bea9d0409361e825
Opcode Fuzzy Hash: a1a4aebfc91c581e2bb9a6b543a7038600c51dc8710df0846d963a8f5ed3316b
Instruction Fuzzy Hash: 54F03776300A4483EB45DB6AF8947D93361F79DBC0F549025EB4A837B5EE7CC9A18304

Function 0000000140040CA0 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000000140040D0E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AllocateInitialize
String ID:
API String ID: 220217950-0
Opcode ID: 3660a22e3e960f987bf451dafde6dcb525b2f72f462f9537d55531b1bf86a41b
Instruction ID: 2dfcc9cfaf486a5bc15e72cbce0e6305dde1758bee78a4e6201e0eb95db29ec4
Opcode Fuzzy Hash: 3660a22e3e960f987bf451dafde6dcb525b2f72f462f9537d55531b1bf86a41b
Instruction Fuzzy Hash: F7F06D76A192C48BD3B0CF29E480B5ABBA1F799B94F104115EAC983B18D739D5948F00

Function 01FE66C0 Relevance: 1.0, Instructions: 996COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77ee9db95c24773db9081a7deccb5cf2f36f3081fec3039551d8f54b381666b
Instruction ID: d3ca5170e2ccd73d97df5f993bd7759adb513bc08308c89d95e3b8003c69c779
Opcode Fuzzy Hash: c77ee9db95c24773db9081a7deccb5cf2f36f3081fec3039551d8f54b381666b
Instruction Fuzzy Hash: 16620434720B0A8BFB29DF2CDC99BA537D6FB9C750F844474AC4AC7285DE78E8418691

Function 02002BB0 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb335efdb646f4d1c715b7d8a92101005b4f4c71c71004709584aa8badfbe395
Instruction ID: a58ddf6e00b528602d3e5ee67d58f801998dbc37d53b165537af69a9dfc04437
Opcode Fuzzy Hash: eb335efdb646f4d1c715b7d8a92101005b4f4c71c71004709584aa8badfbe395
Instruction Fuzzy Hash: 98428230328B048FE769AB18DC557AAB7D2FBD8704F50456DA48AC3290DF38D945DB83

Function 02012F60 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a83add80c015651db2210a2c8c18f03a1d4ada41add862ec9d8abcd3fa1614
Instruction ID: d37ada3612325dec7dc37df606ed3495e030ea24c9350e66834f4f4daafc7878
Opcode Fuzzy Hash: d6a83add80c015651db2210a2c8c18f03a1d4ada41add862ec9d8abcd3fa1614
Instruction Fuzzy Hash: 7D222E70218B888FE7B9EF18C854BDAB7E1FB98305F504A6DE48EC3290DB749545CB42

Function 02012812 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141414486e6dcd6db102a0dcc69ba121492b53746aa2abfaed83b5878ad76e83
Instruction ID: 6a4087318f85f8ac8a30ed6ec6722a64153ed826f03c42d4e826219fa7080887
Opcode Fuzzy Hash: 141414486e6dcd6db102a0dcc69ba121492b53746aa2abfaed83b5878ad76e83
Instruction Fuzzy Hash: E9120E30218B488FE7A4EF28D894BAAB7E1FB98305F504A6DD49EC3290DF74D545DB42

Function 0200FBC0 Relevance: .5, Instructions: 543COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6830cd1ff2b1eea55f6eaa4abb6144c01ddd4dc95e3f02123529a47543dd8d
Instruction ID: c908901c70e6aeaf34a8159b135dddcf80a0ecdd534f03cb81c7c1bc6ed190e8
Opcode Fuzzy Hash: 3d6830cd1ff2b1eea55f6eaa4abb6144c01ddd4dc95e3f02123529a47543dd8d
Instruction Fuzzy Hash: 0CF1613032CB484FE758EB28D8A576AB7D2FBD8344F50452DA58AC3290DF78D9419B87

Function 02011F40 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b75fb823a353ca8dc1e44f519c5ae98cd4bc4c796f790001a98ff7edc0cca4a
Instruction ID: 235967d92420522192fd0d04a150dc2c9ba2cba23d4d1a1096f7780bb702964d
Opcode Fuzzy Hash: 5b75fb823a353ca8dc1e44f519c5ae98cd4bc4c796f790001a98ff7edc0cca4a
Instruction Fuzzy Hash: CDF13070218B488FE764DF28D8957AAB7E2FBD8304F50462DA58EC32A0DF75D945CB42

Function 01FF9120 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa8ef53c996ffe4f0ea5f186e32b437e4baf59453c7933b166b4a13b75eea46
Instruction ID: 51cb717b560dac4b0ebdd30ceea9f75fffd0cb55e06b4a5ffd31b204e4b4d13b
Opcode Fuzzy Hash: cfa8ef53c996ffe4f0ea5f186e32b437e4baf59453c7933b166b4a13b75eea46
Instruction Fuzzy Hash: 6FF16F70218B488FE768EF18D8557AAB7E1FB88308F50452DE18EC32A1DBB9D545CB43

Function 01FE99D0 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf909c3245cbfb605e205f1b6652f61485a4d0021b7aed283de42b2c53d394ff
Instruction ID: 2c5f4d4164b4ef7f139cd994d1397511c42629bd4b7471bf77e04e16b2aed4b9
Opcode Fuzzy Hash: cf909c3245cbfb605e205f1b6652f61485a4d0021b7aed283de42b2c53d394ff
Instruction Fuzzy Hash: CAF18030618B488FE774EF28D8587AAB7E2FB98304F504A2D958EC3290DFB5D545CB52

Function 02010210 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa099fc02c16ba095d4bf4291fdb0dcd3e10970e4b1abe0c916cefc9fc1f856
Instruction ID: dc3d7da33186b06f5b6f64c5ec520f1dfaecf321c251d33d3e9322f03d69abc8
Opcode Fuzzy Hash: 9aa099fc02c16ba095d4bf4291fdb0dcd3e10970e4b1abe0c916cefc9fc1f856
Instruction Fuzzy Hash: 25D15030328B484FE758EB2CD86576EB7D2FBD8344F50452DA58AC3290DFB8D9419B86

Function 01FF4DB0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d560102bc2eea68efe4c92e244aa415b9a8cc1eab01d618360132088605c66
Instruction ID: 86dfe466e9c68d5e1760a4f6e2f44b5fcaae19b4264c6e813e672c6804806e07
Opcode Fuzzy Hash: 55d560102bc2eea68efe4c92e244aa415b9a8cc1eab01d618360132088605c66
Instruction Fuzzy Hash: 50D1953022CB488FD758EB2CC495BABB7D2FB99344F50456DE18AC32A0DF75D9458B82

Function 01FF42A0 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b817203ba3c4443f5fb8480b07f75b397d38fcfc8ae896fd7bf819042d688969
Instruction ID: 8bb30c240282346ac2c53ec211b8a27157dadc18bd0302c50f10d337b376c11b
Opcode Fuzzy Hash: b817203ba3c4443f5fb8480b07f75b397d38fcfc8ae896fd7bf819042d688969
Instruction Fuzzy Hash: 61D1513061CB088FEB59EF29D85566AB7E1FF98304F10056EE58AC3260DFB5E945CB42

Function 020082A0 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf57cbc0b7ccc185c60c4b5f94adbeda4c451ce52c5a668f06d63ff3a15e055d
Instruction ID: 351ea5643f28d876d02e11c404067796cdc4882d4262d4bdaba1c96e8f32bf29
Opcode Fuzzy Hash: cf57cbc0b7ccc185c60c4b5f94adbeda4c451ce52c5a668f06d63ff3a15e055d
Instruction Fuzzy Hash: 0BC1307021CB484FF768EF68D8997AAB7D2FB98304F50862DD58EC3290DF7494459B82

Function 020055E0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67f70248d9871493b444570412385d01f8192461fdcfc939c1c5d9bc251a4ce
Instruction ID: 3b8179e2c40c7d15fb73fa4851688526326c83cd316421553c9898dfa01c3828
Opcode Fuzzy Hash: d67f70248d9871493b444570412385d01f8192461fdcfc939c1c5d9bc251a4ce
Instruction Fuzzy Hash: 1FC17070328B484FE758EB2CD85576ABBD2FB8C308F50462DE08AC3290DB79D9459B46

Function 01FFBED0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2428df4c2b5cda2abb3800129e89791470056923b1d70c4f1012cb95f183359f
Instruction ID: 2a82dac9ec1a2037f456fac638b40e63586231a3ed0e9f663a21297253761a7c
Opcode Fuzzy Hash: 2428df4c2b5cda2abb3800129e89791470056923b1d70c4f1012cb95f183359f
Instruction Fuzzy Hash: 79B13D70628B488FE768EF2CD459B9AB7E1FB98304F50452DE18EC3261DB75D845CB42

Function 00000001401503DC Relevance: .3, Instructions: 327COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca157f37a7ff7870d8233d8b2cc212f20d7f303e8a9724ae19aaef0a627145a7
Instruction ID: f1874bfbc7e1281058d3564017ccc93f286706d85707bd6ff5c1edb4637aebbe
Opcode Fuzzy Hash: ca157f37a7ff7870d8233d8b2cc212f20d7f303e8a9724ae19aaef0a627145a7
Instruction Fuzzy Hash: 03D1AA36610A4086EB6BCEAB95543ED37A1F74DF48F2C4215DF4A0B6B5EB36C851CB40

Function 00000001401663E8 Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 83a0a706191b9cbd7d58c2f48e7b76d66853e0ba45b62b363f1df9343bf7d59c
Instruction ID: 06f5bbde143778937eb0fafaa398f8d0b5196f9c9d70593ec7ad9d63aa788f3e
Opcode Fuzzy Hash: 83a0a706191b9cbd7d58c2f48e7b76d66853e0ba45b62b363f1df9343bf7d59c
Instruction Fuzzy Hash: 1EC1C17620078086EB619B73DD107EA77A5F798F88F444926EF8E87AA9DF38C545C700

Function 0000000140159A80 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188c10d7e66e5bfed439f5e22177af773f0e3c25f04850c32b4aa30e70456c53
Instruction ID: 99b709c28741e4176f1b4272f39a96b64e97b6f7daf7a7144a5b344df3208594
Opcode Fuzzy Hash: 188c10d7e66e5bfed439f5e22177af773f0e3c25f04850c32b4aa30e70456c53
Instruction Fuzzy Hash: 3191683331468446FF2A8E27A4507F926E0A749F94F0C1529DF2A4F7E5DA3AC506DB02

Function 01FEA730 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739a3d2fd449fcecab3bc3dc05aa0fa5b4f8815b2c591d1fde98be55f4dc1af0
Instruction ID: 9857ab83672164aa7957b261643e8a8047ed2984a28908f88d4efb964b536423
Opcode Fuzzy Hash: 739a3d2fd449fcecab3bc3dc05aa0fa5b4f8815b2c591d1fde98be55f4dc1af0
Instruction Fuzzy Hash: B481BF3061CA488FE719DF1CD88876ABBE1FB99304F15466DE48BC3291DB75D842CB82

Function 000000014014F1B4 Relevance: .2, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2700913cdaa8e072fbaccf966302ce6e5f9fdad91f4d24834899644e4036f4ea
Instruction ID: ffbaa6f9c57025f90e0b292df968a750f48d97ce8f1ac2bdfb349248bd13b909
Opcode Fuzzy Hash: 2700913cdaa8e072fbaccf966302ce6e5f9fdad91f4d24834899644e4036f4ea
Instruction Fuzzy Hash: 1CB16C76204B848AEB66CF3AD0503AD3BA0F34DF48F2A422ADB4A473B5CB75D441E755

Function 0000000140163AE8 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: acba69c8a14c132deca5852aba72511722fcf418cd711944a4c76bd6c587ef30
Instruction ID: 3a30d487e53f8b73cdf3bb574a6b4e81c138e69f3b58ec60369493071200ead1
Opcode Fuzzy Hash: acba69c8a14c132deca5852aba72511722fcf418cd711944a4c76bd6c587ef30
Instruction Fuzzy Hash: 6C819172610A5087EB65CF6ADC913AD23A0F748FA8F548A16EF2E977E5CF34C4528700

Function 00000001401689F8 Relevance: .2, Instructions: 198COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94877b7f1168a199183d97b9ee620f98dfed5660db1c467fcd5f505cffb62de4
Instruction ID: b96502891d90a0d417930f3e190cc36b07dd1574319377b0cf734b00601ccb58
Opcode Fuzzy Hash: 94877b7f1168a199183d97b9ee620f98dfed5660db1c467fcd5f505cffb62de4
Instruction Fuzzy Hash: 1081927261478087EB75CF1AAC807EA7691F349B94F544726DF9D47BA9CB3DC4408B00

Function 01FFA100 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387519872.0000000001FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 01FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe1000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0716cf927f3d622e8d1be20f109cdfcaa474ac34fc56a286013c67232f28705
Instruction ID: ca91fc87a69e970c7f5f908e22084e9f166f95fc86622d8a93e1389057fad613
Opcode Fuzzy Hash: d0716cf927f3d622e8d1be20f109cdfcaa474ac34fc56a286013c67232f28705
Instruction Fuzzy Hash: 01319A3596838C8EE31C4B2C98453B13B86EFA3685F2A622DCBDFC3272E99750474D41

Function 000000014014DAC0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 725235c21b47caf0edbcd50936ad3ab27c366b7dafd4723d132d9e19fb169f0c
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: D8517176210A5096EF368F2AC0843A837A1E79DF68F264225CF49577B8CB76DC53C780

Function 000000014014D8BC Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction ID: 6a9cddf51357c73a49b2b04b7ed73e33111add63407a83b77df6bb68fe242a81
Opcode Fuzzy Hash: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction Fuzzy Hash: 0E517E76224A5096EB268F2AC0503A837A0E74DF5CF269121CF8D977B9CB36CC53C780

Function 000000014014D4AC Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction ID: ac5d1c6bd68b3ff00ec2dc55348a953991c08f666444e243ebda23d6ea0f3805
Opcode Fuzzy Hash: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction Fuzzy Hash: E8517E76620A5096EB268B2AD0503A837B0E35DF5CF2A9121DF4D5B7B8CB36DC43CB40

Function 000000014014DCCC Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction ID: a9699c7ab3d5653fbf48160e69d0a6032427de9810f49af852ddafcb59c472f4
Opcode Fuzzy Hash: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction Fuzzy Hash: 1F517F76620A5096EB268B2AC0503A837A0E79DF68F269121CF495B7F9C736DC53C780

Function 000000014000A8B0 Relevance: 52.5, APIs: 1, Strings: 29, Instructions: 18COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000A8E8

Strings

wscApp::NotifyUserForNearExpiration, xrefs: 000000014000B1C7
/updatesubstatus, xrefs: 000000014000B6AE
/disable, xrefs: 000000014000AFC0
expired, xrefs: 000000014000B483
/settingssubstatus, xrefs: 000000014000B602
NotifyUserForNearExpiration failed., xrefs: 000000014000B04C, 000000014000B133
/enable, xrefs: 000000014000AFD8
/scansubstatus, xrefs: 000000014000B559
wscApp::InitiateOfflineCleaning, xrefs: 000000014000B11E
/uninstall, xrefs: 000000014000B09F
off, xrefs: 000000014000B2D9
snoozed, xrefs: 000000014000B3AE
/wac, xrefs: 000000014000AE97
/update, xrefs: 000000014000AFF0
D:\Jenkins\workspace\N_MBAMWsc\src\wscApp.cpp, xrefs: 000000014000B125, 000000014000B1CE
/status, xrefs: 000000014000B1E7
runas, xrefs: 000000014000B786
InitiateOfflineCleaning failed., xrefs: 000000014000B045
/renew, xrefs: 000000014000B008
stoi argument out of range, xrefs: 000000014000B7AA
needed, xrefs: 000000014000B5D0, 000000014000B679, 000000014000B725
none, xrefs: 000000014000B582, 000000014000B62B, 000000014000B6D7
true, xrefs: 000000014000B236, 000000014000B2FF, 000000014000B3D4, 000000014000B4A9
/AS, xrefs: 000000014000AF94, 000000014000B06F
/notifyexpire, xrefs: 000000014000B176
/AV, xrefs: 000000014000AFAC, 000000014000B087
recommended, xrefs: 000000014000B5A9, 000000014000B652, 000000014000B6FE
invalid stoi argument, xrefs: 000000014000B79D
/offlineclean, xrefs: 000000014000B0B7

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: /AS$/AV$/disable$/enable$/notifyexpire$/offlineclean$/renew$/scansubstatus$/settingssubstatus$/status$/uninstall$/update$/updatesubstatus$/wac$D:\Jenkins\workspace\N_MBAMWsc\src\wscApp.cpp$InitiateOfflineCleaning failed.$NotifyUserForNearExpiration failed.$expired$invalid stoi argument$needed$none$off$recommended$runas$snoozed$stoi argument out of range$true$wscApp::InitiateOfflineCleaning$wscApp::NotifyUserForNearExpiration
API String ID: 3668304517-793541459
Opcode ID: 526ea6badeea54726d4b16b0a3cf65bd3febbc1057dcb98f1bee845a2d33564f
Instruction ID: c2579e90a46674481716ed07c56492673aac538bb9cbd6c9f5aa16ef27347ac4
Opcode Fuzzy Hash: 526ea6badeea54726d4b16b0a3cf65bd3febbc1057dcb98f1bee845a2d33564f
Instruction Fuzzy Hash: ABD012B1B5164581EC1A936A954539C22D1874BBF1E908711A33C0B7E5C97890D65305

Function 00000001400041B0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 118memorytimethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0000000140004211
GetTickCount.KERNEL32 ref: 0000000140004231

Part of subcall function 000000014000A7A0: SystemTimeToVariantTime.OLEAUT32 ref: 000000014000A809
Part of subcall function 000000014000A7A0: VariantTimeToSystemTime.OLEAUT32 ref: 000000014000A824

SysAllocString.OLEAUT32 ref: 000000014000427D
SysAllocString.OLEAUT32 ref: 000000014000428D
SysAllocString.OLEAUT32 ref: 000000014000429D
SysAllocString.OLEAUT32 ref: 00000001400042AD
GetCurrentThreadId.KERNEL32 ref: 00000001400042C6
GetProcessId.KERNEL32 ref: 00000001400042D0
SysFreeString.OLEAUT32 ref: 000000014000431C
SysFreeString.OLEAUT32 ref: 0000000140004325
SysFreeString.OLEAUT32 ref: 000000014000432E
SysFreeString.OLEAUT32 ref: 0000000140004337
CoUninitialize.OLE32 ref: 0000000140004365

Strings

D:\Jenkins\workspace\N_MBAMWsc\src\IService.cpp, xrefs: 0000000140004286
MbamService::~MbamService, xrefs: 0000000140004296
8, xrefs: 00000001400042EB
MBAMWsc, xrefs: 00000001400042A6
MBAMWsc process finished., xrefs: 0000000140004276

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: String$Time$AllocFree$SystemVariant$CountCurrentLocalProcessThreadTickUninitialize
String ID: 8$D:\Jenkins\workspace\N_MBAMWsc\src\IService.cpp$MBAMWsc$MBAMWsc process finished.$MbamService::~MbamService
API String ID: 696792126-3938568586
Opcode ID: 53a718f3b0540c413012100aaca2926b44f4adbb5edd2298459ffa551bc3d378
Instruction ID: 9b694a97de8b48f67e0d5064a82356e898c7834bf51fe69a95c371d96420f6c7
Opcode Fuzzy Hash: 53a718f3b0540c413012100aaca2926b44f4adbb5edd2298459ffa551bc3d378
Instruction Fuzzy Hash: 4A513876214B4096E712DF26F85439AB7A0F78CB94F585126EF8943B74EF38C685CB00

Function 0000000140036940 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000000140036B66
CloseHandle.KERNEL32 ref: 0000000140036B70

Strings

mb::common::system::ProcessUtils::RunProcess, xrefs: 00000001400369B7, 0000000140036A67
Error waiting for process = %s, %s, xrefs: 000000014003698A
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp, xrefs: 00000001400369B0, 0000000140036A60
Timed out waiting for process = %s to complete, xrefs: 0000000140036A3A
ProcessUtils, xrefs: 0000000140036996, 0000000140036A46

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CloseHandle
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp$Error waiting for process = %s, %s$ProcessUtils$Timed out waiting for process = %s to complete$mb::common::system::ProcessUtils::RunProcess
API String ID: 2962429428-736685494
Opcode ID: d633e290a468bb55dcca76d4bf9d34330a68f9745e317e56a982112744ded800
Instruction ID: 53520191e7dd1020d5252804e307f7974c283abbcb0436c4ff4f17d7b5862060
Opcode Fuzzy Hash: d633e290a468bb55dcca76d4bf9d34330a68f9745e317e56a982112744ded800
Instruction Fuzzy Hash: BB519C72710A8181FA139B6AE0443EE63A0E78DBE4F418612EBAD177F9DF78C581C340

Function 000000014003A2E0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 218COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014003A356
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014003A3A2
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014003A4E7
Concurrency::cancel_current_task.LIBCPMT ref: 000000014003A500
Concurrency::cancel_current_task.LIBCPMT ref: 000000014003A513
Concurrency::cancel_current_task.LIBCPMT ref: 000000014003A519
std::_Lockit::_Lockit.LIBCPMT ref: 000000014003A54B
std::_Lockit::_Lockit.LIBCPMT ref: 000000014003A570
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014003A59A
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014003A62B

Strings

false, xrefs: 000000014003A419
true, xrefs: 000000014003A449
bad locale name, xrefs: 000000014003A506

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_taskLockit::_Lockit::~_$Locinfo::_Locinfo_ctor
String ID: bad locale name$false$true
API String ID: 1486878244-1062449267
Opcode ID: b809507398d5140daaecabadf8c44e7591a094269cc9e2850de97db1ee4c1cdb
Instruction ID: 7534540067920b88e5e7eb1bf51e4358e90caed4b63b60b23605e3ce2a7512bb
Opcode Fuzzy Hash: b809507398d5140daaecabadf8c44e7591a094269cc9e2850de97db1ee4c1cdb
Instruction Fuzzy Hash: 84A16D36215B8086FB27DF66E4507EE33B0FB89B84F184125EB8917AB9DB38C555C344

Function 000000014000F8E0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 225comsleepCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000000014000F911
CoCreateInstance.OLE32 ref: 000000014000F9B5
Sleep.KERNEL32 ref: 000000014000FAE1
CoUninitialize.OLE32 ref: 000000014000FA40

Part of subcall function 000000014000B7C0: SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B89D
Part of subcall function 000000014000B7C0: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B8AA

CoUninitialize.OLE32 ref: 000000014000FBE8

Part of subcall function 000000014000EBD0: OpenSCManagerW.ADVAPI32 ref: 000000014000ED56

Strings

wsccom::PerformWscOperation, xrefs: 000000014000F95E, 000000014000FA1D, 000000014000FB4E, 000000014000FBC5
%hs operation failed with error %08X, xrefs: 000000014000FB21
Failed to intialize COM %08X, xrefs: 000000014000F931
Failed to create %hs with error %08X, xrefs: 000000014000F9F2
MBAMWsc, xrefs: 000000014000F93D, 000000014000F9FE, 000000014000FB2D, 000000014000FBA4
D:\Jenkins\workspace\N_MBAMWsc\src\wsccom.h, xrefs: 000000014000F957, 000000014000FA16, 000000014000FB47, 000000014000FBBE
%hs operation succeeded, xrefs: 000000014000FB98

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: SleepUninitialize$CreateInitializeInstanceManagerOpenSwitchThread
String ID: %hs operation failed with error %08X$%hs operation succeeded$D:\Jenkins\workspace\N_MBAMWsc\src\wsccom.h$Failed to create %hs with error %08X$Failed to intialize COM %08X$MBAMWsc$wsccom::PerformWscOperation
API String ID: 3937220661-2729994674
Opcode ID: c7fef79e8bbe42b6a6fc89a96eb80cb3d0f48e99b2ffc64067655ec7bf735adb
Instruction ID: 0a099f440a5ffeba8f8ba95b688c0b903fbc44dad2b734f68776baead0ec466c
Opcode Fuzzy Hash: c7fef79e8bbe42b6a6fc89a96eb80cb3d0f48e99b2ffc64067655ec7bf735adb
Instruction Fuzzy Hash: ACA187B6204B4496EB12DF22E4947A937A0F78DBC4F945122EB4E87BB4DF78C145D740

Function 000000014000CA00 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 225comsleepCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000C9BE), ref: 000000014000CA31
CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000C9BE), ref: 000000014000CAD5
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000C9BE), ref: 000000014000CC01
CoUninitialize.OLE32 ref: 000000014000CB60

Part of subcall function 000000014000B7C0: SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B89D
Part of subcall function 000000014000B7C0: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000AB7D), ref: 000000014000B8AA

CoUninitialize.OLE32 ref: 000000014000CD08

Part of subcall function 000000014000EBD0: OpenSCManagerW.ADVAPI32 ref: 000000014000ED56

Strings

wsccom::PerformWscOperation, xrefs: 000000014000CA7E, 000000014000CB3D, 000000014000CC6E, 000000014000CCE5
%hs operation failed with error %08X, xrefs: 000000014000CC41
Failed to intialize COM %08X, xrefs: 000000014000CA51
Failed to create %hs with error %08X, xrefs: 000000014000CB12
MBAMWsc, xrefs: 000000014000CA5D, 000000014000CB1E, 000000014000CC4D, 000000014000CCC4
D:\Jenkins\workspace\N_MBAMWsc\src\wsccom.h, xrefs: 000000014000CA77, 000000014000CB36, 000000014000CC67, 000000014000CCDE
%hs operation succeeded, xrefs: 000000014000CCB8

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: SleepUninitialize$CreateInitializeInstanceManagerOpenSwitchThread
String ID: %hs operation failed with error %08X$%hs operation succeeded$D:\Jenkins\workspace\N_MBAMWsc\src\wsccom.h$Failed to create %hs with error %08X$Failed to intialize COM %08X$MBAMWsc$wsccom::PerformWscOperation
API String ID: 3937220661-2729994674
Opcode ID: 387ecaf826ad825417d1f8c639b61aaf22df31e30c1e67de20dbbe22fac656fe
Instruction ID: f54efe713470790398bc6acc87ea05565f9e4a8c35b2e352f00cce6a0e2c715f
Opcode Fuzzy Hash: 387ecaf826ad825417d1f8c639b61aaf22df31e30c1e67de20dbbe22fac656fe
Instruction Fuzzy Hash: FDA16576215B4486EB22DF22E494BAA37A1F78CBC4F941126EB4E47BB4DF78C185C740

Function 000000014000E177 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 206COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014000E39B
GetLastError.KERNEL32 ref: 000000014000E3A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E48D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E493
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E499
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E49F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E4A5

Strings

Unable to renew. MBAM.exe not found., xrefs: 000000014000E3AF
Running MBAM.exe to allow the user to renew from within the UI., xrefs: 000000014000E2E2
\MBAM.exe, xrefs: 000000014000E1B6
D:\Jenkins\workspace\N_MBAMWsc\src\wscApp.cpp, xrefs: 000000014000E2FB, 000000014000E3C8
wscApp::StartUI, xrefs: 000000014000E2F4, 000000014000E3C1

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast
String ID: D:\Jenkins\workspace\N_MBAMWsc\src\wscApp.cpp$Running MBAM.exe to allow the user to renew from within the UI.$Unable to renew. MBAM.exe not found.$\MBAM.exe$wscApp::StartUI
API String ID: 3964982034-2749715901
Opcode ID: a2c317415937a591dda9f6822fd405d552ca31da9b70ec88461424471f1fe3a0
Instruction ID: 1409f0f41a22f678ab47fe46961c9c04dd1ffa017a2fa52575aae2632c261655
Opcode Fuzzy Hash: a2c317415937a591dda9f6822fd405d552ca31da9b70ec88461424471f1fe3a0
Instruction Fuzzy Hash: C6918CB2720B8594FB02DB66E4543ED2361E749BD8F405622FB6D27AF9DE78C285C300

Function 0000000140146B04 Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 0000000140146B55
DName::operator+.LIBVCRUNTIME ref: 0000000140146C1E
DName::operator+.LIBVCRUNTIME ref: 0000000140146C67
DName::operator+.LIBVCRUNTIME ref: 0000000140146C78

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: ced1b9e1ae3291a376d97cb8cdc71d8be10b1b2046d8044dd26887b720c14143
Instruction ID: e7de062e02c99b5ebeab4365ebb3593a7ab62677071afae590ab2aad0122d94c
Opcode Fuzzy Hash: ced1b9e1ae3291a376d97cb8cdc71d8be10b1b2046d8044dd26887b720c14143
Instruction Fuzzy Hash: CCF15876B00A809AEB12DFB6E4903EC37B1E308B4CF454426EB4A67BB9DA74C559C741

Function 0000000140149468 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 000000014014990C
DName::DName.LIBVCRUNTIME ref: 000000014014993C
DName::operator+.LIBVCRUNTIME ref: 000000014014998C

Strings

`template-type-parameter-, xrefs: 00000001401499AD
NULL, xrefs: 0000000140149535
lambda, xrefs: 000000014014982C
nullptr, xrefs: 0000000140149651
`generic-method-parameter-, xrefs: 0000000140149959
`generic-class-parameter-, xrefs: 000000014014999D

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 826178784-2441609178
Opcode ID: 819c3618de74dfa5dc9eb9d21f3e73f85e00453ac3ff858ee773a0cbadd207bb
Instruction ID: f562cf4fd72b348b98da37fb4846fb8b724129f14434e23c19c411854dda40ed
Opcode Fuzzy Hash: 819c3618de74dfa5dc9eb9d21f3e73f85e00453ac3ff858ee773a0cbadd207bb
Instruction Fuzzy Hash: D0F18C72A1061084FB17DB6BC9A53FC27A5A74EF44F574136CF0A2AAFADA78C945C340

Function 0000000140167A10 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140167A1F
FlsGetValue.KERNEL32 ref: 0000000140167A34
FlsSetValue.KERNEL32 ref: 0000000140167A55
FlsSetValue.KERNEL32 ref: 0000000140167A82
FlsSetValue.KERNEL32 ref: 0000000140167A93
FlsSetValue.KERNEL32 ref: 0000000140167AA4
SetLastError.KERNEL32 ref: 0000000140167ABF
FlsGetValue.KERNEL32 ref: 0000000140167AF5
FlsSetValue.KERNEL32 ref: 0000000140167B14

Part of subcall function 000000014016A098: HeapAlloc.KERNEL32(?,?,00000000,0000000140167BEA,?,?,000045F42809D22C,00000001401548D9,?,?,?,?,000000014016EC66,?,?,00000000), ref: 000000014016A0ED

FlsSetValue.KERNEL32 ref: 0000000140167B3C

Part of subcall function 0000000140167D70: HeapFree.KERNEL32(?,?,0F33E82583480000,00000001401734AE,?,?,?,000000014017382B,?,?,00000000,0000000140173D35,?,?,0000000140165A06,0000000140173C67), ref: 0000000140167D86
Part of subcall function 0000000140167D70: GetLastError.KERNEL32(?,?,0F33E82583480000,00000001401734AE,?,?,?,000000014017382B,?,?,00000000,0000000140173D35,?,?,0000000140165A06,0000000140173C67), ref: 0000000140167D90

FlsSetValue.KERNEL32 ref: 0000000140167B4D
FlsSetValue.KERNEL32 ref: 0000000140167B5E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 6fb280773c261191e5205d109ce90158d526da447b5a306f5cc78d9f9789c596
Instruction ID: d73c95da8eebc20ef8bff53ca693855745d5e0f11272634882566d3ea5c8345a
Opcode Fuzzy Hash: 6fb280773c261191e5205d109ce90158d526da447b5a306f5cc78d9f9789c596
Instruction Fuzzy Hash: 3B416B3021128047FAAB67739D55BFD62529B8CFB0F580F25AB3E07BF6EA39D5408640

Function 000000014001B930 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 392COMMON

Download Yara Rule

Strings

true, xrefs: 000000014001BA47, 000000014001C3AE
false, xrefs: 000000014001BA4E, 000000014001C3A7
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 000000014001C431
mb::common::system::RegistryUtilities::EnumerateOfflineKeyImpl, xrefs: 000000014001C438
Exit: <- RegistryUtilities::EnumerateOfflineKeyImpl(%p, %ls, %p, %i, %p:%i, %p:%ls), xrefs: 000000014001C418

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Exit: <- RegistryUtilities::EnumerateOfflineKeyImpl(%p, %ls, %p, %i, %p:%i, %p:%ls)$false$mb::common::system::RegistryUtilities::EnumerateOfflineKeyImpl$true
API String ID: 0-2350909114
Opcode ID: ff673658baa75ce793c006bad514cad36dc9babd8f94592b8ec5495efda8e05e
Instruction ID: 382b135f274541b43b6d6caace4a782826f4cfa1d9850ae111180f6cb1a4597a
Opcode Fuzzy Hash: ff673658baa75ce793c006bad514cad36dc9babd8f94592b8ec5495efda8e05e
Instruction Fuzzy Hash: CBF16672A10B808AEB11CF66E8807DD77B4F748B88F148126EF9D5BBA9DB74C591C740

Function 00000001401449E8 Relevance: 16.7, APIs: 11, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 0000000140144A50
DName::operator+.LIBVCRUNTIME ref: 0000000140144B4D
DName::operator+.LIBVCRUNTIME ref: 0000000140144BA6
DName::operator+.LIBVCRUNTIME ref: 0000000140144BD2
DName::operator+.LIBVCRUNTIME ref: 0000000140144BE4
DName::operator+.LIBVCRUNTIME ref: 0000000140144C13

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 536d155ff77887aee090ba886be595260276b993b91fd58ecf4b56afdb8a2922
Instruction ID: 2800bd264709c01dea67a649882f85adfa1e0bd059473b0e80193fb1657a9420
Opcode Fuzzy Hash: 536d155ff77887aee090ba886be595260276b993b91fd58ecf4b56afdb8a2922
Instruction Fuzzy Hash: 8F713D72710A41AAEB12DFA6D4903DC33B1E748B8CF465525DF0967AB9EF70C619C384

Function 000000014003DA90 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 231libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000014003DB1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDE9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDEF

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp, xrefs: 000000014003DC6F, 000000014003DD64
mb::common::system::DynamicLibrary::GetFunctionAddress, xrefs: 000000014003DC76, 000000014003DD6B
Could not load '%s' function ptr from DLL, %s, xrefs: 000000014003DC50
Could not load '%s' function ptr from DLL because DLL is not loaded, xrefs: 000000014003DD45

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AddressProc
String ID: Could not load '%s' function ptr from DLL because DLL is not loaded$Could not load '%s' function ptr from DLL, %s$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$mb::common::system::DynamicLibrary::GetFunctionAddress
API String ID: 1230731272-560569770
Opcode ID: a49e30e0549e96d7b52b5eb2b38217757a5b1c39450f1bbd7fcbd44854d91e30
Instruction ID: ec9f815a35aff084cab028937da5dc540590b5f542e012cadce9fa68b7cd6d52
Opcode Fuzzy Hash: a49e30e0549e96d7b52b5eb2b38217757a5b1c39450f1bbd7fcbd44854d91e30
Instruction Fuzzy Hash: C4A17EB2721B8095EB12CF6AE4943DD73A1E749BD8F409612EB6C57AA9DF78C185C300

Function 000000014014634C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00000001401463A6
DName::operator+.LIBVCRUNTIME ref: 00000001401464DC

Strings

`unknown ecsu', xrefs: 0000000140146372
struct , xrefs: 0000000140146500
union , xrefs: 0000000140146509
class , xrefs: 00000001401464F1
enum , xrefs: 00000001401464B9
coclass , xrefs: 0000000140146495
cointerface , xrefs: 0000000140146483

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 2eaaf7d4005071d23eb4c0f5f255f35bee69f90fd73084f6d67c33011e2648cd
Instruction ID: 57182be866b82b315a826a3767d317f8670486a4151317bdac16802e215984a1
Opcode Fuzzy Hash: 2eaaf7d4005071d23eb4c0f5f255f35bee69f90fd73084f6d67c33011e2648cd
Instruction Fuzzy Hash: 2D515A32B10A6099FB12CB76E8847EC37B1B708B88F550129DF0A67BB9DB75C545CB01

Function 0000000140045A50 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetNamedSecurityInfoW.ADVAPI32 ref: 0000000140045AEB
MapGenericMask.ADVAPI32 ref: 0000000140045BA2
AreAllAccessesGranted.ADVAPI32 ref: 0000000140045BB0
LocalFree.KERNEL32 ref: 0000000140045BCA

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp, xrefs: 0000000140045B3E, 0000000140045C24
Permissions, xrefs: 0000000140045B24, 0000000140045C0A
mb::common::system::Permissions::AccessCheckByFilePath, xrefs: 0000000140045B45, 0000000140045C2B
Invalid parameter %p %ls %u, xrefs: 0000000140045BFE
Failed to get security information for %ls %u, xrefs: 0000000140045B18

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AccessesFreeGenericGrantedInfoLocalMaskNamedSecurity
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Permissions.cpp$Failed to get security information for %ls %u$Invalid parameter %p %ls %u$Permissions$mb::common::system::Permissions::AccessCheckByFilePath
API String ID: 2574652830-1742175897
Opcode ID: 549c6dfb294b73f883a01d668710bcec24bf5c3b65c788fbfa44142b41e9a300
Instruction ID: 96df7a6bb2a53517f70fd46415591a760f9cb0e61fd3347a896aed6453b617fe
Opcode Fuzzy Hash: 549c6dfb294b73f883a01d668710bcec24bf5c3b65c788fbfa44142b41e9a300
Instruction Fuzzy Hash: 1A518132204B448AEB52DF12F48479A77B4F78CB94F544226EB8903B75DF78C559CB40

Function 0000000140047A40 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107COMMON

Download Yara Rule

APIs

CreateWellKnownSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140045569), ref: 0000000140047A7B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140045569), ref: 0000000140047A95
CreateWellKnownSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140045569), ref: 0000000140047B0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140045569), ref: 0000000140047B25

Strings

Unable to calculate size. Error %u, xrefs: 0000000140047A9F
Failed to create SID. Error %u, xrefs: 0000000140047B2F
SidUtilities, xrefs: 0000000140047AAB, 0000000140047B3B
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Sid.cpp, xrefs: 0000000140047AC5, 0000000140047B55
mb::common::system::Sid::CreateFromWellKnownId, xrefs: 0000000140047ACC, 0000000140047B5C

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CreateErrorKnownLastWell
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Sid.cpp$Failed to create SID. Error %u$SidUtilities$Unable to calculate size. Error %u$mb::common::system::Sid::CreateFromWellKnownId
API String ID: 593908311-745277635
Opcode ID: cc4cff6892311a6c1e3498ffb2864b1d503bb009f51c5358d7cc8204457a50a0
Instruction ID: c4972b71db0ae2d34d9fa3694a88b8a04fba8128dfb2a48cd8b29d3000e36761
Opcode Fuzzy Hash: cc4cff6892311a6c1e3498ffb2864b1d503bb009f51c5358d7cc8204457a50a0
Instruction Fuzzy Hash: 89417C33205B8086EB128F66E884B9AB7A4F78CBA4F158126EF8D43B74DF78C555C740

Function 0000000140153BC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 480COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140153C0C
_invalid_parameter_noinfo.LIBCMT ref: 0000000140153FEF
_invalid_parameter_noinfo.LIBCMT ref: 0000000140154296

Strings

p, xrefs: 0000000140153D36
:, xrefs: 0000000140153DC5
-, xrefs: 0000000140153CA2
f, xrefs: 0000000140153D2E
p, xrefs: 0000000140153CBE

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 5d83d6891c745ba87f30799c271509f88d6f175bdfdb4357c0eb11f97c89a9b5
Instruction ID: 74a4b8f5d7082b8e80b5c2295f0020de8079cab5c72f5d5a0f6e922a9e1071bb
Opcode Fuzzy Hash: 5d83d6891c745ba87f30799c271509f88d6f175bdfdb4357c0eb11f97c89a9b5
Instruction Fuzzy Hash: C0120636A0416287FB269B56E0443EEB6A1F358FA8FDC4116E7924F6E4D73AC590CB01

Function 00000001400372B0 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 222COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,0000EA60), ref: 00000001400373D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,0000EA60), ref: 00000001400373F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400375E0

Strings

Failed to call QueryServiceConfig for %ls, error %u, xrefs: 000000014003741B
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\WindowsService.cpp, xrefs: 0000000140037338, 000000014003743A, 0000000140037546
Invalid data buffer, xrefs: 0000000140037527
Invalid service handle for %ls, xrefs: 0000000140037319
mb::common::system::WindowsService::CallQueryServiceConfig, xrefs: 000000014003733F, 0000000140037441, 000000014003754D

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ConfigErrorLastQueryService_invalid_parameter_noinfo_noreturn
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\WindowsService.cpp$Failed to call QueryServiceConfig for %ls, error %u$Invalid data buffer$Invalid service handle for %ls$mb::common::system::WindowsService::CallQueryServiceConfig
API String ID: 2057177955-775020918
Opcode ID: a40d3db1cefc73c5813ac865f5ec5311c5b3718884f7ada95a1ef65a4e4a8d54
Instruction ID: 047b188f8f061827e1493370f1094a22d848c17937309e98af42965ffc519344
Opcode Fuzzy Hash: a40d3db1cefc73c5813ac865f5ec5311c5b3718884f7ada95a1ef65a4e4a8d54
Instruction Fuzzy Hash: 34917972710A5485FB26CF66E484BAE27A0FB48BD8F145216EB5D27BA8CF78C591C340

Function 0000000140047200 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 207COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400474F1

Strings

NUL, xrefs: 0000000140047475
LPT, xrefs: 000000014004730B
COM, xrefs: 0000000140047347
CON, xrefs: 00000001400473D7
PRN, xrefs: 000000014004740C
\\.\, xrefs: 00000001400472B6
AUX, xrefs: 000000014004743E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: AUX$COM$CON$LPT$NUL$PRN$\\.\
API String ID: 3668304517-431953350
Opcode ID: 11b31c2ee0db22a3558905b1bc3c5419560a738c0f79a28d60b9fb32397422e6
Instruction ID: 5bc9f3eba1f897a59fdc517d27536db70d78d94185ff9d74dcff53f5879f9d21
Opcode Fuzzy Hash: 11b31c2ee0db22a3558905b1bc3c5419560a738c0f79a28d60b9fb32397422e6
Instruction Fuzzy Hash: 9571C4B3714A80D2EA628F66D014BF967A1F369B84F968121FB8D436F4DB7DCA41C604

Function 0000000140036A98 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 117COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000000140036B66
CloseHandle.KERNEL32 ref: 0000000140036B70

Strings

mb::common::system::ProcessUtils::RunProcess, xrefs: 0000000140036B12
Error getting exit code of process = %s, %s, xrefs: 0000000140036AE5
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp, xrefs: 0000000140036B0B
ProcessUtils, xrefs: 0000000140036AF1

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CloseHandle
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp$Error getting exit code of process = %s, %s$ProcessUtils$mb::common::system::ProcessUtils::RunProcess
API String ID: 2962429428-2781858381
Opcode ID: d88e912a8a15424c2bc31cc8cd76dcc175a2b214fd51519bf180b0a7f2857127
Instruction ID: 6e94396ed04217719b0a5edb4fb581e35fc32233c976419dbe42b2f74155664c
Opcode Fuzzy Hash: d88e912a8a15424c2bc31cc8cd76dcc175a2b214fd51519bf180b0a7f2857127
Instruction Fuzzy Hash: 88418D72710A8085EE02DB6AE4543EE63A1E78DBE4F409612EBAD577F9DF78C581C300

Function 0000000140148054 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 0000000140148208

Part of subcall function 0000000140144D3C: DName::operator+.LIBVCRUNTIME ref: 00000001401452AD
Part of subcall function 0000000140144D3C: DName::operator+.LIBVCRUNTIME ref: 00000001401452E2

DName::operator+.LIBVCRUNTIME ref: 00000001401481BA

Strings

std::nullptr_t, xrefs: 0000000140148133
cli::pin_ptr<, xrefs: 00000001401481D1
cli::array<, xrefs: 0000000140148187
void, xrefs: 000000014014809E
void , xrefs: 00000001401480C6
std::nullptr_t , xrefs: 0000000140148146

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: ff0c7a5896472f3944db5f8cec5ff0fa6d411fdf6fdcc3d3148b8152eb8ce105
Instruction ID: 90d58a23994952c08b1bcbe8f49be64a7913f429874871fc7b6f18f56aad4abd
Opcode Fuzzy Hash: ff0c7a5896472f3944db5f8cec5ff0fa6d411fdf6fdcc3d3148b8152eb8ce105
Instruction Fuzzy Hash: 355157B2A14B5099FB12CB62E8847EC37B0B74CB48F454126DF4A23BB9DBB8C195C710

Function 0000000140035440 Relevance: 13.7, APIs: 9, Instructions: 235COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 000000014003558C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003567D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140035683
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140035689
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003568F

Part of subcall function 00000001400128D0: WideCharToMultiByte.KERNEL32 ref: 000000014001294A
Part of subcall function 00000001400128D0: WideCharToMultiByte.KERNEL32 ref: 0000000140012A18

std::bad_exception::bad_exception.LIBCMT ref: 0000000140035767
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400357EE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400357F4
CloseHandle.KERNEL32 ref: 0000000140035816

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWidestd::bad_exception::bad_exception$CloseHandle
String ID:
API String ID: 1007650202-0
Opcode ID: ee35f23eab8eb1b3641a80946236ceecabace32f793b0acd2ca6f84ca75f7666
Instruction ID: 65ce164cb7276dfde234dfb0f2906340d26cf9e31f4f4c77ce2e5564ef4f5986
Opcode Fuzzy Hash: ee35f23eab8eb1b3641a80946236ceecabace32f793b0acd2ca6f84ca75f7666
Instruction Fuzzy Hash: EA91B7726156C580EE63AB6AE0563EF6351E78DBE1F505721A7BC07AF6EE78C084C700

Function 0000000140028B90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 316COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028E45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028E4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028E51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028F43

Strings

mb::common::system::RegistryUtilities::CreateRegKeyImpl, xrefs: 0000000140028D1F
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp, xrefs: 0000000140028D18
Failed to create reg key %ls\%ls, wow64 = 0x%x, %ls, xrefs: 0000000140028CF9

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\RegistryUtilities.cpp$Failed to create reg key %ls\%ls, wow64 = 0x%x, %ls$mb::common::system::RegistryUtilities::CreateRegKeyImpl
API String ID: 3668304517-3498662468
Opcode ID: f8b150574f845ef828c000daf84a0881a56d81eb36987d8157a1ae8ca23b0ebc
Instruction ID: 31a579414711654e769ef75ec47890e0750260992f5b024917c0aed097b5a76d
Opcode Fuzzy Hash: f8b150574f845ef828c000daf84a0881a56d81eb36987d8157a1ae8ca23b0ebc
Instruction Fuzzy Hash: 49C189B6215B8486EA61DF1AF44479EB7A1F789BD4F544216EF9C03BA8DF38C485CB00

Function 0000000140139BF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014013A375), ref: 0000000140139C41
RegCreateKeyExW.ADVAPI32 ref: 0000000140139C87
RegSetValueExW.ADVAPI32 ref: 0000000140139CC0
RegCloseKey.ADVAPI32 ref: 0000000140139CCD
RegCloseKey.ADVAPI32 ref: 0000000140139CDB

Strings

Software\Microsoft\Security Center\Monitoring, xrefs: 0000000140139C16
DisableMonitoring, xrefs: 0000000140139CA1

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Close$CreateOpenValue
String ID: DisableMonitoring$Software\Microsoft\Security Center\Monitoring
API String ID: 678895439-4070697454
Opcode ID: 81dea28931f6972ae66c8845ef20e11d780cf120f9648db2e64d902f2fc82963
Instruction ID: d855fb5c4d86a42225a7e31c8f0b97991da4a637e0b984f8b4f5a8d306e729f1
Opcode Fuzzy Hash: 81dea28931f6972ae66c8845ef20e11d780cf120f9648db2e64d902f2fc82963
Instruction Fuzzy Hash: 17212E32608B9182E7618B66F48474AB7A4F788B94F505215EB8987F68EF7CC2558B04

Function 0000000140056220 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000140056234
ResetEvent.KERNEL32 ref: 000000014005624B
std::bad_exception::bad_exception.LIBCMT ref: 0000000140056282
WaitForMultipleObjects.KERNEL32 ref: 00000001400562D2
ResetEvent.KERNEL32 ref: 00000001400562E8
ReleaseMutex.KERNEL32 ref: 00000001400562F1

Strings

cannot lock reader/writer lock, xrefs: 0000000140056263

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: EventResetWait$MultipleMutexObjectObjectsReleaseSinglestd::bad_exception::bad_exception
String ID: cannot lock reader/writer lock
API String ID: 293155808-3465051855
Opcode ID: e59351486e9443f9e40111e54a9b2ef31e98472e9c7443791f11b6325c379572
Instruction ID: 0e75493302944bd9e7b15dbc3a9dfd89c2f59db9818a00f8541147089c47b245
Opcode Fuzzy Hash: e59351486e9443f9e40111e54a9b2ef31e98472e9c7443791f11b6325c379572
Instruction Fuzzy Hash: AC215932300E0492EB22DF26E8543A97370F798F98F545121EB5D476B5DF39CA49C700

Function 0000000140153150 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140153193
_invalid_parameter_noinfo.LIBCMT ref: 0000000140153580
_invalid_parameter_noinfo.LIBCMT ref: 000000014015381C

Strings

p, xrefs: 0000000140153245
f, xrefs: 00000001401532B5
p, xrefs: 00000001401532BD

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 5ba8f657296955fa3f66b8da595bac26607bddac8d7bcaaa97e56423690fea3d
Instruction ID: 85a71509cee07936f6f148524e4d0acc7eaf99a934b7d397918794e3f2d5a0b8
Opcode Fuzzy Hash: 5ba8f657296955fa3f66b8da595bac26607bddac8d7bcaaa97e56423690fea3d
Instruction Fuzzy Hash: F512D5B2A1428286FB669B16E0547FAB7A1F388F50FDC4115E7924F6E4E73BC580CB00

Function 0000000140011FF0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 314COMMON

Download Yara Rule

Strings

ios_base::failbit set, xrefs: 000000014001227F
ios_base::badbit set, xrefs: 0000000140012272
ios_base::eofbit set, xrefs: 0000000140012286
vector too long, xrefs: 0000000140011FF4

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID:
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$vector too long
API String ID: 0-2271544611
Opcode ID: e55702b65e16a2f69c4260a70adfe00c358c37ab95e76d92afce820b356e44d5
Instruction ID: ae729dea0abd5e62fc7225159c118ed7ae842a659b7ee57d970ddd36ab6cafe9
Opcode Fuzzy Hash: e55702b65e16a2f69c4260a70adfe00c358c37ab95e76d92afce820b356e44d5
Instruction Fuzzy Hash: 8CB18E32200A8491EB66CB16D4847AD77A1F78CFD4F598622EF5E4B7B1DB3AC462C340

Function 000000014014A3E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 000000014014A45C
DName::operator+.LIBVCRUNTIME ref: 000000014014A46B

Part of subcall function 0000000140148618: DName::operator+.LIBVCRUNTIME ref: 00000001401486A9
Part of subcall function 0000000140148618: DName::operator+.LIBVCRUNTIME ref: 00000001401486E2
Part of subcall function 0000000140148618: DName::operator+.LIBVCRUNTIME ref: 0000000140148A0D

DName::operator+.LIBVCRUNTIME ref: 000000014014A50B
DName::operator+.LIBVCRUNTIME ref: 000000014014A51B
DName::operator+.LIBVCRUNTIME ref: 000000014014A5C7

Strings

{for , xrefs: 000000014014A494

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 70abbf3ee22149e307f55b43cb72c4d1799d44a00a3e84a400823ab5df7b9196
Instruction ID: e2c0deb88fc7b94ae7e76a4b51ce622b935d2c65a0afa69aea29462c96dc48f1
Opcode Fuzzy Hash: 70abbf3ee22149e307f55b43cb72c4d1799d44a00a3e84a400823ab5df7b9196
Instruction Fuzzy Hash: 0D516C72610B84AAFB029F66D5453EC37A0F348B88F868422EB4D5BBB5DFB8C555C340

Function 0000000140037120 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,000000014000EEEC), ref: 00000001400371E2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000014000EEEC), ref: 000000014003720F

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\WindowsService.cpp, xrefs: 0000000140037184, 0000000140037235
mb::common::system::WindowsService::QueryStatusEx, xrefs: 000000014003719D, 000000014003724D
Invalid service handle for %ls, xrefs: 000000014003718B
QueryServiceStatusEx failed on %1s. Error %u., xrefs: 0000000140037241

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ErrorLastQueryServiceStatus
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\WindowsService.cpp$Invalid service handle for %ls$QueryServiceStatusEx failed on %1s. Error %u.$mb::common::system::WindowsService::QueryStatusEx
API String ID: 3544625541-3834371814
Opcode ID: f940c91df44b36f97ba3843cdf7b4ad9b75e6f0394553b3ebe38a5465a4717d4
Instruction ID: 60fb98fce8a23e0466891abd8b850b8b7e5c64f9e6be64cfb437abacac22fa47
Opcode Fuzzy Hash: f940c91df44b36f97ba3843cdf7b4ad9b75e6f0394553b3ebe38a5465a4717d4
Instruction Fuzzy Hash: 534139B2604B8482EB66CF62F44079A77A4F79CB88F445216EB8C47768DF78C195CB40

Function 0000000140056450 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140056220: WaitForSingleObject.KERNEL32 ref: 0000000140056234
Part of subcall function 0000000140056220: ResetEvent.KERNEL32 ref: 000000014005624B

WaitForMultipleObjects.KERNEL32 ref: 0000000140056487
ResetEvent.KERNEL32 ref: 00000001400564A3
ResetEvent.KERNEL32 ref: 00000001400564AD
ReleaseMutex.KERNEL32 ref: 00000001400564B6

Strings

cannot lock reader/writer lock, xrefs: 0000000140056385
cannot unlock reader/writer lock, xrefs: 0000000140056412

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: EventReset$Wait$MultipleMutexObjectObjectsReleaseSingle
String ID: cannot lock reader/writer lock$cannot unlock reader/writer lock
API String ID: 1008919174-2331149746
Opcode ID: f278338fa424768d87383f8a38bbf6ad8ce8a3eb2052e3059145dd6ecefd0307
Instruction ID: 2c51c9a2cf7b20b4ab62582ab8a17ce6d8da9bcbc5fca1e46bbf1657fba6e54a
Opcode Fuzzy Hash: f278338fa424768d87383f8a38bbf6ad8ce8a3eb2052e3059145dd6ecefd0307
Instruction Fuzzy Hash: B501F632200B0486EB269F36E85079D7360F788F99F084121DE9A473A9CF39C699CB41

Function 0000000140008830 Relevance: 9.3, APIs: 6, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140008978
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000897E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140008A92
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140008A98

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 47ac7a7365b90ab4f4ea6d3041da5dd1c441095ef817d8b65f6d8979793d65e3
Instruction ID: f0ba0ac5c0db4927016258d603e1d80b91c1bd942e65dac1f9016bc60554a08c
Opcode Fuzzy Hash: 47ac7a7365b90ab4f4ea6d3041da5dd1c441095ef817d8b65f6d8979793d65e3
Instruction Fuzzy Hash: 52C19072614B8481EA22DB26E4513ED6360F799BE4F549321EBAC07BE6EF78C5D1C340

Function 000000014013C8A0 Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000014013C912
MultiByteToWideChar.KERNEL32 ref: 000000014013C9BA
LCMapStringEx.KERNEL32 ref: 000000014013C9F1
LCMapStringEx.KERNEL32 ref: 000000014013CA4A
LCMapStringEx.KERNEL32 ref: 000000014013CAF7
WideCharToMultiByte.KERNEL32 ref: 000000014013CB39

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 1ad9458f6110a64eaf78223e7508bf1f0d9e9f0bde86025a7688cb32f63c554a
Instruction ID: 9a620ab765e4878969c1eacdabf29c938fe4217996ed460ef6f3529f6a991c5d
Opcode Fuzzy Hash: 1ad9458f6110a64eaf78223e7508bf1f0d9e9f0bde86025a7688cb32f63c554a
Instruction Fuzzy Hash: DC81813321078486FB618F26E4407EAB7E1FB59FE8F184615EB5957BE8DB38C5158700

Function 0000000140006900 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014000692B
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140006950
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000697A
std::_Facet_Register.LIBCPMT ref: 00000001400069F1
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140006A0B
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140006A33

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: a51ffa365af961e9e657dfdc85cfb8d31fe91408219503cf46cab9aa6d051666
Instruction ID: c2ac795c2f0c21321cc7c93fa587029711438d4417d8fa265569bdf59029a98f
Opcode Fuzzy Hash: a51ffa365af961e9e657dfdc85cfb8d31fe91408219503cf46cab9aa6d051666
Instruction Fuzzy Hash: 7B317C72215A4084FA26DF27F4847DA63A5F78CBE8F481222EB8E177F5DE38C4558700

Function 0000000140007150 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014000717B
std::_Lockit::_Lockit.LIBCPMT ref: 00000001400071A0
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400071CA
std::_Facet_Register.LIBCPMT ref: 0000000140007241
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000725B
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140007283

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: ae6fc260dac909998aad872746bea46f964fb71e7e2e3663e7e262a08e17c3a2
Instruction ID: 287997294f2af973b1583e57968790a3780f2042e4d8cfe7b4a3c0247e476c68
Opcode Fuzzy Hash: ae6fc260dac909998aad872746bea46f964fb71e7e2e3663e7e262a08e17c3a2
Instruction Fuzzy Hash: E7313672604A4080EA26DF16F884BDA63A0F79CBD4F480622AB9E072B9DF78C4558744

Function 0000000140007290 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400072BB
std::_Lockit::_Lockit.LIBCPMT ref: 00000001400072E0
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000730A
std::_Facet_Register.LIBCPMT ref: 0000000140007381
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000739B
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400073C3

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b8031d3ce14c389318d4f2f958ae011d571469996da26fa6a8f524c0c4619768
Instruction ID: 80df17189ee19fd901b970c0d5c24fc72d5d36fa09cf65dcdb7ff04ff09797b1
Opcode Fuzzy Hash: b8031d3ce14c389318d4f2f958ae011d571469996da26fa6a8f524c0c4619768
Instruction Fuzzy Hash: D6314872604B4081FA26DF17F445BDA63A1F78CBE8F580622AF8E073B5DE79C5558704

Function 0000000140167B88 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000045F42809D22C,00000001401548D9,?,?,?,?,000000014016EC66,?,?,00000000,00000001401649FF,?,?,?), ref: 0000000140167B97
FlsSetValue.KERNEL32(?,?,000045F42809D22C,00000001401548D9,?,?,?,?,000000014016EC66,?,?,00000000,00000001401649FF,?,?,?), ref: 0000000140167BCD
FlsSetValue.KERNEL32(?,?,000045F42809D22C,00000001401548D9,?,?,?,?,000000014016EC66,?,?,00000000,00000001401649FF,?,?,?), ref: 0000000140167BFA
FlsSetValue.KERNEL32(?,?,000045F42809D22C,00000001401548D9,?,?,?,?,000000014016EC66,?,?,00000000,00000001401649FF,?,?,?), ref: 0000000140167C0B
FlsSetValue.KERNEL32(?,?,000045F42809D22C,00000001401548D9,?,?,?,?,000000014016EC66,?,?,00000000,00000001401649FF,?,?,?), ref: 0000000140167C1C
SetLastError.KERNEL32(?,?,000045F42809D22C,00000001401548D9,?,?,?,?,000000014016EC66,?,?,00000000,00000001401649FF,?,?,?), ref: 0000000140167C37

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a48a770b4761676df5049221d2361d904eaada45cecb2da31b9b22047447a242
Instruction ID: cf83103111ac15da5ee6f1fbd3c6a61e743c274bb870845df3326e910256b861
Opcode Fuzzy Hash: a48a770b4761676df5049221d2361d904eaada45cecb2da31b9b22047447a242
Instruction Fuzzy Hash: 62113A3131068043FA9B67339E55BF962629B8CFB0F544F25AB3A07BF6EE79D4414640

Function 00000001400082C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014000832A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140008372
_Getctype.LIBCPMT ref: 000000014000838A
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140008442

Strings

bad locale name, xrefs: 0000000140008465

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: da7205e4d3090da993bd70d538c7045fe935b9be17360c01237a60171a5e39a2
Instruction ID: ca96636f042f5223933b571fd6b47802c03752461e8a14668bf6921d8558fcba
Opcode Fuzzy Hash: da7205e4d3090da993bd70d538c7045fe935b9be17360c01237a60171a5e39a2
Instruction Fuzzy Hash: C5512732B45B808AFB16CBB6E4503EC3374BB98B88F084525DF8927A66DB34C5669344

Function 00000001401499B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 0000000140149A9A

Strings

void, xrefs: 00000001401499FE
`template-parameter, xrefs: 0000000140149AA8

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: NameName::
String ID: `template-parameter$void
API String ID: 1333004437-4057429177
Opcode ID: c1809ff316c2ca2c45a902e0da5cbaafba1e99388b5c63b68634db8828e58bb5
Instruction ID: c0d34d732f0af6c1f5b87027a59c14e8fcff88424753aee7a655c319da20d4cc
Opcode Fuzzy Hash: c1809ff316c2ca2c45a902e0da5cbaafba1e99388b5c63b68634db8828e58bb5
Instruction Fuzzy Hash: 98414832B10B5499FB02CBA6D8557EC23B1BB4CB98F951125DF092BBB9DFB8C5458300

Function 00000001400562A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 00000001400562D2
ResetEvent.KERNEL32 ref: 00000001400562E8
ReleaseMutex.KERNEL32 ref: 00000001400562F1
std::bad_exception::bad_exception.LIBCMT ref: 000000014005631F

Strings

cannot lock reader/writer lock, xrefs: 0000000140056263, 0000000140056300, 00000001400564CD

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: EventMultipleMutexObjectsReleaseResetWaitstd::bad_exception::bad_exception
String ID: cannot lock reader/writer lock
API String ID: 2739960895-3465051855
Opcode ID: dc359fc11c38174b8224d2634e75c0b50ca414a80f47cb31c0377533414e0148
Instruction ID: 7998604c3a9102f2150f04ad27db98e6da05c95a7b9b456042232f93d9de2e1d
Opcode Fuzzy Hash: dc359fc11c38174b8224d2634e75c0b50ca414a80f47cb31c0377533414e0148
Instruction Fuzzy Hash: 52017172310E0492EB21DF2AE8507D97320F798B98F445121EB9D476B5DF79C648C700

Function 000000014000C1F0 Relevance: 7.7, APIs: 5, Instructions: 180COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32 ref: 000000014000C3F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000C451
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000C457
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000C45D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000C463

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$DebugOutputString
String ID:
API String ID: 2094900029-0
Opcode ID: 327c7d7336889510ee4ed1d629614a92e23b16bb5f77fa56660626976aa0b9c2
Instruction ID: b36ed0d8b268d4ba27a55bedf1659f5c9ea122582247bffe9707be164eae009b
Opcode Fuzzy Hash: 327c7d7336889510ee4ed1d629614a92e23b16bb5f77fa56660626976aa0b9c2
Instruction Fuzzy Hash: 66718EB3B20A8486EB01DBBAE4417ED6362F7897D8F105312AF5C17AAADF74D181C340

Function 00000001401461A4 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 000000014014621F
DName::operator+.LIBVCRUNTIME ref: 0000000140146241
DName::DName.LIBVCRUNTIME ref: 0000000140146250
DName::DName.LIBVCRUNTIME ref: 0000000140146287
DName::DName.LIBVCRUNTIME ref: 0000000140146292

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: ba6654f4b376d28a48223d92461b0fc23439baae17d4d7f94e7a49911b44ce06
Instruction ID: 36fe011757a991a2c4ccf27f790faa28e1a33d44b65646c093d83b53312f297a
Opcode Fuzzy Hash: ba6654f4b376d28a48223d92461b0fc23439baae17d4d7f94e7a49911b44ce06
Instruction Fuzzy Hash: 9F416B32311A50A5EB12CB22E890BEC37B4B75CF84F964526DF4A237B5DBB5C919C701

Function 0000000140167C50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000014014C16F,?,?,00000000,000000014014C40A,?,?,?,?,?,000000014014C396), ref: 0000000140167C6F
FlsSetValue.KERNEL32(?,?,?,000000014014C16F,?,?,00000000,000000014014C40A,?,?,?,?,?,000000014014C396), ref: 0000000140167C8E
FlsSetValue.KERNEL32(?,?,?,000000014014C16F,?,?,00000000,000000014014C40A,?,?,?,?,?,000000014014C396), ref: 0000000140167CB6
FlsSetValue.KERNEL32(?,?,?,000000014014C16F,?,?,00000000,000000014014C40A,?,?,?,?,?,000000014014C396), ref: 0000000140167CC7
FlsSetValue.KERNEL32(?,?,?,000000014014C16F,?,?,00000000,000000014014C40A,?,?,?,?,?,000000014014C396), ref: 0000000140167CD8

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 046c2e0dc215b76133a85a9bfc8f09b6f8f8064bdf1d9940554f4cdb3f29d40e
Instruction ID: de56f534fdb3ef53aa8ff706109013e6bf9de45ae4fbd6bc753bffc9c91aef68
Opcode Fuzzy Hash: 046c2e0dc215b76133a85a9bfc8f09b6f8f8064bdf1d9940554f4cdb3f29d40e
Instruction Fuzzy Hash: 30116D7031068143FA9A9B3B9D51BF96552AF8CFB0F544F25AB3E067F6DE38D5418600

Function 0000000140010C70 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 340COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400111AF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400111B5

Strings

UNKNOWN, xrefs: 0000000140010E53
NULL, xrefs: 0000000140010E88

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: NULL$UNKNOWN
API String ID: 3668304517-1702702805
Opcode ID: 6d22b8edb13444eaba12218aef5f33c8faed01fd0078e557a101a74a5c2c6a68
Instruction ID: d988c613f7871877e55e696108978b7194945110669dbe465829733ff935218e
Opcode Fuzzy Hash: 6d22b8edb13444eaba12218aef5f33c8faed01fd0078e557a101a74a5c2c6a68
Instruction Fuzzy Hash: 92E1AAB2700A8492EB05DB66E4843DE73A2F789BC8F404512EF5C5BBAADF79C595C340

Function 0000000140010940 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 216timeCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140010B20
GetLocalTime.KERNEL32 ref: 0000000140010B7F
GetTickCount.KERNEL32 ref: 0000000140010BEF

Strings

NULL, xrefs: 0000000140010970

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CountLocalTickTime_invalid_parameter_noinfo_noreturn
String ID: NULL
API String ID: 2617042107-324932091
Opcode ID: 9eea1394cd220d565c10a6f1157f121d1e714a70e2003470300d37bfc92b9d49
Instruction ID: c772afeb89a265b1c28c664051977f340156a854098f5626edbb3aa3806fab08
Opcode Fuzzy Hash: 9eea1394cd220d565c10a6f1157f121d1e714a70e2003470300d37bfc92b9d49
Instruction Fuzzy Hash: 16819D72618B9485EA11DB66A4407AEB7A0F7C9BD4F504226FFD947BA9DF7CC081CB00

Function 000000014003DAA0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000014003DB1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDE9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003DDEF

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp, xrefs: 000000014003DC6F
mb::common::system::DynamicLibrary::GetFunctionAddress, xrefs: 000000014003DC76
Could not load '%s' function ptr from DLL, %s, xrefs: 000000014003DC50

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AddressProc
String ID: Could not load '%s' function ptr from DLL, %s$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$mb::common::system::DynamicLibrary::GetFunctionAddress
API String ID: 1230731272-4139386056
Opcode ID: 1061a028fe493cee1872c8485793ead55ba370b63807753ca0677535ee79a9db
Instruction ID: 812c2e6998b0f9f352243bede7c63ee51f2c355518dfd79b4ee4fd2b478071d3
Opcode Fuzzy Hash: 1061a028fe493cee1872c8485793ead55ba370b63807753ca0677535ee79a9db
Instruction Fuzzy Hash: 03616EB2B21B8095EB12CB6AE4543DD7361E788BD8F409612EF6C57BA9DF78C185C340

Function 00000001400399A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140039A0A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140039A52
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140039AE2

Strings

bad locale name, xrefs: 0000000140039B05

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 49088ce8b2e5767c4ed8ccdddf3b75674d69078aa35bb5f09a7bac20184de9ea
Instruction ID: 6c7efa32fcf971d34321b93e835ab57b3080dd86c245248caded277330a92e57
Opcode Fuzzy Hash: 49088ce8b2e5767c4ed8ccdddf3b75674d69078aa35bb5f09a7bac20184de9ea
Instruction Fuzzy Hash: 05413633342A8089FB56DFA6E4907ED33A4EB48B88F084525EB4927EB5DE38C525D345

Function 00000001400079D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140007A3A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140007A82
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140007B12

Strings

bad locale name, xrefs: 0000000140007B35

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 5503059cc9a078d1ce4e2c0a60ecb17a4fd153e4c1fd92222cef4641eb8eb0eb
Instruction ID: b203d7cbc7aa485389eff5955ca433a3002ad10fdbab3e9d5be72a3c8ebceffc
Opcode Fuzzy Hash: 5503059cc9a078d1ce4e2c0a60ecb17a4fd153e4c1fd92222cef4641eb8eb0eb
Instruction Fuzzy Hash: 29412A33752A8089FB56DF72E490BED33A4EB49B48F084425EF4927AA5DE38C6259344

Function 0000000140139B30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,00000000,0000000140139E5B), ref: 0000000140139B62
SysAllocString.OLEAUT32 ref: 0000000140139B78
SysFreeString.OLEAUT32 ref: 0000000140139BBE

Strings

\\.\root\SecurityCenter, xrefs: 0000000140139B6C

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: String$AllocCreateFreeInstance
String ID: \\.\root\SecurityCenter
API String ID: 391255401-3879495660
Opcode ID: 477889bc36b94cdf336964be665b76fd8f01a141538cf9a670d5d35525c3f305
Instruction ID: a66105b6de9b8549b41adadc4c78a8f29c57513e5d546d07c5ed463642c00647
Opcode Fuzzy Hash: 477889bc36b94cdf336964be665b76fd8f01a141538cf9a670d5d35525c3f305
Instruction Fuzzy Hash: 82113472608B5482EB11DB26F484B8AB7A5F78CF84F444116EB8943F68DF38D255CB40

Function 000000014003B110 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,00000000,00000001400353F4), ref: 000000014003B130
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003B17E

Strings

*#?[, xrefs: 000000014003BDC9
\\?\, xrefs: 000000014003B7FB

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AttributesFile_invalid_parameter_noinfo_noreturn
String ID: *#?[$\\?\
API String ID: 4085684281-1416793408
Opcode ID: 341ce1fcadb7b34fcd00d92a3e31b855a5d46ba2d74d3b0e543e14f9d589ee5d
Instruction ID: e3826b3e8af972dab3b9d7d7725173b1b0866ba78d9935e9cc4c0fd1a9bb1f99
Opcode Fuzzy Hash: 341ce1fcadb7b34fcd00d92a3e31b855a5d46ba2d74d3b0e543e14f9d589ee5d
Instruction Fuzzy Hash: 79F096B271064491EE13AB6AD45939E6391E78CBE8F404621FB7D077F5DD38C5848300

Function 0000000140019B40 Relevance: 6.3, APIs: 4, Instructions: 275COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140019D6D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140019D79
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140019E5F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140019ECD

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: ea0061aaaca18e862210f63c976e41b390a6599fb10e853f66fac53096f5395a
Instruction ID: be65ef7267e40faa84b5fa134effab412aa6cc79844e511da6459c784097def7
Opcode Fuzzy Hash: ea0061aaaca18e862210f63c976e41b390a6599fb10e853f66fac53096f5395a
Instruction Fuzzy Hash: B6A19EB2714B8485EB21DB2AE44039EA7A1F78DBE4F544612EF9C47BA9DF78C581C700

Function 0000000140035170 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140035220
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400353C0

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: a51d54e093470f5a1b4e2f6b55290b6b802ae337c843becb5acb8b187c56173f
Instruction ID: ea393c662d65376652dcbd7205264fd7189d2d14800c5fbcd9f31c30c11199c5
Opcode Fuzzy Hash: a51d54e093470f5a1b4e2f6b55290b6b802ae337c843becb5acb8b187c56173f
Instruction Fuzzy Hash: 4771EFB2B1068481EE56AB6BE1413EF63A1E78DFD5F444121EF6D0BBF5DA38C5818340

Function 0000000140012AB0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000000140012B21
MultiByteToWideChar.KERNEL32 ref: 0000000140012BF0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140012C7A
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140012C86

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 143101810-0
Opcode ID: b6551e8d1c13d3c25d7ff8937ea8d1eae6de0220b2913642ef14812ec7c8ff84
Instruction ID: 3a847b099823ca26131f19a692db5aed14ca0cda2ad5bef10cbc4d24aa4189ca
Opcode Fuzzy Hash: b6551e8d1c13d3c25d7ff8937ea8d1eae6de0220b2913642ef14812ec7c8ff84
Instruction Fuzzy Hash: F2510472614B8442EA15CF67E44439EB3A1F78DBE4F244225FBAC07BE8DB79C4918740

Function 00000001400128D0 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000014001294A
WideCharToMultiByte.KERNEL32 ref: 0000000140012A18
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140012A98
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140012AA4

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 143101810-0
Opcode ID: 4c3cfe6864c9d7d38577500d1b95826d81f8be3f7532701bbabf940380d9b2e1
Instruction ID: 76633529d9eafcef87484edceb09ffe62ee1534dc96728213f41976dea224908
Opcode Fuzzy Hash: 4c3cfe6864c9d7d38577500d1b95826d81f8be3f7532701bbabf940380d9b2e1
Instruction Fuzzy Hash: 5751D032614B8086EA25CF67E44039EB7A1FB88BE0F544225BBA907BA5DF79D091C740

Function 0000000140148AD0 Relevance: 6.1, APIs: 4, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014014A5F4: Replicator::operator[].LIBVCRUNTIME ref: 000000014014A64E

Part of subcall function 0000000140148618: DName::operator+.LIBVCRUNTIME ref: 00000001401486A9
Part of subcall function 0000000140148618: DName::operator+.LIBVCRUNTIME ref: 00000001401486E2
Part of subcall function 0000000140148618: DName::operator+.LIBVCRUNTIME ref: 0000000140148A0D

DName::operator+.LIBVCRUNTIME ref: 0000000140148B50
DName::operator+.LIBVCRUNTIME ref: 0000000140148B5F
DName::operator+.LIBVCRUNTIME ref: 0000000140148BDC
DName::operator+.LIBVCRUNTIME ref: 0000000140148BEB

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 32701a683d00f4047edd853e6b9576ee3a8e9ec03156c55c1a02d554fbe271af
Instruction ID: 29f59a5a0f8e8bf00a366a705d560d2c53b67c14e32d9f076a576580f3e95b68
Opcode Fuzzy Hash: 32701a683d00f4047edd853e6b9576ee3a8e9ec03156c55c1a02d554fbe271af
Instruction Fuzzy Hash: DC4148B2A00B9099FB02CFA6D8543EC37B0F348B48F598525DF496B7A9DBB8C445C740

Function 000000014013DC3C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014013DC68
GetCurrentThreadId.KERNEL32 ref: 000000014013DC76
GetCurrentProcessId.KERNEL32 ref: 000000014013DC82
QueryPerformanceCounter.KERNEL32 ref: 000000014013DC92

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 2bdd47dfd6c4fb17b1c3a864db2b1a1a1abb014928fcd48528d2ad794ee673df
Instruction ID: 5e8cf9600bcedfe04a0903642396ed8186a91d381a17148e10052b1e61b7b15c
Opcode Fuzzy Hash: 2bdd47dfd6c4fb17b1c3a864db2b1a1a1abb014928fcd48528d2ad794ee673df
Instruction Fuzzy Hash: 6F11F736710F008AEB41CF65E8553A933A4F75DB68F441E25EF6D867A4EFB8D2948340

Function 0000000140009480 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000959A

Strings

string too long, xrefs: 0000000140009464
HKEY_CLASSES_ROOT, xrefs: 0000000140009485

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: HKEY_CLASSES_ROOT$string too long
API String ID: 3668304517-669301083
Opcode ID: 89b3b8a4cb50dc5c4e1928be09276d36fbe45692aa0b69731c297bcec2e37c39
Instruction ID: 99a023ac1a8dad6ea3ba3aa7e648dc9493d144c39321f98eb073844f2c633bf4
Opcode Fuzzy Hash: 89b3b8a4cb50dc5c4e1928be09276d36fbe45692aa0b69731c297bcec2e37c39
Instruction Fuzzy Hash: 5B51BCB2710B8485EA56CF5AE4403ED63A1F789FD8F588622EF5D477A5EB39C192C300

Function 000000014000D890 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140015240: CoInitializeEx.OLE32 ref: 000000014001528B
Part of subcall function 0000000140015240: CoCreateInstance.OLE32 ref: 00000001400152BA
Part of subcall function 0000000140015240: CoUninitialize.OLE32 ref: 0000000140015672

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000DA54
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000DA5A

Strings

Malwarebytes, xrefs: 000000014000D921

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateInitializeInstanceUninitialize
String ID: Malwarebytes
API String ID: 273938800-1399732342
Opcode ID: 6e185ec63b5e80506e589ad6579432b63accc9dba0bc74bac8098311b851cde8
Instruction ID: 2d540a640d5d9a85d61436de65ce4afb88fe29467fc7e8fa20315361429e7535
Opcode Fuzzy Hash: 6e185ec63b5e80506e589ad6579432b63accc9dba0bc74bac8098311b851cde8
Instruction Fuzzy Hash: 78417E72724A8081EA51DB2BF5453ED6761A789BF0F555322FB69077E9CA38C481C700

Function 000000014014699C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00000001401469F6

Strings

%lf, xrefs: 0000000140146A31, 0000000140146A65, 0000000140146A95

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 26d0d7eb62b33114c850b8c470d2869356a3e04c9ccae6a18ccd8aecc8e518e4
Instruction ID: c7edaf5f38504274949752bf9b5b2eb6b73046673dea82f03097cd260d72a1d3
Opcode Fuzzy Hash: 26d0d7eb62b33114c850b8c470d2869356a3e04c9ccae6a18ccd8aecc8e518e4
Instruction Fuzzy Hash: 0B31D171204B8486EB22CB23B8503EA73A0FB5DFC4F558226EF8A677B5DA38C545C740

Function 0000000140008170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140008187
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001400081C6

Part of subcall function 000000014013BE70: _Yarn.LIBCPMT ref: 000000014013BE9E

Strings

bad locale name, xrefs: 00000001400081DA

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
String ID: bad locale name
API String ID: 1838369231-1405518554
Opcode ID: eea2ecb1fbcab68af80ac54c6ec57019c3cc4956c90f059e6f203255c2b815b5
Instruction ID: 557562a38ce3c42ac8dd400b930b8ee48cb69af7c3111a89bd66db26b68c2eb6
Opcode Fuzzy Hash: eea2ecb1fbcab68af80ac54c6ec57019c3cc4956c90f059e6f203255c2b815b5
Instruction Fuzzy Hash: 90118273101B80C9D756DF76B88039933A5FB5CF84F1851249B8C8776AEB34C490C340

Function 0000000140002A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0000000140002A27
std::bad_exception::bad_exception.LIBCMT ref: 0000000140002A6A

Strings

cannot allocate thread context key, xrefs: 0000000140002A4B

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: Allocstd::bad_exception::bad_exception
String ID: cannot allocate thread context key
API String ID: 287486779-1710566765
Opcode ID: 8a419b5cec5fbabe226d8f00ab716875f1def469e240a1042e8fa260f1b4cc27
Instruction ID: 727f44e000f00508497cecc79bae0313f168b1963e06c36c554f12ef8679cbed
Opcode Fuzzy Hash: 8a419b5cec5fbabe226d8f00ab716875f1def469e240a1042e8fa260f1b4cc27
Instruction Fuzzy Hash: 5E016D71620945A2FA22EB36E8857E96320F79D748FD01612E35E835F6DE7CC35ACB00

Function 000000014013F490 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000014013B96E), ref: 000000014013F4E0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000014013B96E), ref: 000000014013F521

Strings

csm, xrefs: 000000014013F50E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: bbf4c8d96c2d1b13b2eb055c5be80afc231ee68d77ba38fb6be477ab8f8d0845
Instruction ID: 623220740b85b1f462730b002427edb6323ddaa5476250331664a54d396c729c
Opcode Fuzzy Hash: bbf4c8d96c2d1b13b2eb055c5be80afc231ee68d77ba38fb6be477ab8f8d0845
Instruction Fuzzy Hash: A7111932215B8092EB228B16E44439A77E5F78CF94F685225EB8D07768DF38C6558B00

Function 0000000140055C70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,00000001400556C1,?,?,?,0000000140055688), ref: 0000000140055C9E

Strings

D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\File_WIN32U.cpp, xrefs: 0000000140055CC9
!_path.empty(), xrefs: 0000000140055CD6

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AttributesFile
String ID: !_path.empty()$D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\File_WIN32U.cpp
API String ID: 3188754299-3037167476
Opcode ID: 894283fa9d00d58927e02be5b7d7a4faa3245e5ab04c4c2ea587933cb224d54c
Instruction ID: f6421971dd98383fa2bb279480063023fa215071a108ea19ab6c79a5d2d13a48
Opcode Fuzzy Hash: 894283fa9d00d58927e02be5b7d7a4faa3245e5ab04c4c2ea587933cb224d54c
Instruction Fuzzy Hash: EDF0E97360060045FB25E726D8A03E81690A71D784F640511D729875F0DF3ACACAC301

Function 0000000140055C10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00000001400556C1,?,?,?,0000000140055688), ref: 0000000140055C2E

Strings

D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\File_WIN32U.cpp, xrefs: 0000000140055C51
!_path.empty(), xrefs: 0000000140055C5E

Memory Dump Source

Source File: 00000000.00000002.3387760348.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3387748638.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387846978.0000000140193000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387910053.000000014024D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387921683.000000014024E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387932973.000000014024F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387944360.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387956329.0000000140258000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014025A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.0000000140270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3387981533.000000014027E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_sGfciyumij.jbxd

Similarity

API ID: AttributesFile
String ID: !_path.empty()$D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\File_WIN32U.cpp
API String ID: 3188754299-3037167476
Opcode ID: 8c8d8a6ddb9321c10c85db20912533d3d5159feabeddeee5cb6a6ad149b972a3
Instruction ID: b1fe4f926ec61f6afbf768ef6877448f59e8084cf699c84078ed8c021526a2fe
Opcode Fuzzy Hash: 8c8d8a6ddb9321c10c85db20912533d3d5159feabeddeee5cb6a6ad149b972a3
Instruction Fuzzy Hash: FAF0A777A1090481FE2AE726D4A47E81690E769B85F640511D72A475F1FF36CB86C300

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sGfciyumij.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
sGfciyumij.exe

Function 0000000140001D40 Relevance: 54.8, APIs: 10, Strings: 21, Instructions: 528
COMMON

Function 0000000140033958 Relevance: 38.6, APIs: 2, Strings: 20, Instructions: 93
nativememoryCOMMON

Function 000000014000D2F0 Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 361
memoryCOMMON

Function 0000000140014BA0 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 364
registryCOMMON

Function 000000014000A9F8 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 231
COMMON

Function 02004D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Function 0000000140046A30 Relevance: 9.2, APIs: 6, Instructions: 247
COMMON

Function 000000014000DA60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 185
registryCOMMON

Function 01FFF3A0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 215
processthreadCOMMON

Function 00000001400147C0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69
registrylibraryloaderCOMMON

Function 000000014016CAC4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Function 00000001400560C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
synchronizationCOMMON

Function 01FE7830 Relevance: 6.3, APIs: 4, Instructions: 340
networkCOMMON

Function 000000014000A960 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148
COMMON

Function 00000001400520C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
networkCOMMON