Edit tour

Windows Analysis Report
49GqFpn1V8.exe

Overview

General Information

Sample name:	49GqFpn1V8.exe renamed because original name is a hash value
Original sample name:	e7cb46c59bd25d286e55ea5d61aef64e5ed103ed375250485071cd56ccb884a3.exe
Analysis ID:	1509588
MD5:	fce92b546ef981e56e070b8d419da291
SHA1:	f736163e9d6539302cf7f81a78cd5fd019efb5ce
SHA256:	e7cb46c59bd25d286e55ea5d61aef64e5ed103ed375250485071cd56ccb884a3
Tags:	62-192-173-45exe
Infos:

Detection

BruteRatel

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected BruteRatel

AI detected suspicious sample

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to debug other processes

Contains functionality to delete services

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

49GqFpn1V8.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\49GqFpn1V8.exe" MD5: FCE92B546EF981E56E070B8D419DA291)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel is a a Customized Command and Control Center for Red Team and Adversary SimulationSMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.Built-in debugger to detect EDR userland hooks.Ability to keep memory artifacts hidden from EDRs and AV.Direct Windows SYS calls on the fly.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 49GqFpn1V8.exe PID: 5912	JoeSecurity_BruteRatel_2	Yara detected BruteRatel	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00457650 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	0_2_00457650
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04239DFC CryptStringToBinaryA,CryptStringToBinaryA,	0_2_04239DFC
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04228FD8 CryptImportKey,	0_2_04228FD8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042290A4 CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptImportKey,CryptImportKey,CryptDestroyKey,	0_2_042290A4
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042248B0 CryptAcquireContextW,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	0_2_042248B0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04229884 CryptGetProvParam,	0_2_04229884
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042298E0 CryptGetProvParam,CryptGetProvParam,	0_2_042298E0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0423C128 CryptBinaryToStringW,CryptBinaryToStringW,GetLastError,	0_2_0423C128
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0423C1C4 CryptBinaryToStringA,CryptBinaryToStringA,GetLastError,	0_2_0423C1C4
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0422A368 CryptReleaseContext,CryptAcquireContextA,	0_2_0422A368
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04229344 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_04229344

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0422C4A0 MD5Init,MD5Update,MD5Update,MD5Final,

0_2_0422C4A0

Source: 49GqFpn1V8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: C:\BUILD\work\e0dd96435fde7cb0\BUILDS\Release\x86\avDump.pdb source: 49GqFpn1V8.exe

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0048F710 FindFirstFileExW,		0_2_0048F710
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042410D0 FindFirstFileW,FindFirstFileW,CreateFileW,GetFileTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,GetLastError,CreateFileW,GetFileTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,GetLastError,FindNextFileW,FindClose,GetLastError,		0_2_042410D0

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_04226008 InternetOpenW,InternetConnectW,HttpOpenRequestW,InternetSetOptionW,HttpSendRequestA,HttpAddRequestHeadersW,InternetQueryDataAvailable,InternetReadFile,RtlReAllocateHeap,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_04226008

Source: global traffic

DNS traffic detected: DNS query: weblineinfo.com

Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.00000000026B1000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/5-40f1-ac21-573d1d5ce43f
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/B
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/P
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000002.3441200504.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000266A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000002.3441200504.000000000266B000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues)
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues8
Source: 49GqFpn1V8.exe, 00000000.00000002.3441200504.000000000266B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesf;
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValueshqos.dll.mui

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 61818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61818
Source: unknown	Network traffic detected: HTTP traffic on port 61822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61822

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04228FD8 CryptImportKey,		0_2_04228FD8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042290A4 CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptImportKey,CryptImportKey,CryptDestroyKey,		0_2_042290A4

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_3_041DA070 NtProtectVirtualMemory,	0_3_041DA070
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_3_041D9FD0 NtAllocateVirtualMemory,	0_3_041D9FD0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00477A51 NtAllocateVirtualMemory,NtProtectVirtualMemory,	0_2_00477A51
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00402400 GetFileAttributesW,CreateFileW,NtSystemDebugControl,CloseHandle,GetLastError,DeleteFileW,	0_2_00402400
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004565F0 NtOpenKey,std::bad_exception::bad_exception,	0_2_004565F0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00456710 NtQueryKey,	0_2_00456710
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004567C0 RegCloseKey,SetLastError,NtDeleteKey,NtClose,RegCloseKey,SetLastError,	0_2_004567C0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00477BC6 NtAllocateVirtualMemory,	0_2_00477BC6
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00477CCE NtProtectVirtualMemory,	0_2_00477CCE
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253CC8 NtQueueApcThread,	0_2_04253CC8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253EAC NtReadVirtualMemory,	0_2_04253EAC
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252EF4 NtCreateThreadEx,	0_2_04252EF4
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253F70 NtResumeThread,	0_2_04253F70
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253FF0 NtSetContextThread,	0_2_04253FF0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0425382C NtProtectVirtualMemory,	0_2_0425382C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253170 NtDuplicateObject,	0_2_04253170
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042541A4 NtSuspendThread,	0_2_042541A4
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04254224 NtTerminateThread,	0_2_04254224
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042532F8 NtFreeVirtualMemory,	0_2_042532F8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252B7C NtClose,	0_2_04252B7C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042533A8 NtGetContextThread,	0_2_042533A8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253428 NtMapViewOfSection,	0_2_04253428
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252CB8 NtCreateFile,	0_2_04252CB8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04222C94 NtCreateSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,	0_2_04222C94
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0425355C NtOpenFile,	0_2_0425355C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253D8C NtReadFile,	0_2_04253D8C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253638 NtOpenProcess,	0_2_04253638
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252E00 NtCreateSection,	0_2_04252E00
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042536E8 NtOpenProcessToken,	0_2_042536E8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0425377C NtOpenThread,	0_2_0425377C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0425303C NtCreateTransaction,	0_2_0425303C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04254070 NtSetEvent,	0_2_04254070
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042538F0 NtQueryInformationFile,	0_2_042538F0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042540F0 NtSignalAndWaitForSingleObject,	0_2_042540F0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042241A8 CreateRemoteThread,RtlCreateUserThread,NtCreateThreadEx,QueueUserAPC,GetLastError,NtQueueApcThread,RtlRemoteCall,ResumeThread,NtResumeThread,NtAlertResumeThread,	0_2_042241A8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042539B4 NtQueryInformationProcess,	0_2_042539B4
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042229EC NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,	0_2_042229EC
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252A20 NtAlertResumeThread,	0_2_04252A20
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253264 NtFlushInstructionCache,	0_2_04253264
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253A78 NtQueryInformationThread,	0_2_04253A78
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042542A4 NtWriteVirtualMemory,	0_2_042542A4
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252AA0 NtAllocateVirtualMemory,	0_2_04252AA0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04245AB8 RtlSetCurrentTransaction,RtlInitUnicodeString,RtlSetCurrentTransaction,NtClose,GetFileSizeEx,NtClose,NtClose,NtClose,WaitForSingleObject,ReleaseMutex,WaitForSingleObject,ReleaseMutex,GetLastError,WaitForSingleObject,ReleaseMutex,NtClose,NtClose,NtClose,NtClose,	0_2_04245AB8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253B3C NtQuerySystemInformation,	0_2_04253B3C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252BEC NtCreateEvent,	0_2_04252BEC
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04253BEC NtQueryVirtualMemory,	0_2_04253BEC

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_00415300: OpenProcess,K32GetProcessImageFileNameW,CloseHandle,DebugActiveProcess,DebugSetProcessKillOnExit,WaitForDebugEvent,SetEvent,CreateFileW,GetLastError,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,OpenProcess,DebugBreakProcess,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,ContinueDebugEvent,CloseHandle,OpenProcess,ReadProcessMemory,CloseHandle,OpenThread,SetThreadToken,CloseHandle,OpenThread,GetThreadContext,DebugSetProcessKillOnExit,GetThreadContext,GetSystemTimeAsFileTime,GetFileAttributesExW,CloseHandle,CreateFileW,GetLastError,DebugActiveProcessStop,DeviceIoControl,GetLastError,CloseHandle,DebugActiveProcessStop,GetLastError,GetLastError,

0_2_00415300

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0042E8B0 QueryServiceConfig2W,ChangeServiceConfig2W,GetLastError,SetDllDirectoryW,GetModuleHandleW,GetProcAddress,GetFileAttributesW,StartServiceCtrlDispatcherW,GetLastError,OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,SetConsoleCtrlHandler,WaitForSingleObject,RpcServerUnregisterIf,RpcServerUnregisterIf,RpcServerUnregisterIf,OpenSCManagerW,GetModuleFileNameW,CreateServiceW,OpenServiceW,QueryServiceConfig2W,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,CloseServiceHandle,ChangeServiceConfigW,OpenSCManagerW,OpenServiceW,ControlService,GetLastError,CloseServiceHandle,GetLastError,GetLastError,RegCloseKey,SetLastError,CloseServiceHandle,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,

0_2_0042E8B0

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0424A4C4 CreateProcessWithLogonW,GetLastError,

0_2_0424A4C4

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00414000	0_2_00414000
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00483033	0_2_00483033
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0042B150	0_2_0042B150
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0046F160	0_2_0046F160
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00409250	0_2_00409250
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00408260	0_2_00408260
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0040D2E0	0_2_0040D2E0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004062F0	0_2_004062F0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00410350	0_2_00410350
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00415300	0_2_00415300
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0040F3E0	0_2_0040F3E0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004184F0	0_2_004184F0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004954FF	0_2_004954FF
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00451480	0_2_00451480
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00468560	0_2_00468560
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004015B0	0_2_004015B0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00435630	0_2_00435630
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0046D6C0	0_2_0046D6C0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0044F6D0	0_2_0044F6D0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004076B0	0_2_004076B0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004806B5	0_2_004806B5
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0040C820	0_2_0040C820
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00408890	0_2_00408890
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0046B8A0	0_2_0046B8A0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0042E8B0	0_2_0042E8B0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00423980	0_2_00423980
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0048B9AC	0_2_0048B9AC
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00480A43	0_2_00480A43
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00434A30	0_2_00434A30
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00440B20	0_2_00440B20
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00410BB0	0_2_00410BB0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0041CBB0	0_2_0041CBB0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00473C40	0_2_00473C40
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00459C70	0_2_00459C70
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0040DC30	0_2_0040DC30
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00468CC0	0_2_00468CC0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00436CF0	0_2_00436CF0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00476C93	0_2_00476C93
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0040CCA0	0_2_0040CCA0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00464D50	0_2_00464D50
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0040BD10	0_2_0040BD10
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00491E40	0_2_00491E40
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00406E60	0_2_00406E60
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0048CEA4	0_2_0048CEA4
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00484FE0	0_2_00484FE0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04221300	0_2_04221300

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: String function: 00413D00 appears 60 times
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: String function: 004729C0 appears 48 times

Source: 49GqFpn1V8.exe

Binary or memory string: OriginalFilenameavDump.exe* vs 49GqFpn1V8.exe

Source: 49GqFpn1V8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 49GqFpn1V8.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: 49GqFpn1V8.exe

Binary string: DUnable to retrieve the path of the module!Unable to get the path of the module!Unable to store the path of the module!SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersUnable to retrieve a path of the known folder ({})!Common AppData%APPDATA%%LOCALAPPDATA%ProgramFilesProgramFiles(x86)ProgramFilesDirSOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDir (x86)CommonProgramFilesCommonProgramFiles(x86)CommonFilesDirCommonFilesDir (x86)\\?\Unable to enumerate volumes!Unable to convert NT path '{}' to a volume GUID path!Unable to retrieve volume paths for volume '{}'!\Device\LanmanRedirector\\Device\Mup\\SystemRoot\\\.\GLOBALROOTString environment expansion failedString environment expansion failed due to unexpected buffer sizeCannot open registry keyCannot create registry keyUnable to open registry key handle using NtOpenKeyCannot query kernel mode registry key pathCannot delete registry keyCannot delete registry key treeCannot delete registry valueCannot write key valueCannot query registry valueCannot query registry value sizeCannot query registry value dataCannot query registry data due to value changed too oftenbad variant access

Source: classification engine

Classification label: mal52.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0423781C LookupPrivilegeValueA,AdjustTokenPrivileges,LookupPrivilegeValueA,PrivilegeCheck,GetLastError,

0_2_0423781C

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_00457650 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

0_2_00457650

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: QueryServiceConfig2W,ChangeServiceConfig2W,GetLastError,SetDllDirectoryW,GetModuleHandleW,GetProcAddress,GetFileAttributesW,StartServiceCtrlDispatcherW,GetLastError,OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,SetConsoleCtrlHandler,WaitForSingleObject,RpcServerUnregisterIf,RpcServerUnregisterIf,RpcServerUnregisterIf,OpenSCManagerW,GetModuleFileNameW,CreateServiceW,OpenServiceW,QueryServiceConfig2W,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,CloseServiceHandle,ChangeServiceConfigW,OpenSCManagerW,OpenServiceW,ControlService,GetLastError,CloseServiceHandle,GetLastError,GetLastError,RegCloseKey,SetLastError,CloseServiceHandle,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,	0_2_0042E8B0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: CreateFileA,WriteFile,GetLastError,OpenSCManagerA,GetLastError,CreateServiceW,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,	0_2_04246CE0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: OpenSCManagerA,GetLastError,CreateServiceW,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,	0_2_0424B18C

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0423D5C8 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,Thread32Next,

0_2_0423D5C8

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0043B1C0 OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError,

0_2_0043B1C0

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

0_2_0042E8B0

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Mutant created: NULL

Source: 49GqFpn1V8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 49GqFpn1V8.exe

Static file information: File size 1321984 > 1048576

Source: 49GqFpn1V8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 49GqFpn1V8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 49GqFpn1V8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 49GqFpn1V8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 49GqFpn1V8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 49GqFpn1V8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 49GqFpn1V8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\BUILD\work\e0dd96435fde7cb0\BUILDS\Release\x86\avDump.pdb source: 49GqFpn1V8.exe

Source: 49GqFpn1V8.exe

Static PE information: real checksum: 0x1130ee should be: 0x14da41

Source: 49GqFpn1V8.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00472782 push ecx; ret	0_2_00472795
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04226448 push eax; mov dword ptr [esp], 00000000h	0_2_042265C0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0423567C push ecx; mov dword ptr [esp], eax	0_2_04235773
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04249C4C push edx; mov dword ptr [esp], eax	0_2_0424A388
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04232C58 push edx; mov dword ptr [esp], eax	0_2_0423308E
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04235CE4 push ecx; mov dword ptr [esp], eax	0_2_04235E85
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0424C528 push eax; mov dword ptr [esp], edi	0_2_0424C73D
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04243D68 push eax; mov dword ptr [esp], edi	0_2_04244255
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0422956C push ecx; mov dword ptr [esp], edi	0_2_0422986C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04244DEC push edi; mov dword ptr [esp], ebx	0_2_0424502A
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04244DEC push ecx; mov dword ptr [esp], eax	0_2_042451F0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042476A8 push eax; mov dword ptr [esp], 0425AE5Ch	0_2_042476CF
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042476A8 push edx; mov dword ptr [esp], esi	0_2_042476EA
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042366AC push eax; mov dword ptr [esp], ebx	0_2_042369DD
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04239EB4 push ecx; mov dword ptr [esp], eax	0_2_0423A26B
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04239EB4 push eax; mov dword ptr [esp], esi	0_2_0423A29E
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0422175C push edx; mov dword ptr [esp], edi	0_2_04221848
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0424F78C push edx; mov dword ptr [esp], eax	0_2_0424F833
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0422C07C push esi; mov dword ptr [esp], ebx	0_2_0422C312
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042520BF push esi; mov dword ptr [esp], eax	0_2_04251FFD
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042520BF push edi; mov dword ptr [esp], eax	0_2_042522D5
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04249904 push eax; mov dword ptr [esp], 00000000h	0_2_04249AF1
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252145 push esi; mov dword ptr [esp], eax	0_2_04251FFD
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04252145 push edi; mov dword ptr [esp], eax	0_2_042522D5
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042521B6 push esi; mov dword ptr [esp], eax	0_2_04251FFD
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042521B6 push edi; mov dword ptr [esp], eax	0_2_042522D5
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0425219E push esi; mov dword ptr [esp], eax	0_2_04251FFD
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0425219E push edi; mov dword ptr [esp], eax	0_2_042522D5
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0423C9D4 push eax; mov dword ptr [esp], esi	0_2_0423CE16
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0424F1DC push ecx; mov dword ptr [esp], eax	0_2_0424F5EF
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0424F1DC push ebx; mov dword ptr [esp], esi	0_2_0424F702

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

0_2_0042E8B0

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_00457650 rdtsc

0_2_00457650

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0423D5C8 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,Thread32Next,

0_2_0423D5C8

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: OpenSCManagerA,EnumServicesStatusW,EnumServicesStatusW,GetLastError,CloseServiceHandle,

0_2_0424BF88

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetCurrentProcessId,GetModuleFileNameW,GetNativeSystemInfo,RtlGetVersion,GetCurrentThreadId,GetAdaptersInfo,GetAdaptersInfo,		0_2_042433A0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetAdaptersInfo,GetIpForwardTable,GetLastError,GetAdaptersInfo,GetIpForwardTable,inet_ntoa,inet_ntoa,inet_ntoa,		0_2_04248E90

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-69403

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

API coverage: 5.0 %

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0048F710 FindFirstFileExW,		0_2_0048F710
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042410D0 FindFirstFileW,FindFirstFileW,CreateFileW,GetFileTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,GetLastError,CreateFileW,GetFileTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,GetLastError,FindNextFileW,FindClose,GetLastError,		0_2_042410D0

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0045A3EE VirtualQuery,GetSystemInfo,

0_2_0045A3EE

Source: 49GqFpn1V8.exe, 00000000.00000002.3441200504.0000000002638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: 49GqFpn1V8.exe, 00000000.00000003.3179005554.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_00457650 rdtsc

0_2_00457650

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0422B7E8 LdrGetProcedureAddress,

0_2_0422B7E8

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0047D0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0047D0A3

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0423D5C8 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,Thread32Next,

0_2_0423D5C8

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_00415300 OpenProcess,K32GetProcessImageFileNameW,CloseHandle,DebugActiveProcess,DebugSetProcessKillOnExit,WaitForDebugEvent,SetEvent,CreateFileW,GetLastError,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,OpenProcess,DebugBreakProcess,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,ContinueDebugEvent,CloseHandle,OpenProcess,ReadProcessMemory,CloseHandle,OpenThread,SetThreadToken,CloseHandle,OpenThread,GetThreadContext,DebugSetProcessKillOnExit,GetThreadContext,GetSystemTimeAsFileTime,GetFileAttributesExW,CloseHandle,CreateFileW,GetLastError,DebugActiveProcessStop,DeviceIoControl,GetLastError,CloseHandle,DebugActiveProcessStop,GetLastError,GetLastError,

0_2_00415300

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_3_041D8C42 mov edx, dword ptr fs:[00000030h]	0_3_041D8C42
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_3_041D9170 mov eax, dword ptr fs:[00000030h]	0_3_041D9170
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_3_041D9070 mov eax, dword ptr fs:[00000030h]	0_3_041D9070
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00478023 mov eax, dword ptr fs:[00000030h]	0_2_00478023
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0048DD5A mov eax, dword ptr fs:[00000030h]	0_2_0048DD5A
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0048DD16 mov eax, dword ptr fs:[00000030h]	0_2_0048DD16
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_00488D22 mov ecx, dword ptr fs:[00000030h]	0_2_00488D22
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0422B8C8 mov eax, dword ptr fs:[00000030h]	0_2_0422B8C8
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0422BA04 mov eax, dword ptr fs:[00000030h]	0_2_0422BA04
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04236A70 mov eax, dword ptr fs:[00000030h]	0_2_04236A70

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_00457C80 GetModuleHandleW,GetClassInfoExW,GetLastError,Sleep,GetProcessHeap,asw_process_storage_allocate_connector,HeapAlloc,asw_process_storage_allocate_connector,InitializeCriticalSection,GetProcessHeap,GetProcessHeap,RegisterClassExW,asw_process_storage_deallocate_connector,HeapFree,asw_process_storage_deallocate_connector,DeleteCriticalSection,GetProcessHeap,asw_process_storage_deallocate_connector,HeapFree,asw_process_storage_deallocate_connector,GetLastError,GetLastError,

0_2_00457C80

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0047D0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0047D0A3
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004722A1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004722A1
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_004724B9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004724B9
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0423567C RtlAddVectoredExceptionHandler,LoadLibraryExA,LoadLibraryA,TpAllocWork,TpPostWork,TpReleaseWork,WaitForSingleObject,RtlRemoveVectoredExceptionHandler,	0_2_0423567C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_04242B0C WaitForSingleObject,ReleaseMutex,RtlAddVectoredExceptionHandler,WaitForSingleObject,CancelSynchronousIo,WaitForSingleObject,RtlRemoveVectoredExceptionHandler,WaitForSingleObject,ReleaseMutex,	0_2_04242B0C
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0423AB18 RtlAddVectoredExceptionHandler,swprintf_s,RtlRemoveVectoredExceptionHandler,	0_2_0423AB18

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_04242788 WaitForSingleObject,LogonUserW,ImpersonateLoggedOnUser,GetLastError,ReleaseMutex,

0_2_04242788

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_00471E77 cpuid

0_2_00471E77

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_0049238F
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: EnumSystemLocalesW,	0_2_0048D4FD
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: EnumSystemLocalesW,	0_2_00492637
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: EnumSystemLocalesW,	0_2_00492682
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: EnumSystemLocalesW,	0_2_0049271D
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_004927B0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetLocaleInfoW,	0_2_0048DA44
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetLocaleInfoW,	0_2_00492A10
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00492B39
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetLocaleInfoW,	0_2_00492C3F
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00492D0E
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_0045DDFD

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_0045E1B5 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_0045E1B5

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

Code function: 0_2_042433A0 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetCurrentProcessId,GetModuleFileNameW,GetNativeSystemInfo,RtlGetVersion,GetCurrentThreadId,GetAdaptersInfo,GetAdaptersInfo,

0_2_042433A0

Source: C:\Users\user\Desktop\49GqFpn1V8.exe

0_2_042433A0

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match

File source: Process Memory Space: 49GqFpn1V8.exe PID: 5912, type: MEMORYSTR

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match

File source: Process Memory Space: 49GqFpn1V8.exe PID: 5912, type: MEMORYSTR

Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0043B090 I_RpcBindingInqLocalClientPID,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	0_2_0043B090
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0042E8B0 QueryServiceConfig2W,ChangeServiceConfig2W,GetLastError,SetDllDirectoryW,GetModuleHandleW,GetProcAddress,GetFileAttributesW,StartServiceCtrlDispatcherW,GetLastError,OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,SetConsoleCtrlHandler,WaitForSingleObject,RpcServerUnregisterIf,RpcServerUnregisterIf,RpcServerUnregisterIf,OpenSCManagerW,GetModuleFileNameW,CreateServiceW,OpenServiceW,QueryServiceConfig2W,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,CloseServiceHandle,ChangeServiceConfigW,OpenSCManagerW,OpenServiceW,ControlService,GetLastError,CloseServiceHandle,GetLastError,GetLastError,RegCloseKey,SetLastError,CloseServiceHandle,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,	0_2_0042E8B0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0043AF40 I_RpcBindingInqLocalClientPID,	0_2_0043AF40
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_042495A0 socket,inet_addr,htons,bind,listen,closesocket,WaitForSingleObject,accept,RtlExitUserThread,	0_2_042495A0
Source: C:\Users\user\Desktop\49GqFpn1V8.exe	Code function: 0_2_0424F1DC WaitForSingleObject,ReleaseMutex,WaitForSingleObject,ReleaseMutex,getaddrinfo,GetLastError,socket,GetLastError,bind,listen,accept,GetLastError,closesocket,inet_ntoa,WaitForSingleObject,ReleaseMutex,FreeAddrInfoW,shutdown,closesocket,closesocket,WaitForSingleObject,ReleaseMutex,	0_2_0424F1DC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Service Execution	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	14 Windows Service	21 Access Token Manipulation	21 Access Token Manipulation	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	14 Windows Service	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Image File Execution Options Injection	1 DLL Side-Loading	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Image File Execution Options Injection	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	25 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
49GqFpn1V8.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://weblineinfo.com/B	0%	Avira URL Cloud	safe
https://weblineinfo.com/	0%	Avira URL Cloud	safe
https://weblineinfo.com/5-40f1-ac21-573d1d5ce43f	0%	Avira URL Cloud	safe
https://weblineinfo.com/P	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
weblineinfo.com	62.192.173.45	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://weblineinfo.com/P	49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/B	49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.2548031192.000000000267A000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/	49GqFpn1V8.exe, 00000000.00000002.3441263884.00000000026B1000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/5-40f1-ac21-573d1d5ce43f	49GqFpn1V8.exe, 00000000.00000002.3441263884.000000000267F000.00000004.00000020.00020000.00000000.sdmp, 49GqFpn1V8.exe, 00000000.00000003.3179005554.000000000267D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.192.173.45	weblineinfo.com	Lithuania		25780	HUGESERVER-NETWORKSUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1509588
Start date and time:	2024-09-11 20:21:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	49GqFpn1V8.exe renamed because original name is a hash value
Original Sample Name:	e7cb46c59bd25d286e55ea5d61aef64e5ed103ed375250485071cd56ccb884a3.exe
Detection:	MAL
Classification:	mal52.troj.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 49GqFpn1V8.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
62.192.173.45	10kmr9d7.dll	Get hash	malicious	Unknown	Browse
62.192.173.45	10kmr9d7.dll	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
weblineinfo.com	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
weblineinfo.com	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUGESERVER-NETWORKSUS	sbuvJk8Zn8.exe	Get hash	malicious	XenoRAT	Browse	2.58.85.196
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
	10kmr9d7.dll	Get hash	malicious	Unknown	Browse	62.192.173.45
	mirai.spc.elf	Get hash	malicious	Mirai	Browse	171.22.79.159
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	2.58.84.229
	https://denizfirsatgsmtektikbuo.xyz/	Get hash	malicious	HTMLPhisher	Browse	2.58.85.5
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	107.161.53.91
	lKXAJFq3ih.exe	Get hash	malicious	AsyncRAT	Browse	2.58.85.145
	peign94sXb.elf	Get hash	malicious	Unknown	Browse	171.22.79.111
	jSlv5GLHad.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	185.133.35.50

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.07704702699029
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	49GqFpn1V8.exe
File size:	1'321'984 bytes
MD5:	fce92b546ef981e56e070b8d419da291
SHA1:	f736163e9d6539302cf7f81a78cd5fd019efb5ce
SHA256:	e7cb46c59bd25d286e55ea5d61aef64e5ed103ed375250485071cd56ccb884a3
SHA512:	112e4655b619b891c862150725d902da0611cb81b379bbf631259336a9e6860957d80d86f28749838828c6eb68e779fed29c27694cf5926ebd7320f20d17ca6d
SSDEEP:	24576:15fvrZFtYuBY9VEFn5qSh0lhSMXl0yJkdV4Km2Dtm3v2B5:xvhWVKn5qPvJIV4P+4vw
TLSH:	2655BF207546C072E45202F15E29EBBA963DFA315BB306CF63D45A3E9D242C22F37A57
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........U3u.4]&.4]&.4]&IF^'.4]&IFX',4]&IFY'.4]&...&.4]&..Y'.4]&..^'.4]&C@X'.4]&..X'.4]&.L.&.4]&.4]&.4]&IF\'.4]&.4\&.5]&..T'.4]&..]'.4]

File Icon


Icon Hash:	cc8d0d191e1e107c

Static PE Info

General

Entrypoint:	0x4590d0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	GUARD_CF
Time Stamp:	0x65BBAFE7 [Thu Feb 1 14:51:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8df706b74441c0b8af906390f7c80b82

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F50B8B66AC7h
jmp 00007F50B8B4D24Bh
int3
int3
int3
int3
int3
int3
push esi
push edi
push 004D47E0h
mov edi, ecx
call 00007F50B8B4E2F7h
lea esi, dword ptr [edi+14h]
mov dword ptr [edi], 004D485Ch
xorps xmm0, xmm0
movq qword ptr [esi], xmm0
push esi
mov dword ptr [esi+04h], 00000000h
call 00007F50B8B504A8h
push esi
call 00007F50B8B504B1h
add esp, 08h
mov eax, edi
pop edi
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push FFFFFFFFh
push 0049FA50h
mov eax, dword ptr fs:[00000000h]
push eax
sub esp, 20h
push ebx
push esi
push edi
mov eax, dword ptr [004E6140h]
xor eax, ebp
push eax
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-10h], esp
mov dword ptr [ebp-04h], 00000000h
mov edi, dword ptr [ecx+24h]
test edi, edi
je 00007F50B8B4D491h
mov eax, dword ptr [edi]
mov esi, dword ptr [eax+08h]
mov ecx, esi
call dword ptr [004A3338h]
mov ecx, edi
call esi
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
ret
mov eax, 00459182h
ret
mov eax, 0045916Ah
ret
call 00007F50B8B4F5B2h
lea ecx, dword ptr [ebp-2Ch]
mov dword ptr [ebp-10h], esp
mov byte ptr [ebp-04h], 00000002h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xe4370	0xe4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x148000	0xa0	.reloc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xef000	0x4fa90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x108448	0x2978	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13f000	0x8a6c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd4b30	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd4bc0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc3ff0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa3000	0x338	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xe4134	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa1aca	0xa1c00	b8ed0d689c8dce59fb9c748365307d93	False	0.4761202545401855	data	6.57540696589682	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa3000	0x42816	0x42a00	a0ef3dc0196d798dfc7239313536be25	False	0.39479508677298314	data	5.918301265257993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0xe6000	0x77c4	0x5200	a82e2d973c60c5f56cf07078511dc926	False	0.15744092987804878	DOS executable (block device driver)	4.771186847893238	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0xee000	0x28	0x200	9583e9156e6fb8c2e6048c71d56857b9	False	0.072265625	data	0.43720409275959127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xef000	0x4fa90	0x4fc00	996a9ac47fc9123096eeaf157c70c98a	False	0.9487840419278997	data	7.916843748420818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13f000	0x90dd	0x9200	4433cc0d245fdac1e40eeb3b89e52cdb	False	0.6458154965753424	data	6.523522205754765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xef328	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.3108108108108108
RT_ICON	0xef450	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.8648843930635838
RT_ICON	0xef9b8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.25806451612903225
RT_ICON	0xefca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7454873646209387
RT_ICON	0xf0548	0xb6d0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.999423076923077
RT_ICON	0xfbc18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7659574468085106
RT_ICON	0xfc080	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7971311475409836
RT_ICON	0xfca08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7448405253283302
RT_ICON	0xfdab0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6373443983402489
RT_ICON	0x100058	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5634152102031176
RT_GROUP_ICON	0x104280	0x92	data	English	United States	0.6917808219178082
RT_VERSION	0x104314	0x374	data	English	United States	0.4592760180995475
RT_ANICURSOR	0x104688	0x3a110	data			0.998116380760175
RT_MANIFEST	0x13e798	0x2f6	XML 1.0 document, ASCII text, with very long lines (719)	English	United States	0.5158311345646438

Imports

DLL	Import
RPCRT4.dll	RpcServerUseProtseqEpW, NdrClientCall2, RpcStringFreeW, RpcServerUnregisterIf, I_RpcBindingInqLocalClientPID, NdrServerCall2, RpcServerRegisterIfEx, RpcBindingFromStringBindingW, RpcStringBindingComposeW
SHELL32.dll	SHGetFolderPathW
ntdll.dll	VerSetConditionMask, NtSystemDebugControl, RtlNtStatusToDosError, NtClose, NtQueryKey, NtDeleteKey, NtOpenKey, RtlUnwind
KERNEL32.dll	SetLastError, GetModuleHandleExW, GetCurrentThreadId, Sleep, LocalFree, SetFilePointerEx, UnlockFileEx, LockFileEx, GetFileSizeEx, ReadFile, CompareStringW, GetCurrentThread, WriteFile, InitializeCriticalSectionEx, FlushFileBuffers, GetFileInformationByHandle, GetFullPathNameW, OutputDebugStringA, FileTimeToSystemTime, GetCurrentProcessId, TlsAlloc, TlsGetValue, TlsSetValue, FreeLibrary, GetSystemInfo, QueryPerformanceFrequency, QueryPerformanceCounter, ExpandEnvironmentStringsW, GetFileAttributesW, LoadLibraryExW, GetWindowsDirectoryW, GetSystemDirectoryW, HeapFree, VirtualProtect, HeapReAlloc, GlobalMemoryStatusEx, GetExitCodeThread, TlsFree, MoveFileExW, FindClose, CreateDirectoryW, FindFirstFileExW, FindNextFileW, QueryDosDeviceW, WriteConsoleW, SetFileInformationByHandle, GetDiskFreeSpaceExW, K32GetMappedFileNameW, FindFirstVolumeW, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, VirtualQuery, GetSystemTimes, GetTickCount64, RaiseException, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetCPInfo, GetProcessHeap, HeapAlloc, GetModuleFileNameW, SetConsoleCtrlHandler, SetDllDirectoryW, WaitForSingleObject, GetProcessId, GetNamedPipeServerProcessId, GetFileTime, MultiByteToWideChar, ContinueDebugEvent, DebugActiveProcessStop, GetFileAttributesExW, GetSystemTimeAsFileTime, ReadProcessMemory, OpenThread, DebugBreakProcess, SetEvent, WaitForDebugEvent, DebugSetProcessKillOnExit, DebugActiveProcess, WideCharToMultiByte, VirtualQueryEx, GetThreadContext, K32GetProcessImageFileNameW, K32GetModuleBaseNameW, K32EnumProcessModules, WaitForMultipleObjects, CreateEventW, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, DeleteFileW, VerifyVersionInfoW, K32GetPerformanceInfo, DeviceIoControl, CreateFileW, GetLastError, CloseHandle, OpenProcess, GetProcAddress, GetModuleHandleW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, InterlockedPushEntrySList, InitializeCriticalSectionAndSpinCount, CreateThread, ExitThread, FreeLibraryAndExitThread, GetStdHandle, GetCommandLineA, GetCommandLineW, ExitProcess, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleOutputCP, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, HeapSize, GetEnvironmentVariableW, DecodePointer, EncodePointer, LCMapStringEx, GetLocaleInfoEx, TryAcquireSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, SleepConditionVariableSRW, WakeAllConditionVariable, LoadLibraryExA, GetStringTypeW, WaitForSingleObjectEx, FormatMessageA, WakeConditionVariable
USER32.dll	RegisterClassExW, GetClassInfoExW
ADVAPI32.dll	CryptReleaseContext, CryptGenRandom, CryptAcquireContextW, RegDeleteTreeW, RegQueryInfoKeyW, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, RegOpenKeyExW, StartServiceW, QueryServiceStatus, RevertToSelf, ImpersonateSelf, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, CloseServiceHandle, ControlService, ChangeServiceConfigW, CreateServiceW, DeleteService, OpenServiceW, OpenSCManagerW, StartServiceCtrlDispatcherW, ChangeServiceConfig2W, QueryServiceConfig2W, RegisterServiceCtrlHandlerExW, SetServiceStatus, SetThreadToken
ole32.dll	CoInitialize, CoInstall

Exports

Name	Ordinal	Address
asw_process_storage_allocate_connector	1	0x457bd0
asw_process_storage_deallocate_connector	2	0x457bf0
on_avast_dll_unload	3	0x453510
onexit_register_connector_avast_2	4	0x457a50

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 20:22:19.529598951 CEST	49711	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:22:19.529702902 CEST	443	49711	62.192.173.45	192.168.2.6
Sep 11, 2024 20:22:19.529838085 CEST	49711	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:22:19.544351101 CEST	49711	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:22:19.544367075 CEST	443	49711	62.192.173.45	192.168.2.6
Sep 11, 2024 20:22:51.636115074 CEST	49711	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:23:22.679569960 CEST	61818	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:23:22.679667950 CEST	443	61818	62.192.173.45	192.168.2.6
Sep 11, 2024 20:23:22.679758072 CEST	61818	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:23:22.680008888 CEST	61818	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:23:22.680047989 CEST	443	61818	62.192.173.45	192.168.2.6
Sep 11, 2024 20:23:54.731791019 CEST	61818	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:24:20.784265995 CEST	61822	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:24:20.784356117 CEST	443	61822	62.192.173.45	192.168.2.6
Sep 11, 2024 20:24:20.784452915 CEST	61822	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:24:20.784907103 CEST	61822	443	192.168.2.6	62.192.173.45
Sep 11, 2024 20:24:20.784944057 CEST	443	61822	62.192.173.45	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 20:22:19.506644011 CEST	53205	53	192.168.2.6	1.1.1.1
Sep 11, 2024 20:22:19.524235010 CEST	53	53205	1.1.1.1	192.168.2.6
Sep 11, 2024 20:23:04.627062082 CEST	53	58177	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 11, 2024 20:22:19.506644011 CEST	192.168.2.6	1.1.1.1	0xd021	Standard query (0)	weblineinfo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 11, 2024 20:22:19.524235010 CEST	1.1.1.1	192.168.2.6	0xd021	No error (0)	weblineinfo.com		62.192.173.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:22:14
Start date:	11/09/2024
Path:	C:\Users\user\Desktop\49GqFpn1V8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\49GqFpn1V8.exe"
Imagebase:	0x400000
File size:	1'321'984 bytes
MD5 hash:	FCE92B546EF981E56E070B8D419DA291
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	96.8%
Signature Coverage:	13.1%
Total number of Nodes:	1469
Total number of Limit Nodes:	18

Executed Functions

Function 04226008 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 270
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 04226068
InternetConnectW.WININET ref: 042260BA
HttpOpenRequestW.WININET ref: 0422611A
InternetSetOptionW.WININET ref: 042261BA
HttpSendRequestA.WININET ref: 04226205
HttpAddRequestHeadersW.WININET ref: 04226233
InternetQueryDataAvailable.WININET ref: 0422628C
InternetReadFile.WININET ref: 042262BD
RtlReAllocateHeap.NTDLL ref: 042262F5
InternetCloseHandle.WININET ref: 04226369
InternetCloseHandle.WININET ref: 0422637C
InternetCloseHandle.WININET ref: 0422638F

Strings

,, xrefs: 0422618C

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$AllocateAvailableConnectDataFileHeadersHeapOptionQueryReadSend
String ID: ,
API String ID: 1983710032-3772416878
Opcode ID: eb10fb10853a950345251c4a0e38b7aae45bed6c18c6d854b5a4907ed69dfe1d
Instruction ID: f02171e96412f4865695cc2654f1db25463d75761bb59c13ec754a8464aa05dd
Opcode Fuzzy Hash: eb10fb10853a950345251c4a0e38b7aae45bed6c18c6d854b5a4907ed69dfe1d
Instruction Fuzzy Hash: E0C1F6B1A147159FDB10EF68D28879EBBF4FF88704F04882DE8989B241E778A545CF52

Function 042433A0 Relevance: 16.7, APIs: 11, Instructions: 224
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 04243433
GetComputerNameExW.KERNEL32(00000000,00000000), ref: 04243450
GetComputerNameExW.KERNEL32 ref: 04243489
GetTokenInformation.KERNELBASE ref: 042434E5
GetCurrentProcessId.KERNEL32 ref: 04243541
GetModuleFileNameW.KERNEL32 ref: 04243560
GetNativeSystemInfo.KERNEL32 ref: 042435C8
GetCurrentThreadId.KERNEL32 ref: 042436A4
GetAdaptersInfo.IPHLPAPI ref: 042436D5
RtlGetVersion.NTDLL ref: 04243645

Part of subcall function 04249B10: RtlAllocateHeap.NTDLL ref: 04249B33

GetAdaptersInfo.IPHLPAPI ref: 04243725

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Name$Info$AdaptersComputerCurrent$AllocateFileHeapInformationModuleNativeProcessSystemThreadTokenUserVersion
String ID:
API String ID: 324440343-0
Opcode ID: ccb499e2d6ac5e98f86a2863e28c877a28ed09699eea2b3ef21ad026ac489cf1
Instruction ID: 9888047520d604cccd9b85d87fcfc90d4465f4168f2b863ab65a9d39679a1657
Opcode Fuzzy Hash: ccb499e2d6ac5e98f86a2863e28c877a28ed09699eea2b3ef21ad026ac489cf1
Instruction Fuzzy Hash: 01B1D8B0A187159FDB10EF24D88839ABBF4FF84745F0088ADD88897350D775AA89CF52

Function 0423567C Relevance: 12.1, APIs: 8, Instructions: 101
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 042356C5
LoadLibraryExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,04257207,?), ref: 0423570C
RtlRemoveVectoredExceptionHandler.NTDLL(?), ref: 042357D1

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: ExceptionHandlerVectored$LibraryLoadRemove
String ID:
API String ID: 1796811586-0
Opcode ID: 9620e8e50f0a5852a0c7d49de9cab420cf4506d42d3ab5b4c9b7b539d1704df4
Instruction ID: cf54d202221c2a395656cb3926a5b950654cba21cbc356a3f763c1a148be80e4
Opcode Fuzzy Hash: 9620e8e50f0a5852a0c7d49de9cab420cf4506d42d3ab5b4c9b7b539d1704df4
Instruction Fuzzy Hash: 6241E8B0A19301EFD700AF69D54876EBBF8EF88755F00C91DE89997250D778A884CF92

Function 0423D5C8 Relevance: 7.7, APIs: 5, Instructions: 156
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04249B10: RtlAllocateHeap.NTDLL ref: 04249B33

GetCurrentProcessId.KERNEL32 ref: 0423D60A
GetCurrentThreadId.KERNEL32 ref: 0423D612
CreateToolhelp32Snapshot.KERNEL32 ref: 0423D637
Thread32First.KERNEL32 ref: 0423D65A
Thread32Next.KERNEL32 ref: 0423D83A

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: CurrentThread32$AllocateCreateFirstHeapNextProcessSnapshotThreadToolhelp32
String ID:
API String ID: 838877906-0
Opcode ID: ccfb6b85dfc4310a3586e0b528f5a3f9672412446111905abba4b4782aa28d66
Instruction ID: c2234f75409b605bdc555da8d74e576557a0919aea96e39a2947e379e1fb9cbc
Opcode Fuzzy Hash: ccfb6b85dfc4310a3586e0b528f5a3f9672412446111905abba4b4782aa28d66
Instruction Fuzzy Hash: 9771B2B4A24319DFEB10DF64C944B9EBBF4BF48304F0089AAD988A7241D775A985CF91

Function 00477A51 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 399
memorynativeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 00477C89

Strings

@, xrefs: 00477CD8

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: b890004c7abea6c62d470f20a65b7b6c4f830a5fe88326dac2859a4c4d4e472a
Instruction ID: 0a72693664407814b5ec88c9e25993d5366997829bb91b242848a74b3fefa402
Opcode Fuzzy Hash: b890004c7abea6c62d470f20a65b7b6c4f830a5fe88326dac2859a4c4d4e472a
Instruction Fuzzy Hash: B2024971E111198FCF44CFBCCA84ADDBBF2BB8C314F189129E408F7249EA35A9558B25

Function 041D8C42 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL ref: 041D8F10

Strings

, xrefs: 041D8E22

Memory Dump Source

Source File: 00000000.00000003.2218936476.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_41a0000_49GqFpn1V8.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-3916222277
Opcode ID: 92841c94aab4c5d20aeb8b1a9b947da3a67dbe4f7d951e4c6514275865ec4314
Instruction ID: e41c1a023c4022dc5770026afb26fbeac40e35c8386ff11f0ebfdff535b40083
Opcode Fuzzy Hash: 92841c94aab4c5d20aeb8b1a9b947da3a67dbe4f7d951e4c6514275865ec4314
Instruction Fuzzy Hash: BAA1B2B5909305DFD750EF28C18465ABBF0BF88714F118A6EE89987351E734E984CF82

Function 04253170 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P.8w, xrefs: 0425318C, 04253253

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: P.8w
API String ID: 0-23388976
Opcode ID: 831916bd8b75d5e59f177ac73cc522ff6a79bbc20b6518f161d7db6f19065e36
Instruction ID: e64408636baf3437f9ebbd9ce7bfa47d24b6b4f2f2785d6e9e6c6aeb165913ae
Opcode Fuzzy Hash: 831916bd8b75d5e59f177ac73cc522ff6a79bbc20b6518f161d7db6f19065e36
Instruction Fuzzy Hash: 383190B4A193469FCB00DF6AE58459ABBE4FF88250F00892EEC98D7310D774E944CF92

Function 04253CC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

.8w, xrefs: 04253CE4, 04253D7A

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: .8w
API String ID: 0-3228709624
Opcode ID: 847d4f9bc4d122c5139e59cc273eb2ad27738ce75316a36586dbd958394c2200
Instruction ID: 06f135f1ac1980cd50aa738b181181dad9240b980a8a4ea71fd03f0dd5325ea5
Opcode Fuzzy Hash: 847d4f9bc4d122c5139e59cc273eb2ad27738ce75316a36586dbd958394c2200
Instruction Fuzzy Hash: 2D21A4B4A193469BCB14DF6AD18556AFBF4FF84690F00892EEC98C7210D374E954CBD2

Function 042532F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

p,8w, xrefs: 04253314, 04253395

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: p,8w
API String ID: 0-2731710560
Opcode ID: 100c65a4c89ba08e36a5cd32c22c5b3ca843de502ce136a7c50920730af4a543
Instruction ID: 8eb6e44e3a9f0b5f5afbcc2ef13b9183862e5cc064debf2b2441cd277889c172
Opcode Fuzzy Hash: 100c65a4c89ba08e36a5cd32c22c5b3ca843de502ce136a7c50920730af4a543
Instruction Fuzzy Hash: BF21C9B1A19306ABDB14DF2AD58455EFBE8EF84750F00D92EEC8897210E774E854CF92

Function 042541A4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

PF8wp<5w, xrefs: 042541BA, 04254213

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: PF8wp<5w
API String ID: 0-2652524466
Opcode ID: ca554b8bacb4004121bea1d092030fd52d2c3e15dfa654ee5a732d3f60de422b
Instruction ID: 1f7b645420c8182eb195f06a302f92b36a77837cca2c9dd63773acc2a957c2ff
Opcode Fuzzy Hash: ca554b8bacb4004121bea1d092030fd52d2c3e15dfa654ee5a732d3f60de422b
Instruction Fuzzy Hash: 230192B0714311ABDB00BF6AA98466AFBF8EB84754F01C42EEC48C3200DA74E880CB51

Function 04252B7C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 04252BDC

Strings

`+8w`5#v, xrefs: 04252B98, 04252BDC

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Close
String ID: `+8w`5#v
API String ID: 3535843008-3319912635
Opcode ID: 7b65066e3061772dee720345ec8efccff96422e252000af461d4473f6f449ab2
Instruction ID: d54d28420c246c8064ed5a02e2c741bdb8eca3410c9613c8ed16c039ee9ecd27
Opcode Fuzzy Hash: 7b65066e3061772dee720345ec8efccff96422e252000af461d4473f6f449ab2
Instruction Fuzzy Hash: 5CF0D134728306DB9710AF29ADC07AAB7ECEF44254B004699DC468B280E738F880CBA1

Function 00477CCE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00477CF8

Strings

@, xrefs: 00477CD8

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: @
API String ID: 2706961497-2766056989
Opcode ID: 1cca97dd1ddff716478dffc6238824e7563a13297ee4ba7f0ede381e2ab95bf5
Instruction ID: f0fbc70ff26b06d150efd3baddbe35f2bc094d6b675f3c8ceb0c64c792f0c14d
Opcode Fuzzy Hash: 1cca97dd1ddff716478dffc6238824e7563a13297ee4ba7f0ede381e2ab95bf5
Instruction Fuzzy Hash: A2F0F970819244EFDB00EFA8D5443DEBFF0FF44324F50896EE5A897290D37895498B86

Function 04252EF4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e3f974d196a2c7e11159fc11005cb400fc8336cf9a7f95896d364ea6157543
Instruction ID: d0739e8efe7c48b6b11799692d504ab894042a7f482fabe066edd2b5d9e7f955
Opcode Fuzzy Hash: a5e3f974d196a2c7e11159fc11005cb400fc8336cf9a7f95896d364ea6157543
Instruction Fuzzy Hash: 96414DB4A183459FCB40DF29D58099ABBE4BF88654F00892EFC98D3310D374E955CF92

Function 0422B7E8 Relevance: 1.6, APIs: 1, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

LdrGetProcedureAddress.NTDLL ref: 0422B8A4

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: a2da4e3bfd36ee88faddd135db0541106da8096015eec0c8587ef9a12e48bd89
Instruction ID: f144053eaefe7e00f5d701f15ab8f2363be19cca242e284e1eeaf56e48c13965
Opcode Fuzzy Hash: a2da4e3bfd36ee88faddd135db0541106da8096015eec0c8587ef9a12e48bd89
Instruction Fuzzy Hash: A331C375E14219AFDB00DFA8D980A9DBBF4FF48314F14852AE858E7300E774A955CF91

Function 0425382C Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4951094edc4a41a4fd262ab2954257b06371cea6be0ee9a3a28a351953f5a2a1
Instruction ID: b41f2440ad44b106577e862e87252153161913bf73e41a273e33e801b0f33821
Opcode Fuzzy Hash: 4951094edc4a41a4fd262ab2954257b06371cea6be0ee9a3a28a351953f5a2a1
Instruction Fuzzy Hash: C321A5B0A15306AFDB04EF6AD58455EBBE4FF84690F00C82EEC9887310D374E954DB92

Function 04253EAC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16febca19c88bba32c9b6430b48e1dd54ba7b8c9988e453caa591077146cfe42
Instruction ID: 240c43590d0e15108c2c6b6ef27d466691685b09f6565abcf3b9e4b0a3bfd8de
Opcode Fuzzy Hash: 16febca19c88bba32c9b6430b48e1dd54ba7b8c9988e453caa591077146cfe42
Instruction Fuzzy Hash: 6221A2B0A18306EBCB04DF2AD18555EBBF5FF88690F00882EEC9897210D374E954CB92

Function 00477BC6 Relevance: 1.6, APIs: 1, Instructions: 62nativememoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00477C89
NtProtectVirtualMemory.NTDLL ref: 00477CF8

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID:
API String ID: 2931642484-0
Opcode ID: 61066eed946818fefa02b46f0facadbb90eb2f40c8e216ec0237ee528f3e9623
Instruction ID: a7e023a2979e2ee4f3d0b61bfd62bfe83ba5b5501ca396eac6e8405ec8dd232a
Opcode Fuzzy Hash: 61066eed946818fefa02b46f0facadbb90eb2f40c8e216ec0237ee528f3e9623
Instruction Fuzzy Hash: BB21C4B09093159FDB00DFA9D58838EBBF0FF44318F11891EE458AB250D3798944DF96

Function 04254224 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e96274e3b312b5c66466644ec159fd444d74e306e59cffde5ae1ec2c7e3d28
Instruction ID: 1bb821ac8a7a2b166c16657a9cee019dbe574ad7bd549e58fdd3ce5c03bc7692
Opcode Fuzzy Hash: 05e96274e3b312b5c66466644ec159fd444d74e306e59cffde5ae1ec2c7e3d28
Instruction Fuzzy Hash: 72014071724321EBD710BFAAA98466AFBB8FB84654F05881EEC44C7200DA74E880CB91

Function 04253F70 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acece7206b957eab9f4facf5be182b745aedb749a0a85026ecba0a53f3199dbe
Instruction ID: 1ce7981681db017b5b4028b4ff30cf64dff93e7dca729cad10d6b94e0befc2d5
Opcode Fuzzy Hash: acece7206b957eab9f4facf5be182b745aedb749a0a85026ecba0a53f3199dbe
Instruction Fuzzy Hash: 5C017571714315ABD710EF29E54496EBBF8EF84794F01D82EFC4887200D6B4E840DB62

Function 042533A8 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd4dd62f9b7f2942cbfa27badb503024a11b0d78288467292e2a2130af987bc
Instruction ID: 6be846e775c144a0b3af260e0a124c9047dc56b43f1b1997d3eff9e2bfd84686
Opcode Fuzzy Hash: 3bd4dd62f9b7f2942cbfa27badb503024a11b0d78288467292e2a2130af987bc
Instruction Fuzzy Hash: EE019E70724711ABDB10EF6AE94057ABBE8EF84794F01C93EED8583200D674E800CBA1

Function 04253FF0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d763ef795f919419d26acecb9d766382734c504f7bf9bd589227e259179a81cc
Instruction ID: 4b61046818dab9788285aca96eea85ccaee6137ed99408c7191fbaf33de9b718
Opcode Fuzzy Hash: d763ef795f919419d26acecb9d766382734c504f7bf9bd589227e259179a81cc
Instruction Fuzzy Hash: 59019271724315ABDB10BF29994066AFBE8EB84714F11C42EEC4487201DA75E880CBA2

Function 041D9FD0 Relevance: 1.5, APIs: 1, Instructions: 45memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 041DA019

Memory Dump Source

Source File: 00000000.00000003.2218936476.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_41a0000_49GqFpn1V8.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ea29e981e7bac5fd10ace86a4c5a87f74444b95e80f2b988931521c9dc6e9535
Instruction ID: 57e6995c483eee2e40c5f2bfac1d25d9c76e727d7216bd7094fbd1eb255ca725
Opcode Fuzzy Hash: ea29e981e7bac5fd10ace86a4c5a87f74444b95e80f2b988931521c9dc6e9535
Instruction Fuzzy Hash: 04111AB9A0A3419FC784DF29C58491EBBF0BF89651F40986EF998C7310E331E9848B42

Function 041DA070 Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 041DA0B1

Memory Dump Source

Source File: 00000000.00000003.2218936476.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_41a0000_49GqFpn1V8.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 5ad92c1f2c280be75a7639dcb3dd361ff4306af00a84458e2b61ef632d616c7e
Instruction ID: 087aa35f4260c54b17e7cd0ea9a7b68a2162a0109b2d954a457956563315d5f3
Opcode Fuzzy Hash: 5ad92c1f2c280be75a7639dcb3dd361ff4306af00a84458e2b61ef632d616c7e
Instruction Fuzzy Hash: 03113DB590A3419FC780EF29C5C451ABBF0BF88650F409C6EF998C7310E335E9848B52

Function 04236B04 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 136
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rand.MSVCRT ref: 04236B53
WaitForSingleObjectEx.KERNEL32 ref: 04236BB0
WaitForSingleObject.KERNEL32 ref: 04236BCD
ConvertThreadToFiber.KERNEL32(00000000,00000000), ref: 04236C78
CreateFiber.KERNEL32 ref: 04236CBA
SwitchToFiber.KERNEL32 ref: 04236CC8
ConvertFiberToThread.KERNEL32(00000000), ref: 04236CCF
DeleteFiber.KERNELBASE ref: 04236CD8

Strings

2, xrefs: 04236BBE

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Fiber$ConvertObjectSingleThreadWait$CreateDeleteSwitchrand
String ID: 2
API String ID: 3169661363-450215437
Opcode ID: b41f16aadb561dedbbacff7c47b7ec4aeca51daeab347a4be4c68889f98976c2
Instruction ID: 1de270ba8c0cfde2f835da677e0bd0e54fb368147fd29a7992e969ecd5d3665e
Opcode Fuzzy Hash: b41f16aadb561dedbbacff7c47b7ec4aeca51daeab347a4be4c68889f98976c2
Instruction Fuzzy Hash: 3151B1B1A14304AFD710AF6CE58875DBBF8EF88725F008629E899D7290D738E881CF51

Function 04226448 Relevance: 10.7, APIs: 7, Instructions: 214
synchronizationnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

time.MSVCRT(00000000,00000000), ref: 042265CD
srand.MSVCRT ref: 042265D6
WSAStartup.WS2_32 ref: 04226668
WaitForSingleObject.KERNEL32(?,?), ref: 04226687
WaitForSingleObject.KERNEL32 ref: 04226757
ReleaseMutex.KERNEL32(00000000,00000000), ref: 04226773

Part of subcall function 04249B10: RtlAllocateHeap.NTDLL ref: 04249B33

Part of subcall function 04236B04: rand.MSVCRT ref: 04236B53
Part of subcall function 04236B04: ConvertThreadToFiber.KERNEL32(00000000,00000000), ref: 04236C78
Part of subcall function 04236B04: CreateFiber.KERNEL32 ref: 04236CBA
Part of subcall function 04236B04: SwitchToFiber.KERNEL32 ref: 04236CC8
Part of subcall function 04236B04: ConvertFiberToThread.KERNEL32(00000000), ref: 04236CCF
Part of subcall function 04236B04: DeleteFiber.KERNELBASE ref: 04236CD8

WSACleanup.WS2_32 ref: 04226839

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Fiber$ConvertObjectSingleThreadWait$AllocateCleanupCreateDeleteHeapMutexReleaseStartupSwitchrandsrandtime
String ID:
API String ID: 1992830391-0
Opcode ID: 1e93e8c59afb9b2fcb82c3a4263d127b11fc77304c7cd92464954c265e0cbe3f
Instruction ID: 64724ff2d4cf25c37a96d665c6c828ef596626a7d42181795324fee8f335f193
Opcode Fuzzy Hash: 1e93e8c59afb9b2fcb82c3a4263d127b11fc77304c7cd92464954c265e0cbe3f
Instruction Fuzzy Hash: 20B1CBB491472ADFDB54DF28C98469DBBF4FF48314F0089A9E88897341DB74AA84CF52

Function 042258B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105
librarysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 042258C7

Part of subcall function 04222580: LdrGetDllHandleEx.NTDLL ref: 0422F6EE

LdrDisableThreadCalloutsForDll.NTDLL ref: 0422592F
SetProcessValidCallTargets.KERNELBASE ref: 042259A3
WaitForSingleObject.KERNEL32 ref: 04225A81

Strings

x, xrefs: 042258CD

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: CallCalloutsConsoleDisableFreeHandleObjectProcessSingleTargetsThreadValidWait
String ID: x
API String ID: 3435649234-2363233923
Opcode ID: d30041eac3ed802c1115bae50e72755397bd2bb7740d580974393fbe486d66af
Instruction ID: 6ee6fdee09426be05417a67b800bff9dc5d933624b73413dfffdac13f4919af3
Opcode Fuzzy Hash: d30041eac3ed802c1115bae50e72755397bd2bb7740d580974393fbe486d66af
Instruction Fuzzy Hash: 6A51A5B0618311DFD700EF58D59875ABBE4FF84358F00895DE8985B391D3B99488CF92

Function 0422684C Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 773
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04249B40: RtlSizeHeap.NTDLL ref: 04249B64
Part of subcall function 04249B40: RtlFreeHeap.NTDLL ref: 04249B9D

inet_addr.WS2_32 ref: 04226CE2
inet_addr.WS2_32 ref: 04226CF5
RtlExitUserThread.NTDLL ref: 0422743C

Part of subcall function 04249B10: RtlAllocateHeap.NTDLL ref: 04249B33

Strings

|, xrefs: 0422727F

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Heap$inet_addr$AllocateExitFreeSizeThreadUser
String ID: |
API String ID: 4210540982-2343686810
Opcode ID: dd824d86eeb88faaad60f6249e769276bcfe097ff17d6cefb493ef26242e4fbc
Instruction ID: 7d0aec36544f721fb31616ba0389d9984267cf623b7d8914008901be6aa57377
Opcode Fuzzy Hash: dd824d86eeb88faaad60f6249e769276bcfe097ff17d6cefb493ef26242e4fbc
Instruction Fuzzy Hash: 7382B6B0A18715DFDB04EF64C5846AEBBF0FF88344F11886DD8989B240EB78A585DF52

Function 00458EC0 Relevance: 6.1, APIs: 4, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_release_startup_lock.LIBCMT ref: 00458FA2
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00458FB7
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00458FE2
___scrt_uninitialize_crt.LIBCMT ref: 0045903E

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
String ID:
API String ID: 3089971210-0
Opcode ID: 7bec385d76df037eb8bdb71287f87b22cc99e751acbb1fae669072a7d7b5718f
Instruction ID: d567cbca2186cea49997bd25490dcfbb88d44addc3d2683d2f9401c5b4dfdaee
Opcode Fuzzy Hash: 7bec385d76df037eb8bdb71287f87b22cc99e751acbb1fae669072a7d7b5718f
Instruction Fuzzy Hash: EF413472A44240ABCB10BB658D037DE7762AB11709F14046FFC096B3D3EFAE5908879E

Function 04231E58 Relevance: 4.7, APIs: 3, Instructions: 199
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 04231E71
ReleaseMutex.KERNEL32 ref: 04231E8F

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait
String ID:
API String ID: 2017088797-0
Opcode ID: aeab49d9877d56e97553d9c17e20a8a8f85042f34d8b47531cad0fc9b5cf6a4b
Instruction ID: 9ac61ea3c969c1a869731b976679ce75dd1ae32e99d45ab97bacbed925f16618
Opcode Fuzzy Hash: aeab49d9877d56e97553d9c17e20a8a8f85042f34d8b47531cad0fc9b5cf6a4b
Instruction Fuzzy Hash: 8E91A3B5B153109FE740EF7DE68961ABBF8EB49710F81886EE488D7204E778E844CB51

Function 0423D578 Relevance: 4.7, APIs: 3, Instructions: 178
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0423D612
CreateToolhelp32Snapshot.KERNEL32 ref: 0423D637
Thread32First.KERNEL32 ref: 0423D65A

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: CreateCurrentFirstSnapshotThreadThread32Toolhelp32
String ID:
API String ID: 1995798346-0
Opcode ID: f712ca7c921ab4bf5cfbe4f1e6ed5ee753a40fd77dfe44a2721bdb9c8a990df6
Instruction ID: ba501190e019ea1c84ff7e2e5d4699a297e3b5553e4fb12c8b77d9a6fd536c97
Opcode Fuzzy Hash: f712ca7c921ab4bf5cfbe4f1e6ed5ee753a40fd77dfe44a2721bdb9c8a990df6
Instruction Fuzzy Hash: 2D8128B1A243198FEB10DF64C98479EBBF0BF48308F1489AAD888A7241D775E945CF91

Function 04231C50 Relevance: 4.6, APIs: 3, Instructions: 129
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 04231C69
ReleaseMutex.KERNEL32 ref: 04231C87

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait
String ID:
API String ID: 2017088797-0
Opcode ID: 8e35f5e997ba21217a0d933d320c37a3d7d53609fbba6972e9f30a5dc5f65c0e
Instruction ID: 9640016fa091b7c759440b318e0fd0abe3d25d228706e39d97c775f1e02a57dc
Opcode Fuzzy Hash: 8e35f5e997ba21217a0d933d320c37a3d7d53609fbba6972e9f30a5dc5f65c0e
Instruction Fuzzy Hash: CF5192B5B253159FD740EF6DE68861EBBE8FB48604F81896DE488D7240E778EC40CB52

Function 0422E7D0 Relevance: 4.6, APIs: 3, Instructions: 115
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 0422E7E9
ReleaseMutex.KERNEL32 ref: 0422E807
ReleaseMutex.KERNEL32 ref: 0422E988

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: MutexRelease$ObjectSingleWait
String ID:
API String ID: 257779224-0
Opcode ID: c1781e85b503260adf85e9ed24d841573469e84af2061937527b474c494f4da6
Instruction ID: fa82120350f082ad3efbc6d469dd5564b1f27ffe8a260fa6b2f9eaa8cce1ea00
Opcode Fuzzy Hash: c1781e85b503260adf85e9ed24d841573469e84af2061937527b474c494f4da6
Instruction Fuzzy Hash: 104108B5B14310EFD710AF6DE68821ABBE8FB44754F81892ED888C7340E778E840DB52

Function 04249B40 Relevance: 3.0, APIs: 2, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlSizeHeap.NTDLL ref: 04249B64
RtlFreeHeap.NTDLL ref: 04249B9D

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Heap$FreeSize
String ID:
API String ID: 190658663-0
Opcode ID: 5bdb2e7e52bbfa040cf86f8706e2efe195ae12f7a167f348a3d1aa4733cbfe11
Instruction ID: 382ff19c78cdecfb75f1f006df7b3254f48f55d3491ea86175b8d506fdd2592d
Opcode Fuzzy Hash: 5bdb2e7e52bbfa040cf86f8706e2efe195ae12f7a167f348a3d1aa4733cbfe11
Instruction Fuzzy Hash: E701B2B06143059FDB00EF7CE18970ABBF4EB89344F008868E8888B345E775E844CB52

Function 042340F4 Relevance: 2.2, APIs: 1, Instructions: 663COMMON

Download Yara Rule

APIs

Part of subcall function 04249B10: RtlAllocateHeap.NTDLL ref: 04249B33

Part of subcall function 0423D5C8: GetCurrentProcessId.KERNEL32 ref: 0423D60A
Part of subcall function 0423D5C8: GetCurrentThreadId.KERNEL32 ref: 0423D612
Part of subcall function 0423D5C8: CreateToolhelp32Snapshot.KERNEL32 ref: 0423D637
Part of subcall function 0423D5C8: Thread32First.KERNEL32 ref: 0423D65A

SwitchToFiber.KERNEL32 ref: 04234D31

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Current$AllocateCreateFiberFirstHeapProcessSnapshotSwitchThreadThread32Toolhelp32
String ID:
API String ID: 2488212455-0
Opcode ID: 01c5af525eead3dd38d0e3f1fac264489a0cd38a78cff0d5a7dac9e76908a036
Instruction ID: 688a62fd291adb75f342086ef175687d8cbfd9f9b3d615d7e35c58a6be4d2152
Opcode Fuzzy Hash: 01c5af525eead3dd38d0e3f1fac264489a0cd38a78cff0d5a7dac9e76908a036
Instruction Fuzzy Hash: 5782E1B4A14315CFEB10DF28C594B99BBF4FF48314F048AAAD948AB381D774A985CF91

Function 042277B0 Relevance: 1.7, APIs: 1, Instructions: 191synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 042277F3

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7d87ca5910fbf0fac48ae778744ad19ca3cec243070ba1ee218a62cedcc61f2b
Instruction ID: 3c2b3e18b02e39d926f03e74b5061e0c7c2a0845f378ba84777408359c3334af
Opcode Fuzzy Hash: 7d87ca5910fbf0fac48ae778744ad19ca3cec243070ba1ee218a62cedcc61f2b
Instruction Fuzzy Hash: 84C169B02A93429EE742DF14D19831BBBE4BBC4748F109D6CE8985B260D374E64D8F97

Function 041D8E31 Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL ref: 041D8F10

Memory Dump Source

Source File: 00000000.00000003.2218936476.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_41a0000_49GqFpn1V8.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: d68d6ac12cd5d8a14f00940641ae0700c2043c1d23cd0657201e84b51a416b43
Instruction ID: e4e9ac2980f876a920ae6b3c90c60fed0c405c6cd31636afa6a11fba5449fb20
Opcode Fuzzy Hash: d68d6ac12cd5d8a14f00940641ae0700c2043c1d23cd0657201e84b51a416b43
Instruction Fuzzy Hash: 9E2187B5904740CFD750EF68D188B5ABBF0FF88710F118969E8998B755D734D888CB92

Function 041D8F21 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL ref: 041D8F10

Memory Dump Source

Source File: 00000000.00000003.2218936476.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_41a0000_49GqFpn1V8.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 3a19c502d56c18c7ee5c58eeb10d8e32fcbc1b071d5cfba4f84ab5cd64d1192a
Instruction ID: b2810241e42ddb5a3af40c617ddb6533604e57f24bde21a5a222c1bfa64e21ce
Opcode Fuzzy Hash: 3a19c502d56c18c7ee5c58eeb10d8e32fcbc1b071d5cfba4f84ab5cd64d1192a
Instruction Fuzzy Hash: 1C2172B5A08700CFD750EF68D184B5ABBF0FF88710F118969E8988B755D734E888CB92

Function 04249B10 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 04249B33

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 80819d2718afa210225e8e9e266df28322b98e9972afab1d4a46fb48374adfd7
Instruction ID: 8950bb3922a8c42e013945eaef226bb8fd5492c795aaa56c7151cdba45087554
Opcode Fuzzy Hash: 80819d2718afa210225e8e9e266df28322b98e9972afab1d4a46fb48374adfd7
Instruction Fuzzy Hash: F7D017706243049BCB00EF7CE04960A7FE5BB80204F40C92CE884C7244E6B8D8448B82

Function 04232764 Relevance: 1.5, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 04231C50: WaitForSingleObject.KERNEL32 ref: 04231C69
Part of subcall function 04231C50: ReleaseMutex.KERNEL32 ref: 04231C87

Part of subcall function 04249B40: RtlSizeHeap.NTDLL ref: 04249B64
Part of subcall function 04249B40: RtlFreeHeap.NTDLL ref: 04249B9D

Part of subcall function 04249B10: RtlAllocateHeap.NTDLL ref: 04249B33

sprintf.MSVCRT ref: 04232937

Part of subcall function 04226008: InternetOpenW.WININET ref: 04226068
Part of subcall function 04226008: InternetConnectW.WININET ref: 042260BA
Part of subcall function 04226008: HttpOpenRequestW.WININET ref: 0422611A
Part of subcall function 04226008: InternetSetOptionW.WININET ref: 042261BA

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: HeapInternet$Open$AllocateConnectFreeHttpMutexObjectOptionReleaseRequestSingleSizeWaitsprintf
String ID:
API String ID: 2057200146-0
Opcode ID: 365fd04b757bdccc244df0b217cd9a63cd56305d3691d542807d924daa4ca5e1
Instruction ID: 6f5b0c2c72ecb29a63d7fe96302d4b127d33cc16fb3479e989228db2d73d67eb
Opcode Fuzzy Hash: 365fd04b757bdccc244df0b217cd9a63cd56305d3691d542807d924daa4ca5e1
Instruction Fuzzy Hash: FCB160B4A18B05AFDB44EF68C18469EFBF0BF88304F01892DE49897300E774A595CF96

Non-executed Functions

Function 0042E8B0 Relevance: 162.6, APIs: 48, Strings: 44, Instructions: 1559servicelibraryloaderCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32(?,0000000C,00000000,00000004,?), ref: 0042E8D8
ChangeServiceConfig2W.ADVAPI32(?,0000000C,00000000,?,0000000C,00000000,00000004,?), ref: 0042E8F7
GetLastError.KERNEL32(Unable to set debug service as antimalware process!,?,0000000C,00000000,?,0000000C,00000000,00000004,?), ref: 0042E915
SetDllDirectoryW.KERNEL32(004D1AE8), ref: 0042E986
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 0042E996
GetProcAddress.KERNEL32(00000000), ref: 0042E99D
StartServiceCtrlDispatcherW.ADVAPI32(?,?,?,00000000), ref: 0042F04A
GetLastError.KERNEL32(?,?,00000000), ref: 0042F054
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,?,?,00000000), ref: 0042F0D0
OpenServiceW.ADVAPI32(00000000,004E6C48,00010004,?,?,00000000), ref: 0042F101
DeleteService.ADVAPI32(00000000,?,?,00000000), ref: 0042F119
GetLastError.KERNEL32(?,?,00000000), ref: 0042F123
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000), ref: 0042F18A
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000), ref: 0042F191
GetFileAttributesW.KERNEL32(?), ref: 0042E9E6

Part of subcall function 004046D0: ___std_exception_destroy.LIBVCRUNTIME ref: 00404756

Part of subcall function 00471E11: AcquireSRWLockExclusive.KERNEL32(004EB5C8,?,?,?,00413873,004EC1F8,2881E606,00000000,?,?,004139AA,?,004025A8,?,?), ref: 00471E1C
Part of subcall function 00471E11: ReleaseSRWLockExclusive.KERNEL32(004EB5C8,?,00413873,004EC1F8,2881E606,00000000,?,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471E56

Part of subcall function 00444BC0: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00443559), ref: 00444BCD
Part of subcall function 00444BC0: GetProcAddress.KERNEL32(00000000,on_avast_dll_unload), ref: 00444BD9
Part of subcall function 00444BC0: GetModuleHandleW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,00443559), ref: 00444BE7

Part of subcall function 00471DC0: AcquireSRWLockExclusive.KERNEL32(004EB5C8,?,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471DCA
Part of subcall function 00471DC0: ReleaseSRWLockExclusive.KERNEL32(004EB5C8,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471DFD
Part of subcall function 00471DC0: WakeAllConditionVariable.KERNEL32(004EB5C4,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471E08

SetConsoleCtrlHandler.KERNEL32(Function_0002E880,00000001,?,?,?,?,00000000), ref: 0042F397
WaitForSingleObject.KERNEL32(000000FF,?,?,?,?,00000000), ref: 0042F3B1
RpcServerUnregisterIf.RPCRT4(004D1CF8,00000000,00000001), ref: 0042F3C0
RpcServerUnregisterIf.RPCRT4(004D1FE0,00000000,00000001), ref: 0042F3CF
RpcServerUnregisterIf.RPCRT4(004D1F88,00000000,00000001), ref: 0042F3DE
GetLastError.KERNEL32(Unable to open the service control manager!), ref: 0042FF7A
GetLastError.KERNEL32(Unable to query own process module path!,?,004E3840,00000000), ref: 0042FFA2
GetLastError.KERNEL32(?,004E3840,00000000), ref: 0042FFCF
GetLastError.KERNEL32(?,004E3840,00000000,Unable to create service '{}'!,0000001E,004E6C48), ref: 0042FFFE
GetLastError.KERNEL32(Unable to modify debugger service binary path!,?,004E3840,00000000,Unable to modify debugger service configuration using c_ChangeConfig!,?,004E3840,00000000,Unable to create debugger rpc endpoint!,?,004E3840,00000000,Unable to open service '{}'!,0000001C,004E6C48), ref: 0043008A

Strings

Unable to create service '{}'!, xrefs: 0042FFDC
/runassvc, xrefs: 0042EF3C
/register, xrefs: 0042F48B
RpcSs, xrefs: 0042FA9D
HlN, xrefs: 0042F022
!, xrefs: 0042FD43
DeleteService(self) failure: gle={}, xrefs: 0042F164
StartServiceCtrlDispatcher failure: gle={}, xrefs: 0042F095
Debugger service is starting., xrefs: 0042EFB8
OpenSCManager failure: gle={}, xrefs: 0042F24C, 0042FC65
kernel32.dll, xrefs: 0042E991
Debugger app is starting., xrefs: 0042F32D
E5026373, xrefs: 0042EF83
AvDumper, xrefs: 0042EC71, 0042F824
E502, xrefs: 0042FC90
Unable to modify debugger service configuration using c_ChangeConfig!, xrefs: 00430059
HlN, xrefs: 0042F6AE
HlN, xrefs: 0042FBA6
SetDefaultDllDirectories, xrefs: 0042E98C
Unable to query own process module path!, xrefs: 0042FF9D
0lN, xrefs: 0042EE0F
ControlService(SERVICE_CONTROL_UNREGISTER) failure: gle={}, xrefs: 0042FC1B
/runasapp, xrefs: 0042F2B1
ServicesActive, xrefs: 0042F0C9, 0042F4B9, 0042FB81
HlN, xrefs: 0042F73C
" /runassvc, xrefs: 0042F584
HlN, xrefs: 0042F0EE
/unregister, xrefs: 0042FB51
6373, xrefs: 0042FC7D
HlN, xrefs: 0042EC9D
HlN, xrefs: 0042FB69
Unable to create debugger rpc endpoint!, xrefs: 00430037
Unable to set debug service as antimalware process!, xrefs: 0042E910
ProfSvc_Group, xrefs: 0042F6E5, 0042FAA4
Unable to open service '{}'!, xrefs: 0043000B
Unable to modify debugger service binary path!, xrefs: 00430085
RpcSS, xrefs: 0042F6DE
HlN, xrefs: 0042FCBF
ncalrpc, xrefs: 0042F98E
StartServer failure: retval={}, xrefs: 0042F421
OpenService failure: gle={}, xrefs: 0042F1DD, 0042FC4F
HlN, xrefs: 0042EDD5
HlN, xrefs: 0042F6C9
Unable to open the service control manager!, xrefs: 0042FF75

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$Service$Handle$ExclusiveLock$ModuleServerUnregister$AcquireAddressCloseConfig2CtrlOpenProcRelease$AttributesChangeConditionConsoleDeleteDirectoryDispatcherFileHandlerManagerObjectQuerySingleStartVariableWaitWake___std_exception_destroy
String ID: !$" /runassvc$/register$/runasapp$/runassvc$/unregister$0lN$6373$AvDumper$ControlService(SERVICE_CONTROL_UNREGISTER) failure: gle={}$Debugger app is starting.$Debugger service is starting.$DeleteService(self) failure: gle={}$E502$E5026373$HlN$HlN$HlN$HlN$HlN$HlN$HlN$HlN$HlN$HlN$OpenSCManager failure: gle={}$OpenService failure: gle={}$ProfSvc_Group$RpcSS$RpcSs$ServicesActive$SetDefaultDllDirectories$StartServer failure: retval={}$StartServiceCtrlDispatcher failure: gle={}$Unable to create debugger rpc endpoint!$Unable to create service '{}'!$Unable to modify debugger service binary path!$Unable to modify debugger service configuration using c_ChangeConfig!$Unable to open service '{}'!$Unable to open the service control manager!$Unable to query own process module path!$Unable to set debug service as antimalware process!$kernel32.dll$ncalrpc
API String ID: 254121127-1021687069
Opcode ID: 4024e36da7fe51d2f0326d27c3692053690187404231844fc67de0897de28ae5
Instruction ID: 470cf11895992f53b4534e0b6a9cac22d936de9c14f92e9bb127768c30fbee63
Opcode Fuzzy Hash: 4024e36da7fe51d2f0326d27c3692053690187404231844fc67de0897de28ae5
Instruction Fuzzy Hash: CBD2D270E002589FDB14DFA4DC95BDDBBB1BF09304F50416AE809A73A1EB786A84CF59

Function 00415300 Relevance: 120.4, APIs: 44, Strings: 24, Instructions: 1410fileCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(02000000,00000000,?,2881E606,00412285,?), ref: 004153B9
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000000,00000104,00000000), ref: 0041543B
CloseHandle.KERNEL32(00000000,00000000,00000000), ref: 00415486
DebugActiveProcess.KERNEL32(?), ref: 004154F9
DebugSetProcessKillOnExit.KERNEL32(00000000), ref: 004155C9
WaitForDebugEvent.KERNEL32(?,000000FF,?, PID: ,?,Debugger attached to process: ), ref: 0041564A
SetEvent.KERNEL32(?,?, PID: ,?,Debugger attached to process: ), ref: 004156E9
CreateFileW.KERNEL32(00000000,00000000,?, PID: ,?,Debugger attached to process: ), ref: 00415719
GetLastError.KERNEL32(?, PID: ,?,Debugger attached to process: ), ref: 00415726
EnterCriticalSection.KERNEL32(004ED2A4,?, PID: ,?,Debugger attached to process: ), ref: 0041578A
LeaveCriticalSection.KERNEL32(004ED2A4,?,?, PID: ,?,Debugger attached to process: ), ref: 004157B1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?, PID: ,?,Debugger attached to process: ), ref: 004158C2
GetLastError.KERNEL32(Debugging of own process is not supported), ref: 00416FC7
GetLastError.KERNEL32(?,004E3908,-00000018,004E3840,Unable to start debugging of process with id {}, error code: {},0000003F,-00000018,?), ref: 00417023

Strings

P`(, xrefs: 0041579A
Debugger exception 0x{:08X} successfully dumped process {} into '{}' (dump level: {}), xrefs: 004168B0
Unable to start debugging of process with id {}, error code: {}, xrefs: 00416FED
Event:{} Process:{} Thread:{}, xrefs: 004156B3
F59A, xrefs: 00415812
- Cause: , xrefs: 00415E5D
F59A, xrefs: 00415694
verifier.dll, xrefs: 00415AE4
Debugging of own process is not supported, xrefs: 00416F60
Cause: VectoredExceptionHandler, xrefs: 00415C1E, 00415FF3
689A, xrefs: 0041686D
unp%u%ux-manual.mdmp, xrefs: 00416699
F59A, xrefs: 00416F1D
689A, xrefs: 004157EF
PID: , xrefs: 0041559F
Unable to wait for debugging event of process with id {}, error code: {}, xrefs: 00417049
689A, xrefs: 00415671
unp%u%ux-unhandled.mdmp, xrefs: 004166AB, 004166B3
F59A, xrefs: 00416890
689A, xrefs: 00416F0D
Debugger attached to process: , xrefs: 0041557D
EXCEPTION_DEBUG_EVENT Process:{} Thread:{} Exception:0x{:08X} FirstChance:{} ExceptionFlags:0x{:08X}, xrefs: 00415841
689A, xrefs: 0041551F
F59A, xrefs: 0041553B

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Process$CriticalDebugErrorLastSection$EnterEventFile$ActiveCloseCreateExitHandleImageKillLeaveNameOpenWait
String ID: - Cause: $ PID: $689A$689A$689A$689A$689A$Cause: VectoredExceptionHandler$Debugger attached to process: $Debugger exception 0x{:08X} successfully dumped process {} into '{}' (dump level: {})$Debugging of own process is not supported$EXCEPTION_DEBUG_EVENT Process:{} Thread:{} Exception:0x{:08X} FirstChance:{} ExceptionFlags:0x{:08X}$Event:{} Process:{} Thread:{}$F59A$F59A$F59A$F59A$F59A$P`($Unable to start debugging of process with id {}, error code: {}$Unable to wait for debugging event of process with id {}, error code: {}$unp%u%ux-manual.mdmp$unp%u%ux-unhandled.mdmp$verifier.dll
API String ID: 284013344-2335573558
Opcode ID: 7c6d2cd7363a1f0ceec297a1fc116c5efe08d8a55805ad0ae65a689b06aa5c57
Instruction ID: 4e5a2c4d54a6722ad588cefe912123578963766483c9a62d44bd421164deb9e5
Opcode Fuzzy Hash: 7c6d2cd7363a1f0ceec297a1fc116c5efe08d8a55805ad0ae65a689b06aa5c57
Instruction Fuzzy Hash: E1E249B0D042689BDB24DB24CC44BEDBBB4AF45304F1481DAE549A7291DB78AFC4CF99

Function 004015B0 Relevance: 63.9, APIs: 18, Strings: 18, Instructions: 854libraryloaderfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,2881E606), ref: 004015F3
GetProcAddress.KERNEL32(00000000,PssCaptureSnapshot), ref: 00401601
GetProcAddress.KERNEL32(00000000,PssFreeSnapshot), ref: 00401615
GetProcAddress.KERNEL32(00000000,PssQuerySnapshot), ref: 00401627
OpenProcess.KERNEL32(02000000,00000000,?), ref: 0040165C
GetFileAttributesW.KERNEL32(?), ref: 00401682
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,00000080,00000000), ref: 00401842
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 00401885
K32GetPerformanceInfo.KERNEL32(?,00000038,Dumped by AvDump,00000010), ref: 00401A6C
GetLastError.KERNEL32 ref: 00401C98
GetLastError.KERNEL32 ref: 00401D24
GetLastError.KERNEL32 ref: 00401EFA
CloseHandle.KERNEL32(00000000), ref: 00402221
CloseHandle.KERNEL32(?), ref: 0040222D
GetLastError.KERNEL32 ref: 00402256
GetLastError.KERNEL32(?,004E3840,00000005,Dump file {} already exists,0000001B,?,?,004E3840,?,Failed to open process with id {}, error code: {},00000031,?,?), ref: 004022BF
GetLastError.KERNEL32(?,004E3840,?,Dump file '{}' could not be created, error code: {},00000033,?,?,?,Failed to open process with id {}, error code: {},00000031,?,?), ref: 00402304
GetLastError.KERNEL32 ref: 0040239A

Strings

Failed to dump process with error {:#x}, retrying with limited dump content settings..., xrefs: 00401D2C
PssQuerySnapshot, xrefs: 0040161B
Dump file {} already exists, xrefs: 00402297
Failed to open process with id {}, error code: {}, xrefs: 0040226F
PerfInfo [MB]: CommitTotal: %llu, CommitLimit: %llu, PhysAvail: %llu, KrnlPaged: %llu, KrnlNonPaged: %llu, Handles: %u, Processe, xrefs: 00401B8F
E26A9CC4, xrefs: 00401E7F
PssCaptureSnapshot, xrefs: 004015FB
Dumped by AvDump, xrefs: 004019A3
kernel32.dll, xrefs: 004015E4
dump, xrefs: 00401E33, 00402009, 0040237A
Failed to dump process with error {:#x}, xrefs: 0040230C
Failed to dump process with error {:#x}, retrying with minimal content settings..., xrefs: 00401F02
E26A9CC4, xrefs: 00402055
mdmp, xrefs: 004017C3
Dump file '{}' could not be created, error code: {}, xrefs: 004022D8
PssFreeSnapshot, xrefs: 00401607
dmp, xrefs: 00401737
MiniDumpWriteDump failed, error: {}, xrefs: 004023AF

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$AddressHandleProc$CloseFile$AttributesControlCreateDeviceInfoModuleOpenPerformanceProcess
String ID: PerfInfo [MB]: CommitTotal: %llu, CommitLimit: %llu, PhysAvail: %llu, KrnlPaged: %llu, KrnlNonPaged: %llu, Handles: %u, Processe$Dump file '{}' could not be created, error code: {}$Dump file {} already exists$Dumped by AvDump$E26A9CC4$E26A9CC4$Failed to dump process with error {:#x}$Failed to dump process with error {:#x}, retrying with limited dump content settings...$Failed to dump process with error {:#x}, retrying with minimal content settings...$Failed to open process with id {}, error code: {}$MiniDumpWriteDump failed, error: {}$PssCaptureSnapshot$PssFreeSnapshot$PssQuerySnapshot$dmp$dump$kernel32.dll$mdmp
API String ID: 443402310-3745844466
Opcode ID: 236cca63449b0165dcbb305957aa5c10d3dbc423c9988a6fba7d1c3a1254a5d9
Instruction ID: 3933b95b1d02934212a5ee458d7ba27b7f597e0e06501cc1d7414815d031fc21
Opcode Fuzzy Hash: 236cca63449b0165dcbb305957aa5c10d3dbc423c9988a6fba7d1c3a1254a5d9
Instruction Fuzzy Hash: FC827B719012699BDB25DF24CD89BDDB7B4AF05304F1042EAE409A72A1DBB89FC4CF58

Function 0042B150 Relevance: 41.1, Strings: 31, Instructions: 2346COMMON

Download Yara Rule

Strings

h4L, xrefs: 0042B601
amount of information to include in minidump. 0 - default, 1 - full memory., xrefs: 0042B38F
thread_id, xrefs: 0042B37C, 0042C132, 0042C42A, 0042C642
create live kernel memory dump, xrefs: 0042B28F
Command-line usage, xrefs: 0042B1E5
address of the exception pointers structure, xrefs: 0042B349
create dump containing data segments information, xrefs: 0042B3C1
pid, xrefs: 0042B283, 0042B7D0, 0042BE26, 0042C885
Not enough arguments supplied, xrefs: 0042D28C, 0042D2DD
this, obviously, xrefs: 0042B41E
create dump containing process handle information, xrefs: 0042B3A8
Argument dump_file not specified, xrefs: 0042D236
help, xrefs: 0042B423, 0042B4D0
dbg, xrefs: 0042B2AD, 0042BCE6, 0042C1B3
<, xrefs: 0042CE8D
handle_data, xrefs: 0042B3AE, 0042CEA6, 0042CF44
Invalid arguments supplied, xrefs: 0042D210, 0042D2B2
flood control - minimal interval in minutes to elapse since saving last dump. Default is 60., xrefs: 0042B40C
data_segs, xrefs: 0042B3C7, 0042CF96, 0042D0C9
filename of dump to generate, xrefs: 0042B3DA
attach to process as debugger and watch it for exceptions, xrefs: 0042B2A7
min_interval, xrefs: 0042B412, 0042CD17, 0042CE4A
kernel, xrefs: 0042B294, 0042B698
optional comment to include into dump, xrefs: 0042B3F3
process ID to dump, xrefs: 0042B27D
comment, xrefs: 0042B3F9, 0042C964, 0042CAAF
?L, xrefs: 0042BC58, 0042BC65, 0042C6A3, 0042C6B0, 0042C7C6, 0042C7D3, 0042C8E6, 0042C8F3, 0042CB64, 0042CB71
dump_file, xrefs: 0042B3E0, 0042B920, 0042BBF7, 0042BF36, 0042C465, 0042CB03
thread ID that caused the exception, xrefs: 0042B376
exception_ptr, xrefs: 0042B35E, 0042C0E5, 0042C313, 0042C74A
dump_level, xrefs: 0042B395, 0042BA74, 0042BBA7, 0042CC29, 0042CCC7

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: <$Argument dump_file not specified$Command-line usage$Invalid arguments supplied$Not enough arguments supplied$address of the exception pointers structure$amount of information to include in minidump. 0 - default, 1 - full memory.$attach to process as debugger and watch it for exceptions$comment$create dump containing data segments information$create dump containing process handle information$create live kernel memory dump$data_segs$dbg$dump_file$dump_level$exception_ptr$filename of dump to generate$flood control - minimal interval in minutes to elapse since saving last dump. Default is 60.$h4L$handle_data$help$kernel$min_interval$optional comment to include into dump$pid$process ID to dump$this, obviously$thread ID that caused the exception$thread_id$?L
API String ID: 0-2660089391
Opcode ID: 17f72e249bc9a9e21074dfdf5efa27aa49148dd25ba9a5b25394d8f301be9199
Instruction ID: b76f014070c3332a03efde8671b22923ba6cf0124367734ea26f81760a64f843
Opcode Fuzzy Hash: 17f72e249bc9a9e21074dfdf5efa27aa49148dd25ba9a5b25394d8f301be9199
Instruction Fuzzy Hash: 87231731E002688BDB21DB24DC947EEB771AF05304F5442DBE449A7292DB78AEC1CF98

Function 00476C93 Relevance: 39.4, APIs: 21, Strings: 1, Instructions: 944COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00476CE1
operator+.LIBVCRUNTIME ref: 00476CFB
DName::operator+.LIBCMT ref: 00476E29
DName::operator+.LIBCMT ref: 00476E46
DName::operator+.LIBCMT ref: 00476EFA
DName::operator+.LIBCMT ref: 00476F09

Part of subcall function 0047C5A7: DName::operator+.LIBCMT ref: 0047C5EB
Part of subcall function 0047C5A7: DName::operator+.LIBCMT ref: 0047C5F7
Part of subcall function 0047C5A7: DName::operator+.LIBCMT ref: 0047C672
Part of subcall function 0047C5A7: DName::operator+=.LIBCMT ref: 0047C6B5

DName::operator+.LIBCMT ref: 00476E95

Part of subcall function 00476AEC: DName::operator=.LIBVCRUNTIME ref: 00476B0D

Part of subcall function 00476A94: shared_ptr.LIBCMT ref: 00476AB0

Part of subcall function 00478588: shared_ptr.LIBCMT ref: 0047862E

DName::operator+.LIBCMT ref: 00477473
DName::operator+.LIBCMT ref: 0047748F
DName::operator+.LIBCMT ref: 0047772E

Part of subcall function 004769BF: DName::operator+.LIBCMT ref: 004769E0

Strings

@LL, xrefs: 0047770D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name::operator+$shared_ptr$NameName::Name::operator+=Name::operator=operator+
String ID: @LL
API String ID: 3939309840-2893896032
Opcode ID: 7286c925c2df4cd3463497aa056168450883e1fd027105068084001b9d13557a
Instruction ID: 9c6f964d4446e9e3318cdbb09dcfc1eb3a73e83b0687eed1b8faaaf06fa07741
Opcode Fuzzy Hash: 7286c925c2df4cd3463497aa056168450883e1fd027105068084001b9d13557a
Instruction Fuzzy Hash: 8D62A1B2A145099ADB14DFA9CC91BEE77B9EB04304F54813FE50AE7281EB3CD905CB58

Function 00457C80 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 197memorysleepregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,{9C7565A2-47C2-4869-B388-8C7F9AD8E577},00000030,2881E606,00000005,00000000), ref: 00457CDB
GetClassInfoExW.USER32(00000000), ref: 00457CE2
GetLastError.KERNEL32 ref: 00457CF0
Sleep.KERNEL32(00000001), ref: 00457CFA
GetProcessHeap.KERNEL32 ref: 00457D12
HeapAlloc.KERNEL32(00000000,00000000,00000034), ref: 00457D27
asw_process_storage_allocate_connector.49GQFPN1V8 ref: 00457D37
InitializeCriticalSection.KERNEL32(00000000), ref: 00457D4A
GetProcessHeap.KERNEL32 ref: 00457D50
GetProcessHeap.KERNEL32 ref: 00457D6E
RegisterClassExW.USER32(00000030), ref: 00457D90
HeapFree.KERNEL32(?,00000000,00000000), ref: 00457DC4
asw_process_storage_deallocate_connector.49GQFPN1V8 ref: 00457DD4
DeleteCriticalSection.KERNEL32(?), ref: 00457DEF
GetProcessHeap.KERNEL32 ref: 00457DF5
HeapFree.KERNEL32(00000000,00000000,?), ref: 00457E0B
asw_process_storage_deallocate_connector.49GQFPN1V8 ref: 00457E1B
GetLastError.KERNEL32 ref: 00457E20
GetLastError.KERNEL32(?,004E3DCC,?,004E3E28,00000000,00000000), ref: 00457E93

Strings

{9C7565A2-47C2-4869-B388-8C7F9AD8E577}, xrefs: 00457CD4
FM, xrefs: 00457D89

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Heap$Process$ErrorLast$ClassCriticalFreeSectionasw_process_storage_deallocate_connector$AllocDeleteHandleInfoInitializeModuleRegisterSleepasw_process_storage_allocate_connector
String ID: {9C7565A2-47C2-4869-B388-8C7F9AD8E577}$FM
API String ID: 502576007-787359926
Opcode ID: 5cae3e1968f310739fe95416efc60ff071fbbeafd15c884b341dc88b18ae38f1
Instruction ID: 246766c206a542290af8d906c40d7c04e23c1e5a6bc3a2aa318a18f4b32ba5e1
Opcode Fuzzy Hash: 5cae3e1968f310739fe95416efc60ff071fbbeafd15c884b341dc88b18ae38f1
Instruction Fuzzy Hash: 5361A9319003149FDB119FA5EC49BAEBBB4EF05716F10453AFC0697391EB38AE058B98

Function 00414000 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 467COMMON

Download Yara Rule

APIs

Part of subcall function 00447360: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,2881E606,00000000,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 00447398
Part of subcall function 00447360: OpenServiceW.ADVAPI32(00000000,?,00000001,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473BC
Part of subcall function 00447360: GetLastError.KERNEL32(?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473CF
Part of subcall function 00447360: CloseServiceHandle.ADVAPI32(00000000,?,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473E7
Part of subcall function 00447360: CloseServiceHandle.ADVAPI32(00000000,?,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473EE

Part of subcall function 00412BE0: CloseHandle.KERNEL32(00000000,?,?,?,?,2881E606,004E37B0,2881E606), ref: 00412C7B

Part of subcall function 00447360: GetLastError.KERNEL32(Unable to open the service control manager!,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 00447417
Part of subcall function 00447360: GetLastError.KERNEL32(@8N,004E3840,00000000,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 00447434

EnterCriticalSection.KERNEL32(004ED28C,Bprotect,00000008,2881E606), ref: 004142AA
LeaveCriticalSection.KERNEL32(004ED28C,?,?), ref: 0041431E
InitializeCriticalSection.KERNEL32(00000000), ref: 0041434D

Strings

Bprotect, xrefs: 0041404B
689AF59A, xrefs: 004141A7
Driver incompatible with debugger detected., xrefs: 004141D0
Unable to create sync event, xrefs: 004145C5
^, xrefs: 004141B0
BprotectEx, xrefs: 00414085

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseCriticalErrorHandleLastSectionService$Open$EnterInitializeLeaveManager
String ID: 689AF59A$Bprotect$BprotectEx$Driver incompatible with debugger detected.$Unable to create sync event$^
API String ID: 902469739-1982611679
Opcode ID: a7d6483c903e10e3bcb40b2d3012da50e37589c665af99d1c9988de8f5d743f6
Instruction ID: f6a23e82ccad9e8b0f9b8a3864994adec15952b72cbec382ba69473ffb7d3a47
Opcode Fuzzy Hash: a7d6483c903e10e3bcb40b2d3012da50e37589c665af99d1c9988de8f5d743f6
Instruction Fuzzy Hash: 80129074E013489FDB10CFA4C844BEDBBB1BF85314F24425AE815AB391DB79AA85CF84

Function 0043B1C0 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 220serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,?,2881E606), ref: 0043B28B
OpenServiceW.ADVAPI32(00000000,004E6C48,00000002,?,2881E606), ref: 0043B2B9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000002,000000FF,?,?,00000000,00000000,00000000,00000000,00000000,?,2881E606), ref: 0043B382
CloseServiceHandle.ADVAPI32(00000000,?,2881E606), ref: 0043B439
CloseServiceHandle.ADVAPI32(00000000,?,2881E606), ref: 0043B440
GetLastError.KERNEL32(Unable to open the service control manager!,?,2881E606), ref: 0043B469
GetLastError.KERNEL32(?,004E3840,00000000,?,2881E606), ref: 0043B48C
GetLastError.KERNEL32(?,004E3840,00000000,Unable to open the service '{}'!,00000020,004E6C48,?,2881E606), ref: 0043B4BB

Strings

F519FCC9, xrefs: 0043B236
HlN, xrefs: 0043B2A9
Unable to modify service '{}' binary path!, xrefs: 0043B4C8
s_ChangeConfig: type:{} path:'{}' loadorder:'{}' depends:'{}', xrefs: 0043B259
Unable to open the service '{}'!, xrefs: 0043B499
null, xrefs: 0043B1F4
c, xrefs: 0043B26C
ServicesActive, xrefs: 0043B284
Unable to open the service control manager!, xrefs: 0043B464

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ChangeConfigManager
String ID: F519FCC9$HlN$ServicesActive$Unable to modify service '{}' binary path!$Unable to open the service '{}'!$Unable to open the service control manager!$c$null$s_ChangeConfig: type:{} path:'{}' loadorder:'{}' depends:'{}'
API String ID: 2026481396-312531528
Opcode ID: 57f90829e782dbdfc63764e8c57eb1423db241a1a23c945a2692473aad6422b8
Instruction ID: ee8670491973e96c424609abf908ccb3f45639aab8b543c8c0275998abdd2342
Opcode Fuzzy Hash: 57f90829e782dbdfc63764e8c57eb1423db241a1a23c945a2692473aad6422b8
Instruction Fuzzy Hash: 3781B171E00218ABDB14DFA9DC45BEEB7B5EF58701F20812BF915A7290D778AA04CB58

Function 04222C94 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 302nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 04222DB5
NtCreateSection.NTDLL ref: 04222E01
NtMapViewOfSection.NTDLL ref: 04222F76
NtMapViewOfSection.NTDLL ref: 04222FDD
NtMapViewOfSection.NTDLL ref: 04223037
NtMapViewOfSection.NTDLL ref: 042230C0
NtUnmapViewOfSection.NTDLL ref: 042230E5
NtUnmapViewOfSection.NTDLL ref: 042230FF
NtUnmapViewOfSection.NTDLL ref: 04223160
NtUnmapViewOfSection.NTDLL ref: 0422318D

Strings

0/8w,8w, xrefs: 04222DB5, 04222E01
, xrefs: 04222FF8
@, xrefs: 04222D28

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Section$View$Unmap$Create
String ID: $0/8w,8w$@
API String ID: 157120367-1276036414
Opcode ID: 3fcd550496c7bef2e01878b7624e95bb505775ab846f6f84d9431d66b0b02f5d
Instruction ID: 4888740e90c6067882e9f1b37ed52ff01680a2ed34fbe2ff00dc85e7770c0a6d
Opcode Fuzzy Hash: 3fcd550496c7bef2e01878b7624e95bb505775ab846f6f84d9431d66b0b02f5d
Instruction Fuzzy Hash: 36E1C2B0A19305EFDB00DF69D19879EBBF4BF84304F00891DE894A7280E7B99548CF92

Function 00402400 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 320filenativeCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?), ref: 004024F6
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,A0000000,00000000), ref: 00402685
NtSystemDebugControl.NTDLL(00000025,?,00000028,00000000,00000000,?), ref: 004026E7
CloseHandle.KERNEL32(00000000), ref: 004026F3

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

GetLastError.KERNEL32(00000009,004E3840,00000005,Dump file {} already exists,0000001B,?,00000009,004E3840,00000009,Windows 8.1 or later is required for live kernel dumping,?), ref: 00402770
DeleteFileW.KERNEL32(00000000,00000033,004E3840,?,Dump file '{}' could not be created, error code: {},00000033,?,?), ref: 004027A8

Strings

Windows 8.1 or later is required for live kernel dumping, xrefs: 0040272B
Dump file {} already exists, xrefs: 0040274E
mdmp, xrefs: 0040260C
NtSystemDebugControl failed, status: {:#010x}, xrefs: 004027B4
Dump file '{}' could not be created, error code: {}, xrefs: 00402783
dmp, xrefs: 00402596

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: File$AttributesCloseControlCreateDebugDeleteErrorExceptionHandleLastRaiseSystem
String ID: Dump file '{}' could not be created, error code: {}$Dump file {} already exists$NtSystemDebugControl failed, status: {:#010x}$Windows 8.1 or later is required for live kernel dumping$dmp$mdmp
API String ID: 3197884041-707501722
Opcode ID: 61f3de1857afabaa9348f4b7651c36c24971cea040bcfd86890814efbcc0a076
Instruction ID: 14ce4c380a83900e77ec9a0c9d5759f2cd18b411dcfc947a475adbe2c518e68d
Opcode Fuzzy Hash: 61f3de1857afabaa9348f4b7651c36c24971cea040bcfd86890814efbcc0a076
Instruction Fuzzy Hash: 49B1F371900244ABDB10DF68DD8ABDEB7B4EF05308F10422FF915B72D2D7B8AA458B59

Function 00457650 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 153encryptiontimethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0045767A
GetCurrentProcessId.KERNEL32 ref: 00457693
GetCurrentThreadId.KERNEL32 ref: 004576AF
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 004576EC
GetDiskFreeSpaceExW.KERNEL32(00000000,?,00000000,00000000), ref: 00457723
GetSystemTimes.KERNEL32(?,?,?), ref: 0045774C
QueryPerformanceCounter.KERNEL32(?), ref: 004577BD
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000040), ref: 00457807
CryptGenRandom.ADVAPI32(?,00000008,?), ref: 00457822
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00457844

Strings

@, xrefs: 004576D0
Microsoft Base Cryptographic Provider v1.0, xrefs: 004577FF

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Crypt$ContextCurrentSystemTime$AcquireCounterDiskFileFreeGlobalMemoryPerformanceProcessQueryRandomReleaseSpaceStatusThreadTimes
String ID: @$Microsoft Base Cryptographic Provider v1.0
API String ID: 1216455848-3036034798
Opcode ID: 4c862e3b35e4177acae12d27d537bfbe715f8ee4e836dae2b6a0fd341b29d26e
Instruction ID: 92ada2c5474398197d22ce0d6c842790364eacae523c63c75b4d7a71ff078d25
Opcode Fuzzy Hash: 4c862e3b35e4177acae12d27d537bfbe715f8ee4e836dae2b6a0fd341b29d26e
Instruction Fuzzy Hash: 20515E70D00219ABDF10EFA0DC82BDEB775AF14306F008569B609A6192EB746B4CCF99

Function 00451480 Relevance: 15.5, APIs: 9, Strings: 1, Instructions: 490COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,2881E606), ref: 00451500
LeaveCriticalSection.KERNEL32(?,?,?), ref: 00451577
EnterCriticalSection.KERNEL32(?,2881E606,00000000), ref: 004516FE
LeaveCriticalSection.KERNEL32(?), ref: 00451759
EnterCriticalSection.KERNEL32(?), ref: 00451775
EnterCriticalSection.KERNEL32(?), ref: 00451852
LeaveCriticalSection.KERNEL32(?,?,?), ref: 004518F1
LeaveCriticalSection.KERNEL32(?), ref: 00451953
LeaveCriticalSection.KERNEL32(?,?,?), ref: 004519C7

Strings

Callback not found, xrefs: 004519EB

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID: Callback not found
API String ID: 2978645861-2466553093
Opcode ID: 90ea8b37dbc7f5b3297ccac717f73238374040b2e44ddecdebbf04d8d0dac6e4
Instruction ID: fc4674fd61dd75d93fbb44e801c718cf3d25313459c9e98003137e275be466d5
Opcode Fuzzy Hash: 90ea8b37dbc7f5b3297ccac717f73238374040b2e44ddecdebbf04d8d0dac6e4
Instruction Fuzzy Hash: 77129D75A00209DFCB10CF69C484BAEBBB5FF48311F24815AE816AB361DB38AD44CF94

Function 00410BB0 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 323COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00410C7B
std::_Lockit::_Lockit.LIBCPMT ref: 00410D36
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00410D91
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00410ED3
std::_Lockit::~_Lockit.LIBCPMT ref: 00410F77
Concurrency::cancel_current_task.LIBCPMT ref: 00410FA9
std::_Lockit::_Lockit.LIBCPMT ref: 00410FE6
std::_Lockit::_Lockit.LIBCPMT ref: 00411009
std::_Lockit::~_Lockit.LIBCPMT ref: 00411029
std::_Lockit::~_Lockit.LIBCPMT ref: 004110BD

Strings

false, xrefs: 00410E2F
true, xrefs: 00410E45

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskLocinfo::_$Locinfo_ctorLocinfo_dtor
String ID: false$true
API String ID: 1411682675-2658103896
Opcode ID: c03d51a324e3956f51e41c9e98d1aabe3069f72f658f8134c2ea80d35bcc6565
Instruction ID: 77950552026c3dab55a0dd63c2dd85042cc3e8649af3aa45298994ca9c867bac
Opcode Fuzzy Hash: c03d51a324e3956f51e41c9e98d1aabe3069f72f658f8134c2ea80d35bcc6565
Instruction Fuzzy Hash: 2FC155B1D003589BDB10DFA5DD45BDEB7B8BF18308F14416AE808B7242F7799A84CBA5

Function 004567C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 147registrynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00457520: RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000001,00000005,2881E606,00000000,?), ref: 004575C4

Part of subcall function 00456990: RegDeleteTreeW.ADVAPI32(00000000,00000000,00000000,0000000B,00000000,2881E606,00000000,?,?,2881E606,00000000), ref: 004569E2
Part of subcall function 00456990: RegCloseKey.ADVAPI32(?,?,2881E606,00000000), ref: 00456A0A
Part of subcall function 00456990: SetLastError.KERNEL32(00000000,?,2881E606,00000000), ref: 00456A15

RegCloseKey.ADVAPI32(00000000,?,0000000B,00000001,2881E606,00000000), ref: 0045686D
SetLastError.KERNEL32(00000000), ref: 00456878
NtDeleteKey.NTDLL(00000000), ref: 004568B6
NtClose.NTDLL ref: 004568D3
RegCloseKey.ADVAPI32(?), ref: 0045693D
SetLastError.KERNEL32(00000000), ref: 00456948

Strings

Cannot delete registry key, xrefs: 004568BC

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Close$ErrorLast$Delete$OpenTree
String ID: Cannot delete registry key
API String ID: 1581412740-3173408930
Opcode ID: c9022d3fafa45137d26d4862dc7de2edbd21416ce64a52935648af525914cc27
Instruction ID: 6fffae341b74c581201a930e6e3a99c01f0b345ff172e75bdc49082d48f2212a
Opcode Fuzzy Hash: c9022d3fafa45137d26d4862dc7de2edbd21416ce64a52935648af525914cc27
Instruction Fuzzy Hash: 9951A470D042489BDF14DFA5DD49BEEBBB4EF05305F50456EF805A3281EB399A48CB58

Function 042290A4 Relevance: 12.2, APIs: 8, Instructions: 192encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 042290E1
CryptGenKey.ADVAPI32 ref: 04229117
CryptExportKey.ADVAPI32 ref: 04229158
CryptExportKey.ADVAPI32 ref: 0422919D
CryptDestroyKey.ADVAPI32 ref: 04229318

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Crypt$Export$AcquireContextDestroy
String ID:
API String ID: 390627236-0
Opcode ID: 7cd81d6cb7d0d31e6f12dcea8301fc937bb9aaa324837568d4cea26a4454db5b
Instruction ID: 043d840cdfda2e45a5cc45cf8f9d73677cb6c5dd6f2dc0e58f3f379c0a83a78c
Opcode Fuzzy Hash: 7cd81d6cb7d0d31e6f12dcea8301fc937bb9aaa324837568d4cea26a4454db5b
Instruction Fuzzy Hash: 9E81D3B0A147169FDB00DF69C55879EFBF0AF88304F058969E894AB341E779E844CF92

Function 00492D0E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00492E1A
IsValidCodePage.KERNEL32(00000000), ref: 00492E63
IsValidLocale.KERNEL32(?,00000001), ref: 00492E72
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00492EBA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00492ED9

Strings

|L, xrefs: 00492DC7

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: |L
API String ID: 415426439-416395229
Opcode ID: 853e0d3bc91009e356020eced0659bc6278f4077a6ceb2e62af761512a7d8c90
Instruction ID: 4cd80cc738eefe5fd360d56e5cbfbabd7d0504263a1f4cd05c59fc44ce182a9c
Opcode Fuzzy Hash: 853e0d3bc91009e356020eced0659bc6278f4077a6ceb2e62af761512a7d8c90
Instruction Fuzzy Hash: 7E518071900205BBDF11EFA5DD81AAF7BB8FF48301F14457AB511E7250E7B89A008B69

Function 0423781C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32 ref: 0423788C
AdjustTokenPrivileges.ADVAPI32 ref: 042378D5
LookupPrivilegeValueA.ADVAPI32 ref: 042378F9
PrivilegeCheck.ADVAPI32 ref: 0423793B
GetLastError.KERNEL32 ref: 04237969

Strings

c, xrefs: 04237957

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Privilege$LookupValue$AdjustCheckErrorLastPrivilegesToken
String ID: c
API String ID: 3551316436-112844655
Opcode ID: 5934d1d385f5223fe0516ad8aad7017ff04d83f29114802559efc6c7951355e7
Instruction ID: cca803356b9f89115351cf29d4af7a07c4143dd668a2ce9da6f99d4ca43dcb6b
Opcode Fuzzy Hash: 5934d1d385f5223fe0516ad8aad7017ff04d83f29114802559efc6c7951355e7
Instruction Fuzzy Hash: 7341B5B4A143059BDB00EFA8D58839EBBF4FF84355F00892DE88497351D779A589CB52

Function 004954FF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004956E3

Strings

1#INF, xrefs: 00495635
1#IND, xrefs: 00495604
1#SNAN, xrefs: 0049560B
1#QNAN, xrefs: 00495612

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7c558f9957c8d5d44cbdbe7d593b563478ce9c633113fdb0f08acc4676f2f10e
Instruction ID: 91d168c5f4649db22b35448aa35312fe65aea06af9b7b1bed853f31fe6a617e3
Opcode Fuzzy Hash: 7c558f9957c8d5d44cbdbe7d593b563478ce9c633113fdb0f08acc4676f2f10e
Instruction Fuzzy Hash: 18D21671E086288FDF65DE28DD40BEABBB5EB44315F2541EAD40DE7240E738AE818F45

Function 0046F160 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1403COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00470324

Strings

, xrefs: 0046F546
&, xrefs: 00470364
F, xrefs: 0046F50C
, xrefs: 0046F8D8

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: $ $&$F
API String ID: 118556049-2468950496
Opcode ID: 7bf27dc53be720b7cba08cf811c7fa4d4ef8f3cecb6261f68e4d4d02aa72448a
Instruction ID: 7e4254186d43047139e0a5051c619395a74d983f6b80e9c7b440075edf9850e5
Opcode Fuzzy Hash: 7bf27dc53be720b7cba08cf811c7fa4d4ef8f3cecb6261f68e4d4d02aa72448a
Instruction Fuzzy Hash: FDD26B71D002188FDB18CFA8D984B9DBBB1BF49304F2481AED449AB352E778AE45CF55

Function 0043B090 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

I_RpcBindingInqLocalClientPID.RPCRT4(00000000,?), ref: 0043B0B2
EnterCriticalSection.KERNEL32(004ED28C), ref: 0043B0D8
LeaveCriticalSection.KERNEL32(004ED28C,?,?), ref: 0043B110
EnterCriticalSection.KERNEL32(00000000), ref: 0043B11A
LeaveCriticalSection.KERNEL32(00000000), ref: 0043B182

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$EnterLeave$BindingClientLocal
String ID:
API String ID: 514859658-0
Opcode ID: 4fd8f3489c9731c3c6195381f91afde74890889e32c18ce98f3d339833675f54
Instruction ID: d66c53f07d55ef50245005d62ac57983485f5da521fd3d423b46b5d663418263
Opcode Fuzzy Hash: 4fd8f3489c9731c3c6195381f91afde74890889e32c18ce98f3d339833675f54
Instruction Fuzzy Hash: 0831F671A00249AFCB10DF69E885BEEBBB5FF09301F1541AEE80687241DB35BA54CBD5

Function 042248B0 Relevance: 9.1, APIs: 6, Instructions: 103encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 042248EC
CryptSetKeyParam.ADVAPI32 ref: 0422495F
CryptSetKeyParam.ADVAPI32 ref: 04224990
CryptDecrypt.ADVAPI32 ref: 042249EE
CryptDestroyKey.ADVAPI32 ref: 04224A14
CryptReleaseContext.ADVAPI32 ref: 04224A29

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Crypt$ContextParam$AcquireDecryptDestroyRelease
String ID:
API String ID: 3659060813-0
Opcode ID: ef06900fd408705e8d2b6b98ce7053499090ff5e274e323f2bc1bb6de98c8c26
Instruction ID: 82837b33364889174c340fc14309a6d1ce882ad2a304d7771a0f2a2cdcf47742
Opcode Fuzzy Hash: ef06900fd408705e8d2b6b98ce7053499090ff5e274e323f2bc1bb6de98c8c26
Instruction Fuzzy Hash: EB4172B4604716AFDB00EF69D59879EBBF4EB88344F00882DE99497340E779E944CF92

Function 0049238F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

GetACP.KERNEL32(?,?,?,?,?,?,00487AE4,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00492450
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00487AE4,?,?,?,00000055,?,-00000050,?,?), ref: 0049247B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004925E4

Strings

utf8, xrefs: 0049254D
|L, xrefs: 00492406

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8$|L
API String ID: 607553120-2439244186
Opcode ID: fa11a84404245600eb8c62c39f6116d21cfbf1c0ab63a8c285ad010495ad5cfc
Instruction ID: fd7c559d5dfb32f6e31d34b33faf54d6bcc8a290a1e4eded057ab885b8e17035
Opcode Fuzzy Hash: fa11a84404245600eb8c62c39f6116d21cfbf1c0ab63a8c285ad010495ad5cfc
Instruction Fuzzy Hash: 8271F871A00202BADF25AB75CD42BAB7BA8EF44714F11443BF905D7281E7BCE940876D

Function 00492B39 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00492E57,00000002,00000000,?,?,?,00492E57,?,00000000), ref: 00492BD2
GetLocaleInfoW.KERNEL32(?,20001004,00492E57,00000002,00000000,?,?,?,00492E57,?,00000000), ref: 00492BFB
GetACP.KERNEL32(?,?,00492E57,?,00000000), ref: 00492C10

Strings

ACP, xrefs: 00492B57
OCP, xrefs: 00492B8D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 81be9eb7b40576d6bd154b4ac10d9a1f3a1026fc30c33a5d6424cb9f037c9860
Instruction ID: 378be3ceac67b0497ed3cf27fcdc7647dec956a3a968576a270ca381318c4fee
Opcode Fuzzy Hash: 81be9eb7b40576d6bd154b4ac10d9a1f3a1026fc30c33a5d6424cb9f037c9860
Instruction Fuzzy Hash: EB21A762600101BBDF348F14CB05B9B7BE6BB54B64B168476E90AD7301F77AEE41C398

Function 004565F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85nativeCOMMON

Download Yara Rule

APIs

NtOpenKey.NTDLL ref: 004566A3
std::bad_exception::bad_exception.LIBCMT ref: 004566F6

Strings

@, xrefs: 0045666D
Unable to open registry key handle using NtOpenKey, xrefs: 004566EE

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Openstd::bad_exception::bad_exception
String ID: @$Unable to open registry key handle using NtOpenKey
API String ID: 1804759629-1644191564
Opcode ID: e4247a4e267bbce4f6a3c2d5740e7b48804cd138052c6fc3d99dc5423b650661
Instruction ID: ed19fc0b0ae54f485dfee0bc54a78ee9f90e493c5b6454bb504bd016f72e912a
Opcode Fuzzy Hash: e4247a4e267bbce4f6a3c2d5740e7b48804cd138052c6fc3d99dc5423b650661
Instruction Fuzzy Hash: 8F312BB0D103189BDB14DF99D855BEEBBB8FF48714F10412EE405A7380EBB85A48CB98

Function 0046D6C0 Relevance: 7.1, APIs: 2, Strings: 1, Instructions: 1830COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0046EAB0
Concurrency::cancel_current_task.LIBCPMT ref: 0046F036

Strings

-, xrefs: 0046E751

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: -
API String ID: 118556049-2547889144
Opcode ID: e7f2b7b18f439a2522872b1f11f8c6fc6cdff2f412c6931b500fab79c6b8985e
Instruction ID: 3c03fa0f385eb885946883002a0ef7a6e635cd59b92fa04a8838dec469ae6796
Opcode Fuzzy Hash: e7f2b7b18f439a2522872b1f11f8c6fc6cdff2f412c6931b500fab79c6b8985e
Instruction Fuzzy Hash: 34F2AD71D002198FDB24CF69C944BEDBBF5AF48304F14819AE459AB381E778AE84CF95

Function 00468CC0 Relevance: 6.8, Strings: 5, Instructions: 562COMMON

Download Yara Rule

Strings

'%prefix%, xrefs: 00469035, 0046919B
and , xrefs: 00469119
and matches , xrefs: 00468FC0
', , xrefs: 00469048
different versions of , xrefs: 00469167

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: and matches $'%prefix%$', $and $different versions of
API String ID: 0-7343509
Opcode ID: 96769cac2c0dc9b77f9c1cca16320ffc4a064adc3fb7ea5f6d62c83765679c3f
Instruction ID: 83c112888a3c580403efaf278ae9a6acb54094b51b0dbb792db3f40e62cb0fce
Opcode Fuzzy Hash: 96769cac2c0dc9b77f9c1cca16320ffc4a064adc3fb7ea5f6d62c83765679c3f
Instruction Fuzzy Hash: 58221671A002489FDB18DFA8C944BEDBBB5FF45304F24421EE415AB392D778AE44CB59

Function 00440B20 Relevance: 6.5, APIs: 4, Instructions: 476fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 00441002
UnlockFileEx.KERNEL32(?,00000000,FFFFFFFF,00000000,?), ref: 0044102E
SetLastError.KERNEL32(00000000,?,?), ref: 0044104B
CloseHandle.KERNEL32(00000000), ref: 004410A3

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: File$CloseErrorHandleLastLockUnlock
String ID:
API String ID: 1994953073-0
Opcode ID: 36fa488b27b554e2a7c35fcab4488896469b92208a1bf340945656d02f40f6c2
Instruction ID: ffdec8b8faafeafbc01f339c72eb80c497d2f9e468fa492fbc6fecd09bbaca49
Opcode Fuzzy Hash: 36fa488b27b554e2a7c35fcab4488896469b92208a1bf340945656d02f40f6c2
Instruction Fuzzy Hash: A3024B71E002049FEB14DFA8CC85BAEF7B5EF44304F20861EE915A7391DB78A955CB94

Function 0048B9AC Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0048BA39

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f5cada7fe8063b693c0dc6151ffd257ca42a88930e98b8d8a2ca3897189036aa
Instruction ID: 46199507b45f4702752ea1ebb1eb489822cf52ccf81fc4bb5daebcfebb6b928c
Opcode Fuzzy Hash: f5cada7fe8063b693c0dc6151ffd257ca42a88930e98b8d8a2ca3897189036aa
Instruction Fuzzy Hash: F6B148729042459FDB15AF28C881BEFBBA5EF55314F18896BE801AB341D73CAD01C7E9

Function 0422C4A0 Relevance: 6.2, APIs: 4, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: a964274f050a386798325e653df0447ace3adbcb117a87e43cd81e702fe71acf
Instruction ID: 9f878ecb27f2861cc5cacf7d0fe65f259e1088f2c01b53393f9e6df2f77e9f84
Opcode Fuzzy Hash: a964274f050a386798325e653df0447ace3adbcb117a87e43cd81e702fe71acf
Instruction Fuzzy Hash: 02A19DB0A283159FE711EF69C58875EBBF4AF84348F00895DE8889B250D774E988DF53

Function 004724B9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004724C5
IsDebuggerPresent.KERNEL32 ref: 00472591
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004725AA
UnhandledExceptionFilter.KERNEL32(?), ref: 004725B4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 33490149da6fc1095631cb325564fed21f3e53702eaa5fe61110ac8c90fdd743
Instruction ID: 6331a12f2f6de563fded9c1c90170183e109067b2fb94eb0870e29ccfcd2f5fa
Opcode Fuzzy Hash: 33490149da6fc1095631cb325564fed21f3e53702eaa5fe61110ac8c90fdd743
Instruction Fuzzy Hash: 8E312775D052199BDF20DFA4D9497CDBBB8BF08300F1081EAE40CAB250EBB49B848F49

Function 004062F0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

/Kim, xrefs: 00406385

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: /Kim
API String ID: 0-585551710
Opcode ID: 228faf5df3ce2d80decd902d426b6d844324676680fb397ff07eddac3f642062
Instruction ID: 77d926e8f973c196e57694f3b001a4345d3b57152b5fc7a4fcd7a0b053960e9f
Opcode Fuzzy Hash: 228faf5df3ce2d80decd902d426b6d844324676680fb397ff07eddac3f642062
Instruction Fuzzy Hash: 6D91C771F002184FCB18CE6D9C8069DFBA6EBC9310F16457FE84AEB396D6789C058794

Function 00406E60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00407066
__aulldvrm.LIBCMT ref: 00407099

Strings

/Kim, xrefs: 00406EB7

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: __aulldvrm
String ID: /Kim
API String ID: 1302938615-585551710
Opcode ID: dbb94ed02faa18c3c159a93f769016ea994ae5c0a16957ff253bff0316483cd1
Instruction ID: 82e9a143a703646f8dfe577aa75d4dd805d02aa31441dc9244c3c6e85e8593a7
Opcode Fuzzy Hash: dbb94ed02faa18c3c159a93f769016ea994ae5c0a16957ff253bff0316483cd1
Instruction Fuzzy Hash: A581D571F042188FCB08CEADCC816AEFBA6EBC9310F19417EE549EB381D6785C068795

Function 0045A3EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0045A3FF
GetSystemInfo.KERNEL32(?), ref: 0045A41A

Strings

D, xrefs: 0045A40E

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 5164bc2a9ed695097950342e50630c92ace10fa3cae7bd4ef203273723a2db24
Instruction ID: 35d9e5e540b11b716dd041ce31d0e6b2fa580a5c92a8acc9415a5c213e0d0fd0
Opcode Fuzzy Hash: 5164bc2a9ed695097950342e50630c92ace10fa3cae7bd4ef203273723a2db24
Instruction Fuzzy Hash: 03012B326001096BDB14DF69CC09BDF7BAAAFC5325F0CC221ED19DB245E678D9168684

Function 0045DDFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002,2881E606,?,0044E673,?,2881E606), ref: 0045DE11
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,2881E606,00000000,00000000,?,?,0044E673,?,2881E606), ref: 0045DE38

Strings

!x-sys-default-locale, xrefs: 0045DE0C

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: cf9267e61772d7cf61828dde6add861c26439e00069ea5aeb582dd5a4e9d28a0
Instruction ID: 67dfdc818822c27192277d747dd761da0bb1ab8049e3712ee038a45bb6ec7bf5
Opcode Fuzzy Hash: cf9267e61772d7cf61828dde6add861c26439e00069ea5aeb582dd5a4e9d28a0
Instruction Fuzzy Hash: F1F0A0BA510104FFEB14AF84DC0AEAF3BACEF19355B00401AB902DA040E2B1AE009765

Function 004927B0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00492804
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0049284E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00492914

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: bd54b8b179976bea9ba479b0ce7b0995ab51fd3014a2ccf6081e36b8cf4885ab
Instruction ID: 38371c8fa54bd0b0af6ba91184da36c4a87ba9783d1058e53d83f73bdadba19f
Opcode Fuzzy Hash: bd54b8b179976bea9ba479b0ce7b0995ab51fd3014a2ccf6081e36b8cf4885ab
Instruction Fuzzy Hash: ED6170B1610217AFDF64AF25CE86BAB7BA8EF04304F10417BED05C6285E7B8D941DB58

Function 0047D0A3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,2881E606), ref: 0047D19B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,2881E606), ref: 0047D1A5
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,2881E606), ref: 0047D1B2

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: da9eca7a0d7955ecd8340c769727c364092f962767b1a8e137e54a1e3e7b0369
Instruction ID: 02e52d5cfe34ef61acd80ba997a418b0ed0a5b9e27c1dff76b7ecd6ee45d0627
Opcode Fuzzy Hash: da9eca7a0d7955ecd8340c769727c364092f962767b1a8e137e54a1e3e7b0369
Instruction Fuzzy Hash: C931B375911218ABCB21DF69D8897CDBBB4BF08311F5081EAE40CA7251E7749F858F49

Function 00435630 Relevance: 4.4, Strings: 2, Instructions: 1926COMMON

Download Yara Rule

Strings

gfff, xrefs: 00436C60
0123456789ABCDEFabcdef-+XxPp, xrefs: 004356A6

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_$Lockit::~_
String ID: 0123456789ABCDEFabcdef-+XxPp$gfff
API String ID: 1965920666-2564223115
Opcode ID: 21e2c9a6a5ffa810beb91a919fbb7fdfd0a1092946604035f2390d4beb04d2c4
Instruction ID: e4bd4dbde3e6953cba2538d8bc2a0a93f14746de8c17df1cbd84420ade7ad3d3
Opcode Fuzzy Hash: 21e2c9a6a5ffa810beb91a919fbb7fdfd0a1092946604035f2390d4beb04d2c4
Instruction Fuzzy Hash: EE031634A00245DFCF25CF28C4507AABBB1AF4A314F29919ED8999B392C739EC46CF54

Function 0043AF40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

I_RpcBindingInqLocalClientPID.RPCRT4(00000000,?), ref: 0043AF97

Strings

Debugger, xrefs: 0043B03F

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: BindingClientLocal
String ID: Debugger
API String ID: 3127989631-681389119
Opcode ID: dafb08954b22f39334798b41237fcf7722b02a85bdacc3ce71a59ea6c322a71a
Instruction ID: 794e9660aa6eb1f5402932300721a5358b810dc3d54144d7d8ae4739bde0c104
Opcode Fuzzy Hash: dafb08954b22f39334798b41237fcf7722b02a85bdacc3ce71a59ea6c322a71a
Instruction Fuzzy Hash: 6441CE71D102989BDB04DFA0D8407EEBBB2FF58304F14425EE8406B251EBB85E84CB85

Function 00456710 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL ref: 0045676C

Strings

Cannot query kernel mode registry key path, xrefs: 00456772

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Query
String ID: Cannot query kernel mode registry key path
API String ID: 3850148591-149775156
Opcode ID: ca9d2ad82bbed5f87ff8deda769993b4266dcaf408b9867faba1765bb3c6d032
Instruction ID: 6bd24f02fd68eb2e54bede4cdb07648a4b5cc8135329e9b474471b2cd5ec7e08
Opcode Fuzzy Hash: ca9d2ad82bbed5f87ff8deda769993b4266dcaf408b9867faba1765bb3c6d032
Instruction Fuzzy Hash: 9B11CC71A003099BE710DF55DC5ABEEB7B8EF80304F1042AEE51997292DBB46F948B94

Function 00484FE0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a476ecbd7e204a4c5902bfcbda9a3cde8357ad6e7a39cf289158df1d78fa6fa
Instruction ID: 6c5a97f722463215f22e3f00a9ef8b1eb015736c9a495c0cf22e2dc3d65f9d9e
Opcode Fuzzy Hash: 4a476ecbd7e204a4c5902bfcbda9a3cde8357ad6e7a39cf289158df1d78fa6fa
Instruction Fuzzy Hash: 19F16071E006199FDF14DFA9D8806AEB7B1FF89314F15866EE815A7380D7349D41CB84

Function 0045E1B5 Relevance: 3.0, APIs: 2, Instructions: 15timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0045DB9B,00000000,?,?,?,0043FC99,?,000F4240,00000000), ref: 0045E1CE
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,0045DB9B,00000000,?,?,?,0043FC99,?,000F4240,00000000), ref: 0045E1D2

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: d03c9537e33158e5fa0771749dc25a54b6225393a74a700a49606963a6602309
Instruction ID: f5e049887a8897a5526ee96748cb70a9ab8ff5b4880f10078d5282390c457076
Opcode Fuzzy Hash: d03c9537e33158e5fa0771749dc25a54b6225393a74a700a49606963a6602309
Instruction Fuzzy Hash: 0DD0A932904528AB8A062F86AC044AEBF18EA45B533080072FC055B2228B60AA008BCD

Function 004184F0 Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

%, xrefs: 004188E1
+, xrefs: 004188F0

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: f8729162d327d276129640cb30458a141aec593201e099bd30574a27856d5f69
Instruction ID: 3862e3a25da76ab96ab8f28ebf5b6021c8899e36f90935b74cb75a59fdc03282
Opcode Fuzzy Hash: f8729162d327d276129640cb30458a141aec593201e099bd30574a27856d5f69
Instruction Fuzzy Hash: BFE1C271D001089FCB19DF68DC41AEFBBB6EF45304F14822EF815AB291DB389955CB99

Function 0041CBB0 Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

%, xrefs: 0041CFA1
+, xrefs: 0041CFB0

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: 1a7b95cba408dcfc505f5d6b7a28041d1df54de62d4afbbe36e4df0782e4f475
Instruction ID: 6de3d63901f962e4f51f343ce45c6f4e0dda25f9a11b11c84b60ff2235bd32c5
Opcode Fuzzy Hash: 1a7b95cba408dcfc505f5d6b7a28041d1df54de62d4afbbe36e4df0782e4f475
Instruction Fuzzy Hash: 9FE1E472D006099BCB15DF68DC81BEFBBB6EF45304F14422AF815AB281E7389D51CB99

Function 00459C70 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

HIM, xrefs: 00459CC2
HJM, xrefs: 00459D8A

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: HIM$HJM
API String ID: 0-832462223
Opcode ID: 48e9a55e7bc6b1c1d6c75120d7fe46365e933f603ed3308380760c0b8d81a6eb
Instruction ID: bd8d7a299e4ce5ff935b66e86f5c3931eb1b390f5f9eb0106c334b5bc41a85a4
Opcode Fuzzy Hash: 48e9a55e7bc6b1c1d6c75120d7fe46365e933f603ed3308380760c0b8d81a6eb
Instruction Fuzzy Hash: 00519375E002198FCB84CFADC98169EBBF1FF8C214B1581AAD819E7306D734AE558F94

Function 00464D50 Relevance: 2.4, Strings: 1, Instructions: 1194COMMON

Download Yara Rule

Strings

/, xrefs: 00465D6F

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 47ba7d3478b69d6724bad9d857c567678f04d7e67c6b4df6ce90207b874f3eae
Instruction ID: 6c592b9b363057b08b4cabf6500bea1fbc5ab8513a5fb4458cd8817f325f5217
Opcode Fuzzy Hash: 47ba7d3478b69d6724bad9d857c567678f04d7e67c6b4df6ce90207b874f3eae
Instruction Fuzzy Hash: EBB2AC70900618DFDB24CF68C944B9EBBB1BF49304F14819EE449AB391E779AE84CF95

Function 00434A30 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00434AEC

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 593203224-2799312399
Opcode ID: 2ebabf7ea6c1917a152ddfe63e285c9fda3ca78bf6dbeb9dc92c119987ac6444
Instruction ID: 36743c68702d5e252512489b700670230d4997f88764eb9fd5622b71e811bb9d
Opcode Fuzzy Hash: 2ebabf7ea6c1917a152ddfe63e285c9fda3ca78bf6dbeb9dc92c119987ac6444
Instruction Fuzzy Hash: BC92E034904644CFDB25CF28C4507AEBBB2AF9A314F28919ED8959B392C739EC42DF54

Function 0040D2E0 Relevance: 1.8, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

gfff, xrefs: 0040D8C5

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: f74f196277786c8ba57d444ad804091e35325bb89dd9b183c155cdac343bb847
Instruction ID: fc689eda8fbbd30f93b042acaecc412fff0e5e9a90cee9223c7c1cb6d852f77b
Opcode Fuzzy Hash: f74f196277786c8ba57d444ad804091e35325bb89dd9b183c155cdac343bb847
Instruction Fuzzy Hash: A3226075E041198BDF08CFE9D8916AEB7F2EB88314F24813ED815F7380E63999468B95

Function 0040BD10 Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

gfff, xrefs: 0040C3A2

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: cbe61facfd01b6561be24484d734aad446480008e0794f79a77a808fce0e0d1f
Instruction ID: 24e422443c03602fff38b04f637f47ed8af1ebf13fa001025b0cbe27856d374b
Opcode Fuzzy Hash: cbe61facfd01b6561be24484d734aad446480008e0794f79a77a808fce0e0d1f
Instruction Fuzzy Hash: 7312D335A002068BDB189F6DD9957ADB6A6EF45300F18813BE906FB3E1D33D994087DE

Function 0048CEA4 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0048CE9F,?,?,00000008,?,?,00499115,00000000), ref: 0048D0D1

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e278348abb4acf488cd90a12bd208e2e79d9896f2acc2ff9b6d6df4dca11d5e7
Instruction ID: 452dcae707d515994d2858da45ce4ce9306148d8ac5531aef6b8d62eb0d399a5
Opcode Fuzzy Hash: e278348abb4acf488cd90a12bd208e2e79d9896f2acc2ff9b6d6df4dca11d5e7
Instruction Fuzzy Hash: 39B17D31611604DFD718DF28C48AB697BA1FF05364F258A5AE999CF3E1C339E982CB44

Function 00471E77 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,?,004720D6,?,00458EFA,00000001,2881E606), ref: 00471E8D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b7645b8691180b513d8ce224680a8f12ad30644aca6592983f79e2a3741c349d
Instruction ID: 72aeef96c09bff6f937be084af997d318ee5448e2fe6c3e8784905c212a010ae
Opcode Fuzzy Hash: b7645b8691180b513d8ce224680a8f12ad30644aca6592983f79e2a3741c349d
Instruction Fuzzy Hash: F0518B71A006568BDB18CF59D9857ABBBF0FB44314F14C47AD508EB362E3799900CFA8

Function 0048F710 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ced69d0d0db35ac7a211570f5a0d1af756310bbab0ba52edf3596048a5ab7cf
Instruction ID: 9fd570e8d113bbac02ed5522288f71eb66112ac7fca7bf2be9b820dbf3adfc56
Opcode Fuzzy Hash: 9ced69d0d0db35ac7a211570f5a0d1af756310bbab0ba52edf3596048a5ab7cf
Instruction Fuzzy Hash: 6231E672900219AFDB20FFA9CCC9DAFB77DEB84314F14456AF80597244EA349E448B64

Function 04252CB8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2f1aaea2d38b673d7982336bc4da97170c1d9318cb8d77b29785f5495c4659
Instruction ID: ed62229c7c0e2376b57e963f33d1d6a130e179c80304b1e153af3125ea449ee2
Opcode Fuzzy Hash: 8e2f1aaea2d38b673d7982336bc4da97170c1d9318cb8d77b29785f5495c4659
Instruction Fuzzy Hash: 73414EB4A19349DFCB40DF29D58099ABBE4BF88654F00892EFC98D3350D374E9548F92

Function 04253428 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d0ce02c4195c17a7c79055c15e1c50a4f39f25d4b1b4cdde97a2816800911c
Instruction ID: 27d8a3e396a7736ac842cbbe65351a1df7a37c967812be45a66cbcf694d6900f
Opcode Fuzzy Hash: e5d0ce02c4195c17a7c79055c15e1c50a4f39f25d4b1b4cdde97a2816800911c
Instruction Fuzzy Hash: C0414DB4A183069FCB40DF2AD58059ABBE4BF88754F00892EFC98D3310E374E9548F92

Function 0425303C Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3bee822d2bf013ac467f64dc0c6fe8e58c4e084c6d0ad84e031901b2929201
Instruction ID: b1785f8d2b2975b4f6743727fbe641834e4a57e69097a39a96217045388dd245
Opcode Fuzzy Hash: ae3bee822d2bf013ac467f64dc0c6fe8e58c4e084c6d0ad84e031901b2929201
Instruction Fuzzy Hash: 86414DB4A183469FCB40DF2AD58499ABBE4FF88654F00892EFC98D3310D774E9548F96

Function 00492A10 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00492A64

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 590bdc057485edfe4fafbca18bb4bc016bea8aca01d744e3b6173c9f810e8bc6
Instruction ID: 4ac01bff117f6cfb26222663d7b83b4f24bb8166ddd6e62d23578a50ef9f5f38
Opcode Fuzzy Hash: 590bdc057485edfe4fafbca18bb4bc016bea8aca01d744e3b6173c9f810e8bc6
Instruction Fuzzy Hash: 40217173600206BBDF38EE26DD41ABB7BA8EB44315B14007FFD01C6251EBB89D458B58

Function 00492682 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

EnumSystemLocalesW.KERNEL32(004927B0,00000001,00000000,?,-00000050,?,00492DEE,00000000,?,?,?,00000055,?), ref: 004926F4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7aaa375078e161d46b4082e9e88ab0fb770be8b2cdfc10913d036e35195826c5
Instruction ID: 7b03d4edc08f3d0f2d067dfe3aa5a198b420d204ff36da0bc98544f1663aa4dc
Opcode Fuzzy Hash: 7aaa375078e161d46b4082e9e88ab0fb770be8b2cdfc10913d036e35195826c5
Instruction Fuzzy Hash: 2E11063A2003016FDF18AF79899167ABB91FF84319B15443EE94697B40D7B56942C744

Function 04254070 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb603dbc249681306c9129ad887fdcfd30c0931a57d0f7e841a3b87f3ca85162
Instruction ID: 85572002c0428512df2a083c48140232768d372a79bac3e73209845145bf2619
Opcode Fuzzy Hash: fb603dbc249681306c9129ad887fdcfd30c0931a57d0f7e841a3b87f3ca85162
Instruction Fuzzy Hash: 7A019EB1724315EBD710BF29D94067AFBE8EB84754F11C82EE88483202D675E894CB91

Function 00492C3F Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004929CC,00000000,00000000,?), ref: 00492C6B

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 68c83fbcc2952931a11e650aaf1fbd120fadb0767df3841072b8ca63c4a4fee4
Instruction ID: 8d9d5c0dc3a2785bee8aefe851346d42e1e3c71319cc86fb7faa524cb1eae172
Opcode Fuzzy Hash: 68c83fbcc2952931a11e650aaf1fbd120fadb0767df3841072b8ca63c4a4fee4
Instruction Fuzzy Hash: 39F0A932500111BBDF285A668A057BF7F58FB80754F15447AEC05A3240EAB8FE41C694

Function 0049271D Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

EnumSystemLocalesW.KERNEL32(00492A10,00000001,00000000,?,-00000050,?,00492DB2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00492767

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: abfe2b8ced45a47676d8108dd7851b9c7093e7af74fa0a44939c6cb9e6f39b66
Instruction ID: 29281990ee1539d5928fac8e778169313d7711f8cd0d5b3898412c26d0a46e6c
Opcode Fuzzy Hash: abfe2b8ced45a47676d8108dd7851b9c7093e7af74fa0a44939c6cb9e6f39b66
Instruction Fuzzy Hash: F9F022362003047FCF246F799C81A7B7F94EF81368B0444BEF9019B690D2B99C02C748

Function 0048D4FD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00488FD1: EnterCriticalSection.KERNEL32(?,?,0048AA17,00000000,004E33F0,0000000C,0048A9DE,2881E606,?,0048CA1F,2881E606,?,0048B537,00000001,00000364,?), ref: 00488FE0

EnumSystemLocalesW.KERNEL32(0048D4F0,00000001,004E3510,0000000C,0048D940,00000000), ref: 0048D535

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: c5ee30f8a22c92e4aafb5d284eb1de8a9256d5c97989946cce1ce8bf8562c663
Instruction ID: 319f54fa5b736407ddfcac14c9f192b42cd8ed31cb0dd32f14e4724d96315ad8
Opcode Fuzzy Hash: c5ee30f8a22c92e4aafb5d284eb1de8a9256d5c97989946cce1ce8bf8562c663
Instruction Fuzzy Hash: C5F04F72A04300EFDB00EF99E882B9D77F1EB44725F10456BF514DB2E2D77959458B48

Function 00492637 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0048B399: GetLastError.KERNEL32(00000010,00000000,00491BD1,004E35F0,0000000C,0048B7BC,0000000C,?,0048167D,00000000,0000000C,?,00000000,00000000,?,00000000), ref: 0048B39D
Part of subcall function 0048B399: SetLastError.KERNEL32(00000000,00000000,00000000,0048982C,2881E606,?,004E3310,00000010,00000003,0047D0A2,?,0047D011,?,00000000,0047D220), ref: 0048B43F

EnumSystemLocalesW.KERNEL32(00492590,00000001,00000000,?,?,00492E10,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0049266E

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 93810ff05fbc63b2d980e511971fb177bb5090e1b3a488d419bdca2aff92f1ba
Instruction ID: 4dce86eec73909c4df63ccc2ec7db8dcbdcf8e76b47a65578c0512ed8e134303
Opcode Fuzzy Hash: 93810ff05fbc63b2d980e511971fb177bb5090e1b3a488d419bdca2aff92f1ba
Instruction Fuzzy Hash: 84F0553A300304A7CF04AF3AE81576B7F94EFC2720B07046AEA058B660C7B99C42C794

Function 04229884 Relevance: 1.5, APIs: 1, Instructions: 29encryptionCOMMON

Download Yara Rule

APIs

CryptGetProvParam.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0422A3E4), ref: 042298B9

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: CryptParamProv
String ID:
API String ID: 4265472505-0
Opcode ID: 2a9e24df1a5bd80ee721baea54bb41895703086d9e897bad2c599eb952c01714
Instruction ID: 8610c59e3fb7d78475cbfcc4a6676c05fb949a73be0e5eec99bd4964e77cb716
Opcode Fuzzy Hash: 2a9e24df1a5bd80ee721baea54bb41895703086d9e897bad2c599eb952c01714
Instruction Fuzzy Hash: 95F0F9B0A04309ABDB04EF29D19566EBBB4EF44344F00881CE89587350D774E944CF92

Function 0048DA44 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0048864A,?,20001004,00000000,00000002,?,?,00487C4C), ref: 0048DA78

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b178c3dcd891c1be9b2b104e610cbbf14eecd28529bd6cb586c35c90db9fc5bd
Instruction ID: c5e7f940106ff58c384a3ae32826b3123f18fa15c777c578646a038df6308949
Opcode Fuzzy Hash: b178c3dcd891c1be9b2b104e610cbbf14eecd28529bd6cb586c35c90db9fc5bd
Instruction Fuzzy Hash: C5E0483190511CB7CF127F61DC04EAE7F16EF44751F104815FC0565161DB759A2197DD

Function 0044F6D0 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0044F73C

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: VUUU
API String ID: 0-2040033107
Opcode ID: 74ef98c9db8747d343e1075c83eb1440d53e05a53b831d627a80a0cabb7f2220
Instruction ID: 285bd4e64d056a42a156965213963fa0fed5e626d9613602cecdda0a81078625
Opcode Fuzzy Hash: 74ef98c9db8747d343e1075c83eb1440d53e05a53b831d627a80a0cabb7f2220
Instruction Fuzzy Hash: 7951E2B2904AA55FD315CF2984007AAFFF1EB85600F08C29FE494CB382D238DB45DB91

Function 0046B8A0 Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2384a1499e3fc8dff880e0f0aa54c0df58980b24091195a769022a4ffc9d2e8a
Instruction ID: ef6ae44683f4f019d9fe00e2e5c7d1dc374d2f3d8bd903f7bf90d34f76482b4c
Opcode Fuzzy Hash: 2384a1499e3fc8dff880e0f0aa54c0df58980b24091195a769022a4ffc9d2e8a
Instruction Fuzzy Hash: BE42A0719002188FDB28CF18C954BEEB7B5EF44304F14859EE45AA7391EB78AE84CF95

Function 00408260 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83279d5f27e4a3b653283e79e98023e5f25eab4448ae52bd1e531608c9743e9b
Instruction ID: c6dc5e7f1f69acfeec44950b35d68645d5b3144d2d9c3af1dad0b7cd89aaaefc
Opcode Fuzzy Hash: 83279d5f27e4a3b653283e79e98023e5f25eab4448ae52bd1e531608c9743e9b
Instruction Fuzzy Hash: 4C127D32F0112A8BCF18CEADC9916EDF7F6AB88310F19816AD855F7390DB349945CB94

Function 00468560 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e380bb2d16accf82c9fe565635732809b381370ed2d84d496c9409754bf5184
Instruction ID: 4902b2b457f3e9406435497eaaa6d62299613bcc41c4bf4d5e65f6f8de13e4a4
Opcode Fuzzy Hash: 8e380bb2d16accf82c9fe565635732809b381370ed2d84d496c9409754bf5184
Instruction Fuzzy Hash: AFF1F5719002089FDB08DF68CD54BEEBBB5FF45304F14825EE805AB391DB78AA45CB95

Function 0040C820 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfc8d23d17b7c8b9453808f38cd2801b05740186b223f1c97c00512666a1494
Instruction ID: 6ce459c5c932ed4a6527d7dc4f208f5724d7a2ca66cc844020040d0302300a50
Opcode Fuzzy Hash: fdfc8d23d17b7c8b9453808f38cd2801b05740186b223f1c97c00512666a1494
Instruction Fuzzy Hash: ECE19F71E04119CBDF18CFA8D8D16AEBBB1EB98304F14427ED80AF7391D73999458B94

Function 00480A43 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b3759b5efbab0a8b53493ded897541dc4083d8118bfea12da31173d00cab12
Instruction ID: ce9b7ca28792806cfa874abb4e86bb6b7a12258c560967fc630f3a6307ffc238
Opcode Fuzzy Hash: 01b3759b5efbab0a8b53493ded897541dc4083d8118bfea12da31173d00cab12
Instruction Fuzzy Hash: C4E1AF706206058FCBA8EF68C480AAFB7F1BF45314B244E4ED4569B391D738AD4ACB59

Function 004806B5 Relevance: .3, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b2f23a9e4a2e8bfd5b82997d66da222343b700f58d721262441522bce95354
Instruction ID: 03ab571973c46bbe09fa6301645fee923e8ee14374bf4d7315be4ad3b3bd9f45
Opcode Fuzzy Hash: 99b2f23a9e4a2e8bfd5b82997d66da222343b700f58d721262441522bce95354
Instruction Fuzzy Hash: 61C1C27091064A8FDBA4EF68C49067FB7A1BF05314F144E1FD49697392C738AC8ACB99

Function 00436CF0 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc338720f3c5c28bbc4cbaa416970f2d82bbcae4e7c04b3a46813b7b2768ef5
Instruction ID: eed5dff23b32be4cda3ddf4ba20aa14fd0932476358db7ce8f89498cab27663d
Opcode Fuzzy Hash: ddc338720f3c5c28bbc4cbaa416970f2d82bbcae4e7c04b3a46813b7b2768ef5
Instruction Fuzzy Hash: 27D10374A04259DFCF15CFA8D4806ADBBB2BF0D304F29919AE845AB342C735AC46CF94

Function 00491E40 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: d05db9af934b02bd585cefd346e2af82dd3377ddb648ce988ed53822f7915e20
Instruction ID: ac3773bc9865019d9898d6e2fc7097d62eedb4d535b9f519ba2ca888c5a09f14
Opcode Fuzzy Hash: d05db9af934b02bd585cefd346e2af82dd3377ddb648ce988ed53822f7915e20
Instruction Fuzzy Hash: B8B139355003069BCF38DB25CC92AB7B7A8EF44308F14453FEA47C6695EBB9A985C708

Function 0040CCA0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c786e36d94ff7ef7a5ba316c38a86443fe575fbd1e79678ff8428fa2e860f5
Instruction ID: 3e1251aff20dea3eee100cb7d46d472527b41a6b32f90c7a94887c4f640989da
Opcode Fuzzy Hash: a2c786e36d94ff7ef7a5ba316c38a86443fe575fbd1e79678ff8428fa2e860f5
Instruction Fuzzy Hash: 11A14672F001199BDF0CCE6DDD913ADB6B6EB88310F19C13AE91AE7391E6749D418B84

Function 0040DC30 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976f5e3193978b91e4cdde49ffc5452839ae363369755e517770879cf809bf51
Instruction ID: a665f0f22af24f1af797b2c5b5d81d73043884c84654c6dbe628828c334e9ee0
Opcode Fuzzy Hash: 976f5e3193978b91e4cdde49ffc5452839ae363369755e517770879cf809bf51
Instruction Fuzzy Hash: AB81A571F012189BDB14CFADD88169DBBF2EF98314F28813EE415E7385D6785946CB44

Function 00409250 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d794903e04f65901e2a0d5da8f7399cc580c325f9ae068bfeba24ecb1397a4
Instruction ID: 316a239de8ce8497372a1b25e04198bdba1eba8e9788f75d9f51092871b68e90
Opcode Fuzzy Hash: 20d794903e04f65901e2a0d5da8f7399cc580c325f9ae068bfeba24ecb1397a4
Instruction Fuzzy Hash: D451E532F051199BDB14CA6DD8806EEBBB2EB88314F14827EE855A7386D6389C05CB94

Function 00408890 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e126a4a80261b3ae64c9bbbc4e08979ae81ab97c1735009c1cf8a58b5380aae
Instruction ID: 0a834bc76f4086a2726f0e00a9b586c3db637df905cfb7e99c9eea93de1cf2a8
Opcode Fuzzy Hash: 2e126a4a80261b3ae64c9bbbc4e08979ae81ab97c1735009c1cf8a58b5380aae
Instruction Fuzzy Hash: 1751B9B2F0021987CF14DF5DDA843ADB6A2AB84310F16813FD849F77D1DA385D418B9A

Function 00483033 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f908d879ce3b787061be19565c288f96329275f6b34520fc4f893a89cb793d
Instruction ID: 8daa14c957ca07184c27c6ea26a456edc0946945426b9ac6b2bec05915c449ed
Opcode Fuzzy Hash: 05f908d879ce3b787061be19565c288f96329275f6b34520fc4f893a89cb793d
Instruction Fuzzy Hash: DF519172E00219EFDF04DF99C940AAEBBB2EF88704F19845DE815AB341D7349E50DB94

Function 00423980 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5849864ac7c7170793132ae26b0f5b3aa11f52ede6189f311fc719152e4f81c
Instruction ID: 98782ddb4f22fe674a91673aa419b3034d34269b179a8f9d6fc140adb877b3e1
Opcode Fuzzy Hash: e5849864ac7c7170793132ae26b0f5b3aa11f52ede6189f311fc719152e4f81c
Instruction Fuzzy Hash: AD4177523041758BEF158E19B4A13FABBE0DB92356FA444AFD8C54F343D52E4B0B83A8

Function 00410350 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2717cf8433d011fe40458a6493ce7d24a743247614db36ef98398d5392704d0e
Instruction ID: be4188e371be0a49404fdfa5e9dc0f8cd6f95fcbe6623e1178adf772c05f267d
Opcode Fuzzy Hash: 2717cf8433d011fe40458a6493ce7d24a743247614db36ef98398d5392704d0e
Instruction Fuzzy Hash: A941693170414A8BDF1CCE2D94E15FEBBA1DB55304B14006FD9C6CF302E6E898C687A9

Function 0040F3E0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6683b961ca70fb81a0d1c191e6a22180155933233b9e9b2d072628885f1d1ed7
Instruction ID: 937957c0acab1b541f9c41cb4eba2343374227188306e273af483fd1c358fa26
Opcode Fuzzy Hash: 6683b961ca70fb81a0d1c191e6a22180155933233b9e9b2d072628885f1d1ed7
Instruction Fuzzy Hash: 5B4178216041068BCB3CCE2D58515FFBBA1DBA5218B18407FD886EB783D638980FD7A5

Function 004076B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf4fa54a6bc19d92c0212e8c64efa5432c5235693cb242d09706417db8e530d
Instruction ID: b16d62ce7863b0e1c6264b205f4fdbffa1294798d604f92a6eade62c8e0d9d4d
Opcode Fuzzy Hash: ddf4fa54a6bc19d92c0212e8c64efa5432c5235693cb242d09706417db8e530d
Instruction Fuzzy Hash: 7E318525D0C5658BEF058A1999603E6BBC2DB923D0F2444ABD8C42F383D13E394BC2F6

Function 00473C40 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: f0031f03d68c035ee2e0f6c37c10b1839de4420a77e4cdd456d6ae6e3d039003
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B5113BB72000414BD6068E3DC5BC5F7A395EAC532372DC36BE04A6B758D22AA741B608

Function 041D9070 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2218936476.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_41a0000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f74449dd74daad1ff051b658996f5c3b2bdcb1535b21bfc72cedbca6d5ea5f
Instruction ID: 17ad2d5f783a1b06aa910b9a7e4618f2cdf5c3b7dbfa4a11957060b8b8806636
Opcode Fuzzy Hash: e3f74449dd74daad1ff051b658996f5c3b2bdcb1535b21bfc72cedbca6d5ea5f
Instruction Fuzzy Hash: B2219DF63143418BDB208E29D4C0BAAB3F4BF89724F0945ADD9889B201D735E805CB92

Function 0048DD16 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bc79daa85861c633bb892a80de8145a199c307f62a728ffbefec20452e18c1
Instruction ID: 97e6e415803759666096dfb4fba850289bf0668d73b273993cbc4495f7fa4a8f
Opcode Fuzzy Hash: 78bc79daa85861c633bb892a80de8145a199c307f62a728ffbefec20452e18c1
Instruction Fuzzy Hash: 4FF0A031A12220DBCB12EB4CC445A89B3F8EB44B21F11445BE000DB291C6B4DD00C7C4

Function 0048DD5A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56572f7e671e7454d9a3e69858a1ebaffa2e5bc6aad6fdd9b2cc9c78ec907470
Instruction ID: 317d0890a3a5eaf211d7a9055cf34abb6f201297ff47e3ecef169a2236b97d61
Opcode Fuzzy Hash: 56572f7e671e7454d9a3e69858a1ebaffa2e5bc6aad6fdd9b2cc9c78ec907470
Instruction Fuzzy Hash: CAE08C32D12228EBCB15EB8DC90498EF3FCEB49B54B1148ABB511D3280C274DE00D7E4

Function 041D9170 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2218936476.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_41a0000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684b7d094939317cfead4f7649dfe2586d93379080e397a849353f61ed111d46
Instruction ID: 7c76ba7a401cf3ab7ed2ac53a634a5505f0ffdc58b75f13b5159bc7dacc9865f
Opcode Fuzzy Hash: 684b7d094939317cfead4f7649dfe2586d93379080e397a849353f61ed111d46
Instruction Fuzzy Hash: FFD017F0620506EFCB258F18C4E89A07374FB88630B4150D4C0024FA91D33CB941DA40

Function 00488D22 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efb2b279b22a63946ce57e726024d2ca2718cc5c5f8b5de15a08d716c7bb611
Instruction ID: 1077e648f202f4adc7e1141b878e5d6876df1df427b2a3a4c73eeb9a02721c73
Opcode Fuzzy Hash: 3efb2b279b22a63946ce57e726024d2ca2718cc5c5f8b5de15a08d716c7bb611
Instruction Fuzzy Hash: 4EC08C340019008ACE29A91082713AE33E4B3A1782FC02C8EC8028F7C2C91EAC86D704

Function 00478023 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65e64ef1c86cc0e64eaf23c17f21a758d51de7d78ade4abc8007c8f4b1c3ce6
Instruction ID: 641e10fff6a4a70ac22f676f7482022fb92819af8983c4b67cf38864b7708b40
Opcode Fuzzy Hash: d65e64ef1c86cc0e64eaf23c17f21a758d51de7d78ade4abc8007c8f4b1c3ce6
Instruction Fuzzy Hash: 50A00235262980CFC252CB08C194F00B3F4F704A60F058450E40587A11C228E900C900

Function 00446DB0 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 385serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,2881E606,?,00000000), ref: 00446DE8
OpenServiceW.ADVAPI32(00000000,004E6C48,00000100,?,00000000), ref: 00446E1B
QueryServiceStatus.ADVAPI32(00000000,?,?,00000000), ref: 00446E4A
GetLastError.KERNEL32(?,00000000), ref: 00446E54
ControlService.ADVAPI32(00000000,?,?), ref: 004471C0
GetLastError.KERNEL32 ref: 004471CA
GetLastError.KERNEL32(Unable to open the service control manager!,?,00000000), ref: 00447308
GetLastError.KERNEL32(?,004E3840,00000000,?,00000000), ref: 0044732B

Strings

Unable to send control code {} to the service '{}'!, xrefs: 004471D7
Unable to query status of the service '{}'!, xrefs: 00446E61
Unable to open the service '{}'!, xrefs: 00447338
HlN, xrefs: 00446E72
HlN, xrefs: 00446E09
Unable to start the service '{}'!, xrefs: 00447216
ServicesActive, xrefs: 00446DE1
Unable to open the service control manager!, xrefs: 00447303

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$Service$Open$ControlManagerQueryStatus
String ID: HlN$HlN$ServicesActive$Unable to open the service '{}'!$Unable to open the service control manager!$Unable to query status of the service '{}'!$Unable to send control code {} to the service '{}'!$Unable to start the service '{}'!
API String ID: 3142372742-928775896
Opcode ID: 6f5e5449ab8022f0c9b011b5af30e7d6b44c247607fdfb8ad6abe511161859b8
Instruction ID: 8ac98648b8a830ad45d7914eb7cf1dbb31d4f791662a4624780e51749a547e3b
Opcode Fuzzy Hash: 6f5e5449ab8022f0c9b011b5af30e7d6b44c247607fdfb8ad6abe511161859b8
Instruction Fuzzy Hash: CEF1D370D042589FEB20DF64DC48B9EBBB8AF05305F10459AF509E3291EB789B89CF59

Function 00444BC0 Relevance: 40.3, APIs: 3, Strings: 20, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00443559), ref: 00444BCD
GetProcAddress.KERNEL32(00000000,on_avast_dll_unload), ref: 00444BD9
GetModuleHandleW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,00443559), ref: 00444BE7

Strings

prf, xrefs: 004451B9
ModuleId, xrefs: 00444BED, 00444C38
piriform, xrefs: 004451C8, 004451DF, 004451E0
asw, xrefs: 00444EF6
ProductId, xrefs: 00444C54
privax, xrefs: 004450E8, 004450FF, 00445100
avr, xrefs: 00445299
on_avast_dll_unload, xrefs: 00444BD3
Piriform, xrefs: 00445142, 0044515F, 00445160
avast, xrefs: 00444F05, 00444F1F, 00444F20
pvx, xrefs: 004450D9
AVG Technologies, xrefs: 00444FCB
avg, xrefs: 00444FDA, 00444FF1, 00444FF2
avira, xrefs: 004452A8, 004452BF, 004452C0
AVG, xrefs: 00444F7E, 00444F95, 00444F96
Avast, xrefs: 00444EC1
Privax, xrefs: 00445061, 0044507F, 00445080
Avira, xrefs: 00445222, 0044523F, 00445240
Avast Software, xrefs: 00444E93, 00444EAF, 00444EB0
Avg, xrefs: 00445027

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AVG$AVG Technologies$Avast$Avast Software$Avg$Avira$ModuleId$Piriform$Privax$ProductId$asw$avast$avg$avira$avr$on_avast_dll_unload$piriform$prf$privax$pvx
API String ID: 1883125708-1486029972
Opcode ID: 23d6e532e18a8028fb65de02d78cc23058bda081730e0e38439862ba44135e81
Instruction ID: 96d03b21c3be4a4da6ce88e7db4c7ee775adab07a375543d18315f2041b6f4c1
Opcode Fuzzy Hash: 23d6e532e18a8028fb65de02d78cc23058bda081730e0e38439862ba44135e81
Instruction Fuzzy Hash: FA21986174120113F7107EA19E467A772999BA071AF49443BFD099B7C2EB5DCE02C27E

Function 00459350 Relevance: 37.0, APIs: 11, Strings: 10, Instructions: 231libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll,?,00000000), ref: 0045939C
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004593B7
GetModuleHandleW.KERNEL32(kernel32,?,00000000), ref: 004593D7
GetProcAddress.KERNEL32(00000000,IsWow64Process2), ref: 004593E7
GetCurrentProcess.KERNEL32(ntdll,RtlGetVersion,?,00000000), ref: 00459405
GetModuleHandleW.KERNEL32(kernel32,?,00000000), ref: 004594A7
GetProcAddress.KERNEL32(00000000,GetProductInfo), ref: 004594BE
GetLastError.KERNEL32(?,00000000), ref: 004594CA
GetLastError.KERNEL32(?,00000000), ref: 00459516
GetLastError.KERNEL32(?,004E3840,00000000,GetModuleHandleW ({}),00000015,ntdll,?,00000000), ref: 0045953E
GetLastError.KERNEL32(Unable to determine native architecture of the system!,?,004E3840,00000000,?,GetProcAddress ({}),00000013,?,00000000), ref: 0045956B

Strings

GetProcAddress ({}), xrefs: 004594D2, 00459546
ntdll, xrefs: 00459397, 00459404, 0045951F
xHM, xrefs: 004594B7
dHM, xrefs: 004594A0
RtlGetVersion, xrefs: 004593AA, 004593B0, 00459400
GetModuleHandleW ({}), xrefs: 00459522
GetProductInfo, xrefs: 004594B1, 004594DA, 0045954E
IsWow64Process2, xrefs: 004593E1
Unable to determine native architecture of the system!, xrefs: 00459566
kernel32, xrefs: 004593D2, 0045949B

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc$CurrentProcess
String ID: GetModuleHandleW ({})$GetProcAddress ({})$GetProductInfo$IsWow64Process2$RtlGetVersion$Unable to determine native architecture of the system!$dHM$kernel32$ntdll$xHM
API String ID: 3004960629-723682474
Opcode ID: 43ac8ca744312209bfaddd7cd406c3b5e1122d615fff7cb0e9aa9ece2810a4e2
Instruction ID: f734860fe8c9488349073969f21935b6f1cb51b799c76362fceb68e1afe45d2c
Opcode Fuzzy Hash: 43ac8ca744312209bfaddd7cd406c3b5e1122d615fff7cb0e9aa9ece2810a4e2
Instruction Fuzzy Hash: 16710875A00305EBCB10EFA5CC45BEEB7A8AF45712F10456BF81593391EB389E09CB59

Function 04249C4C Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 416threadsynchronizationpipeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 04249C78
ReleaseMutex.KERNEL32(00000000,00000000), ref: 04249CA3
CreatePipe.KERNEL32(00000000), ref: 04249D51
SetHandleInformation.KERNEL32 ref: 04249D7B
InitializeProcThreadAttributeList.KERNELBASE ref: 04249E6C
InitializeProcThreadAttributeList.KERNELBASE ref: 04249EA4
UpdateProcThreadAttribute.KERNELBASE ref: 04249EF0

Part of subcall function 04245254: WaitForSingleObject.KERNEL32 ref: 04245273
Part of subcall function 04245254: ReleaseMutex.KERNEL32 ref: 04245298
Part of subcall function 04245254: InitializeProcThreadAttributeList.KERNELBASE(00000000), ref: 04245354
Part of subcall function 04245254: InitializeProcThreadAttributeList.KERNELBASE ref: 04245392
Part of subcall function 04245254: UpdateProcThreadAttribute.KERNELBASE ref: 04245450

GetLastError.KERNEL32 ref: 0424A10F
ResumeThread.KERNEL32 ref: 0424A1D1
GetExitCodeThread.KERNEL32 ref: 0424A273
PeekNamedPipe.KERNEL32(?,?), ref: 0424A2BF
ReadFile.KERNEL32 ref: 0424A319
WaitForSingleObject.KERNEL32 ref: 0424A347
ResumeThread.KERNEL32 ref: 0424A37B
DeleteProcThreadAttributeList.KERNELBASE ref: 0424A3C0

Strings

H, xrefs: 04249D1A

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Thread$AttributeProc$List$Initialize$ObjectSingleWait$MutexPipeReleaseResumeUpdate$CodeCreateDeleteErrorExitFileHandleInformationLastNamedPeekRead
String ID: H
API String ID: 2356579323-2852464175
Opcode ID: 2021e7ee10937f781673fca4f2253f8cd2e1e7a04715bba8612a2ec2cc36b677
Instruction ID: 6026f592cf080e039cef1bc5291b67dfa870be028a62b67c360ecfeb74e2010b
Opcode Fuzzy Hash: 2021e7ee10937f781673fca4f2253f8cd2e1e7a04715bba8612a2ec2cc36b677
Instruction Fuzzy Hash: 6222A4B4A18355DFEB10DF28D54879ABBF4FF84344F41889DE88897240D7B5AA88CF52

Function 0044B660 Relevance: 28.5, APIs: 8, Strings: 8, Instructions: 490COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2881E606,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B699
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B6BD
GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B6DD
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B716
GetFileSizeEx.KERNEL32(0044ADF3,0049E525,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B733
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B82C
GetLastError.KERNEL32(Unable to get file size!,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B88C

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

GetLastError.KERNEL32(Unable to get file size!,?,004E3840,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044B8AE

Strings

?L, xrefs: 0044BAFA
Exception: , xrefs: 0044B975
Code: , xrefs: 0044BA7F, 0044BA89
{:#010x} ({}), xrefs: 0044BAA4
Code: , xrefs: 0044BA7A
?L, xrefs: 0044BA50, 0044BAFF
?L, xrefs: 0044BA4B
Unable to get file size!, xrefs: 0044B887, 0044B8A9

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLastLeaveSize$ExceptionRaise
String ID: Code: $Code: $Exception: $Unable to get file size!${:#010x} ({})$?L$?L$?L
API String ID: 937547979-86384901
Opcode ID: b830547bcf7a0fb8ccf2d68d79edd543563a98809329bc1a9d463e2ea63e6b0c
Instruction ID: f4b0019bb752bd17d7b89c8dd2de266221d64edce801725f23c1a3a83318599f
Opcode Fuzzy Hash: b830547bcf7a0fb8ccf2d68d79edd543563a98809329bc1a9d463e2ea63e6b0c
Instruction Fuzzy Hash: FB02D470A002089FDB14DF69C885BAEBBB5FF45315F10825AE411AB391DB78EE45CBD8

Function 0423C4A4 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 282timeCOMMON

Download Yara Rule

APIs

Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E3D
Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E8A

GetFullPathNameW.KERNEL32 ref: 0423C52F
GetLastError.KERNEL32 ref: 0423C53C

Part of subcall function 042377A4: WaitForSingleObject.KERNEL32 ref: 042377C2
Part of subcall function 042377A4: ReleaseMutex.KERNEL32 ref: 0423780B

RtlDosPathNameToNtPathName_U.NTDLL ref: 0423C56B
FileTimeToLocalFileTime.KERNEL32 ref: 0423C6F6
FileTimeToSystemTime.KERNEL32 ref: 0423C715

Strings

@, xrefs: 0423C5D6
8, xrefs: 0423C637
:, xrefs: 0423C663
", xrefs: 0423C625
`, xrefs: 0423C5A3

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Time$FilePath$BinaryCryptNameString$ErrorFullLastLocalMutexName_ObjectReleaseSingleSystemWait
String ID: "$8$:$@$`
API String ID: 130487788-948104002
Opcode ID: e07751af7a003e95a1a4e56aefdd5efe9256fc8dafbc12af004e27bb57db6615
Instruction ID: 9ae06132ad89f6cde83dbe04d84510151e6795aea48923c64a74e73d86b4d3e5
Opcode Fuzzy Hash: e07751af7a003e95a1a4e56aefdd5efe9256fc8dafbc12af004e27bb57db6615
Instruction Fuzzy Hash: D6D1A5F19087159BEB10DF25C88439EBBF4FF84708F01889DE588A7240D779AA88CF56

Function 0047AE35 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0047AEA0
DName::operator+.LIBCMT ref: 0047AFE3

Part of subcall function 00476A94: shared_ptr.LIBCMT ref: 00476AB0

DName::operator+.LIBCMT ref: 0047AF8E
DName::operator+.LIBCMT ref: 0047B02F
DName::operator+.LIBCMT ref: 0047B03E
DName::operator+.LIBCMT ref: 0047B16A
DName::operator=.LIBVCRUNTIME ref: 0047B1AA
DName::DName.LIBVCRUNTIME ref: 0047B1B4
DName::operator+.LIBCMT ref: 0047B1D1
DName::operator+.LIBCMT ref: 0047B1DD

Part of subcall function 0047C6FB: Replicator::operator[].LIBCMT ref: 0047C738

Strings

\JL, xrefs: 0047B0EF

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
String ID: \JL
API String ID: 1043660730-4011566322
Opcode ID: 98fa700032a1df780b9f73823a1c57e573a23f2a9e28b9b273a90fc4ddf56964
Instruction ID: b89087c03860e777a2a731b53bd034298c3a1ce0e0bb7a3690e540af5d596186
Opcode Fuzzy Hash: 98fa700032a1df780b9f73823a1c57e573a23f2a9e28b9b273a90fc4ddf56964
Instruction Fuzzy Hash: 3EC1A0B19002089FDB24CFA4D895BEEB7F9EF15304F14845FE54DA7282EB789944CB98

Function 004267B0 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00426839
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00426885
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042695D
std::_Lockit::~_Lockit.LIBCPMT ref: 004269F2
Concurrency::cancel_current_task.LIBCPMT ref: 00426A17
Concurrency::cancel_current_task.LIBCPMT ref: 00426A1C
Concurrency::cancel_current_task.LIBCPMT ref: 00426A21
std::_Lockit::_Lockit.LIBCPMT ref: 00426A66
std::_Lockit::_Lockit.LIBCPMT ref: 00426A89
std::_Lockit::~_Lockit.LIBCPMT ref: 00426AA9
std::_Lockit::~_Lockit.LIBCPMT ref: 00426B3D

Strings

false, xrefs: 0042690B
bad locale name, xrefs: 00426A0D
true, xrefs: 00426935

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_taskLockit::_Lockit::~_$Locinfo::_$Locinfo_ctorLocinfo_dtor
String ID: bad locale name$false$true
API String ID: 3080755909-1062449267
Opcode ID: 320db1b6ace86538eadfd49ab0302dbc3ede305bc36fa62a1c2c3bd94b9b21a2
Instruction ID: 83e80b4f3461645757afb49ef37f6e22a3c16ba8268a53a9f4d890722ce40f7c
Opcode Fuzzy Hash: 320db1b6ace86538eadfd49ab0302dbc3ede305bc36fa62a1c2c3bd94b9b21a2
Instruction Fuzzy Hash: 5BA1B4B1E00354DBDB10DFA5E941B9EBBB4EF04308F15416FE805A7392EB79A904CB99

Function 0042E6C0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 101registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerExW.ADVAPI32 ref: 0042E70F
GetLastError.KERNEL32 ref: 0042E803

Part of subcall function 0043B4F0: RpcServerUseProtseqEpW.RPCRT4(ncalrpc,0000000A,004E6C30,00000000), ref: 0043B50D
Part of subcall function 0043B4F0: RpcServerRegisterIfEx.RPCRT4(004D1CF8,00000000,00000000,00000001,000004D2,00000000), ref: 0043B530
Part of subcall function 0043B4F0: RpcServerRegisterIfEx.RPCRT4(004D1FE0,00000000,00000000,00000001,000004D2,00000000), ref: 0043B54A
Part of subcall function 0043B4F0: RpcServerRegisterIfEx.RPCRT4(004D1F88,00000000,00000000,00000001,000004D2,00000000), ref: 0043B565

SetServiceStatus.ADVAPI32(?), ref: 0042E73A
WaitForSingleObject.KERNEL32(000000FF), ref: 0042E748
RpcServerUnregisterIf.RPCRT4(004D1CF8,00000000,00000001), ref: 0042E757
RpcServerUnregisterIf.RPCRT4(004D1FE0,00000000,00000001), ref: 0042E766
RpcServerUnregisterIf.RPCRT4(004D1F88,00000000,00000001), ref: 0042E775
SetServiceStatus.ADVAPI32(?), ref: 0042E7EC

Strings

RegisterServiceCtrlHandlerEx failure: gle={}, xrefs: 0042E842
StartServer failure: retval={}, xrefs: 0042E7B2
HlN, xrefs: 0042E6DB
6373, xrefs: 0042E796
HlN, xrefs: 0042E811, 0042E782

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Server$Register$ServiceUnregister$Status$CtrlErrorHandlerLastObjectProtseqSingleWait
String ID: 6373$HlN$HlN$RegisterServiceCtrlHandlerEx failure: gle={}$StartServer failure: retval={}
API String ID: 548640598-1166386107
Opcode ID: 2e34054a581974642464d8a0f214882233b6ebff767cce66cc0bc6766f31978f
Instruction ID: 7e9392e9cf12ce056729ecdb1c4a6a5c36ff34f00d72b192167388ba27ce0cab
Opcode Fuzzy Hash: 2e34054a581974642464d8a0f214882233b6ebff767cce66cc0bc6766f31978f
Instruction Fuzzy Hash: D841BF70608340EFC300DF65EC86B5ABBF0FB99704F108A2EF5859A2A1E7759644CF4A

Function 00410C90 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410D36
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00410D91
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00410ED3
std::_Lockit::~_Lockit.LIBCPMT ref: 00410F77
Concurrency::cancel_current_task.LIBCPMT ref: 00410FA9
std::_Lockit::_Lockit.LIBCPMT ref: 00410FE6
std::_Lockit::_Lockit.LIBCPMT ref: 00411009
std::_Lockit::~_Lockit.LIBCPMT ref: 00411029
std::_Lockit::~_Lockit.LIBCPMT ref: 004110BD

Strings

false, xrefs: 00410E2F
bad locale name, xrefs: 00410F9F
true, xrefs: 00410E45

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Concurrency::cancel_current_taskLocinfo_ctorLocinfo_dtor
String ID: bad locale name$false$true
API String ID: 3216591823-1062449267
Opcode ID: 37990a1e292010cae449886b53bba0b6e9297880bc1755464ecc34c652b8a1c0
Instruction ID: 3acfb2d1fe6e77c20fc0a117dda020916112101b92ceeef8e9014cc0c72d5193
Opcode Fuzzy Hash: 37990a1e292010cae449886b53bba0b6e9297880bc1755464ecc34c652b8a1c0
Instruction Fuzzy Hash: FDC162B1D003489FDB10DFA5D941BDEB7B4FF14314F14416AE908A7252EB78AA88CB99

Function 00479883 Relevance: 19.8, APIs: 13, Instructions: 332COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0047994C
DName::operator+.LIBCMT ref: 00479989
DName::DName.LIBVCRUNTIME ref: 0047999D
DName::operator+.LIBCMT ref: 004799AC
DName::operator+.LIBCMT ref: 00479A3A
DName::DName.LIBVCRUNTIME ref: 00479A62
DName::operator+.LIBCMT ref: 00479A70
DName::operator+.LIBCMT ref: 00479AAA
DName::operator+.LIBCMT ref: 00479AEB
UnDecorator::getReturnType.LIBCMT ref: 00479B1B
operator+.LIBVCRUNTIME ref: 00479C1D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
String ID:
API String ID: 2932655852-0
Opcode ID: 6e8e9b90aa1bfd112ddf208e92ed3575fb9f39bae7f8ee2c271363eca6039059
Instruction ID: 76c92474219d8192e899f83bb4ecf74aaaed2165ba443bbda320e1dbc462e2f4
Opcode Fuzzy Hash: 6e8e9b90aa1bfd112ddf208e92ed3575fb9f39bae7f8ee2c271363eca6039059
Instruction Fuzzy Hash: 53C196B1900208AFCB15DFA5D891DEE77B9EF08304F14815FF60AA7292EB389D45CB59

Function 0424E888 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 356networkCOMMON

Download Yara Rule

APIs

Part of subcall function 04231E58: WaitForSingleObject.KERNEL32 ref: 04231E71
Part of subcall function 04231E58: ReleaseMutex.KERNEL32 ref: 04231E8F

Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E3D
Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E8A

inet_pton.WS2_32 ref: 0424EA14
gethostbyname.WS2_32 ref: 0424EA2D
inet_ntoa.WS2_32 ref: 0424EA89
socket.WS2_32 ref: 0424EBE0
inet_addr.WS2_32 ref: 0424EBFD
htons.WS2_32 ref: 0424EC14
sendto.WS2_32 ref: 0424EC4D
recvfrom.WS2_32 ref: 0424ED69

Part of subcall function 042377A4: WaitForSingleObject.KERNEL32 ref: 042377C2
Part of subcall function 042377A4: ReleaseMutex.KERNEL32 ref: 0423780B

Part of subcall function 04249B40: RtlSizeHeap.NTDLL ref: 04249B64
Part of subcall function 04249B40: RtlFreeHeap.NTDLL ref: 04249B9D

closesocket.WS2_32 ref: 0424EE68

Strings

Y, xrefs: 0424EE9C
, xrefs: 0424E958

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: BinaryCryptHeapMutexObjectReleaseSingleStringWait$FreeSizeclosesocketgethostbynamehtonsinet_addrinet_ntoainet_ptonrecvfromsendtosocket
String ID: $Y
API String ID: 555957630-609457924
Opcode ID: b56e40a0407b67935384c0e4dc8a42b8d3a3c3ea865b5cd47a5d5cc125880ce3
Instruction ID: fdef2e28455a958aae28d31a46a21e6d6714c0862743a43084ad271d1b0ba46d
Opcode Fuzzy Hash: b56e40a0407b67935384c0e4dc8a42b8d3a3c3ea865b5cd47a5d5cc125880ce3
Instruction Fuzzy Hash: 740273B06187199FE711EF25C59879EBBF4FF88348F01889DE4889B240D7B99588CF52

Function 0042DAE0 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 263COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 0042DBDE
minutes) was not yet reached , xrefs: 0042E1AE
Successfully dumped process {} into '{}' (dump level: {}), xrefs: 0042E0E8
6373, xrefs: 0042E0D6
Minimum interval between dumps (, xrefs: 0042E18F
E5026373, xrefs: 0042DB49
E502, xrefs: 0042E0BF

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: minutes) was not yet reached $6373$E502$E5026373$Minimum interval between dumps ($SeDebugPrivilege$Successfully dumped process {} into '{}' (dump level: {})
API String ID: 0-389991271
Opcode ID: 311cc02e989313cac400b63e177e6711ed3c4c8722df26fe5291d89f0eb3b7d6
Instruction ID: bca1da96e3b7ea4a01e354188d8f760a27e33d5deb8139f41ce3771297ad2563
Opcode Fuzzy Hash: 311cc02e989313cac400b63e177e6711ed3c4c8722df26fe5291d89f0eb3b7d6
Instruction Fuzzy Hash: 28B17C70E002689FCF10DFA9D841BDDBBB4BF19304F10419EE419A7242EB786A44CF95

Function 00434640 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00434676
std::_Lockit::_Lockit.LIBCPMT ref: 00434698
std::_Lockit::~_Lockit.LIBCPMT ref: 004346B8
std::_Lockit::~_Lockit.LIBCPMT ref: 004346DF
std::_Lockit::_Lockit.LIBCPMT ref: 00434758
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004347A4
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004347BE
std::_Lockit::~_Lockit.LIBCPMT ref: 00434853
std::_Facet_Register.LIBCPMT ref: 00434860

Strings

0!C, xrefs: 00434662, 004346E6
bad locale name, xrefs: 00434884

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: 0!C$bad locale name
API String ID: 3375549084-337445399
Opcode ID: 49b21bbfe83a594fc1b3eee6ef764593079f21baec59dc11dc284261285c1910
Instruction ID: 7118165693e23d8ebc592437139c469330174d024030484aa28c5473cc47e97c
Opcode Fuzzy Hash: 49b21bbfe83a594fc1b3eee6ef764593079f21baec59dc11dc284261285c1910
Instruction Fuzzy Hash: 5071A5B5D002489FDF10DFA5D885BDEBBB4EF45358F14402AE805AB352E738AD08CB99

Function 00447360 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 110serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,2881E606,00000000,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 00447398
OpenServiceW.ADVAPI32(00000000,?,00000001,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473BC
GetLastError.KERNEL32(?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473CF
CloseServiceHandle.ADVAPI32(00000000,?,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473E7
CloseServiceHandle.ADVAPI32(00000000,?,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 004473EE
GetLastError.KERNEL32(Unable to open the service control manager!,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 00447417
GetLastError.KERNEL32(@8N,004E3840,00000000,?,0049DE45,000000FF,?,00414079,Bprotect,00000008,2881E606), ref: 00447434

Strings

@8N, xrefs: 0044742B, 0044742E
Unable to open the service '{}'!, xrefs: 00447442
Unable to open the service control manager!, xrefs: 00447412
ServicesActive, xrefs: 00447391

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLastService$CloseHandleOpen$Manager
String ID: @8N$ServicesActive$Unable to open the service '{}'!$Unable to open the service control manager!
API String ID: 467640263-2644672931
Opcode ID: 98d683416df6a5ed34140af1a939def86923d7b01cbe3df00adc3c5014afd05d
Instruction ID: 1d3f1dedc76f401b4e407deb2e9b734afbb08e897ee9351ba584e8029ce10458
Opcode Fuzzy Hash: 98d683416df6a5ed34140af1a939def86923d7b01cbe3df00adc3c5014afd05d
Instruction Fuzzy Hash: CA31D771D44258ABDB21DF94DC45BAEBBB8EB09B11F10056BFC15A7381DB785A00CBA8

Function 004458F0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 73threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0044592C
OpenThreadToken.ADVAPI32(00000000,00000028,00000001,?,?,0042B06B,2881E606,00412285), ref: 00445938
GetLastError.KERNEL32(?,0042B06B,2881E606,00412285), ref: 00445942
ImpersonateSelf.ADVAPI32(00000002,?,0042B06B,2881E606,00412285), ref: 00445951
GetCurrentThread.KERNEL32 ref: 0044595B
OpenThreadToken.ADVAPI32(00000000,00000028,00000001,?,?,0042B06B,2881E606,00412285), ref: 00445967
GetLastError.KERNEL32(Unable to assign the process impersonation token to the thread!,?,0042B06B,2881E606,00412285), ref: 0044598C
GetLastError.KERNEL32(Unable to obtain the thread access token!,?,0042B06B,2881E606,00412285), ref: 004459AE

Strings

Unable to obtain the thread access token!, xrefs: 004459A9
Unable to assign the process impersonation token to the thread!, xrefs: 00445987
Unable to adjust token privilege '{}'!, xrefs: 00445B44

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Thread$ErrorLast$CurrentOpenToken$ImpersonateSelf
String ID: Unable to adjust token privilege '{}'!$Unable to assign the process impersonation token to the thread!$Unable to obtain the thread access token!
API String ID: 3372034192-2596196782
Opcode ID: 057926a1944c60b8c2c3a3fc036a4f5aa5e6a778e7815ec570c0fb8dbf59d8f1
Instruction ID: 9afd256700f0016f8db8de17d2428bd4b10d8b85a51a266bd469e98666420e94
Opcode Fuzzy Hash: 057926a1944c60b8c2c3a3fc036a4f5aa5e6a778e7815ec570c0fb8dbf59d8f1
Instruction Fuzzy Hash: BF21F671944244EBEB109FA5DD0AB8BBFFCEB05B02F10416BF501D2181EBB99A048B68

Function 0047B957 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 297COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0047BA2D
UnDecorator::getSignedDimension.LIBCMT ref: 0047BA38
UnDecorator::getSignedDimension.LIBCMT ref: 0047BB24
UnDecorator::getSignedDimension.LIBCMT ref: 0047BB41
UnDecorator::getSignedDimension.LIBCMT ref: 0047BB5E
DName::operator+.LIBCMT ref: 0047BB73
UnDecorator::getSignedDimension.LIBCMT ref: 0047BB8D
DName::operator+.LIBCMT ref: 0047BC62
DName::DName.LIBVCRUNTIME ref: 0047BCD9

Strings

dKL, xrefs: 0047BCC2

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
String ID: dKL
API String ID: 3679549980-3698860443
Opcode ID: ad8bf36fbfc4a41f6a9681ef2d7d52421f7c350188e6b34a5cb136f9f1a368cf
Instruction ID: 414b9b9b2016cfde8fba8cd454176d3f6138c5eb417d332db0fd5f4c48ba812a
Opcode Fuzzy Hash: ad8bf36fbfc4a41f6a9681ef2d7d52421f7c350188e6b34a5cb136f9f1a368cf
Instruction Fuzzy Hash: 0991A7B1D002099ADB15EBB5C99ABFF7768EF05304F10C41FE21EA6581DB3C9A0986DD

Function 00456070 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 238registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00457520: RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000001,00000005,2881E606,00000000,?), ref: 004575C4

Part of subcall function 00456D10: RegQueryValueExW.ADVAPI32(00000000,00000035,00000000,?,?,?,2881E606,00000035,00000035), ref: 00456DA5

RegCloseKey.ADVAPI32(?,00000035), ref: 004560FE
SetLastError.KERNEL32(00000000), ref: 00456109
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,00000035), ref: 004561CF
ExpandEnvironmentStringsW.KERNEL32(?,00000035,?,-00000001,00000000,?,00000035), ref: 0045623D
std::bad_exception::bad_exception.LIBCMT ref: 004562FC
std::bad_exception::bad_exception.LIBCMT ref: 00456317
RegCloseKey.ADVAPI32(00000000,00000035,?,004E4000,String environment expansion failed due to unexpected buffer size,?,004E4000,String environment expansion failed,?,00000035), ref: 0045633A
SetLastError.KERNEL32(00000000,?,00000035), ref: 00456345

Strings

String environment expansion failed due to unexpected buffer size, xrefs: 0045630F
String environment expansion failed, xrefs: 004562F4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseEnvironmentErrorExpandLastStringsstd::bad_exception::bad_exception$OpenQueryValue
String ID: String environment expansion failed$String environment expansion failed due to unexpected buffer size
API String ID: 1312300718-527591527
Opcode ID: 89655efb51dbb6777427e30f9b65e1850af19ebafa11f18a8a2f953733b8be61
Instruction ID: e8c674d8fed93c4a7a636273920ae97a1cab873e3b7cc851973a540bc649d481
Opcode Fuzzy Hash: 89655efb51dbb6777427e30f9b65e1850af19ebafa11f18a8a2f953733b8be61
Instruction Fuzzy Hash: F791F370E10304ABDB24DFA5DC45BAEB7B4FF44705F51462EF845A3282EB789A48CB58

Function 004272F0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00427373
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004273BF
__Getctype.LIBCPMT ref: 004273D8
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004273F4
std::_Lockit::~_Lockit.LIBCPMT ref: 00427489
std::_Lockit::_Lockit.LIBCPMT ref: 004274F6
std::_Lockit::_Lockit.LIBCPMT ref: 00427519
std::_Lockit::~_Lockit.LIBCPMT ref: 00427539
std::_Lockit::~_Lockit.LIBCPMT ref: 004275CD

Strings

bad locale name, xrefs: 004274A7

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$GetctypeLocinfo_ctorLocinfo_dtor
String ID: bad locale name
API String ID: 810752134-1405518554
Opcode ID: 2e43f3cd75911be638aa5b48ec479b51af5a7a353d3e8f95e2475925990d3fea
Instruction ID: f1f57de22520c7cccad319e961172bf9d6b3ddb4d440951761b39309a6619747
Opcode Fuzzy Hash: 2e43f3cd75911be638aa5b48ec479b51af5a7a353d3e8f95e2475925990d3fea
Instruction Fuzzy Hash: FB81A3B1E042599BDB10DF95E881B9EFBB4FF14318F54412EEC04AB342E738A944CB99

Function 0041B7D0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041B806
std::_Lockit::_Lockit.LIBCPMT ref: 0041B828
std::_Lockit::~_Lockit.LIBCPMT ref: 0041B848
std::_Lockit::~_Lockit.LIBCPMT ref: 0041B86F
std::_Lockit::_Lockit.LIBCPMT ref: 0041B8E8
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041B934
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0041B94E
std::_Lockit::~_Lockit.LIBCPMT ref: 0041B9E3
std::_Facet_Register.LIBCPMT ref: 0041B9F0

Strings

bad locale name, xrefs: 0041BA14

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 06a72901839cf0f38a0b2c9bd3812707db2a7eb782f28a35f9c716a771adf36c
Instruction ID: 4d4471a357ebbeb3365a8d0bd813216273f0f66f60a305df19b2a3a671ec1fc7
Opcode Fuzzy Hash: 06a72901839cf0f38a0b2c9bd3812707db2a7eb782f28a35f9c716a771adf36c
Instruction Fuzzy Hash: 657173B1D002449BDF11DFA5D885BDEBBB4EF04718F14402AE809BB352E738AD49CB99

Function 0041DBB0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041DBE6
std::_Lockit::_Lockit.LIBCPMT ref: 0041DC08
std::_Lockit::~_Lockit.LIBCPMT ref: 0041DC28
std::_Lockit::~_Lockit.LIBCPMT ref: 0041DC4F
std::_Lockit::_Lockit.LIBCPMT ref: 0041DCC8
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041DD14
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0041DD2E
std::_Lockit::~_Lockit.LIBCPMT ref: 0041DDC3
std::_Facet_Register.LIBCPMT ref: 0041DDD0

Strings

bad locale name, xrefs: 0041DDF4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: b2d50bb7b8ffe5697eec3c4347e257d77ea2d4413e923063c836287fdcf15907
Instruction ID: 835742fa76d772e3b2c9a42387f17594179a0a20bd747d667571875da5e1866b
Opcode Fuzzy Hash: b2d50bb7b8ffe5697eec3c4347e257d77ea2d4413e923063c836287fdcf15907
Instruction Fuzzy Hash: A971A3B0D002449FDF10DFA5D985BDEBBB4EF14318F14442AE805AB342E778AD49CB99

Function 0422D078 Relevance: 16.8, APIs: 11, Instructions: 286registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0422D171
RegOpenKeyExW.ADVAPI32 ref: 0422D1FA
RegQueryInfoKeyW.ADVAPI32 ref: 0422D272
RegEnumKeyExW.ADVAPI32 ref: 0422D31C
_wcsicmp.MSVCRT ref: 0422D340
swscanf_s.MSVCRT ref: 0422D369
RegOpenKeyExW.ADVAPI32 ref: 0422D3A3

Part of subcall function 04249B40: RtlSizeHeap.NTDLL ref: 04249B64
Part of subcall function 04249B40: RtlFreeHeap.NTDLL ref: 04249B9D

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Open$Heap$EnumFreeInfoQuerySize_wcsicmpswscanf_s
String ID:
API String ID: 1386864525-0
Opcode ID: bbaf61d56318930df31856acedb993cfb66f7fe6f389b74e411bdaba72c0826a
Instruction ID: ed11cc5ab17bf99cffd53af7b60891ed304f509c0b8951cfc913e8e2b19fd374
Opcode Fuzzy Hash: bbaf61d56318930df31856acedb993cfb66f7fe6f389b74e411bdaba72c0826a
Instruction Fuzzy Hash: 3AE182B4A197169FD710DF29D58875ABBF4FB84344F00899DE88897310D778EA88CF92

Function 0044BCB0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

list too long, xrefs: 0044C6ED
%04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu, xrefs: 0044CCF9
@8NW, xrefs: 0044BCF3

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu$@8NW$list too long
API String ID: 0-963525625
Opcode ID: ae83e017a5f212042843cf1aadf8ace17524925b92e1a112116faab1b9d5f9ad
Instruction ID: 601abef8998a312d6c01236f8901979da70e5e0ad60ad59519cb77f1b2ec0d47
Opcode Fuzzy Hash: ae83e017a5f212042843cf1aadf8ace17524925b92e1a112116faab1b9d5f9ad
Instruction Fuzzy Hash: 1AC1B271D00209DFDB14DFA9C885AEEF7B5FF48715F14821AE415A7290DB38AA05CF98

Function 00475738 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 00475965
CatchIt.LIBVCRUNTIME ref: 004759B6
_UnwindNestedFrames.LIBCMT ref: 00475AB7
CallUnexpected.LIBVCRUNTIME ref: 00475AD2

Strings

?L, xrefs: 0047584E
csm, xrefs: 004757E2
csm, xrefs: 00475775
csm, xrefs: 0047588E

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm$?L
API String ID: 944608866-1039109468
Opcode ID: 970f991043127ac0147406fd50af7833704ae921f79523d9f534a3feff04baac
Instruction ID: 54b8278056f76be6100d612b9ee25efe763d170259bca506822f36a4edd48380
Opcode Fuzzy Hash: 970f991043127ac0147406fd50af7833704ae921f79523d9f534a3feff04baac
Instruction Fuzzy Hash: B6B17B71800A09DFCF24EFA5C8819EEB7B5FF04314B15856BE8186F212D7B8DA51CB99

Function 00414283 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004ED28C,Bprotect,00000008,2881E606), ref: 004142AA
LeaveCriticalSection.KERNEL32(004ED28C,?,?), ref: 0041431E
InitializeCriticalSection.KERNEL32(00000000), ref: 0041434D
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?), ref: 00414446
CloseHandle.KERNEL32(?), ref: 00414457
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00004E20), ref: 004144E1
LeaveCriticalSection.KERNEL32(004ED28C,?), ref: 00414565
EnterCriticalSection.KERNEL32(004ED28C), ref: 00414577
GetLastError.KERNEL32(Unable to create sync event), ref: 004145CA
std::_Throw_Cpp_error.LIBCPMT ref: 004145EF
std::_Throw_Cpp_error.LIBCPMT ref: 00414602

Strings

689AF59A, xrefs: 004142C9, 004142D0

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$Cpp_errorEnterLeaveThrow_std::_$CloseCreateErrorEventHandleInitializeLastMultipleObjectsWait
String ID: 689AF59A
API String ID: 1954443996-1751815452
Opcode ID: 95c28a77035dfec3b491b05d51811915bd6628900953fbb441b3378bdbd472da
Instruction ID: 1175d24deb41c4da658f971bcba6bd02c8b8e2c7903eeb525528e0463f563948
Opcode Fuzzy Hash: 95c28a77035dfec3b491b05d51811915bd6628900953fbb441b3378bdbd472da
Instruction Fuzzy Hash: 70A1AF74E01749DFDB10CFA4C8447ADBBB0BF89315F24825AE515AB390DB78A981CF84

Function 0047C6FB Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 185COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBCMT ref: 0047C738

Strings

generic-type-, xrefs: 0047C7BE
template-parameter-, xrefs: 0047C797

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Replicator::operator[]
String ID: generic-type-$template-parameter-
API String ID: 3676697650-13229604
Opcode ID: 37ec077dcd743b35c9fb866fb86f704885d5e19166d4f1c74774c42114729ddf
Instruction ID: 9462e46cd84f2a5e264dd122a067876f06ae5a7a582e4fd2194c35e9c6922a9e
Opcode Fuzzy Hash: 37ec077dcd743b35c9fb866fb86f704885d5e19166d4f1c74774c42114729ddf
Instruction Fuzzy Hash: 4E61A7B1D002099FDB14DFA5D881BEFB7B5EF14304F15802FE609A7252DB789905CB99

Function 00454260 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00008000,00000000,2881E606,?,00000000), ref: 00454357
K32GetMappedFileNameW.KERNEL32(00000000,00400000,?,00000000), ref: 00454365
GetLastError.KERNEL32(Unable to retrieve the path of the module!), ref: 004544FF
GetLastError.KERNEL32(Unable to get the path of the module!,?,004E3840,00000000), ref: 00454526
GetLastError.KERNEL32(Unable to store the path of the module!,?,004E3840,00000000), ref: 00454548

Strings

Unable to get the path of the module!, xrefs: 00454521
Unable to retrieve the path of the module!, xrefs: 004544FA
Unable to store the path of the module!, xrefs: 00454543

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$CurrentFileMappedNameProcess
String ID: Unable to get the path of the module!$Unable to retrieve the path of the module!$Unable to store the path of the module!
API String ID: 1207367512-2385983247
Opcode ID: 22628d585fa9e1da1d6abf30a376d57348d36874ca31c4dae202806717b5c386
Instruction ID: 66cd3fa87ba4e963d8f9bce7f482f91aa82944f91d443a191219fd4e0d674959
Opcode Fuzzy Hash: 22628d585fa9e1da1d6abf30a376d57348d36874ca31c4dae202806717b5c386
Instruction Fuzzy Hash: E551D471D10208ABCB04DFA8DD45BDEBBB5FF48705F20426EF805A7291EB786A44CB59

Function 00453D50 Relevance: 13.6, APIs: 9, Instructions: 133COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453D6A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453D78
GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453D8E
SetLastError.KERNEL32(000000B7,?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453DA6
CreateDirectoryW.KERNEL32(?,00000000,00000000,?), ref: 00453E2E
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453E89
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453E93
GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453EA4
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044B0B8), ref: 00453EB4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$CreateDirectory$AttributesFile
String ID:
API String ID: 2650082360-0
Opcode ID: 924f2976c5ac1199c431d7ccd54ce25dbff8280bcaab1bd13b77424097197997
Instruction ID: 372e9864d96c42958a841e8f68055f25dcba20e5af4a2ced173c5bf5920cdbf3
Opcode Fuzzy Hash: 924f2976c5ac1199c431d7ccd54ce25dbff8280bcaab1bd13b77424097197997
Instruction Fuzzy Hash: CD41C331A042009BC7249F28D84A66FB3F4AF85757F100E2FF895D7281E734AE4D8B99

Function 00446590 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 467registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00457520: RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000001,00000005,2881E606,00000000,?), ref: 004575C4

RegCloseKey.ADVAPI32(?,?,00000003,?,?,80000002,?,?,?), ref: 004466C6
SetLastError.KERNEL32(00000000,?,?,80000002,?,?,?), ref: 004466D1
RegCloseKey.ADVAPI32(00000000), ref: 00446835
SetLastError.KERNEL32(00000000), ref: 00446840

Strings

HlN, xrefs: 004465C8

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseErrorLast$Open
String ID: HlN
API String ID: 1674861978-3655617878
Opcode ID: cbe1cc2958fbd4b0aa01db45a206e275a4d043f5222000f25a94a9d889e1cf6e
Instruction ID: fce12c24d64c37b3d72d0b41dbee94c2c87a7c44cc2920756beb5a68f4b362af
Opcode Fuzzy Hash: cbe1cc2958fbd4b0aa01db45a206e275a4d043f5222000f25a94a9d889e1cf6e
Instruction Fuzzy Hash: 5D12C1B0D002598BEB28DF28CD557EEBBB4EF46304F15419EE449A7281D738AE84CF95

Function 004146F0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00414793
LeaveCriticalSection.KERNEL32(004ED2C4), ref: 004147C7
LeaveCriticalSection.KERNEL32(004ED2C4), ref: 00414B14
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00414BA1

Strings

Exception stack: , xrefs: 004149C6
Module base:, xrefs: 00414A5E
M, xrefs: 00414B7F

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$Leave$EnterIos_base_dtorstd::ios_base::_
String ID: Exception stack: $Module base:$M
API String ID: 1215633889-3793661877
Opcode ID: fce99c12bd5a233a6daef023d37e6c86fad79f8ff06f1371df2fe5567c8dfb07
Instruction ID: ca596ec8809227da866b857e5010162684c022dbb7953c9da259660a5acc9b55
Opcode Fuzzy Hash: fce99c12bd5a233a6daef023d37e6c86fad79f8ff06f1371df2fe5567c8dfb07
Instruction Fuzzy Hash: 92D17170B002199FDB20DF65CC45BAEBBB4FF46304F1041AAE409AB781DB799A84CF95

Function 00494686 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 004948FF

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 25601373ebeae14a2fe66c7dfc5ef67b97a87a52955c16640d3c1c2a06331a46
Instruction ID: 96fc496f47034e8a3ea81cced5d05068c6ceff61b03397a354a82c903761be8b
Opcode Fuzzy Hash: 25601373ebeae14a2fe66c7dfc5ef67b97a87a52955c16640d3c1c2a06331a46
Instruction Fuzzy Hash: C2B1C270A002499FDF11EFA9D880FAE7FB1AF85304F14417AE4056B392D7789943CB69

Function 0422C07C Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 0422C307
RtlGUIDFromString.NTDLL(?,?), ref: 0422C319
ConvertSidToStringSidW.ADVAPI32 ref: 0422C36C
RtlInitUnicodeString.NTDLL ref: 0422C3CB
RtlGUIDFromString.NTDLL(00000000,00000000), ref: 0422C3DD

Strings

@, xrefs: 0422C29B
8, xrefs: 0422C08F

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: String$FromInitUnicode$Convert
String ID: 8$@
API String ID: 2356314574-1376636172
Opcode ID: 4ef095118cb3a9552dd21da0067e772479b3f6b238f2c926898301b2b07aa809
Instruction ID: 4d3807a918e48e84dd12e37f6a11d273f3221faf32cf6597a67320c312c83af9
Opcode Fuzzy Hash: 4ef095118cb3a9552dd21da0067e772479b3f6b238f2c926898301b2b07aa809
Instruction Fuzzy Hash: D4C1C3B4A14709AFDB00DFA9C58469EBBF4FF88354F018929E88897340EB75E945CF52

Function 00455720 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 257COMMON

Download Yara Rule

APIs

FindVolumeClose.KERNEL32(00000000,?,?,004E3840,00000057,2881E606,00000000), ref: 00455D2B

Strings

\Device\Mup\, xrefs: 0045593B
Unable to retrieve volume paths for volume '{}'!, xrefs: 004556F6
Unable to convert NT path '{}' to a volume GUID path!, xrefs: 004552B3, 004552E9
Unable to enumerate volumes!, xrefs: 004552BB
\SystemRoot\, xrefs: 004559E7
\Device\LanmanRedirector\, xrefs: 00455794

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseFindVolume
String ID: Unable to convert NT path '{}' to a volume GUID path!$Unable to enumerate volumes!$Unable to retrieve volume paths for volume '{}'!$\Device\LanmanRedirector\$\Device\Mup\$\SystemRoot\
API String ID: 664902110-2894288616
Opcode ID: 70a491454d5c0e2f47e725ad4076a4e797f72cf52c89390ed15bbd4f2dfc6d01
Instruction ID: c293d70058148eebb6ae44e1d3f1cce2a97c7572fe9639956fa82ca9acb17378
Opcode Fuzzy Hash: 70a491454d5c0e2f47e725ad4076a4e797f72cf52c89390ed15bbd4f2dfc6d01
Instruction Fuzzy Hash: 55A1A071A00204DFCF04DF69D995AAEBBB5EF44304F14865EE805AB352D738AE49CB94

Function 00446110 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 235registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?), ref: 004461EC
SetLastError.KERNEL32(00000000), ref: 004461F7
RegCloseKey.ADVAPI32(?,?), ref: 00446260
SetLastError.KERNEL32(00000000), ref: 0044626B

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

Strings

HlN, xrefs: 004465C8
_iD, xrefs: 00446135, 00446365
The order list of the service group '{}' is malformed!, xrefs: 004463A2

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseErrorLast$ExceptionRaise
String ID: HlN$The order list of the service group '{}' is malformed!$_iD
API String ID: 2920836812-1373884431
Opcode ID: 54bc79e57acf31587877a708266b68c7d3e5f670fab2ea487c22e7fac5916514
Instruction ID: 76155ebad37b75edc37cb1ad7686b219f2b9287c0146dfd780c886ba5157a586
Opcode Fuzzy Hash: 54bc79e57acf31587877a708266b68c7d3e5f670fab2ea487c22e7fac5916514
Instruction Fuzzy Hash: C381C271D00219AFEB14DFA9D885BEEBBB4BF45304F10416EE815A7381EB78AE04CB55

Function 00441F50 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 168fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,?,2881E606), ref: 00441FDC
ReadFile.KERNEL32(?,?,?,00000000,?), ref: 0044206F
GetLastError.KERNEL32(get_file_content: GetFileSizeEx), ref: 004420F7
GetLastError.KERNEL32(get_file_content: ReadFile,00000000,004E3840,00000000), ref: 00442119

Strings

get_file_content, xrefs: 004420E6
get_file_content: ReadFile, xrefs: 00442114
get_file_content: GetFileSizeEx, xrefs: 004420F2

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorFileLast$ReadSize
String ID: get_file_content$get_file_content: GetFileSizeEx$get_file_content: ReadFile
API String ID: 3509033087-2648918662
Opcode ID: e62ce290d2964fed998aed286979194899f6c6d0d45cd69941576b2a5fc31146
Instruction ID: c64799c1dc4fcddaf69cd5ed591be4afe2919822430900eb3da3f2ecb0ada6ba
Opcode Fuzzy Hash: e62ce290d2964fed998aed286979194899f6c6d0d45cd69941576b2a5fc31146
Instruction Fuzzy Hash: 4B516271A002099FDB14DFA9CA45BAEFBF5FF44704F60822EF515A3250EBB86944CB58

Function 00454C70 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 00426500: ___std_exception_copy.LIBVCRUNTIME ref: 0042654E
Part of subcall function 00426500: ___std_exception_destroy.LIBVCRUNTIME ref: 0042655E
Part of subcall function 00426500: ___std_exception_copy.LIBVCRUNTIME ref: 00426568
Part of subcall function 00426500: ___std_exception_destroy.LIBVCRUNTIME ref: 0042657B

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00454D93
GetLastError.KERNEL32 ref: 00454D9D

Strings

Unable to retrieve a path of the known folder ({})!, xrefs: 00454DD9
Unable to convert NT path '{}' to a volume GUID path!, xrefs: 004552B3, 004552E9
\\?\, xrefs: 00454ED0
\SystemRoot\, xrefs: 004559E7
\Device\LanmanRedirector\, xrefs: 00455794

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy$EnvironmentErrorExpandLastStrings
String ID: Unable to convert NT path '{}' to a volume GUID path!$Unable to retrieve a path of the known folder ({})!$\Device\LanmanRedirector\$\SystemRoot\$\\?\
API String ID: 90833314-234152875
Opcode ID: fb95ae3b88dd480d0bfa7bd051479b05691a80742e90c52fdc5316ec8c43bd9a
Instruction ID: 7db227c778073ea7527ce9a0d232a0d1aa14c522da4de172f64471fb18959019
Opcode Fuzzy Hash: fb95ae3b88dd480d0bfa7bd051479b05691a80742e90c52fdc5316ec8c43bd9a
Instruction Fuzzy Hash: 3D41D471A002049FCB04DF59DC85AAEBBB8FF88315F10461AFC149B391E774AE54CBA9

Function 004031E0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 0042A940: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00403245,00000000,00000000,00000000,00000000,2881E606,00000000), ref: 0042A9EA
Part of subcall function 0042A940: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00403245,00000018,?,00000000,00000000,00000000,00000000), ref: 0042AA30

___std_exception_copy.LIBVCRUNTIME ref: 00403271
___std_exception_destroy.LIBVCRUNTIME ref: 00403281
___std_exception_copy.LIBVCRUNTIME ref: 0040328E
___std_exception_destroy.LIBVCRUNTIME ref: 004032A1
___std_exception_destroy.LIBVCRUNTIME ref: 00403317

Strings

hOJ, xrefs: 00403299
hOJ, xrefs: 00403310

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_destroy$ByteCharMultiWide___std_exception_copy
String ID: hOJ$hOJ
API String ID: 112462581-1090812952
Opcode ID: 0c33c864e860d9edfcfc3466674005fa3eb24c727ae9e6b9c86794512abf6943
Instruction ID: bc838aa122d4b050eddc502b3a511840f477fa3ad76a66899bd66d7ebb7f4c10
Opcode Fuzzy Hash: 0c33c864e860d9edfcfc3466674005fa3eb24c727ae9e6b9c86794512abf6943
Instruction Fuzzy Hash: A741D871D002489BCB10DFA9D841ADEBBF8EF55311F10862FF815B7641E7786A44CB99

Function 0044D7C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0049A040,000000FF,?,004485B2), ref: 0044D7E4
GetProcAddress.KERNEL32(00000000), ref: 0044D7F4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0049A040,000000FF,?,004485B2), ref: 0044D80E
GetLastError.KERNEL32(?,004E3840,00000000,GetModuleHandleW ({}),00000015,?), ref: 0044D839

Strings

GetProcAddress ({}), xrefs: 0044D841
GetModuleHandleW ({}), xrefs: 0044D81B
ntdll.dll, xrefs: 0044D7D5, 0044D7DC

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: GetModuleHandleW ({})$GetProcAddress ({})$ntdll.dll
API String ID: 1762409328-4210645558
Opcode ID: c2a1a81f7ca23298cca39fa9daaf713f2e1fbe300a5b0648da302ec2cca63db4
Instruction ID: cb17c4b300b6cab4cbf5bce618ae08df27cd55fd93f733b4f6dd4b477fa0be86
Opcode Fuzzy Hash: c2a1a81f7ca23298cca39fa9daaf713f2e1fbe300a5b0648da302ec2cca63db4
Instruction Fuzzy Hash: 6D012571244301ABD310FF61CC0AA9BBBD8AB49706F004A1FB49992190EB28EB04C75E

Function 00440BB0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 440fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 00441002
UnlockFileEx.KERNEL32(?,00000000,FFFFFFFF,00000000,?), ref: 0044102E
SetLastError.KERNEL32(00000000,?,?), ref: 0044104B
CloseHandle.KERNEL32(00000000), ref: 004410A3

Strings

couldn't obtain shared file lock, xrefs: 004410F4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: File$CloseErrorHandleLastLockUnlock
String ID: couldn't obtain shared file lock
API String ID: 1994953073-3717060661
Opcode ID: 3ab0eda90e9a2856ecbdd1c8ec26ddbd040ca7f7f9c076ddd7047f71d1cc55c8
Instruction ID: 8e2587972f8e6a2c5ba525d5b57c5b5cde4bc4475f559c5407a6d550dec93fdc
Opcode Fuzzy Hash: 3ab0eda90e9a2856ecbdd1c8ec26ddbd040ca7f7f9c076ddd7047f71d1cc55c8
Instruction Fuzzy Hash: 9BF1F671D002089FEB14DFA8CC85BEEBBB5EF45314F20821EE815A7391DB78A995CB54

Function 00458760 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2881E606), ref: 004587BA
LeaveCriticalSection.KERNEL32(?,00000000,?), ref: 0045885E
GetModuleHandleExW.KERNEL32(00000004,00000000,?), ref: 00458874
FreeLibrary.KERNEL32(00000000), ref: 004588C9
LeaveCriticalSection.KERNEL32(?), ref: 0045890A

Strings

Provided module is invalid or already unloaded, xrefs: 00458957

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$Leave$EnterFreeHandleLibraryModule
String ID: Provided module is invalid or already unloaded
API String ID: 2523167316-250373487
Opcode ID: 6a9fd1f3fc1bee28436e1aa9b9a9676846c0b15e754d1e8451afcf72e0e572d1
Instruction ID: 9d461b01e4b856578e19a9732f3e25a7d042570bc7a55a1b9a042307d085042e
Opcode Fuzzy Hash: 6a9fd1f3fc1bee28436e1aa9b9a9676846c0b15e754d1e8451afcf72e0e572d1
Instruction Fuzzy Hash: 57815E75A002099FCB00DF69C884BAEBBB5FF49711F15816EE815A7391DB38AE05CF94

Function 0043FB00 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,08000000,00000000,2881E606,?,?), ref: 0043FB9E
GetLastError.KERNEL32(?,000F4240,00000000), ref: 0043FBBF
__Xtime_get_ticks.LIBCPMT ref: 0043FC94
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043FCF3
CloseHandle.KERNEL32(?,?,?,000F4240,00000000), ref: 0043FD50

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

Strings

couldn't open file, xrefs: 0043FD7F

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseCreateErrorExceptionFileHandleLastRaiseUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: couldn't open file
API String ID: 3970899653-3645828643
Opcode ID: 44c5451b1792db9af507a8038fcca4d26693f7650fb8e9db935d48c10ce091e9
Instruction ID: 4193bb4f3a36d185f9fc446e66d557003d21d7b6e053712a1dc59920b6c652e6
Opcode Fuzzy Hash: 44c5451b1792db9af507a8038fcca4d26693f7650fb8e9db935d48c10ce091e9
Instruction Fuzzy Hash: 8681A871E002189BCB24DFA9D88169DB7B5FF48714F24523BE825BB391D7746C098B58

Function 00445670 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 219COMMON

Download Yara Rule

Strings

StringFileInfo, xrefs: 0044575C
There is no resource section in module, xrefs: 0044568F
Resource section is empty, xrefs: 004456B8
Unable to determine product identifier from resources!, xrefs: 004458D7

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: Resource section is empty$StringFileInfo$There is no resource section in module$Unable to determine product identifier from resources!
API String ID: 0-3023212541
Opcode ID: eddfefc27d1e2ecc2abe115a84b40a570674005a370be14430f52ecd0cd06200
Instruction ID: a39b397f3735d68b94bd2fbf7258ac9c476507c577a34bd940896d2736f7b28b
Opcode Fuzzy Hash: eddfefc27d1e2ecc2abe115a84b40a570674005a370be14430f52ecd0cd06200
Instruction Fuzzy Hash: 16810432D005258BDF10DF68DC816AEF7B1FF95320F19836AD824AB2D1E7789954CB94

Function 00454680 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,2881E606,?,?), ref: 004546E9
GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 0045470E
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0045473D
GetLastError.KERNEL32(?,004E3840,00000000,Unable to retrieve a path of the known folder ({})!,00000033,?,?,?), ref: 004548F4
GetLastError.KERNEL32(?,004E3840,000000EA,Unable to retrieve a path of the known folder ({})!,00000033,?,?,004E3840,00000000,Unable to retrieve a path of the known folder ({})!,00000033,?,?,?), ref: 00454954

Strings

Unable to retrieve a path of the known folder ({})!, xrefs: 004548D2, 00454903, 0045492E, 00454963, 0045498E

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: DirectoryErrorLast$FolderPathSystemWindows
String ID: Unable to retrieve a path of the known folder ({})!
API String ID: 1744653567-3064207712
Opcode ID: b672f5a5d88c0440839e61885968bdcf3a0e821c5ebcfc7eb103b8e408a97012
Instruction ID: 13efbaf171d2127b39923144ba6c2d2721112c846566516be76ffb96fc8abf18
Opcode Fuzzy Hash: b672f5a5d88c0440839e61885968bdcf3a0e821c5ebcfc7eb103b8e408a97012
Instruction Fuzzy Hash: F4612F71A002146BDB10EF65DC4AF9EB7B8AB4570AF10419BF8059B181E7785BCCCB59

Function 00440EC0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 184fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 00441002
UnlockFileEx.KERNEL32(?,00000000,FFFFFFFF,00000000,?), ref: 0044102E
SetLastError.KERNEL32(00000000,?,?), ref: 0044104B
CloseHandle.KERNEL32(00000000), ref: 004410A3

Strings

couldn't obtain shared file lock, xrefs: 004410F4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: File$CloseErrorHandleLastLockUnlock
String ID: couldn't obtain shared file lock
API String ID: 1994953073-3717060661
Opcode ID: 0ff97ea20820d82488d102a52ec43f552f16ac6dc5becb6523da94e4878542fb
Instruction ID: 59daf06f24dc253eebacff006d5c90e33f44346136f241fc4100bb1a4453bd0a
Opcode Fuzzy Hash: 0ff97ea20820d82488d102a52ec43f552f16ac6dc5becb6523da94e4878542fb
Instruction Fuzzy Hash: EF61AF71D002489FEB14DFA8CC49BDEBBB4FF49314F10825EE815AB291DB786A44CB64

Function 0047A821 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 0047A88C
operator+.LIBVCRUNTIME ref: 0047A8DC
shared_ptr.LIBCMT ref: 0047A9A8
DName::DName.LIBVCRUNTIME ref: 0047A9D8
operator+.LIBVCRUNTIME ref: 0047AA39

Strings

LL, xrefs: 0047AA27

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: operator+shared_ptr$NameName::
String ID: LL
API String ID: 2894330373-3348601134
Opcode ID: 5268c9658def88da4740668619ccc4769680f4ccbabb7c8488d099488b75f67a
Instruction ID: 879972b7fd58513efc2630b6f0e8d6b05d9f44a96e867e72c0ef972d87d43f64
Opcode Fuzzy Hash: 5268c9658def88da4740668619ccc4769680f4ccbabb7c8488d099488b75f67a
Instruction Fuzzy Hash: CC619EF180411AEFCB04DF64C8449EE7BB5FB84304F15C56BE50C9A212D7399626DF9A

Function 00456D10 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 174registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000035,00000000,?,?,?,2881E606,00000035,00000035), ref: 00456DA5
RegQueryValueExW.ADVAPI32(?,00000035,00000000,?,?,00000100,00000100,00000000), ref: 00456E7D
std::bad_exception::bad_exception.LIBCMT ref: 00456EFA

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

Strings

Cannot query registry value size, xrefs: 00456E18
Cannot query registry value data, xrefs: 00456E95
Cannot query registry data due to value changed too often, xrefs: 00456EEF

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: QueryValue$ExceptionRaisestd::bad_exception::bad_exception
String ID: Cannot query registry data due to value changed too often$Cannot query registry value data$Cannot query registry value size
API String ID: 3497148868-756855248
Opcode ID: 099c3c436f4ea15cec64d59142a1d43da43bd8ed06e718d3652bacdf68fe6462
Instruction ID: 28c2839787b32857990faf0b0791c46214fad675c5dc7c4b74a10ccac585a7e3
Opcode Fuzzy Hash: 099c3c436f4ea15cec64d59142a1d43da43bd8ed06e718d3652bacdf68fe6462
Instruction Fuzzy Hash: A5519F71D01209EBCB04CFA5D955BEEF7B5FF98304F10426AE805B7251EB746A88CB94

Function 00456F20 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,2881E606,?,00000001), ref: 00456FB3
std::bad_exception::bad_exception.LIBCMT ref: 004570F7

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

Strings

Cannot query registry value size, xrefs: 00456FF7
Cannot query registry value data, xrefs: 004570A2
Cannot query registry data due to value changed too often, xrefs: 004570EC

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ExceptionQueryRaiseValuestd::bad_exception::bad_exception
String ID: Cannot query registry data due to value changed too often$Cannot query registry value data$Cannot query registry value size
API String ID: 200596742-756855248
Opcode ID: 4a8379902eb58e5ec057af016afc4e079c35d108f3c25b647580f34d02de2502
Instruction ID: 586832c42021c9819da4c5360b35e09997b81e58a56896108b394109c5b0edd9
Opcode Fuzzy Hash: 4a8379902eb58e5ec057af016afc4e079c35d108f3c25b647580f34d02de2502
Instruction Fuzzy Hash: 93510771E042199FCF14CF95D881BEEBBF5FB48705F10816AE909B7281D7386A48CBA5

Function 004133C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00413449
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041349E
__Getctype.LIBCPMT ref: 004134B7
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00413501
std::_Lockit::~_Lockit.LIBCPMT ref: 0041359F

Strings

bad locale name, xrefs: 004135BD

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: bcd51e8952e00252a67ffeda2384af786ca1de5819c2522bbcf816e886d6e415
Instruction ID: 34eed5310a10daf2188ff4abdc0babb0d74b33061f0e7723510524be07d501d2
Opcode Fuzzy Hash: bcd51e8952e00252a67ffeda2384af786ca1de5819c2522bbcf816e886d6e415
Instruction Fuzzy Hash: CC5183B1D003589BEB10DFA5D9417DEBBB4BF14708F14816AD848A7342EB38EA88CB55

Function 00456B10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,00000004,2881E606,?), ref: 00456BC3
SetLastError.KERNEL32(00000000), ref: 00456BCE
RegSetValueExW.ADVAPI32(?,00000004,00000000,00000004,?,?,2881E606,?), ref: 00456C06
RegCloseKey.ADVAPI32(?), ref: 00456C27
SetLastError.KERNEL32(00000000), ref: 00456C32

Part of subcall function 00456360: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00000000,00000000,2881E606,00000000,00000000), ref: 004563CC
Part of subcall function 00456360: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,?,00000000,?), ref: 00456450
Part of subcall function 00456360: RegCloseKey.ADVAPI32(?), ref: 00456472
Part of subcall function 00456360: SetLastError.KERNEL32(00000000), ref: 0045647D

Strings

Cannot write key value, xrefs: 00456C0C

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseErrorLast$Create$Value
String ID: Cannot write key value
API String ID: 1002417207-3393872497
Opcode ID: 7f689ae28262fd26bb55a9386f6a09788f25ea5f44364e94a0c10ac32789ec39
Instruction ID: e514bd36899bb119646ff7702ceb51675e819b346702d49c9e095bfbb624b10e
Opcode Fuzzy Hash: 7f689ae28262fd26bb55a9386f6a09788f25ea5f44364e94a0c10ac32789ec39
Instruction Fuzzy Hash: 8941D631901218ABCB20DF64DD45BEEBBF4EF09705F50456EFC09A7251DB38AA04CB99

Function 00472E30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00472E67
___except_validate_context_record.LIBVCRUNTIME ref: 00472E6F
_ValidateLocalCookies.LIBCMT ref: 00472EF8
__IsNonwritableInCurrentImage.LIBCMT ref: 00472F23
_ValidateLocalCookies.LIBCMT ref: 00472F78

Strings

csm, xrefs: 00472F0D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d399de7e5801b0b7f576a9ce6e260c286ff77950143132c50ab7bacabc2234ec
Instruction ID: c14e02b4177d75e422336933cffb0e1156aab5777846a20a030222bd6738a3ba
Opcode Fuzzy Hash: d399de7e5801b0b7f576a9ce6e260c286ff77950143132c50ab7bacabc2234ec
Instruction Fuzzy Hash: 9B41B334A002099BCF10DF69C980ADEBBB5FF44318F14C06AED185B392D779AD05CB99

Function 004136B0 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004136E6
std::_Lockit::_Lockit.LIBCPMT ref: 00413709
std::_Lockit::~_Lockit.LIBCPMT ref: 00413729
std::_Facet_Register.LIBCPMT ref: 0041379B
std::_Lockit::~_Lockit.LIBCPMT ref: 004137BD
Concurrency::cancel_current_task.LIBCPMT ref: 004137E0
__Towlower.LIBCPMT ref: 004137FA

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_RegisterTowlower
String ID:
API String ID: 843868180-0
Opcode ID: a892d7dfd0532070ef282f702a36f7dbee076a6f84c1744faba16098797cddd3
Instruction ID: 32ec9f75b714e15a6aff60cdbbe4d46d3caee8ce3ffd8c4df4ecdc7810a904c7
Opcode Fuzzy Hash: a892d7dfd0532070ef282f702a36f7dbee076a6f84c1744faba16098797cddd3
Instruction Fuzzy Hash: 1F4112B18002499FCB01EF54D881AEEF7B5FB44325F14812BE8156B392D738AE45CBD9

Function 00416D5A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000), ref: 00416E7A
GetLastError.KERNEL32 ref: 00416E87
DebugActiveProcessStop.KERNEL32(?), ref: 00416E93
DeviceIoControl.KERNEL32(00000000,B2D601C4,?,00000005,00000000,00000000,?,00000000), ref: 00416ECD
GetLastError.KERNEL32 ref: 00416ED7
CloseHandle.KERNEL32(00000000), ref: 00416EDE
DebugActiveProcessStop.KERNEL32(?), ref: 00416EEA

Strings

F59A, xrefs: 00416DA0
Process exited: {}, PID: {}, Exit Code: {}, xrefs: 00416DB5
689A, xrefs: 00416D7D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ActiveDebugErrorLastProcessStop$CloseControlCreateDeviceFileHandle
String ID: 689A$F59A$Process exited: {}, PID: {}, Exit Code: {}
API String ID: 4222496201-3519298127
Opcode ID: 6fc7d36402be2a32eedfc0a8bac1d458b25770bc77dbead0199594376dd7fd08
Instruction ID: c182d6a0f055ff6deca771fb5f694e6df5e12a530cd6a9bce4d0e3bb2591c14a
Opcode Fuzzy Hash: 6fc7d36402be2a32eedfc0a8bac1d458b25770bc77dbead0199594376dd7fd08
Instruction Fuzzy Hash: E3318DB1D04228DBEB249F24DC85BDCB7B0FB05314F1482DAE98967291DF346AC48F98

Function 0048D6C6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,2881E606,?,0048D7D3,00000008,00458A7A,?,00000000), ref: 0048D787

Strings

api-ms-, xrefs: 0048D71D
ext-ms-, xrefs: 0048D731

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b65a3d8b2a39b1a871c3072d68ea0604d77326dbb6e2b8ba2b4e283d493447e8
Instruction ID: 02be9c24dc6a93b6e133d1532f367ab289ae7c6357ff58d6f145a25e3dcfe857
Opcode Fuzzy Hash: b65a3d8b2a39b1a871c3072d68ea0604d77326dbb6e2b8ba2b4e283d493447e8
Instruction Fuzzy Hash: 5F210531E02211ABC721BB20AC81A5F7768EB017A0F214936FD15A73D1E738ED00CBD8

Function 00416DD6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000), ref: 00416E7A
GetLastError.KERNEL32 ref: 00416E87
DebugActiveProcessStop.KERNEL32(?), ref: 00416E93
DeviceIoControl.KERNEL32(00000000,B2D601C4,?,00000005,00000000,00000000,?,00000000), ref: 00416ECD
GetLastError.KERNEL32 ref: 00416ED7
CloseHandle.KERNEL32(00000000), ref: 00416EDE
DebugActiveProcessStop.KERNEL32(?), ref: 00416EEA

Strings

F59A, xrefs: 00416E16
689A, xrefs: 00416DF9
RIP_EVENT occurred {}:{}!, xrefs: 00416E2A

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ActiveDebugErrorLastProcessStop$CloseControlCreateDeviceFileHandle
String ID: 689A$F59A$RIP_EVENT occurred {}:{}!
API String ID: 4222496201-1075497469
Opcode ID: 6f6faed3e3ed8145caef85b2ab6d08d9d12b5bd1a8b6d8124c2dc54f4274550d
Instruction ID: 92436b6613acad2930f26f28d3c289c50f9fdc5d4aba72710058944703017fd1
Opcode Fuzzy Hash: 6f6faed3e3ed8145caef85b2ab6d08d9d12b5bd1a8b6d8124c2dc54f4274550d
Instruction Fuzzy Hash: D731AFB1D042289BDB249F24DC857DCB7B0FB45314F1482DAE58967291DF346AC48F89

Function 0045A339 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0045A3B4,0045A55D), ref: 0045A350
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0045A366
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0045A37B

Strings

ReleaseSRWLockExclusive, xrefs: 0045A370
AcquireSRWLockExclusive, xrefs: 0045A360
KERNEL32.DLL, xrefs: 0045A34B

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 2b613d5b08db9d7b3b2556108446da49d057d7f221c6337edea987320bc871ab
Instruction ID: 5cf40c1aabe0958897496d7a71e66991ebb41487b0407152467e89a14370b27a
Opcode Fuzzy Hash: 2b613d5b08db9d7b3b2556108446da49d057d7f221c6337edea987320bc871ab
Instruction Fuzzy Hash: A2F0FF337822238B8B304EA45C8066B73C8AB0231B315823BEC21D3252E72C9C1982DF

Function 0043B4F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

RpcServerUseProtseqEpW.RPCRT4(ncalrpc,0000000A,004E6C30,00000000), ref: 0043B50D
RpcServerRegisterIfEx.RPCRT4(004D1CF8,00000000,00000000,00000001,000004D2,00000000), ref: 0043B530
RpcServerRegisterIfEx.RPCRT4(004D1FE0,00000000,00000000,00000001,000004D2,00000000), ref: 0043B54A
RpcServerRegisterIfEx.RPCRT4(004D1F88,00000000,00000000,00000001,000004D2,00000000), ref: 0043B565

Strings

ncalrpc, xrefs: 0043B508
0lN, xrefs: 0043B4F7

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Server$Register$Protseq
String ID: 0lN$ncalrpc
API String ID: 1860028169-3487564567
Opcode ID: c228bb683c680778d95effe3dfc59d4e9d47b720121f7f70ed7b667744bb3b22
Instruction ID: 0687d03bce9415c0e3a79890f4c6fce2e7a80d45c941683f1f0a4677e9a08cc3
Opcode Fuzzy Hash: c228bb683c680778d95effe3dfc59d4e9d47b720121f7f70ed7b667744bb3b22
Instruction Fuzzy Hash: 71F04FB23C13117AFA304A946D8BF762908E724F86F208063FF00F92E0D6D88C4086AC

Function 0045DF7D Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,?), ref: 0045DFC6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0045E031
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045E04E
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0045E08D
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045E0EC
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0045E10F

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 1ff8d75f475445619a1b0895cc48088a98174858e692ceb4dc472ef94073a047
Instruction ID: 77c6174db5ba4a1c5e56dda10a4d7dc8258cd6f6a9d526d2aec7c39d1959a8f0
Opcode Fuzzy Hash: 1ff8d75f475445619a1b0895cc48088a98174858e692ceb4dc472ef94073a047
Instruction Fuzzy Hash: D6513372900216AFDB249F52CC45FAF7BA9EF04782F10402AFD05D6292D779DE04CB58

Function 0047C5A7 Relevance: 9.1, APIs: 6, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0047C5EB
DName::operator+.LIBCMT ref: 0047C5F7

Part of subcall function 00476A94: shared_ptr.LIBCMT ref: 00476AB0

DName::operator+=.LIBCMT ref: 0047C6B5

Part of subcall function 0047AE35: DName::operator+.LIBCMT ref: 0047AEA0
Part of subcall function 0047AE35: DName::operator+.LIBCMT ref: 0047B16A

Part of subcall function 004769BF: DName::operator+.LIBCMT ref: 004769E0

DName::operator+.LIBCMT ref: 0047C672

Part of subcall function 00476AEC: DName::operator=.LIBVCRUNTIME ref: 00476B0D

DName::DName.LIBVCRUNTIME ref: 0047C6D9
DName::operator+.LIBCMT ref: 0047C6E5

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: 437c7bb94ce4771be97e06912110b6f51ff991b419c26601f57b32a1df20cfbd
Instruction ID: a04053652c0193979666036eb9fe032de5bd5ac559a7b721d3effd073995e1ad
Opcode Fuzzy Hash: 437c7bb94ce4771be97e06912110b6f51ff991b419c26601f57b32a1df20cfbd
Instruction Fuzzy Hash: 1541C6B0A00648AFDB14DFA4C8D1ADE7BE9AF09304F04945EE14EAB292D7386D45CB5C

Function 00426A30 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00426A66
std::_Lockit::_Lockit.LIBCPMT ref: 00426A89
std::_Lockit::~_Lockit.LIBCPMT ref: 00426AA9

Part of subcall function 004267B0: std::_Lockit::_Lockit.LIBCPMT ref: 00426839
Part of subcall function 004267B0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00426885

std::_Facet_Register.LIBCPMT ref: 00426B1B
std::_Lockit::~_Lockit.LIBCPMT ref: 00426B3D
Concurrency::cancel_current_task.LIBCPMT ref: 00426B60

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 2294326227-0
Opcode ID: 9a49372dd966e4e8f3589624a187d91407ae49f60f0c586e29f487d0aab386c8
Instruction ID: f69394294ad0c6ca6c83cf33842223cfc9ef38da9ff82f63ab46af680fddd1fa
Opcode Fuzzy Hash: 9a49372dd966e4e8f3589624a187d91407ae49f60f0c586e29f487d0aab386c8
Instruction Fuzzy Hash: ED41F271E002A99FCB10DF58E881AAEF7B0FB45324F26412FD805A7352D738AD05CB99

Function 00410FB0 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410FE6
std::_Lockit::_Lockit.LIBCPMT ref: 00411009
std::_Lockit::~_Lockit.LIBCPMT ref: 00411029

Part of subcall function 00410C90: std::_Lockit::_Lockit.LIBCPMT ref: 00410D36
Part of subcall function 00410C90: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00410D91

std::_Facet_Register.LIBCPMT ref: 0041109B
std::_Lockit::~_Lockit.LIBCPMT ref: 004110BD
Concurrency::cancel_current_task.LIBCPMT ref: 004110E0

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 2294326227-0
Opcode ID: 4074f6258a447ab938bfcfbfbc5469b09436cb964f324bb7db5b0e61916d4a70
Instruction ID: 5ff14d7bd3fd23a9fa76ded0d419c009cbc66849201f79df8ac8ecadd7471239
Opcode Fuzzy Hash: 4074f6258a447ab938bfcfbfbc5469b09436cb964f324bb7db5b0e61916d4a70
Instruction Fuzzy Hash: 3241B075D00285DFCB11DF54D881AEEBBB0FB48324F24412AD905AB362DB38AD85CB99

Function 0047B1F3 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0047C6FB: Replicator::operator[].LIBCMT ref: 0047C738

DName::operator=.LIBVCRUNTIME ref: 0047B29F

Part of subcall function 0047AE35: DName::operator+.LIBCMT ref: 0047AEA0
Part of subcall function 0047AE35: DName::operator+.LIBCMT ref: 0047B16A

DName::operator+.LIBCMT ref: 0047B259
DName::operator+.LIBCMT ref: 0047B265
DName::DName.LIBVCRUNTIME ref: 0047B2A9
DName::operator+.LIBCMT ref: 0047B2C6
DName::operator+.LIBCMT ref: 0047B2D2

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: 653bad337b0bf081576c1198559a53e727f4edaa860af5c73cc5da122fd6ec90
Instruction ID: c680a1199a2d39915b128e72ec73dcc1d3d59c246026407d0f444cc4e59e52b3
Opcode Fuzzy Hash: 653bad337b0bf081576c1198559a53e727f4edaa860af5c73cc5da122fd6ec90
Instruction Fuzzy Hash: 5531C2B0A013049FCB14DF65C458AEEBBF5EF99304F10C49EE58AA7352E7389944CB58

Function 004753CA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004753C1,0047312F,0045C187,2881E606,00000000,?,?,00000000,0049FC4D,000000FF,?,004338AA,00000000,00000000), ref: 004753D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004753E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004753FF
SetLastError.KERNEL32(00000000,004753C1,0047312F,0045C187,2881E606,00000000,?,?,00000000,0049FC4D,000000FF,?,004338AA,00000000,00000000,004316C7), ref: 00475451

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: dd12c9d2579c7930a61b9b94535bd0e898c368af7b40a179d0369ced978764ea
Instruction ID: 3766d5fc1b4f6f3f992747e3b6e7112040862a90ecfec702697d36167646710e
Opcode Fuzzy Hash: dd12c9d2579c7930a61b9b94535bd0e898c368af7b40a179d0369ced978764ea
Instruction Fuzzy Hash: 3201D232109A115EAA1127756CC56A76B84AB213BF730833FF51C681E2EE994C41924C

Function 0044D3E0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 306COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?), ref: 0044D606
DeleteCriticalSection.KERNEL32(?), ref: 0044D61B
std::_Throw_Cpp_error.LIBCPMT ref: 0044D67C
std::_Throw_Cpp_error.LIBCPMT ref: 0044D68A

Part of subcall function 0045DC05: WakeConditionVariable.KERNEL32(?,?,0044D4A8,?), ref: 0045DC0F

Strings

(4M, xrefs: 0044D425

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Cpp_errorCriticalDeleteSectionThrow_std::_$ConditionVariableWake
String ID: (4M
API String ID: 3021290238-2052587664
Opcode ID: 0aa6a883cabe618f3cfd14f8ca3265d57d75fd87fb25f9426fc44eed566cb15e
Instruction ID: 5092006306b2aabc2542a8c94e2bb3d9ac4b43e7b2502b497efe93b35ec8ff4f
Opcode Fuzzy Hash: 0aa6a883cabe618f3cfd14f8ca3265d57d75fd87fb25f9426fc44eed566cb15e
Instruction Fuzzy Hash: 56A1F471E002119FE724DF28C885B5AF3A5EF04718F05866EE8099B792DB78BD15CF98

Function 0045E1DB Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0045E1E2
std::_Lockit::_Lockit.LIBCPMT ref: 0045E1EC

Part of subcall function 00412D70: std::_Lockit::_Lockit.LIBCPMT ref: 00412D8D
Part of subcall function 00412D70: std::_Lockit::~_Lockit.LIBCPMT ref: 00412DA9

codecvt.LIBCPMT ref: 0045E226
std::_Facet_Register.LIBCPMT ref: 0045E23D
std::_Lockit::~_Lockit.LIBCPMT ref: 0045E25D
Concurrency::cancel_current_task.LIBCPMT ref: 0045E26A

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: a534462d3b035b1b867fe2d5d2d85c77a227a3dd0c7641f29178ad99b069c399
Instruction ID: 66accf8ef1c5ef858a0dd9d0f95a10386f50346d2c590cd708e9b050a0acee0b
Opcode Fuzzy Hash: a534462d3b035b1b867fe2d5d2d85c77a227a3dd0c7641f29178ad99b069c399
Instruction Fuzzy Hash: 5E0104359001159BCB08AF61CA066AE7775AF8431AF10401FF811AB392CF7C9F098788

Function 0045C87D Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0045C884
std::_Lockit::_Lockit.LIBCPMT ref: 0045C88E

Part of subcall function 00412D70: std::_Lockit::_Lockit.LIBCPMT ref: 00412D8D
Part of subcall function 00412D70: std::_Lockit::~_Lockit.LIBCPMT ref: 00412DA9

codecvt.LIBCPMT ref: 0045C8C8
std::_Facet_Register.LIBCPMT ref: 0045C8DF
std::_Lockit::~_Lockit.LIBCPMT ref: 0045C8FF
Concurrency::cancel_current_task.LIBCPMT ref: 0045C90C

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 091370b2c8fa778513c7bf4319d6e5be891d6539d5d9f838a348072db778f357
Instruction ID: bfc4aa9fe987700a3e1c2aae3d30152f9b9651d999cb3773195ba7400aeea689
Opcode Fuzzy Hash: 091370b2c8fa778513c7bf4319d6e5be891d6539d5d9f838a348072db778f357
Instruction Fuzzy Hash: 6F0104359002599FCB14EF60C9856AE7770AF44316F10401EE800AB3D3CF7C9E098789

Function 0045D6E7 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0045D84A

Strings

?-C, xrefs: 0045D6EA, 0045D864, 0045D708
?-C, xrefs: 0045D854
-, xrefs: 0045D878
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0045D7A8, 0045D7DF, 0045D7E4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz$?-C$?-C
API String ID: 3732870572-150209914
Opcode ID: ab35184f134e2e61168e997294cf2edbce2c36f018174c37beca1cb2f2ce8def
Instruction ID: d9cb8f95c3f77d791619727fa86a955c26c4d75121166d60e8175881bf40a80e
Opcode Fuzzy Hash: ab35184f134e2e61168e997294cf2edbce2c36f018174c37beca1cb2f2ce8def
Instruction Fuzzy Hash: 32510734E04245ABCF35AFA984407BFBBB5AF49302F14446FECA197346C27C894A8B59

Function 00479299 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004792CC

Part of subcall function 00476A72: DName::operator+=.LIBCMT ref: 00476A88

Strings

\NL, xrefs: 004793C0, 004793CA

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name::operator+Name::operator+=
String ID: \NL
API String ID: 382699925-2339856886
Opcode ID: 4ced79d058f3f7b76f0b8cb8c45671513d693b8480bfa0d74c41ebe9d0fb4e51
Instruction ID: e74ad05917681eff2282e0ee1b07663bf2b0d453b68f74f0980dff1947f70cc7
Opcode Fuzzy Hash: 4ced79d058f3f7b76f0b8cb8c45671513d693b8480bfa0d74c41ebe9d0fb4e51
Instruction Fuzzy Hash: E2417AB1C0020A9ACF04CFA9D585AEFBBB5FB48304F10841FE909A7341D7789A85CB98

Function 00455F30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00457520: RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000001,00000005,2881E606,00000000,?), ref: 004575C4

RegQueryValueExW.ADVAPI32(00000000,00000011,00000000,00000000,000000FF,?,?,00000001,?,2881E606,2881E606,?,?,?,?,?), ref: 00455F8C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?), ref: 00455FBD
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00455FC8

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

___std_exception_copy.LIBVCRUNTIME ref: 0045603F

Strings

Cannot query registry value, xrefs: 00455F92

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseErrorExceptionLastOpenQueryRaiseValue___std_exception_copy
String ID: Cannot query registry value
API String ID: 617419043-1100310711
Opcode ID: 01bd368a768f3845d357d69e5c22cf9b6e6a9cebfa2773e50c9df8d8afe0cc02
Instruction ID: 05352ad66a3074df794e3c98a21acab4290dbf0fc8449f4c784bc7f4c1a07d5e
Opcode Fuzzy Hash: 01bd368a768f3845d357d69e5c22cf9b6e6a9cebfa2773e50c9df8d8afe0cc02
Instruction Fuzzy Hash: 2B3155B1900609AFCB10DFA5D845BAEF7F8FF09711F10452AF915E7641E778AA08CB64

Function 00456360 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00000000,00000000,2881E606,00000000,00000000), ref: 004563CC
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,?,00000000,?), ref: 00456450
RegCloseKey.ADVAPI32(?), ref: 00456472
SetLastError.KERNEL32(00000000), ref: 0045647D

Strings

Cannot create registry key, xrefs: 0045648B

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Create$CloseErrorLast
String ID: Cannot create registry key
API String ID: 3551974399-2366797263
Opcode ID: 8d39cdd0523fe77025226f6c68cf19d48da4d0396ac27e4f2bc0ff56c7d03e1f
Instruction ID: ebd3fb1684f1a4f9e5d6a31436920e5f196159563b87815fade8fc6603186848
Opcode Fuzzy Hash: 8d39cdd0523fe77025226f6c68cf19d48da4d0396ac27e4f2bc0ff56c7d03e1f
Instruction Fuzzy Hash: A74150B0A00209AFDB20DF95DC45BAEFBF4FB48705F10456EE50AA7280D774AA44CB58

Function 00450810 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,2881E606,?,?), ref: 00450860

Strings

FTimeToSysTime fail, xrefs: 00450875
{:04}-{:02}-{:02} {:02}:{:02}:{:02}.{:03}, xrefs: 004508DC
$9M, xrefs: 00450912
#9M, xrefs: 00450870

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Time$FileSystem
String ID: #9M$$9M$FTimeToSysTime fail${:04}-{:02}-{:02} {:02}:{:02}:{:02}.{:03}
API String ID: 2086374402-4156816922
Opcode ID: 58f0a5fdfdfca4d984fd9a54c148b067cbc52a3faa2cb9e1681997f630075f66
Instruction ID: 5944c6115a63958789d0555536ef8dc3ff424ef0999363b3c25e0cf59ad8f3cc
Opcode Fuzzy Hash: 58f0a5fdfdfca4d984fd9a54c148b067cbc52a3faa2cb9e1681997f630075f66
Instruction Fuzzy Hash: B54117B5D00258DBDB20CF95D9807AEFBB4FF08715F20822AE854AB381E7796944CB65

Function 0047BD1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 0047BD70

Strings

lKL, xrefs: 0047BD40
tKL, xrefs: 0047BDDA

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Decorator::getDimensionSigned
String ID: lKL$tKL
API String ID: 2996861206-967431576
Opcode ID: 1f217e7812d84e22183143473de4494cd5522af1feb658a1d7dbe84c5dd3ad6c
Instruction ID: 10be07aa28c45eca590bef28f3611af8d2bfae5347ad25d3b76b52519853ddc4
Opcode Fuzzy Hash: 1f217e7812d84e22183143473de4494cd5522af1feb658a1d7dbe84c5dd3ad6c
Instruction Fuzzy Hash: 4131A5719006099FDF14DBE5D995BEFB7F9EB08304F10842FE605B6181DB386A09CBA9

Function 00453400 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,004532EF), ref: 0045341C
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,004532EF), ref: 0045343D
GetLastError.KERNEL32(?,?,?,?,004532EF), ref: 00453451
CloseHandle.KERNEL32(00000000,?,004E3840,00000000,Cannot create event,?,?,?,?,004532EF), ref: 0045348E

Strings

Cannot create event, xrefs: 00453457

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseHandle$CreateErrorEventLast
String ID: Cannot create event
API String ID: 3743700123-3475436419
Opcode ID: 511a83e3b3b18385a42384e133ab14b8a5720e54e3651f70b457416242bd5f9c
Instruction ID: 94f2c9b475ccdec830fd0e6f9a4a1d09e0d9cf3387aa83112d7073f91aaceec6
Opcode Fuzzy Hash: 511a83e3b3b18385a42384e133ab14b8a5720e54e3651f70b457416242bd5f9c
Instruction Fuzzy Hash: BF01B132B002156BDB12EF7D5C09B6777DC9B46B07B0041BBBD05D2251FE28CE0487A9

Function 00426500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0042654E
___std_exception_destroy.LIBVCRUNTIME ref: 0042655E
___std_exception_copy.LIBVCRUNTIME ref: 00426568
___std_exception_destroy.LIBVCRUNTIME ref: 0042657B

Strings

hOJ, xrefs: 00426573

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: hOJ
API String ID: 2970364248-1483585742
Opcode ID: 9896980892c3a98b8935f1b3c2e051f3e2ee280e310565aeb9f25249f2946c34
Instruction ID: 233b0f0b004ac54def6fddbabf303fb4574bda98b93798bcc130f72daafa75d1
Opcode Fuzzy Hash: 9896980892c3a98b8935f1b3c2e051f3e2ee280e310565aeb9f25249f2946c34
Instruction Fuzzy Hash: 85114CB1D00249ABCB10DFA9D8418DEB7F8EF95701B40866FF815A7201E7B4A754CB95

Function 00488D44 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2881E606,00000000,?,00000000,0049A4D0,000000FF,?,00488CD4,?,?,00488CA8,00000000), ref: 00488D79
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00488D8B
FreeLibrary.KERNEL32(00000000,?,00000000,0049A4D0,000000FF,?,00488CD4,?,?,00488CA8,00000000), ref: 00488DAD

Strings

CorExitProcess, xrefs: 00488D83
mscoree.dll, xrefs: 00488D72

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d9c0e2816becf89d32a4894494598bf341aa4e6ffd18a30f8d7aa84a75340d3b
Instruction ID: 6254c15b7a0b2e39116dcef1cd91a2ad5f72cb83154d90c3e9f17884bc772c47
Opcode Fuzzy Hash: d9c0e2816becf89d32a4894494598bf341aa4e6ffd18a30f8d7aa84a75340d3b
Instruction Fuzzy Hash: B601A731544655AFDB119F50CC05FAEBBF8FB44B16F10453AF811A22D0DF789900CB98

Function 0045DCAD Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045DCC1
AcquireSRWLockExclusive.KERNEL32(?), ref: 0045DCE0
AcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 0045DD0E
TryAcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 0045DD69
TryAcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 0045DD80

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: c81d9e19e9adae2e697a57fc7eeeb0dd0a978241788e65b200299c6643dfca30
Instruction ID: 74bb8effae8fa917859ca1e1853203f449e3ea708edbb0df6384785faa847029
Opcode Fuzzy Hash: c81d9e19e9adae2e697a57fc7eeeb0dd0a978241788e65b200299c6643dfca30
Instruction Fuzzy Hash: 75415B31D00606DBCB31DF65C480AAAB3F5FF45356B10492BE806D7652D738E94DCB59

Function 00452250 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2881E606), ref: 00452291
LeaveCriticalSection.KERNEL32(?,?,?), ref: 004522B9
EnterCriticalSection.KERNEL32(?,?,?,?,?), ref: 0045230F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 00452340

Strings

Module is being registered for the second time, xrefs: 004522DC

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Module is being registered for the second time
API String ID: 3168844106-2588535507
Opcode ID: ba9133903cb1d001576170a2143493e79a207a81e99ee8bffe9327e2fc28db0a
Instruction ID: 1fb64aebfb4505e058157dc30adfcb8521d1a4438b527096d021b389f6e2a394
Opcode Fuzzy Hash: ba9133903cb1d001576170a2143493e79a207a81e99ee8bffe9327e2fc28db0a
Instruction Fuzzy Hash: 9731C672900208AFC710DF55D985AEFBBF8EF45701F10462FF802A7241DB756A49CB94

Function 0045AEE4 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0045AEEB
std::_Lockit::_Lockit.LIBCPMT ref: 0045AEF6
std::_Lockit::~_Lockit.LIBCPMT ref: 0045AF64

Part of subcall function 0045B047: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0045B05F

std::locale::_Setgloballocale.LIBCPMT ref: 0045AF11
_Yarn.LIBCPMT ref: 0045AF27

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: ce55e9986e60c34f243236171b5fb7f7e7c8b206984e8f5d42762d2bdbc569ad
Instruction ID: 4a2d3bdc794ee18da18178d8280c61d9152eee816cf7a7ab156b32f570e20da9
Opcode Fuzzy Hash: ce55e9986e60c34f243236171b5fb7f7e7c8b206984e8f5d42762d2bdbc569ad
Instruction Fuzzy Hash: 20019E75A006609BCB05EF20D8515BE7B61FF88755B14401EEC015B392DF786A09CBCD

Function 0043F2F0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?), ref: 0043F58E
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043F599

Strings

SYSTEM\Software\, xrefs: 0043F350
\Icarus, xrefs: 0043F3A4

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseErrorLast
String ID: SYSTEM\Software\$\Icarus
API String ID: 3262646002-1244725785
Opcode ID: a0d1f071d87d35c58744dc2ee43b015cf6a0bba329caa3d13a9552ba52e1db73
Instruction ID: a44788631639552a1ae9166dacdee16b6a10d6483d646b0d91d1923a91f9e31d
Opcode Fuzzy Hash: a0d1f071d87d35c58744dc2ee43b015cf6a0bba329caa3d13a9552ba52e1db73
Instruction Fuzzy Hash: 9491E570D002089FDB14DF68DD85BAEBBB4EF58304F1042AEE409A7391EB789A44CF95

Function 00444CB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

PersistentStorage, xrefs: 004454EC
IcarusEnabled, xrefs: 0044555D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID:
String ID: IcarusEnabled$PersistentStorage
API String ID: 0-2101147437
Opcode ID: 1ca7f2c07df37bc8179ef3b26fd3531bb63361d0a687cd36e66c7e8af84af2db
Instruction ID: ba71e1ebbc5c1fddefc459ae9fbaaebf1229a187f152663c84b335f4f8dee055
Opcode Fuzzy Hash: 1ca7f2c07df37bc8179ef3b26fd3531bb63361d0a687cd36e66c7e8af84af2db
Instruction Fuzzy Hash: 1E91C3B0D046C49FDB14DF74ED857A977B0FB58308F10826EE4099B2A2E7786A84CB5D

Function 0042A940 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00403245,00000000,00000000,00000000,00000000,2881E606,00000000), ref: 0042A9EA
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00403245,00000018,?,00000000,00000000,00000000,00000000), ref: 0042AA30

Strings

to_narrow<wchar_t>::WideCharToMultiByte, xrefs: 0042AA68
to_narrow<wchar_t> invalid arguments, xrefs: 0042AA83

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: to_narrow<wchar_t> invalid arguments$to_narrow<wchar_t>::WideCharToMultiByte
API String ID: 626452242-1534530176
Opcode ID: 25f9b91e86d7087a288730c00c9f84f34d2151db3caf4e82975fa1e4a7503638
Instruction ID: e1e8c7474484bea114614adeb9d9a25abdb26005ddd2270d5bdd46dc64624e5d
Opcode Fuzzy Hash: 25f9b91e86d7087a288730c00c9f84f34d2151db3caf4e82975fa1e4a7503638
Instruction Fuzzy Hash: 13612671F00215ABCB10DF55DC45BAFFBB4EF44704F50422BE911A7680D7B8AA90CB9A

Function 00450300 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0045048C
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004504A0
GetCurrentThreadId.KERNEL32 ref: 004504A9

Strings

p5M, xrefs: 0045036F

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CurrentTime$FileProcessSystemThread
String ID: p5M
API String ID: 2426501826-32263897
Opcode ID: 270e6ace5af8ff28bd475fc5740ebe0754b6b5dcee106a46b24c759333b65aa3
Instruction ID: 6aa7675378c826104df02c4a4c7c10822e087d4e02562409138cdd9e99c6d454
Opcode Fuzzy Hash: 270e6ace5af8ff28bd475fc5740ebe0754b6b5dcee106a46b24c759333b65aa3
Instruction Fuzzy Hash: 9151BEB1D007089FC710DF68D844A9ABBF4FF49304F10865EEC559B352E774A988CB95

Function 0047AA6F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBVCRUNTIME ref: 0047AAD2
DName::operator+.LIBCMT ref: 0047AB90
operator+.LIBVCRUNTIME ref: 0047ABCF

Strings

tNL, xrefs: 0047AB6C

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: operator+$Name::operator+
String ID: tNL
API String ID: 1198235884-3173611182
Opcode ID: 3b10f4edcf759fbe68e867927c8a96210434abc7357466b2e24c655f1f9222f2
Instruction ID: 3d1651a74b211ee22a2b43ad7333613a4c29f91babbddeab7075c09ae68fb166
Opcode Fuzzy Hash: 3b10f4edcf759fbe68e867927c8a96210434abc7357466b2e24c655f1f9222f2
Instruction Fuzzy Hash: 82416AB0800209DFDF14CF54D955BEF7BF2AB84308F00C05BE6185B252D7B8AA59CB8A

Function 00475ADD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00475B02
CatchIt.LIBVCRUNTIME ref: 00475BE8

Strings

RCC, xrefs: 00475B1C
MOC, xrefs: 00475B14

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: a0f4deb6d8d3e88d4173c09409571d9da67479c85244b62af7df0b4c9f188010
Instruction ID: 0c29ad8366610978c7f197bee0d68bdf2ca94fe674884f4fd268f3866248d822
Opcode Fuzzy Hash: a0f4deb6d8d3e88d4173c09409571d9da67479c85244b62af7df0b4c9f188010
Instruction Fuzzy Hash: 36416C71900609EFCF16DF94CD81AEEBBB5FF48304F18805AF9086B251D3B9A951DB94

Function 0046AD90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 110COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0046AE5E

Strings

O, xrefs: 0046ADE6
C, xrefs: 0046ADED
ine, xrefs: 0046AE1B

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy
String ID: C$O$ine
API String ID: 2659868963-14754586
Opcode ID: 98fa6a5f62ec7c70e0625ea0e6b4713d8c6ef181ea749b35f5cade075b67d948
Instruction ID: 91e9c12e2f4b74c1a8dc78aa07ebca08bf3e2c15dc87e83e3b8af3a319ccfd74
Opcode Fuzzy Hash: 98fa6a5f62ec7c70e0625ea0e6b4713d8c6ef181ea749b35f5cade075b67d948
Instruction Fuzzy Hash: 5441F0B0C002898BDB15DF68C9407EDBBB0FF59318F14925EE80867392E7B956C4CB99

Function 0424A850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 04231270: WaitForSingleObject.KERNEL32 ref: 04231289
Part of subcall function 04231270: ReleaseMutex.KERNEL32 ref: 042312A7

Part of subcall function 0423E3B4: DuplicateTokenEx.ADVAPI32 ref: 0423E5B6

RegOpenKeyExW.ADVAPI32 ref: 0424A914
RegCloseKey.ADVAPI32 ref: 0424A9A9

Part of subcall function 0422C9A8: RegOpenKeyExW.ADVAPI32 ref: 0422CA5F
Part of subcall function 0422C9A8: RegOpenKeyExW.ADVAPI32 ref: 0422CA97
Part of subcall function 0422C9A8: RegQueryInfoKeyW.ADVAPI32 ref: 0422CB0D
Part of subcall function 0422C9A8: swscanf_s.MSVCRT ref: 0422CB2D
Part of subcall function 0422C9A8: RegCloseKey.ADVAPI32 ref: 0422CB42

RegOpenKeyExW.ADVAPI32 ref: 0424A978

Part of subcall function 0422D078: RegOpenKeyExW.ADVAPI32 ref: 0422D171

Strings

;, xrefs: 0424A92F

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: Open$Close$DuplicateInfoMutexObjectQueryReleaseSingleTokenWaitswscanf_s
String ID: ;
API String ID: 1359255939-1661535913
Opcode ID: 7050b5642f74c8fe1812cb6a8201d9bb6f1c4a3e9ae642254ffbc954581ec981
Instruction ID: a5caf48b9d807c6f9baa706d5a985e97e7e6079273b8e215184bd8a12335e1de
Opcode Fuzzy Hash: 7050b5642f74c8fe1812cb6a8201d9bb6f1c4a3e9ae642254ffbc954581ec981
Instruction Fuzzy Hash: 975181B4A19305AFEB00EFA9D58869EBBF4FF84344F41881DE89897350D774A5888F52

Function 0047ACED Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 0047ADED

Part of subcall function 00476A94: shared_ptr.LIBCMT ref: 00476AB0

Strings

4ML, xrefs: 0047ADB7
,ML, xrefs: 0047AD98
0ML, xrefs: 0047AD89

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: NameName::shared_ptr
String ID: ,ML$0ML$4ML
API String ID: 2125921051-2046229549
Opcode ID: 714667bc457b796e2e747ce74d32d0ebb4063ef7b3991eb33b5f94f179e50467
Instruction ID: d75f822ed8de5a8f64284565cd10e85829e0243ed976c8255220c4789adff1e8
Opcode Fuzzy Hash: 714667bc457b796e2e747ce74d32d0ebb4063ef7b3991eb33b5f94f179e50467
Instruction Fuzzy Hash: 3131A2B19002199FCB14DFA8C895AEEBBB6EF84305F10C06BE549AB341D7385A44CB99

Function 00441460 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0044155C

Strings

M, xrefs: 00441520
,?L, xrefs: 0044153A
4?L, xrefs: 004414B5

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ,?L$4?L$M
API String ID: 323602529-987630463
Opcode ID: a62c6a6a60083b94905772ce5e7901d944a515faa739db455d9bc0b9f7117437
Instruction ID: 2a028667ab51525c3d55030f4734716ff8e8a2458e3599000cc7242a3beeb9b0
Opcode Fuzzy Hash: a62c6a6a60083b94905772ce5e7901d944a515faa739db455d9bc0b9f7117437
Instruction Fuzzy Hash: E94154786046469FC710CF09C484E1AFBF5FF48718B2580AEE8188B352EB75E945CF84

Function 00452A50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 004529B0: InitializeCriticalSection.KERNEL32(00000000,?,?,004042B7,?,2881E606,?,00000007), ref: 004529D9
Part of subcall function 004529B0: DeleteCriticalSection.KERNEL32(00000000,?,?,004042B7,?,2881E606,?,00000007), ref: 004529F3
Part of subcall function 004529B0: EnterCriticalSection.KERNEL32(00000000,004EC1D0,004EC1D4,?,?,?,00403843,2881E606,004EC1D0,00000007,?,?,004042B7,?,2881E606,?), ref: 00452A3D

SetEvent.KERNEL32(?,2881E606,004EC1D0,?,?,?,?,?,?,00000000,0049F0DD,000000FF,?,00404356), ref: 00452AAA
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,0049F0DD,000000FF,?,00404356), ref: 00452AC4
LeaveCriticalSection.KERNEL32(?), ref: 00452AE6

Strings

asw::lifetime::impl::lifetime_creation_monitor_holder::set_created, xrefs: 00452B09

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterEventHandleInitializeLeave
String ID: asw::lifetime::impl::lifetime_creation_monitor_holder::set_created
API String ID: 3040484998-3605786268
Opcode ID: ba1d9410590eca8237a583c2e48eaea1a7ed369f4c696a52e40ad7f6c7c5d82e
Instruction ID: 091df126031b33119a04e70a15612ea05a0887de5c911f87e023bbc02bb64bce
Opcode Fuzzy Hash: ba1d9410590eca8237a583c2e48eaea1a7ed369f4c696a52e40ad7f6c7c5d82e
Instruction Fuzzy Hash: 6A21C531900609AFCB11DF65DD45B9EFBB4FF05712F10822BF811A3691EB786A44CB98

Function 04243858 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E3D
Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E8A

CreateDirectoryW.KERNEL32 ref: 042438A9
GetLastError.KERNEL32 ref: 042438F5

Part of subcall function 042377A4: WaitForSingleObject.KERNEL32 ref: 042377C2
Part of subcall function 042377A4: ReleaseMutex.KERNEL32 ref: 0423780B

Strings

?, xrefs: 042438B5
a, xrefs: 042438BD

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: BinaryCryptString$CreateDirectoryErrorLastMutexObjectReleaseSingleWait
String ID: ?$a
API String ID: 1789892323-455855063
Opcode ID: d24166ba7185e680b2f365b1d989a4822ad4a8b24c6c5148d37f6d587b9e62c4
Instruction ID: 19440ff434336e63da1dc741f983f57396a468407d84c7ce622b79189421ae9e
Opcode Fuzzy Hash: d24166ba7185e680b2f365b1d989a4822ad4a8b24c6c5148d37f6d587b9e62c4
Instruction Fuzzy Hash: 1221D6B4A187099BEB00AF68D4847AEFBF4EF84714F01881DE88897301D779A485CB52

Function 00456990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00457520: RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000001,00000005,2881E606,00000000,?), ref: 004575C4

RegDeleteTreeW.ADVAPI32(00000000,00000000,00000000,0000000B,00000000,2881E606,00000000,?,?,2881E606,00000000), ref: 004569E2
RegCloseKey.ADVAPI32(?,?,2881E606,00000000), ref: 00456A0A
SetLastError.KERNEL32(00000000,?,2881E606,00000000), ref: 00456A15

Strings

Cannot delete registry key tree, xrefs: 004569E8

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseDeleteErrorLastOpenTree
String ID: Cannot delete registry key tree
API String ID: 321458958-3455289483
Opcode ID: 036c5b5b0d07ba7e744c32f9a2d3d4dc8bb1f7550b1283fac5f43bcd1e6a24d5
Instruction ID: b7ddac03d08d477c9a39a03f520af0d2b60b0cbb6d5d6ec131ca644d1b1d57d7
Opcode Fuzzy Hash: 036c5b5b0d07ba7e744c32f9a2d3d4dc8bb1f7550b1283fac5f43bcd1e6a24d5
Instruction Fuzzy Hash: C5119871E04209ABDF10DFA5DC46BAFBBB8EB09711F50453EF811E7281EB3859048B94

Function 00456A50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00457520: RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000001,00000005,2881E606,00000000,?), ref: 004575C4

RegDeleteValueW.ADVAPI32(00000000,?,00000000,00000002,00000000,2881E606,00000000,?,?,0049F75D,000000FF), ref: 00456AA3
RegCloseKey.ADVAPI32(?), ref: 00456ACB
SetLastError.KERNEL32(00000000), ref: 00456AD6

Strings

Cannot delete registry value, xrefs: 00456AA9

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseDeleteErrorLastOpenValue
String ID: Cannot delete registry value
API String ID: 1963916417-4063604081
Opcode ID: eda2430b3d1f8242f033d62d131b836e1e90ff1969afb2104079f9707e091282
Instruction ID: b6e3f4f4c2caea41cf29b338b2dc952b5912dd9a7f4dc01a1062b3754ed3a3e8
Opcode Fuzzy Hash: eda2430b3d1f8242f033d62d131b836e1e90ff1969afb2104079f9707e091282
Instruction Fuzzy Hash: 23118671E04209AFDF10DFA5D846BAFBBB8EB05711F50453EF816E7281EB3999048B94

Function 0047CD93 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(004316C3,00000000,00000800,?,0047CD44,00000000,?,00000000,?,?,?,0047CE6E,00000002,FlsGetValue,004C5110,FlsGetValue), ref: 0047CDA0
GetLastError.KERNEL32(?,0047CD44,00000000,?,00000000,?,?,?,0047CE6E,00000002,FlsGetValue,004C5110,FlsGetValue,00000000,?,004753EB), ref: 0047CDAA
LoadLibraryExW.KERNEL32(004316C3,00000000,00000000,?,004316C3), ref: 0047CDD2

Strings

api-ms-, xrefs: 0047CDB7

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d787286a6cc230a8efe7a441f6e55f7e2c4090858db94101bcd487212af4f41d
Instruction ID: 1b8575e7819009f64920eb708f37784301e07a928c3623919697ba19adcc1e17
Opcode Fuzzy Hash: d787286a6cc230a8efe7a441f6e55f7e2c4090858db94101bcd487212af4f41d
Instruction Fuzzy Hash: B4E04830684205BBEB302F51DD47B5D3F59AB11B41F20C036FE0DE45E1F7659950898C

Function 0048DFB7 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(2881E606,00000000,00000000,?), ref: 0048E01A

Part of subcall function 0049027F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0049333F,?,00000000,-00000008), ref: 0049032B

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0048E275
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0048E2BD
GetLastError.KERNEL32 ref: 0048E360

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 66cd5df1a6dac374ed4b00601bc95b45c8de9aeae9ab5581e733c3add25206c4
Instruction ID: 6966d2292bacf3197cacf8360753875ecd608f9f939916d07e6d75a128dba57e
Opcode Fuzzy Hash: 66cd5df1a6dac374ed4b00601bc95b45c8de9aeae9ab5581e733c3add25206c4
Instruction Fuzzy Hash: A4D187B1D002589FCF11DFA9D8809EEBBB4FF49304F18492AE855EB352E734A902CB54

Function 0044C0C0 Relevance: 6.2, APIs: 4, Instructions: 250COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000003,?,?,?,?), ref: 0044C17C
LeaveCriticalSection.KERNEL32(?), ref: 0044C19A

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 72409b42bf0f5032407c5abbbf5f1e767da2f722a245c8f88f7d9c44afcbe8d8
Instruction ID: 9f36e1280c7c78c1ab1657841deb9d2dac10689ca1c769e170b4578d405efefc
Opcode Fuzzy Hash: 72409b42bf0f5032407c5abbbf5f1e767da2f722a245c8f88f7d9c44afcbe8d8
Instruction Fuzzy Hash: 6B91E371E012049FEB54DF69C8C5BAEB7B1BF05314F08416AE805AB381D7B9AD05CFA9

Function 00448130 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000010,?,?,?,00000000), ref: 00448334
InitializeCriticalSection.KERNEL32(00000044,?,?,?,?,00000000), ref: 00448385

Strings

3M, xrefs: 004481C6
`3M, xrefs: 0044818D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: `3M$3M
API String ID: 32694325-3604785553
Opcode ID: 21513e3e6db9c27137bea3c16013b9d4446b841883e4809453d383097ee660ab
Instruction ID: 1729d038e68ccd2cac215e929f3fe3e68e6c739ba7a55162520fa120e856d98b
Opcode Fuzzy Hash: 21513e3e6db9c27137bea3c16013b9d4446b841883e4809453d383097ee660ab
Instruction Fuzzy Hash: 34A14CB0900606DFD705CF68C444B9AFBF0FF49318F20826AD419AB790E779AA55CF95

Function 0422744C Relevance: 6.2, APIs: 4, Instructions: 222COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0422749C

Part of subcall function 042383D4: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,?,04228859), ref: 042383EB

ExitProcess.KERNEL32 ref: 04227483

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: ExitProcessTime$FileSystem
String ID:
API String ID: 155966812-0
Opcode ID: d5c457b2541b920fc7cb7710d62cbc534331d1fee77e0c78bf06a597ae82334b
Instruction ID: b952d486e984768a28ee4b33102486344211dd14c88394d83447d9a9b5c671ff
Opcode Fuzzy Hash: d5c457b2541b920fc7cb7710d62cbc534331d1fee77e0c78bf06a597ae82334b
Instruction Fuzzy Hash: 67A1A6B4A187159BDB04EF68C1846AEBBF4FF88314F05886DD898AB201E774A584DF52

Function 00478EDD Relevance: 6.2, APIs: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00478EE4
UnDecorator::getSymbolName.LIBCMT ref: 00478F76
DName::operator+.LIBCMT ref: 0047907A
DName::DName.LIBVCRUNTIME ref: 0047911D

Part of subcall function 00476A94: shared_ptr.LIBCMT ref: 00476AB0

Part of subcall function 00476C93: DName::DName.LIBVCRUNTIME ref: 00476CE1

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
String ID:
API String ID: 1134295639-0
Opcode ID: 9f44a7efb411257d42abf8ec5fff6f80780428156c6730c42eac4583063257ce
Instruction ID: f80f27d84cf045bf965309c2139add616d47ed173fa552d099f77bb1f20468e8
Opcode Fuzzy Hash: 9f44a7efb411257d42abf8ec5fff6f80780428156c6730c42eac4583063257ce
Instruction Fuzzy Hash: 90715E71D11259DFDB11CFA4D885AEEBBB5FB09310F14802BE909AB352DB389D41CB98

Function 00479557 Relevance: 6.2, APIs: 4, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0047968C

Part of subcall function 004767D0: __aulldvrm.LIBCMT ref: 00476801

DName::operator+.LIBCMT ref: 004795ED
DName::operator=.LIBVCRUNTIME ref: 004796D1
DName::DName.LIBVCRUNTIME ref: 00479703

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=__aulldvrm
String ID:
API String ID: 2973644308-0
Opcode ID: c6802dc7baba0a19e6ee1e06b46fe02f7d81aed596b06c8601d52b19d95e86e8
Instruction ID: 1dc0a36daadf9f49fad26f009112424929c079755daa27018a8876b294aa4e17
Opcode Fuzzy Hash: c6802dc7baba0a19e6ee1e06b46fe02f7d81aed596b06c8601d52b19d95e86e8
Instruction Fuzzy Hash: 23615AB490126ADFCB09CF65D881AEEBBB1FB45300F14C15BE9096B352D7789E41CB98

Function 004754E1 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004755A8
___AdjustPointer.LIBCMT ref: 004755CB
___AdjustPointer.LIBCMT ref: 00475667

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 9bc13773e51d8e48189ca7a64401c7e43206219f8c25de6ce843bc662694e488
Instruction ID: 7fe856895de221836dce1a8c51612aa6dfd11fb085bd3d95505ccf64b27011ef
Opcode Fuzzy Hash: 9bc13773e51d8e48189ca7a64401c7e43206219f8c25de6ce843bc662694e488
Instruction Fuzzy Hash: 7151F2B2601A06AFDB299F11D841BFA73A5EF44315F14842FE80D4F291E7B9ED41CB98

Function 0049996D Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 004999BE
TypeidsEqual.LIBVCRUNTIME ref: 004999E3
PMDtoOffset.LIBCMT ref: 004999F9
PMDtoOffset.LIBCMT ref: 00499A7A

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: 2ca317564d3a52bdce74212441e3e6b18e266408b0b4746ca7a4d4689c7ceabc
Instruction ID: 504e07be3ffedf6389c05005c5f46089ee847bba4f132c85a45922da4f26ed3d
Opcode Fuzzy Hash: 2ca317564d3a52bdce74212441e3e6b18e266408b0b4746ca7a4d4689c7ceabc
Instruction Fuzzy Hash: 2C41993590428A9FCF10CFADC4805AEBFF4EF55314F1444AEE841AB351E33AAD458B94

Function 00426D10 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000001,00000000,00000000,2881E606,00000008), ref: 00426DAD
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000001,?,000000FF,00000000,00000000), ref: 00426E14

Strings

to_wide<char> invalid arguments, xrefs: 00426E67
to_wide<char>::MultiByteToWideChar, xrefs: 00426E4C

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: to_wide<char> invalid arguments$to_wide<char>::MultiByteToWideChar
API String ID: 626452242-363086301
Opcode ID: f4e5d31a88b7eb522cfb5b564b8bbf4ec41f6566b2d52ec6c42ab9992022b1c4
Instruction ID: f3b7ef8aecf7a8b1d2704b02bc8d173c5ba61f6f513045a0d92c4b4931e779fb
Opcode Fuzzy Hash: f4e5d31a88b7eb522cfb5b564b8bbf4ec41f6566b2d52ec6c42ab9992022b1c4
Instruction Fuzzy Hash: AB41A570B00219ABDB14DF65E805BAFFBB5FF54714F51422BE805A3380E779AA50CB98

Function 0044ADB0 Relevance: 6.1, APIs: 4, Instructions: 128fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B660: EnterCriticalSection.KERNEL32(?,2881E606,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B699
Part of subcall function 0044B660: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B6BD
Part of subcall function 0044B660: GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B6DD
Part of subcall function 0044B660: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B716
Part of subcall function 0044B660: GetFileSizeEx.KERNEL32(0044ADF3,0049E525,?,?,?,?,?,?,?,?,?,?,?,?,0049E525,000000FF), ref: 0044B733

Part of subcall function 004504D0: FileTimeToSystemTime.KERNEL32(?,?,2881E606,?,?), ref: 00450530

EnterCriticalSection.KERNEL32(?,?), ref: 0044AE23
LeaveCriticalSection.KERNEL32(?), ref: 0044AE44
WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 0044AE79
FlushFileBuffers.KERNEL32(?), ref: 0044AEA0
GetLastError.KERNEL32 ref: 0044AF30

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalFileSection$Enter$LeaveSizeTime$BuffersErrorFlushLastSystemWrite
String ID:
API String ID: 3948539269-0
Opcode ID: 5f78d332f5d786e14d249753dccfc133f4c123aba7214025b39489a3dfafc1cb
Instruction ID: 70264a08153f8d9be929d56d816046f4e2c353d01aca9f050c9ab03ba787fb49
Opcode Fuzzy Hash: 5f78d332f5d786e14d249753dccfc133f4c123aba7214025b39489a3dfafc1cb
Instruction Fuzzy Hash: A8418171A40204AFDB04DF69D884BAEBBB5FF49311F24812AF815E7350DB38AD14CB99

Function 00413D00 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 00413BE0: ___std_exception_copy.LIBVCRUNTIME ref: 00413C12

Part of subcall function 00473A64: RaiseException.KERNEL32(E06D7363,00000001,00000003,00412B7C,?,?,?,?,00412B7C,2881E606,004E37B0,2881E606), ref: 00473AC4

EnterCriticalSection.KERNEL32(004ED28C), ref: 00413F71
LeaveCriticalSection.KERNEL32(004ED28C,?), ref: 00413F8E

Strings

SeDebugPrivilege, xrefs: 00413DC3
Width is not an integer., xrefs: 00404F50, 00413D06

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$EnterExceptionLeaveRaise___std_exception_copy
String ID: SeDebugPrivilege$Width is not an integer.
API String ID: 1212204202-2017928573
Opcode ID: 94c9fc46b70fc65ccf114fdd477c3d68e4e0bc06aaa0208ed9e6b718111b29ef
Instruction ID: 18e0b12821716a2f78f311a36656e3ffec8a43f268c8d46f9d5320c563f8d44e
Opcode Fuzzy Hash: 94c9fc46b70fc65ccf114fdd477c3d68e4e0bc06aaa0208ed9e6b718111b29ef
Instruction Fuzzy Hash: 8341C134E05208AFCB04DF59D845BDDBBB1EF45325F20416AF8069B391DB78AE41CB84

Function 00416A25 Relevance: 6.1, APIs: 4, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00416D1C
CreateFileW.KERNEL32(00000000,00000000), ref: 00416E7A
GetLastError.KERNEL32 ref: 00416E87
DebugActiveProcessStop.KERNEL32(?), ref: 00416E93

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ActiveCloseCreateDebugErrorFileHandleLastProcessStop
String ID:
API String ID: 1397270038-0
Opcode ID: 81fa1c73c2ed00231ed64ba1db1391f60bf08ce555677865def4e1f2239613a0
Instruction ID: 4db12df3258d641b84eca3f644d5da5a0a71897cc9b21fb22d3b2e6a69d0ddef
Opcode Fuzzy Hash: 81fa1c73c2ed00231ed64ba1db1391f60bf08ce555677865def4e1f2239613a0
Instruction Fuzzy Hash: D4519571E002649BDB24DB28DC447EDBBB1AB45315F1581DAE549A7390DB386EC0CF88

Function 00416C2F Relevance: 6.1, APIs: 4, Instructions: 121fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00416D1C
CreateFileW.KERNEL32(00000000,00000000), ref: 00416E7A
GetLastError.KERNEL32 ref: 00416E87
DebugActiveProcessStop.KERNEL32(?), ref: 00416E93

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ActiveCloseCreateDebugErrorFileHandleLastProcessStop
String ID:
API String ID: 1397270038-0
Opcode ID: 506c803e682401e4b09b6e4f2f2e35a8927c0a659ff7aef57612e93244cf28f8
Instruction ID: 3fe20cd9493a961bbe6635c4ddf5c021c68c909e8a876a1f07bc52347e73259d
Opcode Fuzzy Hash: 506c803e682401e4b09b6e4f2f2e35a8927c0a659ff7aef57612e93244cf28f8
Instruction Fuzzy Hash: 2551A471E002288BDB249B28DC447EDBBB1AB45315F1581DAE549A7390DB386FC0CF88

Function 00471730 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00471773
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004717BB

Part of subcall function 0045AFE2: _Yarn.LIBCPMT ref: 0045B001
Part of subcall function 0045AFE2: _Yarn.LIBCPMT ref: 0045B025

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004717F4
std::_Lockit::~_Lockit.LIBCPMT ref: 004718A1

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID:
API String ID: 2090653598-0
Opcode ID: cb4053c85d83d1dfb4388fcfca80da150e0242e9b0dba7a687e3b436b3a41826
Instruction ID: c958ac43698a48e9e02019664cdd0ad0973561115553b8b8c4c11eab16289e5f
Opcode Fuzzy Hash: cb4053c85d83d1dfb4388fcfca80da150e0242e9b0dba7a687e3b436b3a41826
Instruction Fuzzy Hash: B84160B4C14388DBEB10DFA9C9057CEBBF4AF14308F14855EE848A7342E778AA08CB55

Function 00440A00 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 0045DAD2: QueryPerformanceFrequency.KERNEL32(00000001,?,?,?,00440A13,00000000,00000001,?,2881E606,?,?), ref: 0045DAF0

Part of subcall function 0045DABB: QueryPerformanceCounter.KERNEL32(00000001,?,?,?,00440A1E,00000000,00000001,?,2881E606,?,?), ref: 0045DAC4

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00440A68
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00440A9B
__alldvrm.LIBCMT ref: 00440AB9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00440ADE

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$PerformanceQuery$CounterFrequency__alldvrm
String ID:
API String ID: 2057067329-0
Opcode ID: 027c13ebfb889fb4652a971bb1f1aba61ff098bab54c0f4ddbe16804f889033c
Instruction ID: e3f8fb9de6253682eb4941fd55bcb7f5a0728c31c0f21ca32431d203b83e0ab6
Opcode Fuzzy Hash: 027c13ebfb889fb4652a971bb1f1aba61ff098bab54c0f4ddbe16804f889033c
Instruction Fuzzy Hash: 35319271B042146FDB18AA6D8C45B7FABEDEBC8354F11817EFA09E7341E5785C014768

Function 004564C0 Relevance: 6.1, APIs: 4, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(2881E606,?,?,?,0049F630,?,2881E606,00000000,00000000), ref: 00456561
RegCloseKey.ADVAPI32(00000000), ref: 00456580
SetLastError.KERNEL32(00000000), ref: 0045658B
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,2881E606,00000000,00000000), ref: 004565B3

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CloseErrorInfoLastOpenQuery
String ID:
API String ID: 4026330008-0
Opcode ID: 09b0c2f5904dc6907202daaef869083eab2adad6c7e7189e7218d1bdf858a7da
Instruction ID: a632c0f2066967c45b3bbbc25dc6589939c1287cbd5b8de01f145c848fbd9f45
Opcode Fuzzy Hash: 09b0c2f5904dc6907202daaef869083eab2adad6c7e7189e7218d1bdf858a7da
Instruction Fuzzy Hash: 24318671D05219AFCB15DF64E948BAEFBB8FB08701F11052AEC15A3254EB38AE04CB94

Function 042488B6 Relevance: 6.1, APIs: 4, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 042488E2
RegCloseKey.ADVAPI32 ref: 04248996

Part of subcall function 04249B10: RtlAllocateHeap.NTDLL ref: 04249B33

RegQueryValueExW.ADVAPI32 ref: 04248934
GetLastError.KERNEL32 ref: 04248962

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: QueryValue$AllocateCloseErrorHeapLast
String ID:
API String ID: 2186148466-0
Opcode ID: 70f12b0d2fd0ede3727b7a0ed5b3e5a35b112640325219a35e928dac1538c19f
Instruction ID: 64c34b7f5466046603efbf2e3fc409cc2c8136f245ac8d8e44d4fb178214dc2c
Opcode Fuzzy Hash: 70f12b0d2fd0ede3727b7a0ed5b3e5a35b112640325219a35e928dac1538c19f
Instruction Fuzzy Hash: 9C4183B4A287059BDB04EFA8D59469EBBF4FF88344F01882DE894D7200E775E985CF52

Function 00403800 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 004529B0: InitializeCriticalSection.KERNEL32(00000000,?,?,004042B7,?,2881E606,?,00000007), ref: 004529D9
Part of subcall function 004529B0: DeleteCriticalSection.KERNEL32(00000000,?,?,004042B7,?,2881E606,?,00000007), ref: 004529F3
Part of subcall function 004529B0: EnterCriticalSection.KERNEL32(00000000,004EC1D0,004EC1D4,?,?,?,00403843,2881E606,004EC1D0,00000007,?,?,004042B7,?,2881E606,?), ref: 00452A3D

CloseHandle.KERNEL32(00000000,2881E606,004EC1D0,00000007,?,?,004042B7,?,2881E606,?), ref: 00403860
LeaveCriticalSection.KERNEL32(?,2881E606,004EC1D0,00000007), ref: 0040389A
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,004042B7,?,2881E606,?), ref: 004038C8
LeaveCriticalSection.KERNEL32(?), ref: 004038DD

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$Leave$CloseCreateDeleteEnterEventHandleInitialize
String ID:
API String ID: 3435541109-0
Opcode ID: e852c2e3b5208c022edf75262dfcf5f875925b357eb1e18d5a0a72e914115477
Instruction ID: 035321a306378f690622ff978b0cabdb834a934c6be3712515f8757a8a624f34
Opcode Fuzzy Hash: e852c2e3b5208c022edf75262dfcf5f875925b357eb1e18d5a0a72e914115477
Instruction Fuzzy Hash: 6A31CF72D00215ABDB219F55C845BAAFFB4FF06711F20826AF815772D0EB796A40CB98

Function 00450E10 Relevance: 6.1, APIs: 4, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(004D0140,?,?,?,?,?,?,?,?,?,?,?,?,00450C78), ref: 00450E24
HeapAlloc.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00450C78), ref: 00450E5A
asw_process_storage_allocate_connector.49GQFPN1V8(?,?,?,?,?,?,?,?,?,?,?,00450C78), ref: 00450E6A
LeaveCriticalSection.KERNEL32(?,?,?,004E3DCC,?,004E3DCC), ref: 00450EDB

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Heap$AllocCriticalLeaveProcessSectionasw_process_storage_allocate_connector
String ID:
API String ID: 1557274255-0
Opcode ID: 1e4ab9ca6ae0197302e26b9a9eca6e767b20db3c1020c3eb60258e38f638fef7
Instruction ID: a47a8062d209cde9734ec1c5149efc3ec35dc75576af9e2fac04c31c2bfa5062
Opcode Fuzzy Hash: 1e4ab9ca6ae0197302e26b9a9eca6e767b20db3c1020c3eb60258e38f638fef7
Instruction Fuzzy Hash: 2B21D6705003059FD714EF69DC45B6BFBA8EF04711F20882EF86583651DB78E905CB98

Function 00450C00 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00457C80: GetModuleHandleW.KERNEL32(00000000,{9C7565A2-47C2-4869-B388-8C7F9AD8E577},00000030,2881E606,00000005,00000000), ref: 00457CDB
Part of subcall function 00457C80: GetClassInfoExW.USER32(00000000), ref: 00457CE2
Part of subcall function 00457C80: GetLastError.KERNEL32 ref: 00457CF0
Part of subcall function 00457C80: Sleep.KERNEL32(00000001), ref: 00457CFA
Part of subcall function 00457C80: GetProcessHeap.KERNEL32 ref: 00457D12
Part of subcall function 00457C80: HeapAlloc.KERNEL32(00000000,00000000,00000034), ref: 00457D27
Part of subcall function 00457C80: InitializeCriticalSection.KERNEL32(00000000), ref: 00457D4A
Part of subcall function 00457C80: GetProcessHeap.KERNEL32 ref: 00457D50
Part of subcall function 00457C80: GetProcessHeap.KERNEL32 ref: 00457D6E
Part of subcall function 00457C80: RegisterClassExW.USER32(00000030), ref: 00457D90
Part of subcall function 00457C80: HeapFree.KERNEL32(?,00000000,00000000), ref: 00457DC4
Part of subcall function 00457C80: DeleteCriticalSection.KERNEL32(?), ref: 00457DEF
Part of subcall function 00457C80: GetProcessHeap.KERNEL32 ref: 00457DF5

EnterCriticalSection.KERNEL32(00000000,2881E606), ref: 00450C4B

Part of subcall function 00473235: ___unDName.LIBVCRUNTIME ref: 00473262

Part of subcall function 00450E10: GetProcessHeap.KERNEL32(004D0140,?,?,?,?,?,?,?,?,?,?,?,?,00450C78), ref: 00450E24
Part of subcall function 00450E10: HeapAlloc.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00450C78), ref: 00450E5A

HeapFree.KERNEL32(?,00000000,?,00000000), ref: 00450CAB
asw_process_storage_deallocate_connector.49GQFPN1V8 ref: 00450CBB
LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 00450CC3

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Heap$Process$CriticalSection$AllocClassFree$DeleteEnterErrorHandleInfoInitializeLastLeaveModuleNameRegisterSleep___unasw_process_storage_deallocate_connector
String ID:
API String ID: 1926385501-0
Opcode ID: c8c5ee4ceca0d586b5c86da576ff37b6bbbafb8570711bb25cd39c953f12b676
Instruction ID: 91736652cf73540ed1473deff2b130c06c9d103c677159400f462fb8842f53ae
Opcode Fuzzy Hash: c8c5ee4ceca0d586b5c86da576ff37b6bbbafb8570711bb25cd39c953f12b676
Instruction Fuzzy Hash: F221E471E002089BDB11DF65DD457AEBBB4EB05711F20422AEC11A7382EB396E048BA9

Function 004124D0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

VerSetConditionMask.NTDLL ref: 0041253D
VerSetConditionMask.NTDLL ref: 00412545
VerSetConditionMask.NTDLL ref: 0041254D
VerifyVersionInfoW.KERNEL32(00000000,00000023,00000000), ref: 00412574

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: bb83b9f4bfc0ed0a488d891493c38dd1a443718fb4c046e2d861c90aacb682e4
Instruction ID: 66ddef025dd8a1cde6da6c7244bcd7910c76cc1ea15bb8d40e394980f3d15ad0
Opcode Fuzzy Hash: bb83b9f4bfc0ed0a488d891493c38dd1a443718fb4c046e2d861c90aacb682e4
Instruction Fuzzy Hash: 691182716483406FE624DF65EC0BBAB7AE8EB88705F00492DB988D62C0E77456008BA6

Function 0044E520 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0044E530

Part of subcall function 0045C436: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0044E546,?,00000000,00000000,?,?,?,0044D4BF), ref: 0045C442
Part of subcall function 0045C436: GetExitCodeThread.KERNEL32(?,0044D4BF,?,?,0044E546,?,00000000,00000000,?,?,?,0044D4BF), ref: 0045C45B
Part of subcall function 0045C436: CloseHandle.KERNEL32(?,?,?,0044E546,?,00000000,00000000,?,?,?,0044D4BF), ref: 0045C46D

std::_Throw_Cpp_error.LIBCPMT ref: 0044E559
std::_Throw_Cpp_error.LIBCPMT ref: 0044E560
std::_Throw_Cpp_error.LIBCPMT ref: 0044E567

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: 55ae29f27c6de93a815a16df5522354a39435591f5b225fa78eca2dc416a227b
Instruction ID: 2ba4d3105ba379ba47bec0efc78893c23e15174c2b0da61ce789abe8cf5705f1
Opcode Fuzzy Hash: 55ae29f27c6de93a815a16df5522354a39435591f5b225fa78eca2dc416a227b
Instruction Fuzzy Hash: DCF0AE314507089EE7346AA58C4375273C49F00B1AF00451F7ED8865C2F9756444879A

Function 00498157 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00497395,00000000,00000001,00000000,?,?,0048E3B4,?,00000000,00000000), ref: 0049816E
GetLastError.KERNEL32(?,00497395,00000000,00000001,00000000,?,?,0048E3B4,?,00000000,00000000,?,?,?,0048E93B,2881E606), ref: 0049817A

Part of subcall function 00498140: CloseHandle.KERNEL32(FFFFFFFE,0049818A,?,00497395,00000000,00000001,00000000,?,?,0048E3B4,?,00000000,00000000,?,?), ref: 00498150

___initconout.LIBCMT ref: 0049818A

Part of subcall function 00498101: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00498130,00497382,?,?,0048E3B4,?,00000000,00000000,?), ref: 00498114

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00497395,00000000,00000001,00000000,?,?,0048E3B4,?,00000000,00000000,?), ref: 0049819F

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: feabbfb04ab05cb9bf37dad69956e5e52a176341ce1b65382168b9651afc3c21
Instruction ID: 9c886c36bc676d2c3bb0cbccafb99f81401161260b2de03736341ade080dc062
Opcode Fuzzy Hash: feabbfb04ab05cb9bf37dad69956e5e52a176341ce1b65382168b9651afc3c21
Instruction Fuzzy Hash: 12F0303A500164BBCF221FD5DC0699A7F66FB0A3A1F014075FA1985130DA328A209B98

Function 00429C10 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 367COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00429CF7
___std_exception_copy.LIBVCRUNTIME ref: 00429E68

Strings

ios_base::failbit set, xrefs: 00429F18

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Concurrency::cancel_current_task___std_exception_copy
String ID: ios_base::failbit set
API String ID: 1979911387-3924258884
Opcode ID: b968b9702d62c0421d4287ab1f9af480e2e44da972368942c914c53ce069e2fc
Instruction ID: 55e85e2bfee7597fe535e8952487eebec723b652736f4cf7625fc21881047e5b
Opcode Fuzzy Hash: b968b9702d62c0421d4287ab1f9af480e2e44da972368942c914c53ce069e2fc
Instruction Fuzzy Hash: F8C1D471E002189BCB14DF69D881BAEFBB4EF59314F14822FE815A7391D778AD408B95

Function 00439350 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 213COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00439520
___std_exception_destroy.LIBVCRUNTIME ref: 00439593

Strings

hOJ, xrefs: 0043958B

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Concurrency::cancel_current_task___std_exception_destroy
String ID: hOJ
API String ID: 102670376-1483585742
Opcode ID: 8351beb649bf1f22bee114986752f9da8a9bf96a3a9e7c9712794bee3d0ef727
Instruction ID: af8d5967e77d8bc8c7c9096af2b1b6bfb0c768278edc9b439231984f4d92b57a
Opcode Fuzzy Hash: 8351beb649bf1f22bee114986752f9da8a9bf96a3a9e7c9712794bee3d0ef727
Instruction Fuzzy Hash: B371E671A002059FCB18DF29C990AAEB7F5FF88300F04826EE8069B341E774EE54CB94

Function 00457EF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,onexit_register_connector_avast_2,?,00000000,?,?,?,?,?,?,?,?,?,0049F8E5,000000FF), ref: 00457F95
GetProcAddress.KERNEL32(00000000), ref: 00457F9C

Strings

onexit_register_connector_avast_2, xrefs: 00457F8A

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: onexit_register_connector_avast_2
API String ID: 1646373207-1395861777
Opcode ID: 854aea110e68612b5be9f9206fdd7f24d889e054122314411d06d42f74fcc4f5
Instruction ID: 3038370282b108837ef94eb269d4ceef845552d0a8fabf817f79049d83662d86
Opcode Fuzzy Hash: 854aea110e68612b5be9f9206fdd7f24d889e054122314411d06d42f74fcc4f5
Instruction Fuzzy Hash: 1A61AF709006099FCB00DF64C88079DBBB5FF88711F15826AEC15AB391EB78AE49CF94

Function 0044A240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,?,?,2881E606,00000000), ref: 0044A3A8

Part of subcall function 00471E11: AcquireSRWLockExclusive.KERNEL32(004EB5C8,?,?,?,00413873,004EC1F8,2881E606,00000000,?,?,004139AA,?,004025A8,?,?), ref: 00471E1C
Part of subcall function 00471E11: ReleaseSRWLockExclusive.KERNEL32(004EB5C8,?,00413873,004EC1F8,2881E606,00000000,?,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471E56

RtlNtStatusToDosError.NTDLL ref: 0044A3A1

Part of subcall function 0044D7C0: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0049A040,000000FF,?,004485B2), ref: 0044D7E4
Part of subcall function 0044D7C0: GetProcAddress.KERNEL32(00000000), ref: 0044D7F4

Part of subcall function 00471DC0: AcquireSRWLockExclusive.KERNEL32(004EB5C8,?,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471DCA
Part of subcall function 00471DC0: ReleaseSRWLockExclusive.KERNEL32(004EB5C8,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471DFD
Part of subcall function 00471DC0: WakeAllConditionVariable.KERNEL32(004EB5C4,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471E08

Strings

NtSetInformationFile, xrefs: 0044A2AC

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorRelease$AddressConditionHandleLastModuleProcStatusVariableWake
String ID: NtSetInformationFile
API String ID: 515452689-1659534519
Opcode ID: 54405eabe08eab440b121808341c8fcfd7411a90d8c75d1532cd35702f098f0a
Instruction ID: 30bfaccd11fb682faa3499fab00eb995cdbbe160203acdb0c70a754d595fbebc
Opcode Fuzzy Hash: 54405eabe08eab440b121808341c8fcfd7411a90d8c75d1532cd35702f098f0a
Instruction Fuzzy Hash: 75517D70D003459FDB00CF69D88579DBBF4FB48724F10822AE815AB391E775A950CF99

Function 00448CA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00403800: CloseHandle.KERNEL32(00000000,2881E606,004EC1D0,00000007,?,?,004042B7,?,2881E606,?), ref: 00403860
Part of subcall function 00403800: LeaveCriticalSection.KERNEL32(?,2881E606,004EC1D0,00000007), ref: 0040389A

WaitForSingleObject.KERNEL32(?,000000FF,?,2881E606), ref: 00448DD7
CloseHandle.KERNEL32(?,?,2881E606), ref: 00448DF5

Part of subcall function 00453190: EnterCriticalSection.KERNEL32(00000000), ref: 0045320E
Part of subcall function 00453190: LeaveCriticalSection.KERNEL32(00000000,?,?,00000000), ref: 00453242

Part of subcall function 00452A50: SetEvent.KERNEL32(?,2881E606,004EC1D0,?,?,?,?,?,?,00000000,0049F0DD,000000FF,?,00404356), ref: 00452AAA
Part of subcall function 00452A50: CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,0049F0DD,000000FF,?,00404356), ref: 00452AC4
Part of subcall function 00452A50: LeaveCriticalSection.KERNEL32(?), ref: 00452AE6

Strings

lifetime_object must be allocated on static memory (static or global variable or member of such a variable)., xrefs: 00448E2E, 00448E49

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$CloseHandleLeave$EnterEventObjectSingleWait
String ID: lifetime_object must be allocated on static memory (static or global variable or member of such a variable).
API String ID: 3951272266-2706815617
Opcode ID: bf4e69d5050dd5ef6fc4fd2c71a6ab81175ce82ee21481533de509780c056559
Instruction ID: 5504d1835684a24f388f84def318121cccdeb626322c9edb09946a066fbd2343
Opcode Fuzzy Hash: bf4e69d5050dd5ef6fc4fd2c71a6ab81175ce82ee21481533de509780c056559
Instruction Fuzzy Hash: 5B51D0B1C00348DBDB10DFE5D88579EBBF4AB05315F10866FE910AB391DB785A05CB99

Function 00404250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00403800: CloseHandle.KERNEL32(00000000,2881E606,004EC1D0,00000007,?,?,004042B7,?,2881E606,?), ref: 00403860
Part of subcall function 00403800: LeaveCriticalSection.KERNEL32(?,2881E606,004EC1D0,00000007), ref: 0040389A

WaitForSingleObject.KERNEL32(00000001,000000FF,?,2881E606,?,00000007), ref: 0040436F
CloseHandle.KERNEL32(00000001), ref: 00404386

Part of subcall function 00453190: EnterCriticalSection.KERNEL32(00000000), ref: 0045320E
Part of subcall function 00453190: LeaveCriticalSection.KERNEL32(00000000,?,?,00000000), ref: 00453242

Part of subcall function 00452A50: SetEvent.KERNEL32(?,2881E606,004EC1D0,?,?,?,?,?,?,00000000,0049F0DD,000000FF,?,00404356), ref: 00452AAA
Part of subcall function 00452A50: CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,0049F0DD,000000FF,?,00404356), ref: 00452AC4
Part of subcall function 00452A50: LeaveCriticalSection.KERNEL32(?), ref: 00452AE6

Strings

lifetime_object must be allocated on static memory (static or global variable or member of such a variable)., xrefs: 004043B8, 004043D3

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$CloseHandleLeave$EnterEventObjectSingleWait
String ID: lifetime_object must be allocated on static memory (static or global variable or member of such a variable).
API String ID: 3951272266-2706815617
Opcode ID: a34e31eaf0032ac8af74375c3b63160c56f4e9e226e448a2b0317e2468f89f64
Instruction ID: 692beb3d5719371bf4037786fad179e6bf8a21747238ca221486a1b390dfab8c
Opcode Fuzzy Hash: a34e31eaf0032ac8af74375c3b63160c56f4e9e226e448a2b0317e2468f89f64
Instruction Fuzzy Hash: 99518AB0D00609AFCB01DFA5C945BDEFBF4FF14715F10826AE814A7281E778AA04CB99

Function 04239008 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E3D
Part of subcall function 04239DFC: CryptStringToBinaryA.CRYPT32 ref: 04239E8A

CopyFileW.KERNEL32 ref: 042390FF
GetLastError.KERNEL32 ref: 0423915B

Part of subcall function 042377A4: WaitForSingleObject.KERNEL32 ref: 042377C2
Part of subcall function 042377A4: ReleaseMutex.KERNEL32 ref: 0423780B

Strings

, xrefs: 04239090

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: BinaryCryptString$CopyErrorFileLastMutexObjectReleaseSingleWait
String ID:
API String ID: 217212182-3916222277
Opcode ID: 191d2b396956973485f60d1377ffb14f0725b34955d29e0829413a4168f3e71e
Instruction ID: 8787521140ab0d3099aac24c7c00448641578a75a34fc044880bcde157f4f2e1
Opcode Fuzzy Hash: 191d2b396956973485f60d1377ffb14f0725b34955d29e0829413a4168f3e71e
Instruction Fuzzy Hash: A34185B4A147099BDB04EF64D49479EFBF4EF88354F01881DE898A7340D779A944CF52

Function 00499B70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 00499C02

Strings

Bad dynamic_cast!, xrefs: 00499C44

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Offset
String ID: Bad dynamic_cast!
API String ID: 1587990502-2956939130
Opcode ID: 64b6abba2843184cbe49a6c7408659fc57e9add433e3e65ae14f452236359cd7
Instruction ID: 17a76c12bc587396f234aac60c6bea99ddfa5fd715e45dad873ad2096cb6a222
Opcode Fuzzy Hash: 64b6abba2843184cbe49a6c7408659fc57e9add433e3e65ae14f452236359cd7
Instruction Fuzzy Hash: B621D672604205AFCF04DF6DD946AAA7BB4FB84724F24827FE91497280D73CFD018699

Function 00459B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,00000000,00008000,0000003D), ref: 00459BEB
GetLastError.KERNEL32 ref: 00459C42

Strings

Unable to retrieve environment variable '{}'!, xrefs: 00459C4E

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: EnvironmentErrorLastVariable
String ID: Unable to retrieve environment variable '{}'!
API String ID: 3114522214-1956155322
Opcode ID: ed9d892c7214fb803ed9c6dd9b7a763eaea1573fc78a20b9b3494e0a26b57d30
Instruction ID: 2bc5ca533c105f190ca312f8cb349f932684a0a4974f8e71d0d944faeeeef0c6
Opcode Fuzzy Hash: ed9d892c7214fb803ed9c6dd9b7a763eaea1573fc78a20b9b3494e0a26b57d30
Instruction Fuzzy Hash: 5621F9B1E00204ABDB10DF55DC46BAFFBF8EB44B11F10462FF805A7280EB786A048B95

Function 0424C860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0424C921
ReleaseMutex.KERNEL32 ref: 0424CFAC

Strings

, xrefs: 0424C884

Memory Dump Source

Source File: 00000000.00000002.3441358009.0000000004221000.00000020.00001000.00020000.00000000.sdmp, Offset: 04221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4221000_49GqFpn1V8.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait
String ID:
API String ID: 2017088797-3916222277
Opcode ID: 44a794ee2d0b6ad91a9cca2c8be37ddd27565abab5f8bb88119308a24c832089
Instruction ID: aeec30e9724b84dd3a7cdc93cc048b74525d00d30f63dd5785f5e2ee685cc8be
Opcode Fuzzy Hash: 44a794ee2d0b6ad91a9cca2c8be37ddd27565abab5f8bb88119308a24c832089
Instruction Fuzzy Hash: 1F31B4B4A19704AFE704EF69D488B9EBBF4FF84314F01892DE89897340D779A944CB52

Function 00478E06 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004766BD: pDNameNode::pDNameNode.LIBCMT ref: 004766E3

DName::DName.LIBVCRUNTIME ref: 00478EC5
DName::operator+.LIBCMT ref: 00478ED3

Strings

lKL, xrefs: 00478E56

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Name$Name::Name::operator+NodeNode::p
String ID: lKL
API String ID: 3257498322-3530256419
Opcode ID: 1d7146cc631b0a92cc46f89d2bc3f0bd7d592db81304b6f90bbfba4fc4531964
Instruction ID: a65cbf4bb83fbc87749e312dda7534c8715883bd2b411ddf06dffa87997c9e73
Opcode Fuzzy Hash: 1d7146cc631b0a92cc46f89d2bc3f0bd7d592db81304b6f90bbfba4fc4531964
Instruction Fuzzy Hash: F1213BB5800209EFDB04EF90C8559EE7BB9FB04304F10856FE919A7251EB786A49CB99

Function 0044A420 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,?,2881E606,?,00000001,0000000D,2881E606), ref: 0044A4D4

Part of subcall function 00471E11: AcquireSRWLockExclusive.KERNEL32(004EB5C8,?,?,?,00413873,004EC1F8,2881E606,00000000,?,?,004139AA,?,004025A8,?,?), ref: 00471E1C
Part of subcall function 00471E11: ReleaseSRWLockExclusive.KERNEL32(004EB5C8,?,00413873,004EC1F8,2881E606,00000000,?,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471E56

RtlNtStatusToDosError.NTDLL ref: 0044A4CD

Part of subcall function 0044D7C0: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0049A040,000000FF,?,004485B2), ref: 0044D7E4
Part of subcall function 0044D7C0: GetProcAddress.KERNEL32(00000000), ref: 0044D7F4

Part of subcall function 00471DC0: AcquireSRWLockExclusive.KERNEL32(004EB5C8,?,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471DCA
Part of subcall function 00471DC0: ReleaseSRWLockExclusive.KERNEL32(004EB5C8,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471DFD
Part of subcall function 00471DC0: WakeAllConditionVariable.KERNEL32(004EB5C4,?,004138A1,004EC1F8,?,004139AA,?,004025A8,?,?,?,004025A8,?), ref: 00471E08

Strings

NtSetInformationFile, xrefs: 0044A477

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorRelease$AddressConditionHandleLastModuleProcStatusVariableWake
String ID: NtSetInformationFile
API String ID: 515452689-1659534519
Opcode ID: c51645fe360227dcb50f934b86ef51bd3f6cc4a6814a37608868b196f222e806
Instruction ID: 125759a1a8e2d796faf0549ac21427791f76bb32a457f445c943e7f15801ad1e
Opcode Fuzzy Hash: c51645fe360227dcb50f934b86ef51bd3f6cc4a6814a37608868b196f222e806
Instruction Fuzzy Hash: B821D471E44248EFDB10EF68DD85B9EB7A8EB04714F00463BF82597391EB7869008B99

Function 004395C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00439613

Strings

<9L, xrefs: 00439679
09L, xrefs: 00439672

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy
String ID: 09L$<9L
API String ID: 2659868963-4172692893
Opcode ID: 6506748c1b874177db87992e6d4a7654d8dd8a7947d053016be67f15eee4fa46
Instruction ID: f63ba87d1c8dfaeaac0afa147803329aa9491471a94f746feed5d31c78d2821a
Opcode Fuzzy Hash: 6506748c1b874177db87992e6d4a7654d8dd8a7947d053016be67f15eee4fa46
Instruction Fuzzy Hash: E9212AB490064AAFCB40CF59C880A85FBF4FB59315B10826AE818DB741E7B4EA54CF94

Function 004131F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041321B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041326A

Part of subcall function 0045AFE2: _Yarn.LIBCPMT ref: 0045B001
Part of subcall function 0045AFE2: _Yarn.LIBCPMT ref: 0045B025

Strings

bad locale name, xrefs: 00413286

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: d5d7c94bb5ce5d19d43a3cdfc84383bd7baf6c0830b694bd44cb95f7395dc31e
Instruction ID: 77007d1187794e11f754c7bd5502f8eee59f69cff8e45227c5970a435f22f098
Opcode Fuzzy Hash: d5d7c94bb5ce5d19d43a3cdfc84383bd7baf6c0830b694bd44cb95f7395dc31e
Instruction Fuzzy Hash: 6F11A071504B849FD320CF69C801B4BBBE4EF18714F008A5FE889C7B81E779A908CB99

Function 0046A580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0046A5D5

Strings

+N, xrefs: 0046A5B8
hOJ, xrefs: 0046A5C1

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy
String ID: hOJ$+N
API String ID: 2659868963-1213102139
Opcode ID: 09aae19a5f6d5b6571972b616cc7e7dee067dd2324995a1a754e47df11f3a9c6
Instruction ID: 8452f550dde4c031b6f27925d0d408ace0ab91df912e6694a74f12c94ce9ad7f
Opcode Fuzzy Hash: 09aae19a5f6d5b6571972b616cc7e7dee067dd2324995a1a754e47df11f3a9c6
Instruction Fuzzy Hash: C92137B5904709AFCB50CF59C484A46FBE8FB59715F10C66EE8589B700E3B8AA44CB94

Function 0045FBB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0045FC05

Strings

ios_base::failbit set, xrefs: 0045FBC3
P1L, xrefs: 0045FC0D

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy
String ID: P1L$ios_base::failbit set
API String ID: 2659868963-1939806705
Opcode ID: 69306c7492f30d5d493d65b5cc81a9ba6e444f734d42de36b559481e8ae2c470
Instruction ID: ab09bc42065f457e5ad6271ac301554ab40779904846f2f16b98de290f27ea26
Opcode Fuzzy Hash: 69306c7492f30d5d493d65b5cc81a9ba6e444f734d42de36b559481e8ae2c470
Instruction Fuzzy Hash: 7C2157B49007499FCB50CF58C480B8AFBF8FB09711F10C66EE8159B700E7B8AA04CBA4

Function 00428A30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00428AD5

Strings

@3L, xrefs: 00428A7F
@-L, xrefs: 00428A99

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: @-L$@3L
API String ID: 323602529-731763845
Opcode ID: c661e6d8eaf02869db15f58e1f8e28612dbc82df4107fa1c2230d1030aa3a86b
Instruction ID: eaf57c795ddd251d99f0aa0c3d30c765a3a0c5818bb590a88f1ab640453bb460
Opcode Fuzzy Hash: c661e6d8eaf02869db15f58e1f8e28612dbc82df4107fa1c2230d1030aa3a86b
Instruction Fuzzy Hash: A321E47860824ADFC720CF09C584E49FBF4FB08718B2585AEE8498B311D775E905CF84

Function 00441B30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00441BB6

Strings

M, xrefs: 00441B78
,?L, xrefs: 00441B93

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ,?L$M
API String ID: 323602529-287754947
Opcode ID: 3de63e96681d331df03484dd549076afc331db34ae011e92f87be77005ad81a6
Instruction ID: 4603a8007b44b9c1f8b2b8bff86428f1041eab6bcc62d4aa90c214d0fc8361cf
Opcode Fuzzy Hash: 3de63e96681d331df03484dd549076afc331db34ae011e92f87be77005ad81a6
Instruction Fuzzy Hash: 05210875A0425A9FC710CF0CC588E59BBE4FB08308F1181AEE8189B751E776E945CBA8

Function 00427E30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00427EB6

Strings

@3L, xrefs: 00427E5E
@-L, xrefs: 00427E78

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: @-L$@3L
API String ID: 323602529-731763845
Opcode ID: ccb967c8304dd7d278fac822612c1b1ae5699a9a4131d52ecc12bde4ddc09d0d
Instruction ID: fecd99f38cc4607d727c9db611d6f9dbb3e9c569140a7b0ad8b67b8f0dae70e9
Opcode Fuzzy Hash: ccb967c8304dd7d278fac822612c1b1ae5699a9a4131d52ecc12bde4ddc09d0d
Instruction Fuzzy Hash: 0B2117B5A0425A9FC710CF0CC588F59FBE4FB08308F1181AEE8089B751E776EA05CBA4

Function 0045FC70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0045FCBF

Strings

P1L, xrefs: 0045FCC4
ios_base::failbit set, xrefs: 0045FC82

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy
String ID: P1L$ios_base::failbit set
API String ID: 2659868963-1939806705
Opcode ID: f3694c4a89f8d50ea344364a8ecca02535654ae9bbbfb65c742ff673fe241c19
Instruction ID: a73309cdd186e7a10713478db9e6f4648f1a88abc4138712c6223b65ac756d2b
Opcode Fuzzy Hash: f3694c4a89f8d50ea344364a8ecca02535654ae9bbbfb65c742ff673fe241c19
Instruction Fuzzy Hash: BE112AB5410B449FD360CF58D804B46BBF8FB05B18F10CB5EE86697780D7B8A6088BD8

Function 00439AD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00439AF6

Strings

<9L, xrefs: 00439B3C
09L, xrefs: 00439B35

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: ___std_exception_copy
String ID: 09L$<9L
API String ID: 2659868963-4172692893
Opcode ID: 6c58439cf1a33f210c43f3a92fec0ae0695aa9411afdbff36889959704535c7a
Instruction ID: e2b809348ea08716d431a66e20d9ba9437bab60ffe59f5426a4df1892e13a449
Opcode Fuzzy Hash: 6c58439cf1a33f210c43f3a92fec0ae0695aa9411afdbff36889959704535c7a
Instruction Fuzzy Hash: F301D6F5501B06ABC340DF59D404A82FBE8BF59325B50C21AE4288BA40E3B4E668CBD4

Function 00401390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00401397

Strings

p`N, xrefs: 004013A1
tOJ, xrefs: 0040139C, 004013AF

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: H_prolog3
String ID: p`N$tOJ
API String ID: 431132790-57927046
Opcode ID: f4982e96c52188f589e3c63792bb44e42084344fcc654765fcc21505bf0d48e1
Instruction ID: 58b26f39ea30fb077028969eee4fda257296fe793adccd562daebd476583c0db
Opcode Fuzzy Hash: f4982e96c52188f589e3c63792bb44e42084344fcc654765fcc21505bf0d48e1
Instruction Fuzzy Hash: E5E092B0A41256DBDB00FB968A067DD7970AB1075AF60C19BF010671C2C7FE07084B5D

Function 004583C0 Relevance: 5.3, APIs: 4, Instructions: 252COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,2881E606,?,?,00000000), ref: 00458440
LeaveCriticalSection.KERNEL32(?,?,?), ref: 004584B7
EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 00458605
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 00458629

Memory Dump Source

Source File: 00000000.00000002.3440917239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3440905330.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440967693.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3440979297.00000000004A4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441004650.00000000004E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441015238.00000000004E7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441027277.00000000004EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441038758.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441068726.000000000053F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3441081538.0000000000548000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_49GqFpn1V8.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 25b59a2a15904adfe13465fd8b1051193aa631df9f7b78a68328315e07040294
Instruction ID: ac7fdd5e6944ad69aeecde78964c42747611cb29dd05e86a959343ccbd04580e
Opcode Fuzzy Hash: 25b59a2a15904adfe13465fd8b1051193aa631df9f7b78a68328315e07040294
Instruction Fuzzy Hash: 2B916075A002099FCB10CF69C4846AEBBB5FF49321F15816EEC15AB341EF78AD49CB94

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., `C:\dbg\ntsd.exe -g notepad.exe` ).
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 49GqFpn1V8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
49GqFpn1V8.exe

Function 04226008 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 270
networkmemoryfileCOMMON

Function 042433A0 Relevance: 16.7, APIs: 11, Instructions: 224
threadCOMMON

Function 0423567C Relevance: 12.1, APIs: 8, Instructions: 101
libraryCOMMON

Function 0423D5C8 Relevance: 7.7, APIs: 5, Instructions: 156
threadprocessCOMMON

Function 00477A51 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 399
memorynativeCOMMONLIBRARYCODE

Function 04253170 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Function 04236B04 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 136
threadsynchronizationCOMMON

Function 04226448 Relevance: 10.7, APIs: 7, Instructions: 214
synchronizationnetworkCOMMON

Function 042258B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105
librarysynchronizationthreadCOMMON

Function 0422684C Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 773
threadCOMMON

Function 00458EC0 Relevance: 6.1, APIs: 4, Instructions: 148
COMMON

Function 04231E58 Relevance: 4.7, APIs: 3, Instructions: 199
synchronizationCOMMON

Function 0423D578 Relevance: 4.7, APIs: 3, Instructions: 178
threadprocessCOMMON

Function 04231C50 Relevance: 4.6, APIs: 3, Instructions: 129
synchronizationCOMMON

Function 0422E7D0 Relevance: 4.6, APIs: 3, Instructions: 115
synchronizationCOMMON