Edit tour

Windows Analysis Report
3lOLt0TUE4.exe

Overview

General Information

Sample name:	3lOLt0TUE4.exe renamed because original name is a hash value
Original sample name:	6970f935606328c81997e47b826ae655fa98f6503edf7c98fe84bbfd6bd26177.exe
Analysis ID:	1542046
MD5:	731497243f4c710c562dd084dcd34ec1
SHA1:	4171c0e0095b0baf7b9ceede925ba55cedb22087
SHA256:	6970f935606328c81997e47b826ae655fa98f6503edf7c98fe84bbfd6bd26177
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to behave differently if execute on a Russian/Kazak computer

Machine Learning detection for sample

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain checking for process token information

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

3lOLt0TUE4.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\3lOLt0TUE4.exe" MD5: 731497243F4C710C562DD084DCD34EC1)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3lOLt0TUE4.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 3lOLt0TUE4.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: 3lOLt0TUE4.exe

Joe Sandbox ML: detected

Source:

Binary string: elevation_service.exe.pdb source: 3lOLt0TUE4.exe

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014004569C FindFirstFileExW,

0_2_000000014004569C

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140015450 RtlInitUnicodeString,NtOpenKeyEx,	0_2_0000000140015450
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140015620 RtlInitUnicodeString,NtQueryValueKey,	0_2_0000000140015620
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140015940 NtClose,	0_2_0000000140015940
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140014CF0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlInitUnicodeString,NtCreateKey,NtOpenKeyEx,NtDeleteKey,NtClose,NtQueryKey,NtEnumerateKey,NtQueryValueKey,GetProcAddress,GetProcAddress,RtlFormatCurrentUserKeyPath,GetCommandLineW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,	0_2_0000000140014CF0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014000FFB0	0_2_000000014000FFB0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140024010	0_2_0000000140024010
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140033075	0_2_0000000140033075
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400240A0	0_2_00000001400240A0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400380AC	0_2_00000001400380AC
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400490E8	0_2_00000001400490E8
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014001E120	0_2_000000014001E120
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014003312A	0_2_000000014003312A
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140034174	0_2_0000000140034174
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400061C0	0_2_00000001400061C0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400261D0	0_2_00000001400261D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140042288	0_2_0000000140042288
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400442E0	0_2_00000001400442E0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014003B310	0_2_000000014003B310
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140031328	0_2_0000000140031328
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014003F37C	0_2_000000014003F37C
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140045464	0_2_0000000140045464
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400074F0	0_2_00000001400074F0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140019520	0_2_0000000140019520
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014000A680	0_2_000000014000A680
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014003A6B4	0_2_000000014003A6B4
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014003A726	0_2_000000014003A726
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140044740	0_2_0000000140044740
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400027D0	0_2_00000001400027D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140026850	0_2_0000000140026850
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00000001400268D0	0_2_00000001400268D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140011910	0_2_0000000140011910
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140047A14	0_2_0000000140047A14
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140042A60	0_2_0000000140042A60
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140032B75	0_2_0000000140032B75
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140032BC0	0_2_0000000140032BC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014000BBD0	0_2_000000014000BBD0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014002BCBC	0_2_000000014002BCBC
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140026CC0	0_2_0000000140026CC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014002FDC0	0_2_000000014002FDC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140017E60	0_2_0000000140017E60
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140072E6B	0_2_0000000140072E6B
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014002BEC0	0_2_000000014002BEC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_004292A0	0_2_004292A0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_004293B0	0_2_004293B0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0042A810	0_2_0042A810
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_004079F0	0_2_004079F0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00407C00	0_2_00407C00
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_00432D40	0_2_00432D40
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0042EEB0	0_2_0042EEB0

Source: 3lOLt0TUE4.exe, 00000000.00000000.1816671674.0000000140070000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameelevation_service.exe< vs 3lOLt0TUE4.exe
Source: 3lOLt0TUE4.exe	Binary or memory string: OriginalFilenameelevation_service.exe< vs 3lOLt0TUE4.exe

Source: 3lOLt0TUE4.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: 3lOLt0TUE4.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal68.expl.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014000DEC0 FormatMessageA,GetLastError,_invalid_parameter_noinfo_noreturn,

0_2_000000014000DEC0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_00000001400024F0 StartServiceCtrlDispatcherW,GetLastError,GetLastError,

0_2_00000001400024F0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_00000001400024F0 StartServiceCtrlDispatcherW,GetLastError,GetLastError,

0_2_00000001400024F0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-dff86b9b42af94777d8e3ee9-b
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-dff86b9b42af9477-inf

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3lOLt0TUE4.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: 3lOLt0TUE4.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 3lOLt0TUE4.exe

Static file information: File size 1869824 > 1048576

Source: 3lOLt0TUE4.exe

Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x15f000

Source: 3lOLt0TUE4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: elevation_service.exe.pdb source: 3lOLt0TUE4.exe

Source: 3lOLt0TUE4.exe

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014007231C push rdx; ret

0_2_0000000140072328

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_00000001400024F0 StartServiceCtrlDispatcherW,GetLastError,GetLastError,

0_2_00000001400024F0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_0000000140014CF0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlInitUnicodeString,NtCreateKey,NtOpenKeyEx,NtDeleteKey,NtClose,NtQueryKey,NtEnumerateKey,NtQueryValueKey,GetProcAddress,GetProcAddress,RtlFormatCurrentUserKeyPath,GetCommandLineW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,

0_2_0000000140014CF0

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_004052A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]

0_2_004052A0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-30760

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014004569C FindFirstFileExW,

0_2_000000014004569C

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014002DFDC VirtualQuery,GetSystemInfo,

0_2_000000014002DFDC

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014002B4C0 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_000000014002B4C0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014002B4C0 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_000000014002B4C0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_00000001400036C0 _Init_thread_header,GetProcessHeap,_Init_thread_header,

0_2_00000001400036C0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014002B874 SetUnhandledExceptionFilter,	0_2_000000014002B874
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014002B884 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014002B884
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_000000014002BC88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000014002BC88
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: 0_2_0000000140034D64 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0000000140034D64

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_0000000140002F30 GetSecurityDescriptorDacl,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetAclInformation,_invalid_parameter_noinfo,

0_2_0000000140002F30

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_0000000140046450 cpuid

0_2_0000000140046450

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: EnumSystemLocalesW,	0_2_0000000140045028
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: GetLocaleInfoW,	0_2_00000001400450C0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: GetLocaleInfoW,	0_2_00000001400451D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: EnumSystemLocalesW,	0_2_000000014003F220
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00000001400452B8
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: GetLocaleInfoW,	0_2_0000000140045368
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0000000140044A08
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: try_get_function,GetLocaleInfoW,	0_2_000000014003EAF8
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: EnumSystemLocalesW,	0_2_0000000140044D08
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0000000140044DE0

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_000000014002E504 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000000014002E504

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe

Code function: 0_2_00420080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW,

0_2_00420080

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	3 Windows Service	3 Windows Service	1 Obfuscated Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
3lOLt0TUE4.exe	66%	ReversingLabs	Win64.Virus.Expiro
3lOLt0TUE4.exe	100%	Avira	W32/Infector.Gen
3lOLt0TUE4.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542046
Start date and time:	2024-10-25 14:00:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3lOLt0TUE4.exe renamed because original name is a hash value
Original Sample Name:	6970f935606328c81997e47b826ae655fa98f6503edf7c98fe84bbfd6bd26177.exe
Detection:	MAL
Classification:	mal68.expl.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 61% Number of executed functions: 30 Number of non-executed functions: 114
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

VT rate limit hit for: 3lOLt0TUE4.exe

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	4.829304172850523
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3lOLt0TUE4.exe
File size:	1'869'824 bytes
MD5:	731497243f4c710c562dd084dcd34ec1
SHA1:	4171c0e0095b0baf7b9ceede925ba55cedb22087
SHA256:	6970f935606328c81997e47b826ae655fa98f6503edf7c98fe84bbfd6bd26177
SHA512:	992f762c770ef81f23bd7f21792585cc9dc0f99b8396ac86e5d1c1c7a9cc35887bdd5320914413117db1470a9f96102a86225f94717cabb0119e26de69078bfd
SSDEEP:	24576:4YRq7Y2cb+cREW2JOt934J7Z6bQaj1BvUm9J:5sLcnROJE3jM2ce
TLSH:	C285E00BE25914FDD067C1788A569801FAB17C550B61AAEF2364D7362F37AE44F3EB20
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...PD.\.........."............................@..............................*.....76.... ........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14002de90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C0F4450 [Tue Dec 11 05:00:00 2018 UTC]
TLS Callbacks:	0x40026830, 0x1
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	6a8bffcb635443fadba2b7b98db52eda

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F8CF52EE3B0h
dec eax
add esp, 28h
jmp 00007F8CF52EDBBFh
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [0003B06Bh]
mov edi, 00000001h
dec eax
cmp eax, edi
je 00007F8CF52EDDB5h
dec eax
test eax, eax
jne 00007F8CF52EDDABh
dec eax
lea ecx, dword ptr [000268F5h]
call dword ptr [00033A47h]
dec eax
mov ebx, eax
dec eax
test eax, eax
jne 00007F8CF52EDD47h
dec eax
mov ebx, edi
jmp 00007F8CF52EDD7Ah
dec eax
lea edx, dword ptr [000236FBh]
dec eax
mov ecx, ebx
call dword ptr [00033A42h]
dec eax
test eax, eax
je 00007F8CF52EDD28h
dec eax
lea edx, dword ptr [0002371Eh]
dec eax
mov dword ptr [0003B027h], eax
dec eax
mov ecx, ebx
call dword ptr [00033A26h]
dec eax
test eax, eax
je 00007F8CF52EDD0Ch
dec eax
mov dword ptr [0003B01Ah], eax
xor eax, eax
dec eax
cmpxchg dword ptr [0003AFFFh], ebx
jne 00007F8CF52EDD47h
dec eax
cmp ebx, edi
je 00007F8CF52EDD4Ch
dec eax
cmp eax, edi
je 00007F8CF52EDD47h
inc eax
mov al, bh
jmp 00007F8CF52EDD44h
xor al, al
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
dec esp
arpl word ptr [FFFD20E6h], ax
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x61208	0x5e	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61266	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x948	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x3780	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x60244	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5f9e8	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x547e0	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x61740	0x460	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4aca6	0x4ae00	3c60d8867697b500b2455b7fac8253fd	False	0.5312369574290484	data	6.477200698968966	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4c000	0x18d08	0x18e00	916637c466ffd5fc9c94d7370fc4eea7	False	0.44274104899497485	data	5.192284743118082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x65000	0x4d20	0x1000	4e2f13f9aa20faa9f27368fbcb78a056	False	0.193359375	data	2.703701150071771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x3780	0x3800	77348ef4c6ddb2cf19c409be4fdd3ee0	False	0.4867466517857143	data	5.559956334775326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x6e000	0x10	0x200	d4993f37d538f2865a4cb11c88676c32	False	0.046875	data	0.19586940608732903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x6f000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x70000	0x948	0xa00	36a620379a9e69328d3b53af9a8fecc9	False	0.425	data	4.53306183589971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x22f000	0x15f000	a3e234ef91c4ef1b3d9082c600e128f0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x704d0	0x478	data	English	United States	0.4388111888111888
RT_MANIFEST	0x700a0	0x42c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1008), with CRLF line terminators	English	United States	0.5037453183520599

Imports

DLL	Import
ADVAPI32.dll	AddAce, CopySid, GetAclInformation, GetLengthSid, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, GetSecurityDescriptorSacl, GetSidLengthRequired, GetSidSubAuthority, InitializeAcl, InitializeSecurityDescriptor, InitializeSid, IsValidSid, MakeAbsoluteSD, RegisterServiceCtrlHandlerW, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetServiceStatus, StartServiceCtrlDispatcherW
KERNEL32.dll	AcquireSRWLockExclusive, CloseHandle, CreateEventW, CreateFileW, DecodePointer, DeleteCriticalSection, DeleteFileW, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileType, GetLastError, GetLocalTime, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemInfo, GetSystemTimeAsFileTime, GetTickCount, GetUserDefaultLCID, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSetInformation, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LocalFree, MultiByteToWideChar, OutputDebugStringA, OutputDebugStringW, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ResetEvent, RtlCaptureContext, RtlCaptureStackBackTrace, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetEvent, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile
ole32.dll	CoAddRefServerProcess, CoInitializeEx, CoInitializeSecurity, CoRegisterClassObject, CoReleaseServerProcess, CoResumeClassObjects, CoRevokeClassObject, CoUninitialize
SHELL32.dll	CommandLineToArgvW
WINMM.dll	timeGetTime

Exports

Name	Ordinal	Address
GetHandleVerifier	1	0x14001d8b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:01:09
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\3lOLt0TUE4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\3lOLt0TUE4.exe"
Imagebase:	0x140000000
File size:	1'869'824 bytes
MD5 hash:	731497243F4C710C562DD084DCD34EC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	6.9%
Signature Coverage:	16.7%
Total number of Nodes:	681
Total number of Limit Nodes:	11

Executed Functions

Function 0000000140014CF0 Relevance: 64.9, APIs: 19, Strings: 18, Instructions: 188
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140014D16
GetProcAddress.KERNEL32 ref: 0000000140014D30
GetProcAddress.KERNEL32 ref: 0000000140014D43
GetProcAddress.KERNEL32 ref: 0000000140014D56
GetProcAddress.KERNEL32 ref: 0000000140014D69
GetProcAddress.KERNEL32 ref: 0000000140014D7C
GetProcAddress.KERNEL32 ref: 0000000140014D8F
GetProcAddress.KERNEL32 ref: 0000000140014DA2
GetProcAddress.KERNEL32 ref: 0000000140014DB5
GetProcAddress.KERNEL32 ref: 0000000140014DC8
GetProcAddress.KERNEL32 ref: 0000000140014E66
GetProcAddress.KERNEL32 ref: 0000000140014E75
RtlFormatCurrentUserKeyPath.NTDLL ref: 0000000140014E93
GetCommandLineW.KERNEL32 ref: 0000000140014F1A
GetEnvironmentVariableW.KERNEL32 ref: 0000000140014F33
GetEnvironmentVariableW.KERNEL32 ref: 0000000140014F6A
GetModuleHandleW.KERNEL32 ref: 0000000140014FAE
GetProcAddress.KERNEL32 ref: 0000000140014FBE
GetCurrentProcess.KERNEL32 ref: 0000000140014FCC

Strings

NtEnumerateKey, xrefs: 0000000140014D98
PROGRAMFILES, xrefs: 0000000140014F23
ntdll.dll, xrefs: 0000000140014D0F
NtOpenKeyEx, xrefs: 0000000140014D5F
kernel32.dll, xrefs: 0000000140014FA7
NtClose, xrefs: 0000000140014D72
RtlFormatCurrentUserKeyPath, xrefs: 0000000140014E5C
RtlFreeUnicodeString, xrefs: 0000000140014E6B
NtCreateKey, xrefs: 0000000140014D39
S-1-5-21-2246122658-3693405117-2476756634-1002, xrefs: 0000000140014EEE
IsWow64Process, xrefs: 0000000140014FB4
NtDeleteKey, xrefs: 0000000140014D4C
NtSetValueKey, xrefs: 0000000140014DBE
RtlInitUnicodeString, xrefs: 0000000140014D1F
NtQueryValueKey, xrefs: 0000000140014DAB
\REGISTRY\USER\S-1-5-21-2246122658-3693405117-2476756634-1002\, xrefs: 0000000140014EA6
NtQueryKey, xrefs: 0000000140014D85
PROGRAMFILES(X86), xrefs: 0000000140014F58

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: AddressProc$CurrentEnvironmentHandleModuleVariable$CommandFormatLinePathProcessUser
String ID: IsWow64Process$NtClose$NtCreateKey$NtDeleteKey$NtEnumerateKey$NtOpenKeyEx$NtQueryKey$NtQueryValueKey$NtSetValueKey$PROGRAMFILES$PROGRAMFILES(X86)$RtlFormatCurrentUserKeyPath$RtlFreeUnicodeString$RtlInitUnicodeString$S-1-5-21-2246122658-3693405117-2476756634-1002$\REGISTRY\USER\S-1-5-21-2246122658-3693405117-2476756634-1002\$kernel32.dll$ntdll.dll
API String ID: 1671916859-2421250923
Opcode ID: 51e83f291381af31b42b1c98bec66c3da49ae0de3528acdf520019cf3f77114b
Instruction ID: 8296f3a076c74dc75d48bb717b5bb466eaaaa9445ea67098805aad6311cd0baf
Opcode Fuzzy Hash: 51e83f291381af31b42b1c98bec66c3da49ae0de3528acdf520019cf3f77114b
Instruction Fuzzy Hash: AE817A31312B8591FB17AB27E8507E93392AB4DBC4F59442ABA0D4B7B0EF38C506C354

Function 000000014000FFB0 Relevance: 11.5, Strings: 9, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1?1-*, xrefs: 0000000140010301
dev, xrefs: 00000001400102CE
beta, xrefs: 00000001400103B3
name, xrefs: 00000001400100C1
stable, xrefs: 00000001400101C2
\cohort, xrefs: 000000014001009B
*x64-beta*, xrefs: 000000014001034E
2?0-d*, xrefs: 0000000140010220
*x64-dev*, xrefs: 000000014001026D

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID: *x64-beta*$*x64-dev*$1?1-*$2?0-d*$\cohort$beta$dev$name$stable
API String ID: 0-1206257362
Opcode ID: 6f138ba23e1d23f54e3d8ac82d72c120f9328417ba8d9caae46b6457ae672a18
Instruction ID: 398733223c91b89438fb77706fb9c883d0450d721ce0617513930940ee9ad35b
Opcode Fuzzy Hash: 6f138ba23e1d23f54e3d8ac82d72c120f9328417ba8d9caae46b6457ae672a18
Instruction Fuzzy Hash: 14B1C1727147A092F722DB16E4407EAA360EB8A7C0F804112FBC95BAA6EF7DD645C741

Function 000000014000DEC0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageA.KERNELBASE ref: 000000014000DF15
GetLastError.KERNEL32 ref: 000000014000DF80
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E272

Strings

(0x%lX), xrefs: 000000014000DF1F
Error (0x%lX) while retrieving error. (0x%lX), xrefs: 000000014000DF86

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorFormatLastMessage_invalid_parameter_noinfo_noreturn
String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
API String ID: 591752230-3206765257
Opcode ID: 5a88ea380572ae09f6ce5331f679d7b6b1edc069f2d8577d0edd30badad5a6a5
Instruction ID: 53488e4425ebb39b2910f2ed6443e1d08a5109003c21c04acb770f03378b82bc
Opcode Fuzzy Hash: 5a88ea380572ae09f6ce5331f679d7b6b1edc069f2d8577d0edd30badad5a6a5
Instruction Fuzzy Hash: A6A1C2B2704AC086EA21DB16E4043EEA351F78ABC4F444212FB9D17BAADF7CC585C740

Function 00000001400024F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherW.ADVAPI32 ref: 0000000140002515
GetLastError.KERNEL32 ref: 0000000140002525
GetLastError.KERNEL32 ref: 0000000140002540

Strings

../../chrome/elevation_service/service_main.cc, xrefs: 0000000140002549
Failed to connect to the service control manager, xrefs: 000000014000256E

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLast$CtrlDispatcherServiceStart
String ID: ../../chrome/elevation_service/service_main.cc$Failed to connect to the service control manager
API String ID: 3662569860-2232062004
Opcode ID: a30684eb1eb4cdf6be966ec6cf183f7b6a043c4217d192a437088d9dc669c3e8
Instruction ID: dacb01c47e93046820a4c1f43b8fc6d40c8ed1c51e59134581f31ccb0bade41a
Opcode Fuzzy Hash: a30684eb1eb4cdf6be966ec6cf183f7b6a043c4217d192a437088d9dc669c3e8
Instruction Fuzzy Hash: C711C07170468192FB22EB23F9253EA3361AB8D7C0F400026BB4E577B6DE3CC6068B40

Function 00420080 Relevance: 5.0, APIs: 3, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 004203E0

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
Instruction ID: f8b86653bd004c7e84363ce45d4b8142a181499096cd0f76e4eaa8bc9fd1a51b
Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
Instruction Fuzzy Hash: E5D14631618B1D8BC724EF58E8457EAB3E1FBA0310F98461FD846C3266DA78DA45C6C7

Function 0000000140015450 Relevance: 3.1, APIs: 2, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 000000014001559C
NtOpenKeyEx.NTDLL ref: 00000001400155D1

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: InitOpenStringUnicode
String ID:
API String ID: 3946626324-0
Opcode ID: 5480831c4fd5be8783304773b96a1f93051e85664f6868c34c085dff86f3d31a
Instruction ID: d4ed13a627d0b679ebc93e404228c36212a9fdc28a708f4602ab8cebe4e2a734
Opcode Fuzzy Hash: 5480831c4fd5be8783304773b96a1f93051e85664f6868c34c085dff86f3d31a
Instruction Fuzzy Hash: A4412571604B8081FB63AB27A8513EAA3A2BB8D7D5F544112BF890F7A5EF7DC1858340

Function 0000000140015620 Relevance: 3.1, APIs: 2, Instructions: 113
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 0000000140015677
NtQueryValueKey.NTDLL ref: 0000000140015710

Part of subcall function 0000000140014CF0: GetModuleHandleW.KERNEL32 ref: 0000000140014D16
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D30
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D43
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D56
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D69
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D7C
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D8F
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014DA2
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014DB5
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014DC8
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014E66
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014E75
Part of subcall function 0000000140014CF0: RtlFormatCurrentUserKeyPath.NTDLL ref: 0000000140014E93

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: AddressProc$CurrentFormatHandleInitModulePathQueryStringUnicodeUserValue
String ID:
API String ID: 231354608-0
Opcode ID: 1734560149f36f8d03c55b117f486ed2182c301374a4193f377fd9754da6bc27
Instruction ID: c50907179431403786d3ea5dec8f3848759f60ebd4dc49af5400d481357085ec
Opcode Fuzzy Hash: 1734560149f36f8d03c55b117f486ed2182c301374a4193f377fd9754da6bc27
Instruction Fuzzy Hash: FD41E232218A80C6F652DB16E8017EAB3A0F78D7C5F508111FF894B7A5DF3AD586CB40

Function 004052A0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNELBASE ref: 004053C4

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction ID: 39fcdf4db9a6261c521629ad4ecb41ad9280b7c21900a9b30eb29d996c612ff5
Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction Fuzzy Hash: 8E41B36141DE958FD726522454643B37BA0DB123A2F9905FBD882A62E2D1BC4C829F2F

Function 0000000140015940 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140015450: RtlInitUnicodeString.NTDLL ref: 000000014001559C
Part of subcall function 0000000140015450: NtOpenKeyEx.NTDLL ref: 00000001400155D1

NtClose.NTDLL ref: 00000001400159AB

Part of subcall function 0000000140014CF0: GetModuleHandleW.KERNEL32 ref: 0000000140014D16
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D30
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D43
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D56
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D69
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D7C
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014D8F
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014DA2
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014DB5
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014DC8
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014E66
Part of subcall function 0000000140014CF0: GetProcAddress.KERNEL32 ref: 0000000140014E75
Part of subcall function 0000000140014CF0: RtlFormatCurrentUserKeyPath.NTDLL ref: 0000000140014E93

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: AddressProc$CloseCurrentFormatHandleInitModuleOpenPathStringUnicodeUser
String ID:
API String ID: 1355870404-0
Opcode ID: 069697732174b08c5421a8e0b8eb38806591bf883f45a15495bd91b262c98a86
Instruction ID: 920d10d6ba070a493e9e84cdfb2cbd90d9881cca1393e1a4799ee7752d236afa
Opcode Fuzzy Hash: 069697732174b08c5421a8e0b8eb38806591bf883f45a15495bd91b262c98a86
Instruction Fuzzy Hash: 65018F32618640C2F622A727A8153DA6791A78DBF4F544311FF984F7F5CE3DC5418B80

Function 000000014000CF50 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 329
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32 ref: 000000014000D0D4
WriteFile.KERNEL32 ref: 000000014000D175
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 000000014000D447
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D47A

Strings

../../chrome/elevation_service/elevation_service.cc, xrefs: 000000014000CF57

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: DebugFileIos_base_dtorOutputStringWrite_invalid_parameter_noinfo_noreturnstd::ios_base::_
String ID: ../../chrome/elevation_service/elevation_service.cc
API String ID: 226236003-1549279015
Opcode ID: ab6d76d4c5131a80eb0358f53b457fa6198d93df4692c0a5135be7d8bfcd0524
Instruction ID: 68e831ab567a8e62df6560536f9084be9cf55f5e74627eef730b6f369121fe5a
Opcode Fuzzy Hash: ab6d76d4c5131a80eb0358f53b457fa6198d93df4692c0a5135be7d8bfcd0524
Instruction Fuzzy Hash: 8FE13A72700A8586EB26DF22E8903ED3361F749BC8F544526EB5E4BBB5DF78C6858310

Function 0000000140015130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,-00000057,?,000000014001597D), ref: 00000001400151BC

Strings

\WOW6432Node, xrefs: 000000014001525A
WOW6432Node\, xrefs: 0000000140015246

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: InfoNativeSystem
String ID: WOW6432Node\$\WOW6432Node
API String ID: 1721193555-1560920464
Opcode ID: d81fd6df615f1914662e93cf4afaec8f64a10296871aa215cd2874a58c377b06
Instruction ID: ba60b726f5ade01af3f4d23444ebb7e4da502369cb533b6d12bd15868b63a01d
Opcode Fuzzy Hash: d81fd6df615f1914662e93cf4afaec8f64a10296871aa215cd2874a58c377b06
Instruction Fuzzy Hash: 0251E232615A44D6EA22EB17E8483EA63A1F35D7C5F584416FF4A0B7B4EB3AC582C740

Function 000000014000103F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140010BA0: GetModuleFileNameW.KERNEL32 ref: 0000000140010BF8

shared_ptr.LIBCMT ref: 0000000140001058

Part of subcall function 000000014000F980: CoInitializeEx.COMBASE ref: 000000014000F996

Strings

../../chrome/elevation_service/elevation_service.cc, xrefs: 00000001400010CE
Failed to initialize COM, xrefs: 00000001400010F9

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: FileInitializeModuleNameshared_ptr
String ID: ../../chrome/elevation_service/elevation_service.cc$Failed to initialize COM
API String ID: 2916548040-130731028
Opcode ID: 987bdfe2f2d8951f2a717531bccb9fa8a144bbc2809a3a2965c38921e725fa24
Instruction ID: 67b516fd3486ec22f6aaff8752bdcc9f8d1ff125ee610cd7b41472f17a57262f
Opcode Fuzzy Hash: 987bdfe2f2d8951f2a717531bccb9fa8a144bbc2809a3a2965c38921e725fa24
Instruction Fuzzy Hash: 7B2189B130854050FA66FBA3B5523FE2201ABCE7D4F404121BF8A1BAF7DE38C5469792

Function 00408070 Relevance: 4.7, APIs: 3, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
Instruction ID: 3a4af9ea66d678aaf1ea1a6dd5bb3d26c191bc867120809e853e5f7bb098c59a
Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
Instruction Fuzzy Hash: D161EE3060CA458FC7658B288A142367AA0FF95360F5946BFE8C6E62E1DF3C4C46975F

Function 0000000140008E00 Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CommandLineToArgvW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000000140008D87), ref: 0000000140008E71
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000000140008D87), ref: 0000000140008E8C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140008EEB

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ArgvCommandFreeLineLocal_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2755104575-0
Opcode ID: abbff420a7c97e6f353825c49e0def7c244750ef885427641574ca0a11af2c95
Instruction ID: 7e5a121b4e84af557d0da3e38d07c50298f3672cbc291d307638bbf8a8110edc
Opcode Fuzzy Hash: abbff420a7c97e6f353825c49e0def7c244750ef885427641574ca0a11af2c95
Instruction Fuzzy Hash: F121AF7261868042EA25DB56E5593AAA362F7CEBD0F104215FF9D17BA8EF7CC0428700

Function 0000000140032434 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00000003,0000000140032547), ref: 000000014003245D
TerminateProcess.KERNEL32(?,?,00000003,0000000140032547), ref: 0000000140032468
ExitProcess.KERNEL32 ref: 0000000140032477

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cac87529363405e3a11f56f9b0a2ba470cadb2bf3304bd556552995707d226d5
Instruction ID: b8b2ccad4743ecea6164f5e9ec8b5b56324ebd32d46e0703e414886726e5a564
Opcode Fuzzy Hash: cac87529363405e3a11f56f9b0a2ba470cadb2bf3304bd556552995707d226d5
Instruction Fuzzy Hash: CBE0BF3470070446EB566B729C957EE23E2A78D7C1F145828EA0A437B6CD3DC4498351

Function 000000014000E3C0 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000DEC0: FormatMessageA.KERNELBASE ref: 000000014000DF15

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000E487
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 000000014000E551

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: FormatIos_base_dtorMessage_invalid_parameter_noinfo_noreturnstd::ios_base::_
String ID:
API String ID: 1724511648-0
Opcode ID: e2a40321510436837262c66e338418c873de45eb8b32cbb62751fc3610e8727d
Instruction ID: 4ed6b3063f70579ee5069ef56db3cfa9fdee01982b610708d3b2ae5f7b06f849
Opcode Fuzzy Hash: e2a40321510436837262c66e338418c873de45eb8b32cbb62751fc3610e8727d
Instruction Fuzzy Hash: 8D418F72701A4095EA16DF26E8503E97760FB89BE4F448226FF6D477E5EF38C5468700

Function 0000000140008C80 Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140001024), ref: 0000000140008D22
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140008DEA

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CommandLine_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1276230952-0
Opcode ID: 30fbfc44f23f9256cf21dad34319314847c2cd5e764320d6ec266162983d685a
Instruction ID: fe3c5639ae5f0bbf5a95d3522ebde841213fb980ca3d20f15a232087e8381233
Opcode Fuzzy Hash: 30fbfc44f23f9256cf21dad34319314847c2cd5e764320d6ec266162983d685a
Instruction Fuzzy Hash: 1C318E72604B4081EA229B12F4543AEA3A1EB9D7E4F504625FB8D4B7F5EF7CC5818340

Function 00405B09 Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction ID: a4c1eae16118128e463e81baae65f4585e62460cffa3dbffa250007df7947a65
Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction Fuzzy Hash: C0016D3050DF468FEB556624981827B77A0EB50324F6901BB8487EA1D6DABC5902AF1F

Function 0000000140029F90 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140029FC0

Part of subcall function 000000014002AF20: std::bad_alloc::bad_alloc.LIBCMT ref: 000000014002AF29
Part of subcall function 000000014002AF20: _CxxThrowException.LIBVCRUNTIME ref: 000000014002AF3A

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140029FC6

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Concurrency::cancel_current_task$ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 2386360001-0
Opcode ID: 3d4548bcd3710c03090b989d6b72080c1aa640ba6f282ecb1ffb60b036e738d5
Instruction ID: c876e692dc01cfc1f02e8f1a0850f411f601efdcb0b469c1a8427bd4193611da
Opcode Fuzzy Hash: 3d4548bcd3710c03090b989d6b72080c1aa640ba6f282ecb1ffb60b036e738d5
Instruction Fuzzy Hash: 94E06D7160520645F8E6337336163E801404B5E3F0E6817387B7A876F6E93888528600

Function 00405910 Relevance: 1.9, APIs: 1, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction ID: 2619670e389b767678ae0bcb6d9d84d36d65e32aa2926de5067951b932e94eee
Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction Fuzzy Hash: 7AF1043071CE588FC669A71D68413BB73D2EB99314F9845AFE04AC3396DD3C9C46878A

Function 00405B42 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction ID: e6b545dc5e83240c3b2fc77e151e9fb3744f1ffef380e44ad6d5682570b17013
Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction Fuzzy Hash: 6C217C3020CF448FEB699A28944877776A1EB55310F6941BB9047FF2E2CA3C9C459F1E

Function 0000000140010BA0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140010BF8

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 09ae042064b9b11f703a718ff4850778541440455f56ec9e4536d37bf1a53b82
Instruction ID: 7c249e8453e414afdd35d547ba56bb3b8965b1465d8e916de8cc658a6cc80857
Opcode Fuzzy Hash: 09ae042064b9b11f703a718ff4850778541440455f56ec9e4536d37bf1a53b82
Instruction Fuzzy Hash: DF214422A186A083F7129B29A4117EEA360EB89784F505110FBC967B55EF7DE686C740

Function 0000000140032360 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000000140036445,?,?,?,?,000000014003DFF5), ref: 00000001400324AB

Part of subcall function 00000001400323D8: GetModuleHandleExW.KERNEL32 ref: 00000001400323F4
Part of subcall function 00000001400323D8: GetProcAddress.KERNEL32 ref: 000000014003240A
Part of subcall function 00000001400323D8: FreeLibrary.KERNEL32 ref: 0000000140032427

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 75c2b925c9412d87332cc4835abf463a082df7010962ba50e87d88dca86b8437
Instruction ID: 98f55a34dabb3302a6898dd994618cbcb35b0e1b2766cdf8020a80853a80fed0
Opcode Fuzzy Hash: 75c2b925c9412d87332cc4835abf463a082df7010962ba50e87d88dca86b8437
Instruction Fuzzy Hash: 13218032A01740DAEB17DF79D4403EE37B0F788788F544526E70903AA5EB78C585CB80

Function 00405B87 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00405B90
CreateThread.KERNELBASE ref: 00405CDF

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction ID: 9dfd677ec4baf572e80963ba6737c722466ff10812f1acdc481c7b4b3cfd00ce
Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction Fuzzy Hash: 29E04F2060DB444EEB599B24581031A3AE5EB88310F1501EFC44AE72D6CB7D2A064B8A

Function 000000014000F980 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE ref: 000000014000F996

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cc04c06e56847a1d1ad3e98fcb8df8358d835db6dd748cfef12d409b8dd6b6fa
Instruction ID: 148cfbb3d84dd5a5369efbb4e6d93de0c6302a30308153b5c8a87584f9775cc2
Opcode Fuzzy Hash: cc04c06e56847a1d1ad3e98fcb8df8358d835db6dd748cfef12d409b8dd6b6fa
Instruction Fuzzy Hash: 23D0C735B0075097E7599F77B4913D53251A748744F15D435CA5D43724DA3884978704

Function 000000014000FB90 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 000000014000FB9B

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9df30dcb39f272073a8d8f5d51858d5be5450818d437caba021d4046df29c3fa
Instruction ID: a797f07e02d91039713ae016c1196e66f1a9767137325b475626a636edb3230f
Opcode Fuzzy Hash: 9df30dcb39f272073a8d8f5d51858d5be5450818d437caba021d4046df29c3fa
Instruction Fuzzy Hash: 0BC04C7AA1695183E78DAB275C517961253A39D340FE49824DA0E42720E93501564A10

Function 0040599B Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

wcscpy.LIBCMT ref: 004059D9

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: wcscpy
String ID:
API String ID: 1284135714-0
Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction ID: 87745563e7275ec3e804d81b4d0ba01836872a15e3d3764ae08941af790ac9a6
Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction Fuzzy Hash: 7E01A2F061EE90CFDA5AA71C504527B7592FB98724F28457B908AE72D2C87C4D029F4E

Function 00405BE2 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00405C03

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
Instruction ID: f5eaa5a81e22cad19efdc024805bcdfaafbb186a3ef927ad5e033b3396103dd1
Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
Instruction Fuzzy Hash: 35E08C3150CE1A8FFA54A618C90927726D0DA2432032449338802F62D0E43CEA476F0F

Function 00408090 Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00408186

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction ID: b511c629561cf3a32caa9716ba2b2ae8dd997b5a4b1a4daf738c95f9ae624592
Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction Fuzzy Hash: F0C0127012884A96DA3802481E0B0B22A008F82350B08002F8CC2A83A0DD7C8E0300AF

Function 0040817F Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00408186

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction ID: 25dc5a5b6346411875af5c42b5ea943a91518cfd549025f108831be9a67f23f7
Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction Fuzzy Hash: A4C048B056850986D93826886E0A4A229518F92760B08443BAC86BE3E2D9BC4D4341EE

Non-executed Functions

Function 00000001400490E8 Relevance: 25.8, APIs: 9, Strings: 5, Instructions: 1257COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0000000140049131
_invalid_parameter_noinfo.LIBCMT ref: 0000000140049752
_invalid_parameter_noinfo.LIBCMT ref: 0000000140049915
_invalid_parameter_noinfo.LIBCMT ref: 0000000140049B1A
memcpy_s.LIBCPMT ref: 000000014004A0C0
memcpy_s.LIBCPMT ref: 000000014004A167
memcpy_s.LIBCPMT ref: 000000014004A230

Part of subcall function 000000014003D85C: _invalid_parameter_noinfo.LIBCMT ref: 000000014003D881

Strings

1#QNAN, xrefs: 000000014004A2EB
1#INF, xrefs: 000000014004A30B
MZx, xrefs: 0000000140049771, 00000001400497D8, 0000000140049B3D, 0000000140049C15, 0000000140049C78, 0000000140049FA7
1#SNAN, xrefs: 000000014004A2CB
1#IND, xrefs: 000000014004A2AB

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$MZx
API String ID: 808467561-2638907429
Opcode ID: 39e18bddedc245116aa42cb4c6a2fb5f1bf9f1c036cca9173c7c16ab1bc2569a
Instruction ID: 288fc22dd7118f36f94a0711066f1addcef15fab421f90b8eb0627026f29abd7
Opcode Fuzzy Hash: 39e18bddedc245116aa42cb4c6a2fb5f1bf9f1c036cca9173c7c16ab1bc2569a
Instruction Fuzzy Hash: 6DB2F2B26142818BE776CE6AD540BED37A1F38D7C8F515139EB0657BA8DB38CA04CB44

Function 0000000140019520 Relevance: 12.8, APIs: 2, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

Histogram: %s recorded %d samples, xrefs: 00000001400195BF
, mean = %.1f, xrefs: 00000001400195F0
{%3.1f%%}, xrefs: 0000000140019AEA
... , xrefs: 000000014001988F
(flags = 0x%x), xrefs: 0000000140019612

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID: (flags = 0x%x)$ {%3.1f%%}$, mean = %.1f$... $Histogram: %s recorded %d samples
API String ID: 0-513715224
Opcode ID: d3b9878a77a302a2db09a7dd43a9470f1b4416b11ddf4165d2043fb7ad780024
Instruction ID: 04adb059001c06fc7b9070ed1c1074ce23e3f918ef5302a408a698290118c1fd
Opcode Fuzzy Hash: d3b9878a77a302a2db09a7dd43a9470f1b4416b11ddf4165d2043fb7ad780024
Instruction Fuzzy Hash: B9227072304B8485EA159F27E4583AAA7A1F78DFC4F448622FF8A1B7A9DF39C545C340

Function 0000000140044A08 Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003DF34: GetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DF3E
Part of subcall function 000000014003DF34: SetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DFD7

EnumSystemLocalesW.KERNEL32 ref: 0000000140044B5F
GetUserDefaultLCID.KERNEL32 ref: 0000000140044B78
ProcessCodePage.LIBCMT ref: 0000000140044BA2
IsValidCodePage.KERNEL32 ref: 0000000140044BB4
IsValidLocale.KERNEL32 ref: 0000000140044BCA
GetLocaleInfoW.KERNEL32 ref: 0000000140044C26
GetLocaleInfoW.KERNEL32 ref: 0000000140044C42

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 3939093798-0
Opcode ID: c005d6c4a0b7eea474aab5746353985fca1bd7f6c0a9f1eb59589514450c4349
Instruction ID: 4e2e5a851d46792085a9059a05388c8494f6cbc947e27c41578d1fa2635e79d4
Opcode Fuzzy Hash: c005d6c4a0b7eea474aab5746353985fca1bd7f6c0a9f1eb59589514450c4349
Instruction Fuzzy Hash: 7D717E32701B508AFB52EF62D8907ED33A4FB4C7C8F4A4126AB09577A5EB38C845C394

Function 000000014002B884 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000014002B8A0
RtlCaptureContext.KERNEL32 ref: 000000014002B8CC
RtlLookupFunctionEntry.KERNEL32 ref: 000000014002B8E6
RtlVirtualUnwind.KERNEL32 ref: 000000014002B927
IsDebuggerPresent.KERNEL32 ref: 000000014002B97B
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014002B99C
UnhandledExceptionFilter.KERNEL32 ref: 000000014002B9A7

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 9924b99f63e3d307044a6c9e876192410d7423eef716954732aaf5b44b485aa7
Instruction ID: 830872bed35560bdea2addcf938ab35cbca3cfc5ab11a569337613b495db0446
Opcode Fuzzy Hash: 9924b99f63e3d307044a6c9e876192410d7423eef716954732aaf5b44b485aa7
Instruction Fuzzy Hash: FF316672205B8089EB61DF65E8507ED7375F788788F44442AEB4E47BA9EF38C648C710

Function 00000001400074F0 Relevance: 9.5, APIs: 6, Instructions: 526COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400075F1
std::_Facet_Register.LIBCPMT ref: 0000000140007656
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000767B
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140007722
std::_Facet_Register.LIBCPMT ref: 000000014000778C
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400077B1

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: std::_$Lockit$Facet_Lockit::_Lockit::~_Register
String ID:
API String ID: 878851027-0
Opcode ID: 2aa50b52456933a7f656678efc06121d3b45dfadf587f4065a936d5d93dd3d59
Instruction ID: 88ad6182ced35b8d16633005081ff2d009f7fd94776e1b4ccaf01a724b04c38a
Opcode Fuzzy Hash: 2aa50b52456933a7f656678efc06121d3b45dfadf587f4065a936d5d93dd3d59
Instruction Fuzzy Hash: 9C3262766096C089DA72DB26A4507EEB7A1F799BD0F088111EBCD47BAADB3CC445CB01

Function 00000001400061C0 Relevance: 9.5, APIs: 6, Instructions: 499COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014000627B
std::_Facet_Register.LIBCPMT ref: 00000001400062E0
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140006305
std::_Lockit::_Lockit.LIBCPMT ref: 00000001400063AC
std::_Facet_Register.LIBCPMT ref: 0000000140006411
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140006436

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: std::_$Lockit$Facet_Lockit::_Lockit::~_Register
String ID:
API String ID: 878851027-0
Opcode ID: de6d0140e11fe5034402b96d49d641318218cdf513e4805170c559fba9fda33b
Instruction ID: 4334b2d6731cb2c92d059481db1bad3029907abb5cbb5d65f7f569d960259019
Opcode Fuzzy Hash: de6d0140e11fe5034402b96d49d641318218cdf513e4805170c559fba9fda33b
Instruction Fuzzy Hash: 81329276209BD485DA72CF26E0503EEBBA5F799BD0F088111EBD957BA9DB38C445CB00

Function 00000001400027D0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004660: GetSidLengthRequired.ADVAPI32 ref: 00000001400046D6
Part of subcall function 0000000140004660: InitializeSid.ADVAPI32 ref: 00000001400046F0
Part of subcall function 0000000140004660: GetSidSubAuthority.ADVAPI32 ref: 0000000140004731
Part of subcall function 0000000140004660: IsValidSid.ADVAPI32 ref: 0000000140004740
Part of subcall function 0000000140004660: GetLengthSid.ADVAPI32 ref: 000000014000474F
Part of subcall function 0000000140004660: CopySid.ADVAPI32 ref: 000000014000476A

IsValidSid.ADVAPI32 ref: 0000000140002858
IsValidSid.ADVAPI32 ref: 00000001400029E6
IsValidSid.ADVAPI32 ref: 0000000140002B65
CoInitializeSecurity.OLE32 ref: 0000000140002EAD

Strings

@ , xrefs: 0000000140002E8A

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Valid$InitializeLength$AuthorityCopyRequiredSecurity
String ID: @
API String ID: 3675658427-2328788274
Opcode ID: 13b996e590429cacfa25733084150d1326f374f3df9e85463b1f56c268df3ca7
Instruction ID: 8840cc2ff78aa68ce04bf614d35ad1f43d2ebde6d55aac3b0b5cf47f7f9bf176
Opcode Fuzzy Hash: 13b996e590429cacfa25733084150d1326f374f3df9e85463b1f56c268df3ca7
Instruction Fuzzy Hash: E7222BB2605E8582E761DB2AE45039E73A0F789BB4F458312EBB9437E5DF78C845C780

Function 0000000140034D64 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140034DDD
RtlLookupFunctionEntry.KERNEL32 ref: 0000000140034DF5
RtlVirtualUnwind.KERNEL32 ref: 0000000140034E30
IsDebuggerPresent.KERNEL32 ref: 0000000140034E69
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140034E73
UnhandledExceptionFilter.KERNEL32 ref: 0000000140034E7E

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b452193c1a726e5a153f0fda66400893445a65ab5c43022d6fc1d144f9b470e7
Instruction ID: 5ab1ace98d973d2c61399d052f67637f8a65f6cffa68e5360ba8d42150e6ecaa
Opcode Fuzzy Hash: b452193c1a726e5a153f0fda66400893445a65ab5c43022d6fc1d144f9b470e7
Instruction Fuzzy Hash: 82315B36214B8086EB61CF66E8403EE73A5F789798F54052AFB8D47BA8DF38C545CB00

Function 0000000140045464 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 171COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400454AC

Part of subcall function 0000000140034CE0: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,0000000140034F75), ref: 0000000140034CE9
Part of subcall function 0000000140034CE0: GetCurrentProcess.KERNEL32(?,?,?,?,0000000140034F75), ref: 0000000140034D0E

Strings

*, xrefs: 00000001400454D3
C:\Users\user\Desktop\3lOLt0TUE4.exe, xrefs: 0000000140045472
., xrefs: 0000000140045982
., xrefs: 0000000140045973

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *$.$.$C:\Users\user\Desktop\3lOLt0TUE4.exe
API String ID: 4036615347-2802115526
Opcode ID: c009e349a145a249dc6b9d08f3bdec5f9e2c06d3726469bee2aa494ae9dd3382
Instruction ID: e2253a77b244eface347fc0b715fadd82f1304834761960bbb0d6286c2c6efbd
Opcode Fuzzy Hash: c009e349a145a249dc6b9d08f3bdec5f9e2c06d3726469bee2aa494ae9dd3382
Instruction Fuzzy Hash: 3351F172B11B1485FB12EBA7D8103ED37A0B748BD9F964925EF0D1BB96EA38C4428304

Function 000000014002B4C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014002B521
IsDebuggerPresent.KERNEL32 ref: 000000014002B539
OutputDebugStringW.KERNEL32 ref: 000000014002B54A

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000000014002B543
MZx, xrefs: 000000014002B4E0

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$MZx
API String ID: 389471666-1466369552
Opcode ID: 14272c93465a4f83ebf7303f8390c378ec07a3553b7ffdc706b149d59c270c9c
Instruction ID: 13bff59ef44acf3a57119c98018217d18445bb8a14eb71a66d3b19ed1c104958
Opcode Fuzzy Hash: 14272c93465a4f83ebf7303f8390c378ec07a3553b7ffdc706b149d59c270c9c
Instruction Fuzzy Hash: BC11AC32210B80A7FB16DB27EA403E932A5FB48386F444029E70983AA0EF78D4B4C750

Function 0000000140002F30 Relevance: 7.6, APIs: 5, Instructions: 132COMMON

Download Yara Rule

APIs

GetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140002F80
InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140002FB7
SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140002FE6

Part of subcall function 00000001400033C0: GetSecurityDescriptorControl.ADVAPI32 ref: 000000014000315A

GetAclInformation.ADVAPI32 ref: 0000000140003049
_invalid_parameter_noinfo.LIBCMT ref: 00000001400030FF

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: DescriptorSecurity$Dacl$ControlInformationInitialize_invalid_parameter_noinfo
String ID:
API String ID: 1177257891-0
Opcode ID: 12d77a2eedc4291097bdb8193906ad4b5aa31f9470b126b0a5fbd8435bec464f
Instruction ID: 2c67b213d3f321a145779a2d9abb25ecd4e5a131b40f0e9bbbec0380017ee0a2
Opcode Fuzzy Hash: 12d77a2eedc4291097bdb8193906ad4b5aa31f9470b126b0a5fbd8435bec464f
Instruction Fuzzy Hash: FE416EB2316A4145FB5BEB23B8157FA62A59B8DBC0F088038BF4E477B6DF38C5419241

Function 00000001400261D0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

Histogram: %s recorded %d samples, xrefs: 000000014002622D
(flags = 0x%x), xrefs: 000000014002624B

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID: (flags = 0x%x)$Histogram: %s recorded %d samples
API String ID: 0-1860478404
Opcode ID: addf4fd06b6d8822ab1e70227b4b45fb609eb714e2566f51c4b5348d0cffd109
Instruction ID: fe8a92417c3a9fcee806598b1e802e50bf88f744f0785638290ea864ff0ed106
Opcode Fuzzy Hash: addf4fd06b6d8822ab1e70227b4b45fb609eb714e2566f51c4b5348d0cffd109
Instruction Fuzzy Hash: E6F15A76304A8482EA11DB2AE05839EB761FB89FD8F504516EF8E07BB9CF39C945C740

Function 000000014002E504 Relevance: 6.0, APIs: 4, Instructions: 40timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,000000014002DE99), ref: 000000014002E531
GetCurrentThreadId.KERNEL32 ref: 000000014002E53F
GetCurrentProcessId.KERNEL32(?,?,?,000000014002DE99), ref: 000000014002E54B
QueryPerformanceCounter.KERNEL32(?,?,?,000000014002DE99), ref: 000000014002E55B

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 115d615ad3d4a8c1cf2c51eaf74dd9ecc9ef062d0fc191d3f32c32f6fba14844
Instruction ID: a6bbe25f283b26d3ee7781465b7746a1965b7a986c9ac71e6d710a6a285a8412
Opcode Fuzzy Hash: 115d615ad3d4a8c1cf2c51eaf74dd9ecc9ef062d0fc191d3f32c32f6fba14844
Instruction Fuzzy Hash: 58112A32601F448AEB119F62EC583D933A4F75D798F581A25FB5D837A4DF38C1A48380

Function 0000000140042288 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400422EC

Strings

gfffffff, xrefs: 0000000140042581

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: d7f089267822a7d7c498ddd9cc78de30a48eb2309234509972d0e6ecb9ff54c4
Instruction ID: 077d0ac64fbe7df0fe57da7447584eacbf889f050b4e69444a95177c2bd889a9
Opcode Fuzzy Hash: d7f089267822a7d7c498ddd9cc78de30a48eb2309234509972d0e6ecb9ff54c4
Instruction Fuzzy Hash: C99145737057C486EB17CB2A94103EE6BA5E799BC4F468032EB59477A5EA3DC506C301

Function 000000014004569C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\3lOLt0TUE4.exe, xrefs: 00000001400456AE
., xrefs: 0000000140045973

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID: .$C:\Users\user\Desktop\3lOLt0TUE4.exe
API String ID: 0-591925995
Opcode ID: d4f832015fd176ee4aeaa909b131ce0476798d284691c4d6dcf782e53615dd94
Instruction ID: 34e17e5c7ae27c6c12b54a272270a67da56588a8c4166aa8caa9f6d246ee93ee
Opcode Fuzzy Hash: d4f832015fd176ee4aeaa909b131ce0476798d284691c4d6dcf782e53615dd94
Instruction Fuzzy Hash: 7531597271069089E761AF63A8047EABB90F398FE4F558635BF6917BD5CE3CC4018304

Function 000000014003EAF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003EB31
GetLocaleInfoW.KERNEL32(?,?,?,?,00000000,0000000140032D46), ref: 000000014003EB5F

Strings

GetLocaleInfoEx, xrefs: 000000014003EB25

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: InfoLocaletry_get_function
String ID: GetLocaleInfoEx
API String ID: 2200034068-2904428671
Opcode ID: 12ef3ac6d0956768d989ed42a96e06b1939e9f3656ab2ed1898a7468755ec872
Instruction ID: 71d32cb82b3a1926ac18cfbf67ec8272d1323327aa96994b2e580eeafb5a75be
Opcode Fuzzy Hash: 12ef3ac6d0956768d989ed42a96e06b1939e9f3656ab2ed1898a7468755ec872
Instruction Fuzzy Hash: 23016935704B8082EB029B67B8407DAA761EB8DBC0F684526BF4917BBACF38C9418740

Function 000000014003B310 Relevance: 4.8, APIs: 3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebf8648d7ee3da799c4f541d254e1186d0b124807c91a44ae569beb0c557d06
Instruction ID: 01d3a463934a168e00f3390b1149be4eb49b74242ff690a1a72836b2a718fe1b
Opcode Fuzzy Hash: aebf8648d7ee3da799c4f541d254e1186d0b124807c91a44ae569beb0c557d06
Instruction Fuzzy Hash: 8AC1C27271868487DB72CF1AE18879BB7A1F3887C8F448125EB4A87B54D73CD941CB40

Function 0000000140044DE0 Relevance: 4.7, APIs: 3, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003DF34: GetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DF3E
Part of subcall function 000000014003DF34: SetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DFD7

GetLocaleInfoW.KERNEL32 ref: 0000000140044E4D
GetLocaleInfoW.KERNEL32 ref: 0000000140044E9F
GetLocaleInfoW.KERNEL32 ref: 0000000140044F66

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: c204252a773c87163fff4f0362213be6f0208685aaed122eb1322148d8a0f4f3
Instruction ID: f1de9223200c27af968db60780e83fc2b0075db97719c156028d2ce688342a37
Opcode Fuzzy Hash: c204252a773c87163fff4f0362213be6f0208685aaed122eb1322148d8a0f4f3
Instruction Fuzzy Hash: ED61AF7221064186EB368F26E5903D973A1F38C7C9F42813AFB9A876F5DB38D959C704

Function 00000001400036C0 Relevance: 4.6, APIs: 3, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 0000000140003719
GetProcessHeap.KERNEL32(?,?,?,?,00000001400044BD,?,?,?,00000001400046B1), ref: 0000000140003729
_Init_thread_header.LIBCMT ref: 000000014000376C

Part of subcall function 000000014002A160: EnterCriticalSection.KERNEL32(?,?,?,0000000140004BAD,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000000014002A170

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Init_thread_header$CriticalEnterHeapProcessSection
String ID:
API String ID: 1961180699-0
Opcode ID: ea7d4aa280539babd2439ac70b35f0a14f6da2330253ab1b0fcbbe8c39324500
Instruction ID: b1a7a9b823775a7ff0b0abd0f565b74e208dea8deb4b8e45dab32a2784a8e270
Opcode Fuzzy Hash: ea7d4aa280539babd2439ac70b35f0a14f6da2330253ab1b0fcbbe8c39324500
Instruction Fuzzy Hash: C0319FB4204A049AF603EB16FC913D9336AB76D796FA00A25F70D832B5DF78C959C740

Function 000000014001E120 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 653COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001E7F7

Strings

8, xrefs: 000000014001E6D0

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 8
API String ID: 3668304517-4194326291
Opcode ID: cd094b8745f7822e6cee6d102c0d711dda94fa4e21595a32246fdf589eb05285
Instruction ID: b2a42fad97facabcfdc3e8b4229c675377f070a9ec24647be01870069db31e2d
Opcode Fuzzy Hash: cd094b8745f7822e6cee6d102c0d711dda94fa4e21595a32246fdf589eb05285
Instruction Fuzzy Hash: 7642AEB3A21B8482EE528B56D5443AC63A4F799BE4F558725EB7E077E0EF35D290C300

Function 0000000140033075 Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

_.,, xrefs: 00000001400330A9
U, xrefs: 0000000140033251
C, xrefs: 000000014003332A

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: C$U$_.,
API String ID: 3215553584-4113466154
Opcode ID: 3697b6e9065fedabf29f95a1d0b9fb91b062bd9b7abf63880ab349f7acdb9131
Instruction ID: 40eb6e07938e41d6686bdfa972585d962385e7bee0ee595ea1081590dc3b67ce
Opcode Fuzzy Hash: 3697b6e9065fedabf29f95a1d0b9fb91b062bd9b7abf63880ab349f7acdb9131
Instruction Fuzzy Hash: DFD19D32201A9096EB67CB26E491BDF73A0F78C7D4F508126FF8947AA4EB38D551CB00

Function 0000000140047A14 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0000000140047C63
RaiseException.KERNEL32 ref: 0000000140047C74

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b8432e4d214cab16cfb2bf6679ca1aae80b9e5a705a068ecbf0dd26367b68ee7
Instruction ID: c460a78c2965215d35bee289a5656983ccaf5fb8ee74277a9e76be3a7fe63068
Opcode Fuzzy Hash: b8432e4d214cab16cfb2bf6679ca1aae80b9e5a705a068ecbf0dd26367b68ee7
Instruction Fuzzy Hash: 7DB13077610B448BEB16CF2AC88679C77A0F388B88F168925EB5D877B4CB39D451C704

Function 0000000140032BC0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

utf8, xrefs: 0000000140032CD8
utf-8, xrefs: 0000000140032CEC

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID: utf-8$utf8
API String ID: 0-782216586
Opcode ID: 978d04cd92163e68937c9480117004e58a46cd15dd6386bf0436826f11b4dd9f
Instruction ID: e9297553737458bfa032fdbe21df2a31fe1b49ef2ee594be4f30ce70a75b312a
Opcode Fuzzy Hash: 978d04cd92163e68937c9480117004e58a46cd15dd6386bf0436826f11b4dd9f
Instruction Fuzzy Hash: FE71E33671479542FB6B9BB7A5227EB6391F7887C4F509026BF4A47AE9DB38C401C600

Function 000000014003312A Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

_.,, xrefs: 00000001400330A9
U, xrefs: 0000000140033251

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: U$_.,
API String ID: 3215553584-1203667853
Opcode ID: e9e4d7ea6193ea173a39a13d78a613238c3576ed98a9238de90d494753d2b3fa
Instruction ID: 04431c00e84afd95eb1178677b969e772501119a817e1cfb62a7e157e173de4d
Opcode Fuzzy Hash: e9e4d7ea6193ea173a39a13d78a613238c3576ed98a9238de90d494753d2b3fa
Instruction Fuzzy Hash: 93411232600A9056FB7BCB67E8A1BDB63A1F78C7D4F444526BF49076A5EF38C6458700

Function 000000014002FDC0 Relevance: 1.9, APIs: 1, Instructions: 370COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000000014002FF08

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: c4460a703a5c82801f327fd0d8c12fc3a24cb7ecc4907b1ad99c6689b4c168ad
Instruction ID: 28e5d708f86b046eca387909a1eeb9c83e8f378084fb12c0d7a1723b202ac3b8
Opcode Fuzzy Hash: c4460a703a5c82801f327fd0d8c12fc3a24cb7ecc4907b1ad99c6689b4c168ad
Instruction Fuzzy Hash: B1029B32A09BC086E752CF3AD4553EE73A4F75D788F459226EB8883662EB35D6C5C700

Function 0000000140042A60 Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11331c0f7b0de21d87e3997c2057673ff42dd0b78d24890b965fd2c86d00f64
Instruction ID: da9e90e54c6406e99383d0488136bfa8116d4b0103085308ed5267d2dce82ac5
Opcode Fuzzy Hash: e11331c0f7b0de21d87e3997c2057673ff42dd0b78d24890b965fd2c86d00f64
Instruction Fuzzy Hash: 08E12176700B8085E722DB62E4417EE37A4F7997C8F414A26AF5D577A6EF38C249D300

Function 00432D40 Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00432F8D

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
Instruction ID: c80435e8494229a43a5fffd4d6288923b7ccbb2c72bf2b8950da5cc93c6173a1
Opcode Fuzzy Hash: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
Instruction Fuzzy Hash: EDB18931610A4DCFDB99CF1CC88AB6677E0FF59304F18959AE869CB262C339D852CB05

Function 00000001400450C0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003DF34: GetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DF3E
Part of subcall function 000000014003DF34: SetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DFD7

GetLocaleInfoW.KERNEL32 ref: 0000000140045128

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 64a676d30c5538ac30c42c6a960a82695894d88443eeb02e983a2a47c0e9bb73
Instruction ID: b60c7d9e43adfc0e96cc9b42baa4256d00f1f4af276eaba2ee17b3d07a81f0d6
Opcode Fuzzy Hash: 64a676d30c5538ac30c42c6a960a82695894d88443eeb02e983a2a47c0e9bb73
Instruction Fuzzy Hash: BA31A07231468186EB2AEB23E4513DA73A1F78C7C6F458139BB4A873B6DB38D951C700

Function 0000000140044D08 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003DF34: GetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DF3E
Part of subcall function 000000014003DF34: SetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DFD7

EnumSystemLocalesW.KERNEL32(?,?,?,0000000140044B0B), ref: 0000000140044DA6

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b874de089d8b916dca863298a54351e0a382e0a1a50e2333e8cb51a8d322e9ee
Instruction ID: 6a9b6fff6bac6e3b88f0aef6cd7cec4e9e0bc20301a9c130c683a048d487afec
Opcode Fuzzy Hash: b874de089d8b916dca863298a54351e0a382e0a1a50e2333e8cb51a8d322e9ee
Instruction Fuzzy Hash: 5A1106B7A046448AEB168F16D4803EC77A1F398FE4F458125E725433E0DB34C5D1C740

Function 00000001400451D0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003DF34: GetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DF3E
Part of subcall function 000000014003DF34: SetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DFD7

GetLocaleInfoW.KERNEL32 ref: 000000014004523D

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f2ccbd1d4dfeb7a0f20c9447ecd23894780dc1affbab8a383636f8e0d6df1a65
Instruction ID: 1f8081382046405dc1d65548bc78fa479e1aa2f6d29be4dcf940a41c361a5a78
Opcode Fuzzy Hash: f2ccbd1d4dfeb7a0f20c9447ecd23894780dc1affbab8a383636f8e0d6df1a65
Instruction Fuzzy Hash: A321BE32214A818AEB22EF22E8413D933A1F38DBC5F854136FB4987366DB38D511CB00

Function 0000000140045368 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003DF34: GetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DF3E
Part of subcall function 000000014003DF34: SetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DFD7

GetLocaleInfoW.KERNEL32(?,?,?,0000000140044FE4), ref: 000000014004539F

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0f1f5c272739da45f03698522d766ea31d23f7546ba83fa7e85e600b54ff1951
Instruction ID: 9354cfc18fa9c48870e24b7c2c6b362ed95af0148e089eb09ca7dd1f57cf14d1
Opcode Fuzzy Hash: 0f1f5c272739da45f03698522d766ea31d23f7546ba83fa7e85e600b54ff1951
Instruction Fuzzy Hash: F9114C3261459482E766AF23D0407EE22A1E388BE7F554532FB26477E6D675C9818704

Function 000000014003F220 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,?,000000014003E9B9), ref: 000000014003F27A

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 14372d48a1652f84cc00f4219de4d6aac04428eeebca81ac7541f1d4c8695c10
Instruction ID: 9c7bded7325398d7d455f30185e52bc959eb35c322dc9b428cf19d75dced7e1b
Opcode Fuzzy Hash: 14372d48a1652f84cc00f4219de4d6aac04428eeebca81ac7541f1d4c8695c10
Instruction Fuzzy Hash: 2C015772714B4482E705DB26E8903DA73A2E79CBC0F548126FB4957779DE3CC8558780

Function 0000000140045028 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003DF34: GetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DF3E
Part of subcall function 000000014003DF34: SetLastError.KERNEL32(?,?,?,000000014002FD13,?,?,00000000,0000000140034FB0), ref: 000000014003DFD7

EnumSystemLocalesW.KERNEL32(?,?,?,0000000140044AC7), ref: 00000001400450A8

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7cb256954bbe78e7548afe37c9f598bef31b6951fa3e8e5cd53e6db253b308d8
Instruction ID: ad41d8708550984db28ee92cd2034e7700f59557bfe88d30ad1fc60c0df5b5ac
Opcode Fuzzy Hash: 7cb256954bbe78e7548afe37c9f598bef31b6951fa3e8e5cd53e6db253b308d8
Instruction Fuzzy Hash: 1A0147767002808AE7126F27E8407DA76E2E748BE6F428332E724472E6DB35C880C744

Function 0000000140031328 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

0, xrefs: 00000001400314CA

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: d9185aa07112d9a397941b7a65cc466e270287a2d1db34efb85fca043499bcac
Instruction ID: d2144be35f16c4ee13989f4b748e251055a33fdb26aafc76b09d5dcef4449e4b
Opcode Fuzzy Hash: d9185aa07112d9a397941b7a65cc466e270287a2d1db34efb85fca043499bcac
Instruction Fuzzy Hash: 5661C03530464186FB6B8A6B90403EF67D1A7CEBC8F581916FF419B6FACB35C8868741

Function 000000014003F37C Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014003F421

Part of subcall function 000000014003F304: HeapAlloc.KERNEL32(?,?,00000000,000000014003E0F6,?,?,?,0000000140034629,?,?,?,?,000000014003D87A,?,?,00000000), ref: 000000014003F359

Part of subcall function 000000014003DD34: HeapFree.KERNEL32(?,?,?,000000014004391B,?,?,?,00000001400434C3,?,?,?,0000000140043E10,?,?,?,0000000140043D1B), ref: 000000014003DD4A
Part of subcall function 000000014003DD34: GetLastError.KERNEL32(?,?,?,000000014004391B,?,?,?,00000001400434C3,?,?,?,0000000140043E10,?,?,?,0000000140043D1B), ref: 000000014003DD5C

Part of subcall function 0000000140048DB4: _invalid_parameter_noinfo.LIBCMT ref: 0000000140048DE2

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: a3cec2b28e1aa257cd2e5574e980ce52070b7ce858f97940b60499b01ef453c4
Instruction ID: 43cd58880e768521110e6309741aff83a8c5d5cd14caf30911540818398961f5
Opcode Fuzzy Hash: a3cec2b28e1aa257cd2e5574e980ce52070b7ce858f97940b60499b01ef453c4
Instruction Fuzzy Hash: 0E419031301A8242FA739E27A851BFBA791BB9DBC0F444525BF4947BE6DE3CC505A700

Function 0042EEB0 Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
Instruction ID: ba832315f60bfe01f78e135ab607fabacc940a44a85b0e34bee37f325de42116
Opcode Fuzzy Hash: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
Instruction Fuzzy Hash: 68F19732668F1C079728EE9DAC8E2B573C2D3E8722F4A437F9805D3265DD75AC8185C6

Function 0000000140026CC0 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d564e2b74aa32b693c35aacfbc297a91a2dcb490c9579aa42c28f1748b5c47
Instruction ID: f261b2cfc3b8da4730995c8c31609a819ad6049ffb89d2880c2c31b5664bb443
Opcode Fuzzy Hash: 03d564e2b74aa32b693c35aacfbc297a91a2dcb490c9579aa42c28f1748b5c47
Instruction Fuzzy Hash: 8722B1B7F2415047D31CCF69EC42E9A7692F7E4748B89D128DB06D3F08E93DEA168A44

Function 00000001400380AC Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05e5622fff88cd8dcc88363a90415e03d0231f8b5d6bcc2e7f476e7ac88c9da
Instruction ID: 3eaa9111eca2a033ce1543174c22640db4d918014b2af92e71b3a4345db54def
Opcode Fuzzy Hash: e05e5622fff88cd8dcc88363a90415e03d0231f8b5d6bcc2e7f476e7ac88c9da
Instruction Fuzzy Hash: CE422E31525F4889E663DB37A8357967728BB5A3C2F818303FE4A77A71DB3AD4428700

Function 00407C00 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
Instruction ID: 552ee4f71a8be2f15d39a9fb372ab8504bfcda2e79b68cea8d5aa1bc6b814482
Opcode Fuzzy Hash: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
Instruction Fuzzy Hash: 53C15B3282DF644AD3279F7D98812E6F3E4FFD9319F41872AD9C5A3060DB3864478286

Function 000000014000BBD0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 7d68bc6bf42f81b163c14409fa430129394e9f4b49efbe72a0f3e1f7b7919d75
Instruction ID: c23b2f8605ce77865fd8eca59e4c52f58e0637ccf5fc140646b78fe76c822a39
Opcode Fuzzy Hash: 7d68bc6bf42f81b163c14409fa430129394e9f4b49efbe72a0f3e1f7b7919d75
Instruction Fuzzy Hash: A8F17363D24BD482E711CB29D9007F86760F7ADB98F15E315EF6A137A2EB75A2D18300

Function 000000014000A680 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b87a718667909f6521cf663e20e1afefa7280e59d9047530e69ff38576f4387
Instruction ID: b114a49d2efadab1ae8ef0229d4c509ef51cef604c18844825b472bfb3120bf1
Opcode Fuzzy Hash: 1b87a718667909f6521cf663e20e1afefa7280e59d9047530e69ff38576f4387
Instruction Fuzzy Hash: B6E11393D24FD482F701CF2989007E86760F7EABD8F55A308DF99133A6DB79A695C240

Function 0000000140017E60 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48ac8054aa67be7bfd890edce459658a7d96b5f006aee6d1443f3813cf500f5
Instruction ID: 78fa1d0389ac902604521bf60ea3c097077983ceb04c330fe09852acf3d8aaa9
Opcode Fuzzy Hash: a48ac8054aa67be7bfd890edce459658a7d96b5f006aee6d1443f3813cf500f5
Instruction Fuzzy Hash: C1C18D32304B9486E7769A17D4087AE77A6F349BC4F580029FF8E4BBA5CB39C985D300

Function 00000001400442E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLast$CurrentFeaturePresentProcessProcessortry_get_function
String ID:
API String ID: 3790591341-0
Opcode ID: 7edd881d4be8a13f44d5f6aa40e1782afd083a500a278d412750523e2058b5f3
Instruction ID: 1503339e08ada572e4c723e1fa5b92f2024c1875ebdcd176f11bbe18d9b670ba
Opcode Fuzzy Hash: 7edd881d4be8a13f44d5f6aa40e1782afd083a500a278d412750523e2058b5f3
Instruction Fuzzy Hash: 90A1D23261069482EB66EF33D411BEA3391F788BCCF518235BF4587AEADB38C9518744

Function 0042A810 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
Instruction ID: 81878882f838a7c71bfcd71a9427000161ba3efb37b033e1f2411dee7fd754be
Opcode Fuzzy Hash: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
Instruction Fuzzy Hash: 6061E531A293894B930DC91D9C864517B92EAA651937CC3ECCDD28F387E862F517C3D2

Function 0000000140011910 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aef237ae5a4f47ce23a2d7149d4205e725aae9d2895f165d36055238af7eab5
Instruction ID: c96c1e92399dc4ff530452948c69ed0ea770b934022747f0d9713e5808f975b6
Opcode Fuzzy Hash: 1aef237ae5a4f47ce23a2d7149d4205e725aae9d2895f165d36055238af7eab5
Instruction Fuzzy Hash: 3B712572F17A9442EA17863A44027E46A91AFD67F0F46C712EE383B7E6E736D1418300

Function 004079F0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e4cd470e5335410284ca3e833719b72024060eaaa31e98f07d66ec036bdbde
Instruction ID: 34ad47e74f1ccfb71a9995f93287e9bff7a02906dd33a4a2ec043376cb3b1107
Opcode Fuzzy Hash: 63e4cd470e5335410284ca3e833719b72024060eaaa31e98f07d66ec036bdbde
Instruction Fuzzy Hash: 22510910F1C7844BDB395B2C485427B36A1EB95328F1942BBE446F23D2D93C7E42965F

Function 00000001400268D0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfec977527b5bcc444f809b3d51313d185a825bce9d59066c9c2fee62b3e45b9
Instruction ID: 2288c0f7a9d0da9ce16da8606a03351df7758a3cfb5be3452c1ae86280c5cc37
Opcode Fuzzy Hash: dfec977527b5bcc444f809b3d51313d185a825bce9d59066c9c2fee62b3e45b9
Instruction Fuzzy Hash: 9B6183736186848BE735CF2AE44039ABBA0E359384F44412DFB8EC7BA2D67CD9458B05

Function 004293B0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
Instruction ID: dd5ab14a278209c2a8eb9a9065036ab52eaa82f327a7141319c9eec701cba398
Opcode Fuzzy Hash: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
Instruction Fuzzy Hash: 53510DB28183058F8308CF19C882126FBE5FB8A714B15855EE9D697212D731F9538FC2

Function 000000014003A6B4 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: d34cce4d7287b7d75e27684d7a43430cb5af39a04496c1d52e288c822b004839
Instruction ID: 82aaf97a0ef8cb6b6cdd5268e39beda681071c869067a888d23555b72fb9981a
Opcode Fuzzy Hash: d34cce4d7287b7d75e27684d7a43430cb5af39a04496c1d52e288c822b004839
Instruction Fuzzy Hash: B351B232711A5482EB66CF26D5D53AE33A4F789BD8F518A16EF1E97AA5CF38C051C300

Function 004292A0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817403285.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
Instruction ID: 95f53bcb3013ffc607570205fa4a55d7e593650cec09bf4caffca84637faaae4
Opcode Fuzzy Hash: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
Instruction Fuzzy Hash: C84182B69683048F830CDF14C883422B7E4FB8A719B25C56DD9D64B202DB31F953DAC2

Function 0000000140034174 Relevance: .1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2447063f7cd4f98a0ae3ed48a6a75841ce19c8fdd0e5f0f292fdbffb0ceb1534
Instruction ID: 6b9b02058375bcecfbb59437eb0cb2d39f611623c4381441f130834f492fd430
Opcode Fuzzy Hash: 2447063f7cd4f98a0ae3ed48a6a75841ce19c8fdd0e5f0f292fdbffb0ceb1534
Instruction Fuzzy Hash: 5C41B372310B4482EF45DF6BDA2439AB3A2E74CFD4F499426EF0D97B68DA38C5458340

Function 0000000140032B75 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5bab3a6beb5876d68e17d7876697978282b9db638857d2baeaccf3ee70fe3890
Instruction ID: 71d1b069d77aa432aa2a9583704c86dbaa2ddd7b6448a706519fc493aff1ed2a
Opcode Fuzzy Hash: 5bab3a6beb5876d68e17d7876697978282b9db638857d2baeaccf3ee70fe3890
Instruction Fuzzy Hash: 0E31B33B7202A047F37ADAB77922FDB2251B7883D4F5496297F9507D95CB3CC0528A00

Function 0000000140026850 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7670e76163cd66883b4efc7e3c17b4edb03b89a1b82b7a62a75a7081b0b7ba9
Instruction ID: b09f4ae942ec73054a9de2b8787de49b9a5ec8876b679cd0ee3400aa84bbbdff
Opcode Fuzzy Hash: d7670e76163cd66883b4efc7e3c17b4edb03b89a1b82b7a62a75a7081b0b7ba9
Instruction Fuzzy Hash: 78319273E1003147E7BA533E68157B965C157987D4F4A872AEE19E32E0E525CD52E2C0

Function 000000014002BCBC Relevance: .1, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98b334728c508f8a9d96360c225ff665e2112f8fbde2b6107ec001dc329bfa3
Instruction ID: 37e2c45ad4b60748a68cc4d80484d22f4ed56dc5a2df46cdb1c8efd71eb9c72b
Opcode Fuzzy Hash: f98b334728c508f8a9d96360c225ff665e2112f8fbde2b6107ec001dc329bfa3
Instruction Fuzzy Hash: E741E4726182108AFB669F27F8457CA3A91F35C3D0F61882DFB5D876B0E778C8508B40

Function 0000000140044740 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorLasttry_get_function$CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 3433887101-0
Opcode ID: b3232d7d03fea3ec08f031af25467d18b9ad2a1cfc87cfbb60455cb53af29ac8
Instruction ID: 76ea5f5a28b968cc35811154b2a1651ede0a9e78d64fec79c2efac54d397a43f
Opcode Fuzzy Hash: b3232d7d03fea3ec08f031af25467d18b9ad2a1cfc87cfbb60455cb53af29ac8
Instruction Fuzzy Hash: 4241D432214AC442EB62DB22E8117DA2360F78CBD8F514325BF69477D9CF38C552C740

Function 0000000140072E6B Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2540150fab47bdc3bb884613f5a7273d42d65200fa140bbed8dbff9215ffa4
Instruction ID: 5ee309807ff80ba20bd5b14fe7370d8625deebd74df5ac24a86580155dad0fa2
Opcode Fuzzy Hash: 1b2540150fab47bdc3bb884613f5a7273d42d65200fa140bbed8dbff9215ffa4
Instruction Fuzzy Hash: C63138376143E04BE36A8BB6A512BCB3761F7897D4F58C229AF9507D96C73C8412CA00

Function 000000014003A726 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0853de7745177a4f017aa76284a316cc91dc138732e4886c0a652ba30e32a584
Instruction ID: 03023baf41d7edfaf3de9d77937d8966f826a7d2a1c982761b8fdeb6e43aa32e
Opcode Fuzzy Hash: 0853de7745177a4f017aa76284a316cc91dc138732e4886c0a652ba30e32a584
Instruction Fuzzy Hash: FA11823672015883F77ED677B166BAB2352A7993C4F14D515BB420BDA6CF3CD0514A04

Function 0000000140024010 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165a5aa6dccafd6047d2a19d3efdb2a52f476aa11013381039673b76e21ff959
Instruction ID: 6e7bc2ce785c34fe49913341867df66185ac30375d8a1be741251f17b1d54bbb
Opcode Fuzzy Hash: 165a5aa6dccafd6047d2a19d3efdb2a52f476aa11013381039673b76e21ff959
Instruction Fuzzy Hash: F6014F33D201B046DB91EB7E8C48B8A67A1E7C9741FAB8721EF4863754D6399D42D3E0

Function 00000001400240A0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276a3b3fb41928333db733a9fe7fa8fe356879d2fbec6fbca3a46653d126ea2f
Instruction ID: a9fff9e572b526238a7215ab704cb81dcd9280e85d4663171c42906c161b0720
Opcode Fuzzy Hash: 276a3b3fb41928333db733a9fe7fa8fe356879d2fbec6fbca3a46653d126ea2f
Instruction Fuzzy Hash: 87012133D101B046DB91EB6A9C48B9A67A1E7C9345FA68322DF4863754D2359D42D3D0

Function 0000000140046450 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9869b9370ae91ce55583a1c2da905f5353009ac5ccd9dda881d43b69f60637a5
Instruction ID: 799ae78e7d9203150839d317021f4b36836e0ee54ce60c27f15aa25c60bd6efc
Opcode Fuzzy Hash: 9869b9370ae91ce55583a1c2da905f5353009ac5ccd9dda881d43b69f60637a5
Instruction Fuzzy Hash: 17F012717156948ADBA58F29E842B5977D5E35C3C4F908429E68983F14D63C84618F04

Function 000000014002B874 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002b5c2c0288fd80eb61bc9a6a559af48a8bceda51e53035310ef369e694fd57
Instruction ID: f7ca0a4b05b8661b9d616c23098a5898cd8f1a7098825a504a12a71ffc6f1302
Opcode Fuzzy Hash: 002b5c2c0288fd80eb61bc9a6a559af48a8bceda51e53035310ef369e694fd57
Instruction Fuzzy Hash: 1EA00231506C45E4E7469B43EC603D02331F798381F540416F30D434B09B388880D301

Function 000000014003EEB8 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003EED3
try_get_function.LIBVCRUNTIME ref: 000000014003EEF2

Part of subcall function 000000014003F014: GetProcAddress.KERNEL32(?,?,0000000100000008,000000014003EAD2,?,?,?,000000014003E0E3,?,?,?,0000000140034629), ref: 000000014003F16C

try_get_function.LIBVCRUNTIME ref: 000000014003EF11

Part of subcall function 000000014003F014: LoadLibraryExW.KERNEL32(?,?,0000000100000008,000000014003EAD2,?,?,?,000000014003E0E3,?,?,?,0000000140034629), ref: 000000014003F0B7
Part of subcall function 000000014003F014: GetLastError.KERNEL32(?,?,0000000100000008,000000014003EAD2,?,?,?,000000014003E0E3,?,?,?,0000000140034629), ref: 000000014003F0C5
Part of subcall function 000000014003F014: LoadLibraryExW.KERNEL32(?,?,0000000100000008,000000014003EAD2,?,?,?,000000014003E0E3,?,?,?,0000000140034629), ref: 000000014003F107

try_get_function.LIBVCRUNTIME ref: 000000014003EF30

Part of subcall function 000000014003F014: FreeLibrary.KERNEL32(?,?,0000000100000008,000000014003EAD2,?,?,?,000000014003E0E3,?,?,?,0000000140034629), ref: 000000014003F140

try_get_function.LIBVCRUNTIME ref: 000000014003EF4F
try_get_function.LIBVCRUNTIME ref: 000000014003EF6E
try_get_function.LIBVCRUNTIME ref: 000000014003EF8D
try_get_function.LIBVCRUNTIME ref: 000000014003EFAC
try_get_function.LIBVCRUNTIME ref: 000000014003EFCB
try_get_function.LIBVCRUNTIME ref: 000000014003EFEA

Strings

LCMapStringEx, xrefs: 000000014003EFC4
EnumSystemLocalesEx, xrefs: 000000014003EEF7, 000000014003EF0A
LocaleNameToLCID, xrefs: 000000014003EFEF, 000000014003F002
LCIDToLocaleName, xrefs: 000000014003EFD0, 000000014003EFE3
GetLocaleInfoEx, xrefs: 000000014003EF48
CompareStringEx, xrefs: 000000014003EEEB
GetDateFormatEx, xrefs: 000000014003EF16, 000000014003EF29
GetUserDefaultLocaleName, xrefs: 000000014003EF73, 000000014003EF86
AreFileApisANSI, xrefs: 000000014003EECC
IsValidLocaleName, xrefs: 000000014003EF92, 000000014003EFA5
GetTimeFormatEx, xrefs: 000000014003EF54, 000000014003EF67

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 3255926029-3252031757
Opcode ID: fcd4ac423e6f245f02eb0176da032fa2d8cb0e32db2b45cc89ac797d78cb2b26
Instruction ID: 306b3782ebd619ac6c314cacb11e0fe4983a5a6809e35d95b1e80edf744f0b4b
Opcode Fuzzy Hash: fcd4ac423e6f245f02eb0176da032fa2d8cb0e32db2b45cc89ac797d78cb2b26
Instruction Fuzzy Hash: CC314E78100A4AA1FA0BEF5AE851BF523A1E74E3C4FC05027B319171B6DF7E8649E391

Function 000000014002E244 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 196libraryCOMMON

Download Yara Rule

APIs

DloadAcquireSectionWriteAccess.DELAYIMP ref: 000000014002E25E

Part of subcall function 000000014002E104: DloadGetSRWLockFunctionPointers.DELAYIMP ref: 000000014002E11A
Part of subcall function 000000014002E104: DloadProtectSection.DELAYIMP ref: 000000014002E175
Part of subcall function 000000014002E104: DloadGetSRWLockFunctionPointers.DELAYIMP ref: 000000014002E17A

RaiseException.KERNEL32 ref: 000000014002E2DF
DloadReleaseSectionWriteAccess.DELAYIMP ref: 000000014002E2CB

Part of subcall function 000000014002E1B0: DloadGetSRWLockFunctionPointers.DELAYIMP ref: 000000014002E1C0
Part of subcall function 000000014002E1B0: DloadProtectSection.DELAYIMP ref: 000000014002E20F
Part of subcall function 000000014002E1B0: DloadGetSRWLockFunctionPointers.DELAYIMP ref: 000000014002E214

LoadLibraryExA.KERNEL32 ref: 000000014002E381
GetLastError.KERNEL32 ref: 000000014002E38F
DloadReleaseSectionWriteAccess.DELAYIMP ref: 000000014002E3C1
RaiseException.KERNEL32 ref: 000000014002E3D5

Strings

H, xrefs: 000000014002E2B0
MZx, xrefs: 000000014002E266

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Dload$Section$FunctionLockPointers$AccessWrite$ExceptionProtectRaiseRelease$AcquireErrorLastLibraryLoad
String ID: H$MZx
API String ID: 3582658894-3879308991
Opcode ID: 007f62e25ecfeaaea0e6bda599372a2bddc6bd666008d629e1e7a21ff3617a5e
Instruction ID: f057c435e7340d4ec6e569f62102e1389f3594af5a3802b17ade9c28a301cf6e
Opcode Fuzzy Hash: 007f62e25ecfeaaea0e6bda599372a2bddc6bd666008d629e1e7a21ff3617a5e
Instruction Fuzzy Hash: FD810832601B908AEB16DFA6E8843EC37A1B70CBD8F584429EF0957B64EB38D854C700

Function 000000014002A010 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000014002A035
GetModuleHandleW.KERNEL32 ref: 000000014002A043
GetModuleHandleW.KERNEL32 ref: 000000014002A059
GetProcAddress.KERNEL32 ref: 000000014002A076
GetProcAddress.KERNEL32 ref: 000000014002A08A
GetProcAddress.KERNEL32 ref: 000000014002A09E
CreateEventW.KERNEL32 ref: 000000014002A10E

Strings

kernel32.dll, xrefs: 000000014002A052
InitializeConditionVariable, xrefs: 000000014002A06C
WakeAllConditionVariable, xrefs: 000000014002A094
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000000014002A03C
SleepConditionVariableCS, xrefs: 000000014002A080

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: AddressProc$HandleModule$CountCreateCriticalEventInitializeSectionSpin
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2179320429-1714406822
Opcode ID: f37d6bd26b8c1fb83fc5010bf1376ca8297aeebccbf8dbfc0064af4dce9d0f86
Instruction ID: a8cccffb675cb33f0988eae76eb40573b7ba90736cf9b37c37970a34ad66b910
Opcode Fuzzy Hash: f37d6bd26b8c1fb83fc5010bf1376ca8297aeebccbf8dbfc0064af4dce9d0f86
Instruction Fuzzy Hash: 22314E31201B0092FB169B26EC203D562A2AB8E7E1F591539AB1E477B4EF3CC949C214

Function 000000014000CBE0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 242threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000000014000CC8D
GetCurrentThreadId.KERNEL32 ref: 000000014000CCB0
GetLocalTime.KERNEL32 ref: 000000014000CCDA
GetTickCount.KERNEL32 ref: 000000014000CE24
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000CF3D

Strings

VERBOSE, xrefs: 000000014000CE58
../../chrome/elevation_service/elevation_service.cc, xrefs: 000000014000CBE5
UNKNOWN, xrefs: 000000014000CE75
)] , xrefs: 000000014000CEB9

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Current$CountLocalProcessThreadTickTime_invalid_parameter_noinfo_noreturn
String ID: )] $../../chrome/elevation_service/elevation_service.cc$UNKNOWN$VERBOSE
API String ID: 1965730521-3791372713
Opcode ID: ceaf304e6cd5f3d46827d0923e8794e12d8c966c9a6fb709b4d84510979ab2ce
Instruction ID: 62dee3e82d7878e802802f88dcc8813efdf0bc3b05f5930420827d9e3e7340c5
Opcode Fuzzy Hash: ceaf304e6cd5f3d46827d0923e8794e12d8c966c9a6fb709b4d84510979ab2ce
Instruction Fuzzy Hash: 0AA18FB1711A4085FB06EB27E4A53ED2762AB8DBD8F448522FF1E477EADE38C0458350

Function 00000001400025A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32 ref: 00000001400025ED
SetServiceStatus.ADVAPI32 ref: 000000014000260F

Part of subcall function 000000014000F980: CoInitializeEx.COMBASE ref: 000000014000F996

GetLastError.KERNEL32 ref: 0000000140002670
GetLastError.KERNEL32 ref: 00000001400026C2
SetServiceStatus.ADVAPI32 ref: 0000000140002713

Strings

../../chrome/elevation_service/service_main.cc, xrefs: 0000000140002679, 00000001400026CB
RegisterServiceCtrlHandler failed, xrefs: 000000014000269E
ChromeElevationService, xrefs: 00000001400025DF
Failed to initialize COM, xrefs: 00000001400026F0

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Service$ErrorLastStatus$CtrlHandlerInitializeRegister
String ID: ../../chrome/elevation_service/service_main.cc$ChromeElevationService$Failed to initialize COM$RegisterServiceCtrlHandler failed
API String ID: 790579533-4046687200
Opcode ID: 325acf9a4caa992a862e0918961f82431ae96fa13d2f7fb0caa50a1230d9a009
Instruction ID: b95ac3bdb0eba166568bb0667f234ee4227bc8a2bb0ee02ee8969bca477c3399
Opcode Fuzzy Hash: 325acf9a4caa992a862e0918961f82431ae96fa13d2f7fb0caa50a1230d9a009
Instruction Fuzzy Hash: 6C413DB131464192FA26EB13F8553EA6361EB8D7C4F444026FB8A5B7B6DF3DD1068740

Function 0000000140019FC0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 240COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014001A16B

Part of subcall function 0000000140029F90: Concurrency::cancel_current_task.LIBCPMT ref: 0000000140029FC0
Part of subcall function 0000000140029F90: Concurrency::cancel_current_task.LIBCPMT ref: 0000000140029FC6

Strings

count, xrefs: 000000014001A2C5
bucket_count, xrefs: 000000014001A12A
low, xrefs: 000000014001A258
high, xrefs: 000000014001A2A0
max, xrefs: 000000014001A0F9
type, xrefs: 000000014001A019
min, xrefs: 000000014001A0B3

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Concurrency::cancel_current_task$_invalid_parameter_noinfo_noreturn
String ID: bucket_count$count$high$low$max$min$type
API String ID: 4131450254-2045534459
Opcode ID: bdfd84f6c9701a05742d9f42e6b2b60650ba66744531afc889ef059b2ffd0ea8
Instruction ID: 00a089d2e0e7017a43a6167fab8010f5cc726159f026ab3c7ac1f563223f0f0e
Opcode Fuzzy Hash: bdfd84f6c9701a05742d9f42e6b2b60650ba66744531afc889ef059b2ffd0ea8
Instruction Fuzzy Hash: CA918A32304B4482EB11DB26E4943AA67A1F78DFE4F508225EF9E47BA5DF39C485C740

Function 0000000140043F56 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

TranslateName.LIBCMT ref: 0000000140043F65
TranslateName.LIBCMT ref: 0000000140043FA0
GetACP.KERNEL32 ref: 0000000140043FE5
IsValidCodePage.KERNEL32 ref: 000000014004400D
wcschr.LIBVCRUNTIME ref: 00000001400440A9
wcschr.LIBVCRUNTIME ref: 00000001400440B9

Strings

utf8, xrefs: 00000001400440F1

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: NameTranslatewcschr$CodePageValid
String ID: utf8
API String ID: 1874385749-905460609
Opcode ID: 729325e871a85ce5f2c7f5f9a08a93aa37d56540deb5dba6b0678be02ca46773
Instruction ID: 91ca68c8140d280e589dafe57849d4974e34aaebb9faccefc4bec3967a44f2f9
Opcode Fuzzy Hash: 729325e871a85ce5f2c7f5f9a08a93aa37d56540deb5dba6b0678be02ca46773
Instruction Fuzzy Hash: D151CF3230074081FB66AB63D8517EA22A1B79CBC8F465131FF1957AF6EB79C9858309

Function 000000014002C7AC Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002C7CC
std::_Lockit::_Lockit.LIBCPMT ref: 000000014002C7F1
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014002C81B
messages.LIBCPMT ref: 000000014002C875
std::_Facet_Register.LIBCPMT ref: 000000014002C88D
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014002C8AE
std::bad_alloc::bad_alloc.LIBCMT ref: 000000014002C8C8
_CxxThrowException.LIBVCRUNTIME ref: 000000014002C8D9

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessagesstd::bad_alloc::bad_alloc
String ID:
API String ID: 3381189198-0
Opcode ID: 76f9ef5c71c659f5f1f4834e2380bb2eb9c93cbd527c1338830184b00ed651b8
Instruction ID: 4079047e60921d5a4eacd1bfc8b8e4361d38bb245703b034bb5fad8123e31231
Opcode Fuzzy Hash: 76f9ef5c71c659f5f1f4834e2380bb2eb9c93cbd527c1338830184b00ed651b8
Instruction Fuzzy Hash: 92416D36624B4082EA179F27E8447D96761E78CBE4F68862AFB5D077B5DF38C846C700

Function 000000014001DB40 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 304threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000000014001DB89

Part of subcall function 000000014001D6F0: TlsGetValue.KERNEL32(?,?,00000000,?,0000000140014919,?,?,?,?,?,000000014000F85E), ref: 000000014001D702

CloseHandle.KERNEL32 ref: 000000014001DB70
GetCurrentThreadId.KERNEL32 ref: 000000014001DBFC
ReleaseSRWLockExclusive.KERNEL32 ref: 000000014001DCF1

Part of subcall function 000000014002AF40: std::invalid_argument::invalid_argument.LIBCONCRT ref: 000000014002AF4C
Part of subcall function 000000014002AF40: _CxxThrowException.LIBVCRUNTIME ref: 000000014002AF5D

ReleaseSRWLockExclusive.KERNEL32 ref: 000000014001DF27

Strings

list<T> too long, xrefs: 000000014001DD1B

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CloseExclusiveHandleLockRelease$CurrentExceptionThreadThrowValuestd::invalid_argument::invalid_argument
String ID: list<T> too long
API String ID: 145395645-4027344264
Opcode ID: d6598243f5ff30b940fcc3f9f6892aab7a4abc6ebcfddea3a599001563179127
Instruction ID: 65adc52f25f702c6738f59a48c7cf5a3cbcba261d426c5e1efcb01001d287612
Opcode Fuzzy Hash: d6598243f5ff30b940fcc3f9f6892aab7a4abc6ebcfddea3a599001563179127
Instruction Fuzzy Hash: 04B19C72700A8495EB66EB26E9583EA3365F74DBD4F844426EF0E4B7A5CF38C542C340

Function 0000000140046AC8 Relevance: 10.8, APIs: 7, Instructions: 291COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140046F03

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e3ac1d5e9ed4ac32e6b2b018d04df1d6b42878273c6c0e31cb2b30b93033a7b7
Instruction ID: 0d02d609397cf1b9d86cea3a92651cd1bfcdac7a35410420e0fa887e54e635b9
Opcode Fuzzy Hash: e3ac1d5e9ed4ac32e6b2b018d04df1d6b42878273c6c0e31cb2b30b93033a7b7
Instruction Fuzzy Hash: 38C1E33260468085EB639F73E4403EE6BA1F749BC4F560125FB46077B5EB39C845CB46

Function 000000014003D2A8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014003C2E0: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 000000014003C2E4

EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,8B4838246C8B4830,?,000000014003D188), ref: 000000014003D2F7
_CallSETranslator.LIBVCRUNTIME ref: 000000014003D33E
_GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 000000014003D385
CatchIt.LIBVCRUNTIME ref: 000000014003D4BE

Strings

RCC, xrefs: 000000014003D313
MOC, xrefs: 000000014003D30B

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CallCatchCheckEncodePointerRangeTranslatorTrys__vcrt_getptd_noexit
String ID: MOC$RCC
API String ID: 4033425306-2084237596
Opcode ID: a592995cad47d52b8a55b5ae00bc6bb7a67d97ae6ea27a47576e431a27d71624
Instruction ID: e005243617e2d577d383369f18f3e8e313041bdd80a419c96b328e72f09c6749
Opcode Fuzzy Hash: a592995cad47d52b8a55b5ae00bc6bb7a67d97ae6ea27a47576e431a27d71624
Instruction Fuzzy Hash: 77619E32204AC096EF26DF16E4807EEB7A1F788BC8F45451AEB4E83BA5CB38D555C701

Function 000000014004A9DC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,00001010,000000014004608D), ref: 000000014004AA0D
GetLastError.KERNEL32(?,00001010,000000014004608D), ref: 000000014004AA19
CloseHandle.KERNEL32(?,00001010,000000014004608D), ref: 000000014004AA31
CreateFileW.KERNEL32 ref: 000000014004AA5C
WriteConsoleW.KERNEL32 ref: 000000014004AA7B

Strings

CONOUT$, xrefs: 000000014004AA3D

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 4ea95f97eb49aa4939c551ce902c7b59029855f23d7bcdc886ab8c16c7f1fbe5
Instruction ID: 7431b52f088fb401e1fafba6754282c5e9de66c85996500712331e5ea32af496
Opcode Fuzzy Hash: 4ea95f97eb49aa4939c551ce902c7b59029855f23d7bcdc886ab8c16c7f1fbe5
Instruction Fuzzy Hash: E511DA32310A808AE752AB03EC643A9A3A1F38CBE5F240224FB5D837A0CF7CC8148740

Function 0000000140004660 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

GetSidLengthRequired.ADVAPI32 ref: 00000001400046D6
InitializeSid.ADVAPI32 ref: 00000001400046F0
GetSidSubAuthority.ADVAPI32 ref: 0000000140004731
IsValidSid.ADVAPI32 ref: 0000000140004740
GetLengthSid.ADVAPI32 ref: 000000014000474F
CopySid.ADVAPI32 ref: 000000014000476A

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Length$AuthorityCopyInitializeRequiredValid
String ID:
API String ID: 4248086415-0
Opcode ID: e3aaf5f443248a1a9dd90b6a0cbbb8c135624ca7fff00c2903f63cbc039e7cc1
Instruction ID: f7fa9a91afe40eaa7d20bd4e56aa78bb325bce024222a2882c9da7ee39f737ea
Opcode Fuzzy Hash: e3aaf5f443248a1a9dd90b6a0cbbb8c135624ca7fff00c2903f63cbc039e7cc1
Instruction Fuzzy Hash: 7E319EB2228A8082EB52EB22F8547ED27A5F7887C4F854425EB4D836B2DF3CC449C744

Function 000000014000C5E0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 260fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000014000C665
GetCurrentDirectoryW.KERNEL32 ref: 000000014000C691
GetModuleFileNameW.KERNEL32 ref: 000000014000C706
CreateFileW.KERNEL32 ref: 000000014000C9B1

Strings

debug.log, xrefs: 000000014000C819, 000000014000C933

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: File$Create$CurrentDirectoryModuleName
String ID: debug.log
API String ID: 4120427848-600467936
Opcode ID: eaa3c89e03e8743818b7a375fa252fb9b5b091f5f26922d95015675013321713
Instruction ID: a8f2bc9e107df9cbf680e32319cd50c561e540ba3bba38b9dfe580de22cd6908
Opcode Fuzzy Hash: eaa3c89e03e8743818b7a375fa252fb9b5b091f5f26922d95015675013321713
Instruction Fuzzy Hash: 13B19BB2215B4092EB12CB12EA087E96361F789BC0F544626EB5E477B4DF7CC5A5C380

Function 000000014001F8F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strstr.LIBVCRUNTIME ref: 000000014001F9DA
strstr.LIBVCRUNTIME ref: 000000014001FA1A

Strings

Collections of all histograms, xrefs: 000000014001F957
Collections of histograms for %s, xrefs: 000000014001F929

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: strstr
String ID: Collections of all histograms$Collections of histograms for %s
API String ID: 1392478783-1894274736
Opcode ID: 6a38db52d99570661431df614d1fa76ae44420b2a1313d61ac28fdc1a10416c0
Instruction ID: 18e4c61fa57ab8a671a39e7e54fc26b3cce6352a8a8e3b227f1a3748e26862af
Opcode Fuzzy Hash: 6a38db52d99570661431df614d1fa76ae44420b2a1313d61ac28fdc1a10416c0
Instruction Fuzzy Hash: AD61BEB6210A8081EA12EF13E4543EA6760F78DBC8F889112FF4E1B7A5DF79C585E300

Function 000000014000C3A6 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000000014000C4E9
DeleteFileW.KERNEL32 ref: 000000014000C5A2

Part of subcall function 0000000140009420: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140009513

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000C5D4

Strings

], xrefs: 000000014000C440
vmodule, xrefs: 000000014000C3A6, 000000014000C3E6

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseDeleteFileHandle
String ID: vmodule$]
API String ID: 4078075412-393197275
Opcode ID: 458a696ecc4fedc3ace4e094e4b0da3d2e40976a4df703997200a64392c106fe
Instruction ID: 70b8e51237148cc4a2868020af47202c104ebdf182741b3ce0aa73bd74b5f146
Opcode Fuzzy Hash: 458a696ecc4fedc3ace4e094e4b0da3d2e40976a4df703997200a64392c106fe
Instruction Fuzzy Hash: D35167B2711A4085FA06DB63E9543ED23A2B74DBD8F540925EB1E4BBF6DF38C5858340

Function 00000001400323D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000001400323F4
GetProcAddress.KERNEL32 ref: 000000014003240A
FreeLibrary.KERNEL32 ref: 0000000140032427

Strings

CorExitProcess, xrefs: 0000000140032403
mscoree.dll, xrefs: 00000001400323EB

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 49bea8142319ea412d631d54bdbc5441e5c5eafe40cc1d3c0e68bffafd1ce3b8
Instruction ID: 221ae9ca5d134b3330b421e37d4866d1721bfc3384aff5dd226d045a44ca6bd2
Opcode Fuzzy Hash: 49bea8142319ea412d631d54bdbc5441e5c5eafe40cc1d3c0e68bffafd1ce3b8
Instruction Fuzzy Hash: 8CF01CB1322B40C1FF5B9B62E8943E92361AB8CBD1F581829B65F87674DF78C598C710

Function 0000000140035B60 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140035BA4

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ecc53bb1b7fb3251e6413e2f774571122fb093c472ca1a89e23a17bd22217c4
Instruction ID: ec43d4fcb8152318b520dce10abbfc58bde0a832cf4e73b347d60944a2479698
Opcode Fuzzy Hash: 9ecc53bb1b7fb3251e6413e2f774571122fb093c472ca1a89e23a17bd22217c4
Instruction Fuzzy Hash: 1781AB3262065099FB63AFA3A8803EE6BA1B74DBC6F544115FF0A57BB5DB34C842C710

Function 0000000140047684 Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000001400476C0
_set_statfp.LIBCMT ref: 00000001400476DE
_set_statfp.LIBCMT ref: 0000000140047707
_set_statfp.LIBCMT ref: 00000001400478C0

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 01032c4e6f80079aaa0163cc4061c76cee70a41106028d5f9ce773fb58371ca6
Instruction ID: c93827035d380859f71fab8edc66e6afb27ecf047f62f52f2aba1b16f40f4aba
Opcode Fuzzy Hash: 01032c4e6f80079aaa0163cc4061c76cee70a41106028d5f9ce773fb58371ca6
Instruction Fuzzy Hash: 1251E536514D4485F6239F3AE854BEA6361BB483E0F568629BF5E2B5F1DF34C481C608

Function 00000001400033C0 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcab97e30e5d3b5d3c175338324b60c8ccdc4847c939da449d9d1d1adbf1604
Instruction ID: 5f9026a8de8196ee3fb803fcd9051761d0f4207d4d701bcfddae4215b1a8463f
Opcode Fuzzy Hash: 8bcab97e30e5d3b5d3c175338324b60c8ccdc4847c939da449d9d1d1adbf1604
Instruction Fuzzy Hash: 754182B2715A8141FB5BEB23B8653EA16959B8DBC0F18C428BB4E4B7F3DE38D4418341

Function 000000014001D210 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000000014001D244
TlsSetValue.KERNEL32 ref: 000000014001D2AE
ReleaseSRWLockExclusive.KERNEL32 ref: 000000014001D309
TlsSetValue.KERNEL32 ref: 000000014001D393
_Init_thread_header.LIBCMT ref: 000000014001D3BE

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Value$ExclusiveInit_thread_headerLockRelease
String ID:
API String ID: 1047916916-0
Opcode ID: 869f4b7815926199aab956de5f2697b90f2fd38dee0eab01114aef5e23c1cdc1
Instruction ID: fb1ff2217132ca7b52c4bcc360608883e2caa67f68411662646c81ae60cebe06
Opcode Fuzzy Hash: 869f4b7815926199aab956de5f2697b90f2fd38dee0eab01114aef5e23c1cdc1
Instruction Fuzzy Hash: F941EF7130154086FA26EB13E9503EA7392E78EBE0F544625FF1A4B7B5DE39C981C780

Function 000000014000F5C0 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014000F5E8
std::_Lockit::_Lockit.LIBCPMT ref: 000000014000F607
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000F633
std::_Facet_Register.LIBCPMT ref: 000000014000F6D7
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000F6F1

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 4812b73ae06796cef755c0ccbe3446291c9315d5754afe408e2765dd677ff2c6
Instruction ID: d492af4a1242d271393f1479aee684e523e94e5ca67f37b166736a0ad7114083
Opcode Fuzzy Hash: 4812b73ae06796cef755c0ccbe3446291c9315d5754afe408e2765dd677ff2c6
Instruction Fuzzy Hash: 94319C72205A4081FE26EB13E9553E973A1FB9CBD8F598026AB4D07BB5DF39C946D300

Function 000000014001D590 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(028B0830,00000204,?,000000014001D462,00000204,?,?,?,000000014001D755,?,?,00000000,000000014001D957), ref: 000000014001D600
TlsFree.KERNEL32(028B0830,00000204,?,000000014001D462,00000204,?,?,?,000000014001D755,?,?,00000000,000000014001D957), ref: 000000014001D61A
TlsGetValue.KERNEL32(028B0830,00000204,?,000000014001D462,00000204,?,?,?,000000014001D755,?,?,00000000,000000014001D957), ref: 000000014001D628
TlsSetValue.KERNEL32(?,?,000000014001D755,?,?,00000000,000000014001D957,?,?,?,?,00000000,028B0830,00000000,000000014001DAE2,00000000), ref: 000000014001D64D
TlsSetValue.KERNEL32(?,?,000000014001D755,?,?,00000000,000000014001D957,?,?,?,?,00000000,028B0830,00000000,000000014001DAE2,00000000), ref: 000000014001D676

Part of subcall function 00000001400267E0: TlsAlloc.KERNEL32(028B0830,00000204,?,000000014001D462,00000204,?,?,?,000000014001D755,?,?,00000000,000000014001D957), ref: 00000001400267E8

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Value$Free$Alloc
String ID:
API String ID: 4173863045-0
Opcode ID: 260cda8b93150db8185e1c9eaacd02b936848e04ff169c4ecd2c53a06053427d
Instruction ID: 5ae05deffcb046404fc52b5cf309c4f92fcfc2c68e5336b39db370b7d2932cc4
Opcode Fuzzy Hash: 260cda8b93150db8185e1c9eaacd02b936848e04ff169c4ecd2c53a06053427d
Instruction Fuzzy Hash: BC31BF31B005404AF66AEBB289117ED33629B8C7E8F504618BF1E1FBE5DE388D068240

Function 000000014000F0F0 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014000F0F7
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000F123
_Getctype.LIBCPMT ref: 000000014000F1CC
std::_Facet_Register.LIBCPMT ref: 000000014000F1F4
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014000F20E

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::~_$Facet_GetctypeLockit::_Register
String ID:
API String ID: 1838228655-0
Opcode ID: 5731ed39b5e534b82a173c049f94d7171117b38f5231929d98a57f03d514fe09
Instruction ID: 13811ad3c4311a3ffd31fe86599d81dd74af767cb4f31c7ada50147cb5d8ed17
Opcode Fuzzy Hash: 5731ed39b5e534b82a173c049f94d7171117b38f5231929d98a57f03d514fe09
Instruction Fuzzy Hash: 8931CE72205A4081FB22EB22E5543EA73A1FB9CBC4F058119EB4D03BB6EF38C981D340

Function 0000000140004820 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetSecurityDescriptorControl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014000480A), ref: 0000000140004855
GetSecurityDescriptorOwner.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014000480A), ref: 0000000140004885
GetSecurityDescriptorGroup.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014000480A), ref: 00000001400048A2
GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014000480A), ref: 00000001400048C4
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,000000014000480A), ref: 00000001400048EF

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: DescriptorSecurity$ControlDaclGroupOwnerSacl
String ID:
API String ID: 1158139820-0
Opcode ID: f532b273829567dfbc9fe9c56d968e40025db91d5bb5eb4e446e9836dfb3a2aa
Instruction ID: e3b7c209faba04e01b9c88fe7fda2d10ffd7859f9f703cf254e113f97d457f19
Opcode Fuzzy Hash: f532b273829567dfbc9fe9c56d968e40025db91d5bb5eb4e446e9836dfb3a2aa
Instruction Fuzzy Hash: CB210AB2204A8681EB11DF53F9547EBA361E789BC4F449012FB8E57AB9CF38C586D740

Function 0000000140046104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000014004612C
_set_statfp.LIBCMT ref: 0000000140046147
_set_statfp.LIBCMT ref: 0000000140046163
_set_statfp.LIBCMT ref: 000000014004619F

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 957ff9fc767acefb1201c42b4cc893eb63bc4eaccbccbc47b6bc2eaae864688a
Instruction ID: f4c14f8190d932ae3cc72b094c4ad8df8dfdcc753cc42fb17640887478a4bd4c
Opcode Fuzzy Hash: 957ff9fc767acefb1201c42b4cc893eb63bc4eaccbccbc47b6bc2eaae864688a
Instruction Fuzzy Hash: 0211C636E10B1005FA662A3AD4423E511406B5C3F4F4F0A35FB7B0B3FBAB3488414A1A

Function 0000000140041FD8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014004201B

Strings

-, xrefs: 00000001400421FD
gfff, xrefs: 000000014004213D
e+000, xrefs: 00000001400420C0

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$e+000$gfff
API String ID: 3215553584-2620144452
Opcode ID: c33bfb3497739c1c153d770dd76b0a8cf9a6fe73c3b968890d656d9d337118c7
Instruction ID: b456f15578aa0d0b3228bb8d86f0c5889ccd7c58213d134bbf09c65441a8bdce
Opcode Fuzzy Hash: c33bfb3497739c1c153d770dd76b0a8cf9a6fe73c3b968890d656d9d337118c7
Instruction Fuzzy Hash: 9A6104727147C486E7268F36E9403D97791E399BD0F898235EBA847BEADB39C445C700

Function 0000000140030E00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140030E27
_invalid_parameter_noinfo.LIBCMT ref: 0000000140030FFB

Strings

, xrefs: 0000000140030F84
*, xrefs: 0000000140030F33

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: eedf139915a376f1688f8bfd5fe434b474aa0ba93430a1d5eeea7afcd662c7ab
Instruction ID: 0932e2c879d69d093859d60141680c21b95bb4b976f48e40ccf0854a7d6c1c34
Opcode Fuzzy Hash: eedf139915a376f1688f8bfd5fe434b474aa0ba93430a1d5eeea7afcd662c7ab
Instruction Fuzzy Hash: F8515C721066448EE77B8E2AC0653EE3BA0F30EB99F641625EB46476F9C779C581CB01

Function 000000014003C484 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000014003C56D
_CreateFrameInfo.LIBVCRUNTIME ref: 000000014003C596
__DestructExceptionObject.LIBVCRUNTIME ref: 000000014003C69C

Strings

csm, xrefs: 000000014003C66F

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CreateDestructExceptionFrameInfoObject__except_validate_context_record
String ID: csm
API String ID: 146877497-1018135373
Opcode ID: e47b124cfe08c94bcfbc648c85ae479e4d478ed0c40c0e2fd9d91b3f2794d879
Instruction ID: 9351b86357ea298ac50d4699110ef244c1ae61dbe51141e20b64236156f02441
Opcode Fuzzy Hash: e47b124cfe08c94bcfbc648c85ae479e4d478ed0c40c0e2fd9d91b3f2794d879
Instruction Fuzzy Hash: 03515E76225A4082EA72DB62E540BAF77A4F78CBD4F141215EF8D87BA5CF34C4A2C704

Function 0000000140028CD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140028E0A

Strings

UMA.NegativeSamples.Reason, xrefs: 0000000140028D02
UMA.NegativeSamples.Histogram, xrefs: 0000000140028D94
UMA.NegativeSamples.Increment, xrefs: 0000000140028D45

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: UMA.NegativeSamples.Histogram$UMA.NegativeSamples.Increment$UMA.NegativeSamples.Reason
API String ID: 3668304517-2026303189
Opcode ID: 2f96a78d121b2c02d1739ab812b9c4de60d5240caf380631e6d437b52701f41f
Instruction ID: 1ab0635f6fbb9dec2664796250aca18658d5eaea41bce2cd1c32bd531c482fb5
Opcode Fuzzy Hash: 2f96a78d121b2c02d1739ab812b9c4de60d5240caf380631e6d437b52701f41f
Instruction Fuzzy Hash: 0D319832300A0086EB26DB16E8503EA2762A79DBE8F104225FF5E477F5DE3DC9818700

Function 0000000140026080 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400261C4

Strings

</PRE>, xrefs: 0000000140026175
<PRE>, xrefs: 00000001400260B8
<br>, xrefs: 0000000140026109

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: </PRE>$<PRE>$<br>
API String ID: 3668304517-4186555117
Opcode ID: 1d39f2e2bfdc6639cf831771faf3563d9b82d00fa31697b6ce6a59b3c2e540b8
Instruction ID: 1c342437767d1f29adfb8d114672c5e296407bd0c1b8ed7007bf18a54d60f921
Opcode Fuzzy Hash: 1d39f2e2bfdc6639cf831771faf3563d9b82d00fa31697b6ce6a59b3c2e540b8
Instruction Fuzzy Hash: 4631087221468482EB15CF22E4583DEB362F78DBC4F848115FB4A0BBA5DF7CD4818304

Function 00000001400193D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140019514

Strings

<br>, xrefs: 0000000140019459
</PRE>, xrefs: 00000001400194C5
<PRE>, xrefs: 0000000140019408

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: </PRE>$<PRE>$<br>
API String ID: 3668304517-4186555117
Opcode ID: db0ab4fb01cb98913ec937c680cd62f70097bc38d4cb934e6004fb5544332502
Instruction ID: bd461fd786b1fb8604333b7d702e0fb9697e2827cc7cba3737c0052bc4cb4080
Opcode Fuzzy Hash: db0ab4fb01cb98913ec937c680cd62f70097bc38d4cb934e6004fb5544332502
Instruction Fuzzy Hash: 4B31A872214A8482EB25DF16E5583DEB362F79DBD4F809111FB5A0BBA9DF7DC1828304

Function 000000014003C5EA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003C2E0: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 000000014003C2E4

__DestructExceptionObject.LIBVCRUNTIME ref: 000000014003C612
RaiseException.KERNEL32 ref: 000000014003C63B
__DestructExceptionObject.LIBVCRUNTIME ref: 000000014003C69C

Strings

csm, xrefs: 000000014003C66F

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
String ID: csm
API String ID: 2280078643-1018135373
Opcode ID: 8eb77453e360597db13ca8bfdc4094f1a4c681d4697f7193f2b3ce661c832256
Instruction ID: 5b25346a811018f5ab2de87346879d4de3c0d17ae187557b8159a01a7bd65268
Opcode Fuzzy Hash: 8eb77453e360597db13ca8bfdc4094f1a4c681d4697f7193f2b3ce661c832256
Instruction Fuzzy Hash: 1021277A21468086E672DF12E04179FB7A1F78CBE5F041215EF9983BA5CB39D896CB01

Function 0000000140035E40 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0000000140035E9D
WriteFile.KERNEL32(?,?,?,?,?,?,00000F70,0000000140035D0A), ref: 0000000140035FA3
WriteFile.KERNEL32(?,?,?,?,?,?,00000F70,0000000140035D0A), ref: 0000000140035FE4
GetLastError.KERNEL32(?,?,?,?,?,?,00000F70,0000000140035D0A), ref: 0000000140036023

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLast
String ID:
API String ID: 765721374-0
Opcode ID: b484540da893ce3f60eb248466d1d5446548579533a9d43ec1a64b44ad004b84
Instruction ID: 04820718e60021bfe332ca4c72e3f708913f3e8b6a7a49d763d097faf82a789d
Opcode Fuzzy Hash: b484540da893ce3f60eb248466d1d5446548579533a9d43ec1a64b44ad004b84
Instruction Fuzzy Hash: DF51BC32B10A9089E712DF76E8843DE3BB0F748B88F149515EF4A57BA5DB34C156C700

Function 000000014002AD20 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002AD3E
std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 000000014002AD52

Part of subcall function 000000014002ABB4: _Yarn.LIBCPMT ref: 000000014002AC0B

_Yarn.LIBCPMT ref: 000000014002AD8F

Part of subcall function 000000014002C5BC: EncodePointer.KERNEL32 ref: 000000014002C5D6

std::_Lockit::~_Lockit.LIBCPMT ref: 000000014002ADD4

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: LockitYarnstd::_$EncodeLocimpLocimp::_Lockit::_Lockit::~_New_Pointerstd::locale::_
String ID:
API String ID: 4002550820-0
Opcode ID: 6dfd48ab791f7fa1d02d84773a632d048f90c95e930a5cd67147775ab62f23b2
Instruction ID: bd24c1c6cd242dcb2fa84b023521f00ba135106d7348547dab413066f60d6a59
Opcode Fuzzy Hash: 6dfd48ab791f7fa1d02d84773a632d048f90c95e930a5cd67147775ab62f23b2
Instruction Fuzzy Hash: 6D11C631200A4592EB129F26EC543D96762B74EBD4F694629EB5D473B6DF3CC889C304

Function 000000014001E800 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 000000014001EDF9
gfffffff, xrefs: 000000014001EE49

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID:
String ID: gfffffff$gfffffff
API String ID: 0-161084747
Opcode ID: 6d15a5503dde6a9a9877c42e2de021fff651b7f9b39933c09bf4425d77bb2650
Instruction ID: 6a3bb84b5422b1cdd29ae0cfaa38cb5aa79d2de2390f2598ef1b521682f13c97
Opcode Fuzzy Hash: 6d15a5503dde6a9a9877c42e2de021fff651b7f9b39933c09bf4425d77bb2650
Instruction Fuzzy Hash: A2519DB2B11A8492EE158B16E98879D6690FB4CBF4F194725EF7E07BE0EE34C090C300

Function 0000000140006F80 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400070C7

Part of subcall function 000000014002AF20: std::bad_alloc::bad_alloc.LIBCMT ref: 000000014002AF29
Part of subcall function 000000014002AF20: _CxxThrowException.LIBVCRUNTIME ref: 000000014002AF3A

Strings

true, xrefs: 0000000140007070
false, xrefs: 0000000140007041

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrowstd::bad_alloc::bad_alloc
String ID: false$true
API String ID: 1680350287-2658103896
Opcode ID: 978d4bb9d0162cf6d5ccc7ea78d9efdc1fa57f2a0f1c18e00ccbe7612d0ddab1
Instruction ID: a64c3aebb81d18948b8216bfa6aa155adaa8bcd5ed7f58db57b8746caebb0f7a
Opcode Fuzzy Hash: 978d4bb9d0162cf6d5ccc7ea78d9efdc1fa57f2a0f1c18e00ccbe7612d0ddab1
Instruction Fuzzy Hash: 5E41D672605B8481EA67DB27B5517EA3750975D7C0F484225EB8D07BA2EE3DC546C300

Function 0000000140033D18 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140033D4A

Part of subcall function 000000014003DD34: HeapFree.KERNEL32(?,?,?,000000014004391B,?,?,?,00000001400434C3,?,?,?,0000000140043E10,?,?,?,0000000140043D1B), ref: 000000014003DD4A
Part of subcall function 000000014003DD34: GetLastError.KERNEL32(?,?,?,000000014004391B,?,?,?,00000001400434C3,?,?,?,0000000140043E10,?,?,?,0000000140043D1B), ref: 000000014003DD5C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,000000014002DC96), ref: 0000000140033D68

Strings

C:\Users\user\Desktop\3lOLt0TUE4.exe, xrefs: 0000000140033D56

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\3lOLt0TUE4.exe
API String ID: 3580290477-1849602671
Opcode ID: 9d8ff803844faf7c630714e7033d477acb144e7a54747c11ed1e3aa1343a756a
Instruction ID: 2d4d58bed62a85027691c5abd25b84b328c765bbd999de622c1ca60ff95a1307
Opcode Fuzzy Hash: 9d8ff803844faf7c630714e7033d477acb144e7a54747c11ed1e3aa1343a756a
Instruction Fuzzy Hash: C2415936201B5086EB17EF27E8813EA77A5E748BD4F55442AFB4A4BBA5DF38C4818300

Function 0000000140036278 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00001010,00001010,00001010,0000000140035D60), ref: 000000014003638F
GetLastError.KERNEL32(?,?,00001010,00001010,00001010,0000000140035D60), ref: 00000001400363B1

Strings

U, xrefs: 000000014003633B

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: bddbc8ad406f15b80bb6157fcdd3446ead256ecbf1be863d66aedaebb71ec528
Instruction ID: 7b5ffe6af83c96b0b87fc1e147cf42f9cb90fa3617bb97e028700c967ae7a9ee
Opcode Fuzzy Hash: bddbc8ad406f15b80bb6157fcdd3446ead256ecbf1be863d66aedaebb71ec528
Instruction Fuzzy Hash: 55419F32314A8086EB229F26E8447EA67A1F38C7D4F948025EF4D877A8DB38C501C740

Function 0000000140048210 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 0000000140048382

Strings

powf, xrefs: 000000014004837B
", xrefs: 000000014004832D

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 829b591893e5008f8e335f31da3d531be945cb2b459a9d0dce0cc27c413e041c
Instruction ID: 188d31caac00246d88c1fda39f1867b5fa8f99f4dbd246e9185b6f4d8bff76d4
Opcode Fuzzy Hash: 829b591893e5008f8e335f31da3d531be945cb2b459a9d0dce0cc27c413e041c
Instruction Fuzzy Hash: 5B412173924680DFE370CF22E4847EEBAA0F39D788F112319F745029A8DB79C554AB44

Function 0000000140013FBE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 0000000140013FC3

Part of subcall function 000000014001D6F0: TlsGetValue.KERNEL32(?,?,00000000,?,0000000140014919,?,?,?,?,?,000000014000F85E), ref: 000000014001D702

Strings

ActivityTracker.ThreadTrackers.MemLimitTrackerCount, xrefs: 0000000140014089
ActivityTracker.ThreadTrackers.Count, xrefs: 0000000140014041

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: ExclusiveLockReleaseValue
String ID: ActivityTracker.ThreadTrackers.Count$ActivityTracker.ThreadTrackers.MemLimitTrackerCount
API String ID: 3065551114-324972283
Opcode ID: 5775061a5afecb2115db08986a1b29ef5382e95547c2a9d2b08fb225f2a613b8
Instruction ID: 67449696d257c4c9cf5aac991ba5c2fa64811ff62e9c2359472728c9c9eeb2d7
Opcode Fuzzy Hash: 5775061a5afecb2115db08986a1b29ef5382e95547c2a9d2b08fb225f2a613b8
Instruction Fuzzy Hash: 89215C31301A4086EB629F17E9903DA62A5F38CBD4F504129EF4E8BBB1DF7ED6518741

Function 00000001400483A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00000001400484B2

Strings

pow, xrefs: 00000001400484A1
", xrefs: 000000014004848B

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 3787674d59328094a88149cdf8d12cce7860cc7486e7b0e0c182d9fa44ef1dc7
Instruction ID: 27ae27021fd05bc4aff94b1fb3dfb32523a316740f8b85ec68c6229c868d3449
Opcode Fuzzy Hash: 3787674d59328094a88149cdf8d12cce7860cc7486e7b0e0c182d9fa44ef1dc7
Instruction Fuzzy Hash: 38212D72918AC487E371CF11E4447AFBAA0F7DE384F212715FB8506965D7BDC1859B04

Function 0000000140047940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 00000001400479EC
_set_errno_from_matherr.LIBCMT ref: 0000000140047A00

Strings

pow, xrefs: 0000000140047967

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: pow
API String ID: 1187470696-2276729525
Opcode ID: 917cdf0490dccf3f4620b9dab4735aed81eeb179ef8d5f3284563aaa539fe56f
Instruction ID: dea15a066a8b1088c758d1a4ccaccafa0e1a65ee9085ad227d6c9241649b84e7
Opcode Fuzzy Hash: 917cdf0490dccf3f4620b9dab4735aed81eeb179ef8d5f3284563aaa539fe56f
Instruction Fuzzy Hash: 3B213076619684CBE761DF29E48079AB7A0F79D780F511625FB8D83B66DB3CC8408F04

Function 000000014003EC9C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003ECD5
LCMapStringW.KERNEL32 ref: 000000014003ED5D

Strings

LCMapStringEx, xrefs: 000000014003ECC9

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 3884e0b63a8c96efe407d3432f9ddbc462819470e36a17f86fe60df43b273216
Instruction ID: 32921ae9604b6e7a91068b94d0e7bb4e28e5e3147340e8e0d8bc24defe51629a
Opcode Fuzzy Hash: 3884e0b63a8c96efe407d3432f9ddbc462819470e36a17f86fe60df43b273216
Instruction Fuzzy Hash: 3E11C436608B8086D761CB56B4803DAB7A5F7CDBD4F584126EF8D83B69CF38C5548B40

Function 00000001400464C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 0000000140046546

Strings

", xrefs: 000000014004651F
exp, xrefs: 0000000140046535

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _handle_error
String ID: "$exp
API String ID: 1757819995-2878093337
Opcode ID: a6d7bfb3a6d47cfe190d8e7df2d7e6f097575f1f12928ecf6e72c9d0be14eb34
Instruction ID: 3e1030e6c8eede1e5b8d0290e4b7063840aae134a90d8a299bb3142af507c940
Opcode Fuzzy Hash: a6d7bfb3a6d47cfe190d8e7df2d7e6f097575f1f12928ecf6e72c9d0be14eb34
Instruction Fuzzy Hash: 59016D76A24A8886E221CF35A4493EABAA0FFEA744F602305F7411A674D779D4859F00

Function 00000001400187F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140018845

Strings

Histogram.BadConstructionArguments, xrefs: 0000000140018BF0
Histogram.MismatchedConstructionArguments, xrefs: 0000000140018927

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Histogram.BadConstructionArguments$Histogram.MismatchedConstructionArguments
API String ID: 3668304517-1562091482
Opcode ID: d3f07b97601b995599a7c672edc3cd51021882322e7aec231143e27373290e56
Instruction ID: bc27cf14a5c30e382b19be256c059611988f9b21698056696276a34fb5f112ce
Opcode Fuzzy Hash: d3f07b97601b995599a7c672edc3cd51021882322e7aec231143e27373290e56
Instruction Fuzzy Hash: 58F0A76270004442FE7E969790583EC1202DB4DBF0F409610AB3D0FBE5DD79C8C18344

Function 000000014002B5D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002B5E3
std::_Lockit::~_Lockit.LIBCPMT ref: 000000014002B63A

Strings

MZx, xrefs: 000000014002B5EE

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: MZx
API String ID: 593203224-2575928145
Opcode ID: 0748977e3b2f55a0288a3cff7ac831c52b695268794c44e5de3e63df36cf93f9
Instruction ID: 327dc8da4074a523da4e651eba584555fbfbebde33221c7dc872eacf5b5388b5
Opcode Fuzzy Hash: 0748977e3b2f55a0288a3cff7ac831c52b695268794c44e5de3e63df36cf93f9
Instruction Fuzzy Hash: 39F02472B2278046EF42DB02E8597E4A291E75CBC8F98402AAB4D073A5EB3CC955C380

Function 000000014001D8B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,000000014001469C,00000000,00000000,?,?,?,000000014000F8F3,?,?,00000000,000000014000F7D1), ref: 000000014001D8C0
GetProcAddress.KERNEL32(?,?,?,?,000000014001469C,00000000,00000000,?,?,?,000000014000F8F3,?,?,00000000,000000014000F7D1), ref: 000000014001D8D0

Strings

GetHandleVerifier, xrefs: 000000014001D8C6

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: 6442d51f2bd7f140e5c80bc8190d34017e336b51f9de3beae020d983c35a97aa
Instruction ID: 625ebb09b676e6bd4fbcb7e9adef5f11e465bbe67a205c45669491cb32323155
Opcode Fuzzy Hash: 6442d51f2bd7f140e5c80bc8190d34017e336b51f9de3beae020d983c35a97aa
Instruction Fuzzy Hash: 37F0123071660181FF5EDB27A8553E532926B8C7C0F54882BB60F473B0DE3A80458360

Function 000000014003EB7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003EBA5
GetUserDefaultLCID.KERNEL32(?,?,000000A0,0000000140044864), ref: 000000014003EBBC

Strings

GetUserDefaultLocaleName, xrefs: 000000014003EB88, 000000014003EB92

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: DefaultUsertry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 3217810228-151340334
Opcode ID: 38115934365ac2b91385db30dd824bb08e78e3ee1b1ca3423f17699961fe7d81
Instruction ID: 4a69caa104e52205d9c3cb98012810ad93b3863fd0ffdbb213cd5739a6e59df3
Opcode Fuzzy Hash: 38115934365ac2b91385db30dd824bb08e78e3ee1b1ca3423f17699961fe7d81
Instruction Fuzzy Hash: 54F0373431458141FB179F57B9447FA6392AB4D7C4F545025BB0D47BB5CF39C4458700

Function 000000014003EBE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003EC11
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000003,0000000140030771), ref: 000000014003EC2B

Strings

InitializeCriticalSectionEx, xrefs: 000000014003EC05

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: ce3007e46195e6e95f029db1521970912dfba6121faffa4cef7bee6a34856249
Instruction ID: 6b0b1d677f8ba22b4523108f504932208e2309df771e299394aa8cee02130577
Opcode Fuzzy Hash: ce3007e46195e6e95f029db1521970912dfba6121faffa4cef7bee6a34856249
Instruction Fuzzy Hash: 88F05835214B8082FB069B43B8407EA2361AB8CBC0F589525FB4A03BA5CF39C986C750

Function 000000014003DA24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003DA4D
TlsSetValue.KERNEL32(?,?,?,000000014003C295,?,?,?,?,000000014002F15C,?,?,?,?,000000014002A4FB), ref: 000000014003DA64

Strings

FlsSetValue, xrefs: 000000014003DA3A

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 0bf3ebee11cad994176f0cb653be403563d196f2221c7de05fdab407c3f263ea
Instruction ID: 7ec5efc1aaed1997111329f75591f01e778e1b6eda0a38b19367794e7ccffa20
Opcode Fuzzy Hash: 0bf3ebee11cad994176f0cb653be403563d196f2221c7de05fdab407c3f263ea
Instruction Fuzzy Hash: 3FE0ED71605A40D2FB1B9B57F9447D97362A78CBC0F5C4426BB19476B5CE38CA848711

Function 000000014003EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003EACD
TlsSetValue.KERNEL32(?,?,?,000000014003E0E3,?,?,?,0000000140034629,?,?,?,?,000000014003D87A,?,?,00000000), ref: 000000014003EAE4

Strings

FlsSetValue, xrefs: 000000014003EABA

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: fbe1b1d18b61da2dcfad621472f8166ae1277451959b0802539174d15548c3d7
Instruction ID: d8b91e8c9cefe726aab317ba9c2b59223c998b511e20ba3ab6e03f3aa46ccf12
Opcode Fuzzy Hash: fbe1b1d18b61da2dcfad621472f8166ae1277451959b0802539174d15548c3d7
Instruction Fuzzy Hash: 5AE01275200A8091FB0B9B57F8447EA2362F78C7C0F584126BB19077B5CE3DD998C311

Function 000000014003EDE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000014003EE11
__crtDownlevelLocaleNameToLCID.LIBCPMT ref: 000000014003EE28

Strings

LocaleNameToLCID, xrefs: 000000014003EDF4, 000000014003EDFE

Memory Dump Source

Source File: 00000000.00000002.1818271468.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818256593.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818301544.000000014004C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818321337.0000000140065000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818336146.000000014006A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818352269.0000000140070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818367665.0000000140071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1818382089.0000000140072000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_3lOLt0TUE4.jbxd

Similarity

API ID: DownlevelLocaleName__crttry_get_function
String ID: LocaleNameToLCID
API String ID: 404522899-2050040251
Opcode ID: 112d6606d29657f3bad817a362e59555f30022a7cbc2007681e9591e3bab0754
Instruction ID: 56b3432f105bab3165cd02585cadaedc199a8481abcc3611402fb17c63e541bf
Opcode Fuzzy Hash: 112d6606d29657f3bad817a362e59555f30022a7cbc2007681e9591e3bab0754
Instruction Fuzzy Hash: A2E0927120068081FA07EB5BF4403EA2321AB8C3C0F584825BB19073B1CF39D985D310

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3lOLt0TUE4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 3lOLt0TUE4.exePID: 7548, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: 3lOLt0TUE4.exePID: 7548, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
3lOLt0TUE4.exe

Function 0000000140014CF0 Relevance: 64.9, APIs: 19, Strings: 18, Instructions: 188
libraryloaderCOMMON

Function 000000014000FFB0 Relevance: 11.5, Strings: 9, Instructions: 250
COMMON

Function 000000014000DEC0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237
windowCOMMON

Function 00000001400024F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMON

Function 00420080 Relevance: 5.0, APIs: 3, Instructions: 466
COMMON

Function 0000000140015450 Relevance: 3.1, APIs: 2, Instructions: 115
nativeCOMMON

Function 0000000140015620 Relevance: 3.1, APIs: 2, Instructions: 113
nativeCOMMON

Function 000000014000CF50 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 329
fileCOMMON

Function 0000000140015130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140
COMMON

Function 000000014000103F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
COMMON

Function 00408070 Relevance: 4.7, APIs: 3, Instructions: 236
COMMON

Function 0000000140008E00 Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Function 0000000140032434 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Function 000000014000E3C0 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Function 0000000140008C80 Relevance: 3.1, APIs: 2, Instructions: 106
COMMON