Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546257
MD5:	87514bcfa421057dc1575ec1630d78ff
SHA1:	012029171ff901f1cb5495059da47143d193923c
SHA256:	50c263fc02412062ca239e7419880678f797408a243d0a2140bc7bbb96a716c1
Tags:	exeuser-Bitsight
Infos:

Detection

NetSupport RAT

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionalty to change the wallpaper

Delayed program exit found

Sigma detected: Execution from Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

file.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 87514BCFA421057DC1575EC1630D78FF)

bild.exe (PID: 5732 cmdline: "C:\Users\Public\Netstat\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\Public\Netstat\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\bild.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\Public\Netstat\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000002.00000002.3888318749.0000000000262000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000002.00000003.2343699674.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000002.00000000.2041890788.0000000000262000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000002.00000002.3888424181.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: file.exe PID: 6604	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: file.exe PID: 6604	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: bild.exe PID: 5732	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: bild.exe PID: 5732	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.bild.exe.6fbb0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
2.0.bild.exe.260000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
2.2.bild.exe.260000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
2.2.bild.exe.6f9d0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
2.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
2.2.bild.exe.6e080000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0.3.file.exe.27c55aa6820.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.file.exe.27c55aa6820.0.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
2.2.bild.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.bild.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Netstat\bild.exe" , CommandLine: "C:\Users\Public\Netstat\bild.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Netstat\bild.exe, NewProcessName: C:\Users\Public\Netstat\bild.exe, OriginalFileName: C:\Users\Public\Netstat\bild.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6604, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\Public\Netstat\bild.exe" , ProcessId: 5732, ProcessName: bild.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 172.86.117.97, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Netstat\bild.exe, Initiated: true, ProcessId: 5732, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T17:06:03.056875+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49706	TCP
2024-10-31T17:06:41.336373+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49907	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T17:05:40.883894+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.5	49704	172.86.117.97	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Netstat\bild.exe	ReversingLabs: Detection: 28%
Source: C:\Users\Public\Netstat\remcmdstub.exe	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.6% probability

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,

2_2_110AD570

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\Public\Netstat\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcr100.i386.pdb source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000002.00000002.3890464582.000000006D021000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000002.00000002.3890900771.000000006FBB2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000002.00000002.3888318749.0000000000262000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000002.00000000.2041890788.0000000000262000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000002.00000002.3890806531.000000006F9D5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAB40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF75AAB40BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AACB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF75AACB190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AADFCA0 FindFirstFileExA,	0_2_00007FF75AADFCA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	2_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	2_2_11065890
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	2_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	2_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	2_2_1110AFD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_6D080F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_6D080F84
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_6D07EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_6D07EFE1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.5:49704 -> 172.86.117.97:443

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 172.67.68.212 172.67.68.212

Source: Joe Sandbox View

ASN Name: QUICKPACKETUS QUICKPACKETUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49907

Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.117.97
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.117.97
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.117.97
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://172.86.117.97/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 172.86.117.97Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: bild.exe, bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: bild.exe, bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htm
Source: bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: bild.exe, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: bild.exe, 00000002.00000003.2343699674.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3888424181.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: bild.exe, 00000002.00000002.3888424181.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp/
Source: bild.exe, 00000002.00000002.3888424181.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSX
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

2_2_1101F6B0

Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,		2_2_1101F6B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11032EE0 GetClipboardFormatNameA,SetClipboardData,		2_2_11032EE0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree,

2_2_110321E0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

2_2_110076F0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,

2_2_11113880

Source: Yara match	File source: 2.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.27c55aa6820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 5732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,

2_2_111158B0

Source: C:\Users\Public\Netstat\bild.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAAC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF75AAAC2F0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

2_2_1115DB40

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,

2_2_1102D330

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAAF930	0_2_00007FF75AAAF930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAB4928	0_2_00007FF75AAB4928
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC1F20	0_2_00007FF75AAC1F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAA5E24	0_2_00007FF75AAA5E24
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AACCE88	0_2_00007FF75AACCE88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AABA4AC	0_2_00007FF75AABA4AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC3484	0_2_00007FF75AAC3484
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AACB190	0_2_00007FF75AACB190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD0754	0_2_00007FF75AAD0754
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC4B98	0_2_00007FF75AAC4B98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AABBB90	0_2_00007FF75AABBB90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAB5B60	0_2_00007FF75AAB5B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD8C1C	0_2_00007FF75AAD8C1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD89A0	0_2_00007FF75AAD89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AABC96C	0_2_00007FF75AABC96C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC3964	0_2_00007FF75AAC3964
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC2AB0	0_2_00007FF75AAC2AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAA1AA4	0_2_00007FF75AAA1AA4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAE5AF8	0_2_00007FF75AAE5AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAB1A48	0_2_00007FF75AAB1A48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AADFA94	0_2_00007FF75AADFA94
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AABAF18	0_2_00007FF75AABAF18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAE2080	0_2_00007FF75AAE2080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC8DF4	0_2_00007FF75AAC8DF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD0754	0_2_00007FF75AAD0754
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC2D58	0_2_00007FF75AAC2D58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC53F0	0_2_00007FF75AAC53F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAC21D0	0_2_00007FF75AAC21D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AABF180	0_2_00007FF75AABF180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAAA310	0_2_00007FF75AAAA310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAAC2F0	0_2_00007FF75AAAC2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAA7288	0_2_00007FF75AAA7288
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAB126C	0_2_00007FF75AAB126C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAA4840	0_2_00007FF75AAA4840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AADC838	0_2_00007FF75AADC838
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAE2550	0_2_00007FF75AAE2550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AABB534	0_2_00007FF75AABB534
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAA76C0	0_2_00007FF75AAA76C0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110733B0	2_2_110733B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11029590	2_2_11029590
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11061C90	2_2_11061C90
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11033010	2_2_11033010
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11163220	2_2_11163220
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1102B5F0	2_2_1102B5F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11167485	2_2_11167485
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110454F0	2_2_110454F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1101B760	2_2_1101B760
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_111258B0	2_2_111258B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1101BBA0	2_2_1101BBA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11087C60	2_2_11087C60
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11070090	2_2_11070090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11080480	2_2_11080480
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1115E980	2_2_1115E980
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1101C9C0	2_2_1101C9C0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110088AB	2_2_110088AB
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11050D80	2_2_11050D80

Source: C:\Users\Public\Netstat\bild.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11146450 appears 615 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 110278E0 appears 47 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 1116F010 appears 37 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11029450 appears 1003 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 111603E3 appears 41 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 1105DD10 appears 291 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11081BB0 appears 44 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11164010 appears 32 times

Source: file.exe, 00000000.00000003.2039840028.0000027C55C10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepcicl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs file.exe

Source: classification engine

Classification label: mal84.rans.evad.winEXE@3/12@1/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAAB6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF75AAAB6D8

Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,		2_2_1109D440
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1109D4D0 AdjustTokenPrivileges,CloseHandle,		2_2_1109D4D0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize,

2_2_11115B70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAC8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF75AAC8624

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

2_2_11127E10

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\Public\Netstat

Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

Mutant created: NULL

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File written: C:\Users\Public\Netstat\client32.ini

Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 2283549 > 1048576

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\Public\Netstat\msvcr100.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msvcr100.i386.pdb source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000002.00000002.3890464582.000000006D021000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000002.00000002.3890900771.000000006FBB2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000002.00000002.3888318749.0000000000262000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000002.00000000.2041890788.0000000000262000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000002.00000002.3890806531.000000006F9D5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

2_2_11029590

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\Public\Netstat\__tmp_rar_sfx_access_check_6879453

Jump to behavior

Source: file.exe	Static PE information: section name: .didat
Source: file.exe	Static PE information: section name: _RDATA
Source: PCICL32.DLL.0.dr	Static PE information: section name: .hhshare

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAE5156 push rsi; retf	0_2_00007FF75AAE5157
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAE5166 push rsi; retf	0_2_00007FF75AAE5167
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1116F055 push ecx; ret	2_2_1116F068
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11169F49 push ecx; ret	2_2_11169F5C
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_6D022D80 push eax; ret	2_2_6D022D9E

Source: msvcr100.dll.0.dr

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\bild.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\PCICL32.DLL	Jump to dropped file

Source: C:\Users\Public\Netstat\bild.exe

2_2_11127E10

Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	2_2_11139090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	2_2_1115B1D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	2_2_11113290
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	2_2_110CB2B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	2_2_110CB2B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	2_2_110254A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,	2_2_110258F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	2_2_11023BA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	2_2_11024280
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11112670 IsIconic,GetTickCount,	2_2_11112670
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	2_2_111229D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	2_2_111229D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	2_2_110C0BB0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	2_2_1115ADD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	2_2_1115ADD0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_11143570

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_110B8200 Sleep,ExitProcess,

2_2_110B8200

Source: C:\Users\Public\Netstat\bild.exe	Window / User API: threadDelayed 420			Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Window / User API: threadDelayed 7939			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\HTCTL32.DLL	Jump to dropped file

Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_2-72354
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_2-74237
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_2-77130
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_2-76731

Source: C:\Users\Public\Netstat\bild.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_2-76870

Source: C:\Users\Public\Netstat\bild.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-72894

Source: C:\Users\Public\Netstat\bild.exe

API coverage: 5.1 %

Source: C:\Users\Public\Netstat\bild.exe TID: 6548	Thread sleep time: -86250s >= -30000s	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe TID: 4068	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe TID: 6548	Thread sleep time: -1984750s >= -30000s	Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\Public\Netstat\bild.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAB40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF75AAB40BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AACB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF75AACB190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AADFCA0 FindFirstFileExA,	0_2_00007FF75AADFCA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	2_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	2_2_11065890
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	2_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	2_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	2_2_1110AFD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_6D080F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_6D080F84
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_6D07EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_6D07EFE1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAD16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF75AAD16A4

Source: HTCTL32.DLL.0.dr	Binary or memory string: VMware
Source: HTCTL32.DLL.0.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: bild.exe, 00000002.00000003.2343788894.0000000005C0C000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3888424181.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3889718885.0000000005C0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.0.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.0.dr	Binary or memory string: VMWare
Source: bild.exe, 00000002.00000002.3888424181.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP3

Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node	graph_2-72422
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node	graph_2-73052
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node	graph_2-76546

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAD3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF75AAD3170

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState,

2_2_11147750

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_6D0A6C74 VirtualProtect ?,-00000001,00000104,?

2_2_6D0A6C74

Source: C:\Users\Public\Netstat\bild.exe

2_2_11029590

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAE0D20 GetProcessHeap,

0_2_00007FF75AAE0D20

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD3354 SetUnhandledExceptionFilter,	0_2_00007FF75AAD3354
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF75AAD2510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF75AAD3170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75AAD76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF75AAD76D8
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	2_2_11093080
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,	2_2_110310C0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_11161D01
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1116DD89
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_6D0AADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	2_2_6D0AADFC

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError,

2_2_110F4560

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AACB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF75AACB190

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event,

2_2_1111FCA0

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"

Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

2_2_1109E190

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

2_2_1109E910

Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Progman

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AABDC70 cpuid

0_2_00007FF75AABDC70

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00007FF75AACA2CC
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	2_2_11173A35
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	2_2_11173D69
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_11173CC6
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoA,	2_2_1116B38E
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_11173933
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	2_2_111739DA
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_1117383E
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_11173D2D
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_11173C06

Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

2_2_110F33F0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAD0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF75AAD0754

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA,

2_2_1103B160

Source: C:\Users\Public\Netstat\bild.exe

Code function: 2_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache,

2_2_11174AE9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75AAB4EB0 GetVersionExW,

0_2_00007FF75AAB4EB0

Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,		2_2_11070090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 2_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,		2_2_110D8200

Source: Yara match	File source: 2.2.bild.exe.6fbb0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bild.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bild.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bild.exe.6f9d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bild.exe.6e080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.27c55aa6820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3888318749.0000000000262000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2343699674.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2041890788.0000000000262000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3888424181.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 5732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Netstat\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\bild.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	4 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	2 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	13 Process Injection	1 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	53%	ReversingLabs	Win64.Trojan.NetSupport

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Netstat\HTCTL32.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\PCICHEK.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\PCICL32.DLL	12%	ReversingLabs
C:\Users\Public\Netstat\TCCTL32.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\bild.exe	29%	ReversingLabs	Win32.Trojan.NetSupport
C:\Users\Public\Netstat\msvcr100.dll	0%	ReversingLabs
C:\Users\Public\Netstat\pcicapi.dll	3%	ReversingLabs
C:\Users\Public\Netstat\remcmdstub.exe	13%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geo.netsupportsoftware.com	172.67.68.212	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp	false		unknown
http://172.86.117.97/fakeurl.htm	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.aspSX	bild.exe, 00000002.00000002.3888424181.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.pci.co.uk/support	file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		unknown
http://%s/testpage.htmwininet.dll	bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		unknown
http://www.pci.co.uk/supportsupport	file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		unknown
http://www.symauth.com/rpa00	file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false	URL Reputation: safe	unknown
http://127.0.0.1RESUMEPRINTING	file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		unknown
http://geo.netsupportsoftware.com/location/loca.asp/	bild.exe, 00000002.00000002.3888424181.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://%s/testpage.htm	bild.exe, bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false		unknown
http://www.netsupportschool.com/tutor-assistant.asp11(	file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		unknown
http://127.0.0.1	bild.exe, bild.exe, 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		unknown
http://www.symauth.com/cps0(	file.exe, 00000000.00000003.2039840028.0000027C55C7D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false	URL Reputation: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp	file.exe, 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		unknown
http://%s/fakeurl.htm	bild.exe, bild.exe, 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.68.212	geo.netsupportsoftware.com	United States		13335	CLOUDFLARENETUS	false
172.86.117.97	unknown	United States		46261	QUICKPACKETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546257
Start date and time:	2024-10-31 17:04:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal84.rans.evad.winEXE@3/12@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 172 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
12:06:16	API Interceptor	13250674x Sleep call for process: bild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.68.212	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	8hN4C25a0O.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	FakturaPDF.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	JbZaDxFXF3.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT, LummaC Stealer, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	MDE_File_Sample_fb7baecc9f46e01492b4e3e6409d6c73f83a1169.zip	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	https://webdemo.biz/	Get hash	malicious	NetSupport RAT, CAPTCHA Scam	Browse	104.26.0.231
	https://inspyrehomedesign.com	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	http://holidaybunch.com	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Update.js	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Fw Message from Kevin - Update on Coles Supply Chain Modernisation 31-10-24.eml	Get hash	malicious	Unknown	Browse	104.18.36.155
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	188.114.96.3
	https://t.ly/4Nq2x	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.20.6.133
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	SilverSEAL Corporation -RFQ_RFP_FSR Proposal.pdf	Get hash	malicious	Phisher	Browse	188.114.96.3
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918	Get hash	malicious	Unknown	Browse	104.16.79.73
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
QUICKPACKETUS	arm5.elf	Get hash	malicious	Unknown	Browse	194.50.224.242
	sh4.elf	Get hash	malicious	Mirai	Browse	107.161.124.133
	arm6.elf	Get hash	malicious	Unknown	Browse	107.161.124.106
	AF1cyL4cv6.vbs	Get hash	malicious	AsyncRAT	Browse	193.26.115.68
	4d5ZJqq0M7.vbs	Get hash	malicious	AsyncRAT	Browse	193.26.115.68
	LmJ7BFJILh.htm	Get hash	malicious	Unknown	Browse	193.26.115.68
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	185.215.165.89
	file.exe	Get hash	malicious	Unknown	Browse	144.172.118.154
	vEOTtk6FeG.elf	Get hash	malicious	Mirai	Browse	69.50.231.212

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Netstat\HTCTL32.DLL	https://webdemo.biz/	Get hash	malicious	NetSupport RAT, CAPTCHA Scam	Browse
	https://inspyrehomedesign.com	Get hash	malicious	NetSupport RAT	Browse
	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
	http://holidaybunch.com	Get hash	malicious	NetSupport RAT	Browse
	upd_8707558.msix	Get hash	malicious	NetSupport RAT	Browse
	information_package.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader, Stealc, Vidar	Browse
	Update_2762895.msix	Get hash	malicious	NetSupport RAT	Browse

Created / dropped Files

C:\Users\Public\Netstat\HTCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:	6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: upd_8707558.msix, Detection: malicious, Browse Filename: information_package.exe, Detection: malicious, Browse Filename: Update_2762895.msix, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\NSM.LIC

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.119720931145611
Encrypted:	false
SSDEEP:	6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J
MD5:	7067AF414215EE4C50BFCD3EA43C84F0
SHA1:	C331D410672477844A4CA87F43A14E643C863AF9
SHA-256:	2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
SHA-512:	17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..

C:\Users\Public\Netstat\PCICHEK.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:	192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\PCICL32.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3735416
Entropy (8bit):	6.525042992590476
Encrypted:	false
SSDEEP:	49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm
MD5:	00587238D16012152C2E951A087F2CC9
SHA1:	C4E27A43075CE993FF6BB033360AF386B2FC58FF
SHA-256:	63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
SHA-512:	637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.t.I.'.I.'.I.'A..'.I.'...'.I.'.?#'.I.'...'.I.'.1.'.I.'.I.'.J.'.1.'.I.'.1.'.I.'..#',I.'.."'.I.'...'.I.'...'.I.'...'.I.'Rich.I.'................PE..L......V...........!......... ..............0................................9.....f-9.....................................4........`................8.x)...P7.p....@.......................P.......P..@............0..........`....................text............................... ..`.rdata.......0......................@..@.data....%..........................@....tls.........@......................@....hhshare.....P......................@....rsrc........`......................@..@.reloc..(2...P7..4....6.............@..B........................................................................................................................................................................................................

C:\Users\Public\Netstat\TCCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.809064783360712
Encrypted:	false
SSDEEP:	12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
MD5:	EAB603D12705752E3D268D86DFF74ED4
SHA1:	01873977C871D3346D795CF7E3888685DE9F0B16
SHA-256:	6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
SHA-512:	77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\bild.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105848
Entropy (8bit):	4.68250265552195
Encrypted:	false
SSDEEP:	384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH
MD5:	8D9709FF7D9C83BD376E01912C734F0A
SHA1:	E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294
SHA-256:	49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
SHA-512:	042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\bild.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...T..U.....................n...... ........ ....@..................................K....@.................................< ..<....0...i...........t..x).......... ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....i...0...j..................@..@.reloc..l............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\client32.ini

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	701
Entropy (8bit):	5.536175622432943
Encrypted:	false
SSDEEP:	12:Yrqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSuy7bIAlkz6:4qzEmPZly6YBlLoG1fXXfDi7bIAaz6
MD5:	A0A7B634AB8C28C9DE3A0122F7E43F98
SHA1:	676F7554B78EAC6FEFC97B40CD965B3DEDFEF4BC
SHA-256:	D28BC214691BF2B576411750BD8AE9D5B27AE66DC8E0B60C841D43C1ABBBC9E5
SHA-512:	A8378E27F139F3524A45276416DBA938CD788F6C299A29B6E241740972CB5DC1181E3F0FD908769F53751E1E3392BBC73279E01D3DEF6D322ECE6FA9842879DE
Malicious:	false
Preview:	0xf2ddf885....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAOeJWid73S6SvOyjjiTDVewA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0......[HTTP]..GatewayAddress=172.86.117.97:443..gsk=EFHH;K>OBDEJ9A<I@BCB..gskmode=0..gsku=EFHH;K>OBDEJ9A<I@BCB..GSKX=EFHH;K>OBDEJ9A<I@BCB....

C:\Users\Public\Netstat\msvcr100.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\nskbfltr.inf

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\Public\Netstat\pcicapi.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:	768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\remcmdstub.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77224
Entropy (8bit):	6.793971095882093
Encrypted:	false
SSDEEP:	1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz
MD5:	325B65F171513086438952A152A747C4
SHA1:	A1D1C397902FF15C4929A03D582B09B35AA70FC0
SHA-256:	26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534
SHA-512:	6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L...c..c.....................J.......!............@.......................... ............@....................................<.......T................]..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\loca[1].htm

Download File

Process:	C:\Users\Public\Netstat\bild.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	15
Entropy (8bit):	2.7329145639793984
Encrypted:	false
SSDEEP:	3:QJgTG:QkG
MD5:	8AB0D91EF06123198FFAC30AD08A14C7
SHA1:	46D83BB84F74D8F28427314C6084CC9AFE9D1533
SHA-256:	DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
SHA-512:	1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
Malicious:	false
Preview:	32.7767,-96.797

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.881018486516457
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'283'549 bytes
MD5:	87514bcfa421057dc1575ec1630d78ff
SHA1:	012029171ff901f1cb5495059da47143d193923c
SHA256:	50c263fc02412062ca239e7419880678f797408a243d0a2140bc7bbb96a716c1
SHA512:	0d37d146960abf699a35d8c66d4af38c68af12db62d8548457dc26f6a2e30dd07c3d2599f38befee0720e649b08884daa37961b74ff4e2622840ea3d8237501b
SSDEEP:	49152:kDjlabwz9Tvaw2EheBgtpsDf5Log8nUQkFG4tP5Deqk+H1Zf8NNbTs:0qwFvcEhQGa178UnxBkk1ZfWC
TLSH:	72B51209E3E909F5D0B7E53CCA668D02F77A7C5903309A8F23B4525A1F673A09E39761
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5E2CE1A1F8h
dec eax
add esp, 28h
jmp 00007F5E2CE19B8Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F5E2CE19013h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F5E2CE19D23h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F5E2CE1BD37h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F5E2CE085A3h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F5E2CE1ADF2h
int3
jmp 00007F5E2CE20FD4h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0xe360	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7f000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0xe360	0xe400	ada5628b9441c3d4f775b5c1be0267ef	False	0.630139802631579	data	6.596650704309685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7f000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70680	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x711c8	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x72ce0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x73588	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x74430	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x74898	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x75940	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x77ee8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x7c5b8	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x7c388	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x7c4c8	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x7c258	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x7bf20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x7bcc8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x7cf98	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x7d180	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x7d350	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x7d508	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x7d650	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x7dac0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x7dc28	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7dd80	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x7de90	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x7df50	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x7e110	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x7bc60	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x7c840	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T17:05:40.883894+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.5	49704	172.86.117.97	443	TCP
2024-10-31T17:06:03.056875+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49706	TCP
2024-10-31T17:06:41.336373+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49907	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 17:05:46.526397943 CET	49704	443	192.168.2.5	172.86.117.97
Oct 31, 2024 17:05:46.526444912 CET	443	49704	172.86.117.97	192.168.2.5
Oct 31, 2024 17:05:46.526532888 CET	49704	443	192.168.2.5	172.86.117.97
Oct 31, 2024 17:05:46.597737074 CET	49704	443	192.168.2.5	172.86.117.97
Oct 31, 2024 17:05:46.597759962 CET	443	49704	172.86.117.97	192.168.2.5
Oct 31, 2024 17:05:46.597814083 CET	443	49704	172.86.117.97	192.168.2.5
Oct 31, 2024 17:05:46.624857903 CET	49705	80	192.168.2.5	172.67.68.212
Oct 31, 2024 17:05:46.630076885 CET	80	49705	172.67.68.212	192.168.2.5
Oct 31, 2024 17:05:46.630145073 CET	49705	80	192.168.2.5	172.67.68.212
Oct 31, 2024 17:05:46.630245924 CET	49705	80	192.168.2.5	172.67.68.212
Oct 31, 2024 17:05:46.635592937 CET	80	49705	172.67.68.212	192.168.2.5
Oct 31, 2024 17:05:48.270577908 CET	80	49705	172.67.68.212	192.168.2.5
Oct 31, 2024 17:05:48.270632982 CET	49705	80	192.168.2.5	172.67.68.212
Oct 31, 2024 17:07:36.601964951 CET	49705	80	192.168.2.5	172.67.68.212
Oct 31, 2024 17:07:36.607688904 CET	80	49705	172.67.68.212	192.168.2.5
Oct 31, 2024 17:07:36.613964081 CET	49705	80	192.168.2.5	172.67.68.212

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 17:05:46.608417034 CET	50721	53	192.168.2.5	1.1.1.1
Oct 31, 2024 17:05:46.620574951 CET	53	50721	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 17:05:46.608417034 CET	192.168.2.5	1.1.1.1	0x7fe7	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 17:05:46.620574951 CET	1.1.1.1	192.168.2.5	0x7fe7	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:05:46.620574951 CET	1.1.1.1	192.168.2.5	0x7fe7	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:05:46.620574951 CET	1.1.1.1	192.168.2.5	0x7fe7	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

172.86.117.97connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.86.117.97	443	5732	C:\Users\Public\Netstat\bild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:05:46.597737074 CET	218	OUT	POST http://172.86.117.97/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 172.86.117.97Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	172.67.68.212	80	5732	C:\Users\Public\Netstat\bild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:05:46.630245924 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Oct 31, 2024 17:05:48.270577908 CET	959	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 16:05:48 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8db4e379cdb845e4-DFW CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDCCBQAACB=GLDPFJHBNMGEIBKMAEBBGABK; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W1RH1vq9tq2WPg00ev%2FK3Hp2AUvjG1iOIsDql1y2g24FCdyZmgD67xnsCxzEpToiptBIJY6vB6lz8SwZHtEplZ3NEDmcnR%2FQiQHZ3ADdEdo3xmYheBNdsMi84vQBMHoloO0EHKhUM4bRSNFR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1932&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a Data Ascii: f32.7767,-96.7970

Target ID:	0
Start time:	12:05:44
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff75aaa0000
File size:	2'283'549 bytes
MD5 hash:	87514BCFA421057DC1575EC1630D78FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2039840028.0000027C558F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:05:45
Start date:	31/10/2024
Path:	C:\Users\Public\Netstat\bild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Netstat\bild.exe"
Imagebase:	0x260000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000002.00000002.3888318749.0000000000262000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000002.00000002.3890657665.000000006E0C0000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000002.00000003.2343699674.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000002.00000000.2041890788.0000000000262000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000002.00000002.3888424181.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\bild.exe, Author: Joe Security
Antivirus matches:	Detection: 29%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00007FF75AACB190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAA255C: GetDlgItem.USER32 ref: 00007FF75AAA25AC
Part of subcall function 00007FF75AAA255C: SetWindowTextW.USER32 ref: 00007FF75AAA25C8

EndDialog.USER32 ref: 00007FF75AACB2D0
SetDlgItemTextW.USER32 ref: 00007FF75AACB320
GetMessageW.USER32 ref: 00007FF75AACB350
IsDialogMessageW.USER32 ref: 00007FF75AACB369
TranslateMessage.USER32 ref: 00007FF75AACB37B
DispatchMessageW.USER32 ref: 00007FF75AACB389
EndDialog.USER32 ref: 00007FF75AACB3D3
GetDlgItem.USER32 ref: 00007FF75AACB410
SendMessageW.USER32 ref: 00007FF75AACB431
SendMessageW.USER32 ref: 00007FF75AACB449
SetFocus.USER32 ref: 00007FF75AACB452
GetLastError.KERNEL32 ref: 00007FF75AACB634
GetLastError.KERNEL32 ref: 00007FF75AACB665
GetTickCount.KERNEL32 ref: 00007FF75AACB68B
GetLastError.KERNEL32 ref: 00007FF75AACB6F5
GetCommandLineW.KERNEL32 ref: 00007FF75AACB841
CreateFileMappingW.KERNEL32 ref: 00007FF75AACB900
MapViewOfFile.KERNEL32 ref: 00007FF75AACB923
Sleep.KERNEL32 ref: 00007FF75AACB9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF75AACB9DF
CloseHandle.KERNEL32 ref: 00007FF75AACB9E8
SetDlgItemTextW.USER32 ref: 00007FF75AACBCDE
DialogBoxParamW.USER32 ref: 00007FF75AACC0D7
EndDialog.USER32 ref: 00007FF75AACC0EF
EnableWindow.USER32 ref: 00007FF75AACC2A6
SendMessageW.USER32 ref: 00007FF75AACC2F8
ShellExecuteExW.SHELL32 ref: 00007FF75AACB95B

Part of subcall function 00007FF75AABAAE0: LoadStringW.USER32 ref: 00007FF75AABAB67
Part of subcall function 00007FF75AABAAE0: LoadStringW.USER32 ref: 00007FF75AABAB80

SendMessageW.USER32 ref: 00007FF75AACBEC3
SendDlgItemMessageW.USER32 ref: 00007FF75AACBEEA
GetDlgItem.USER32 ref: 00007FF75AACBEF8
SendMessageW.USER32 ref: 00007FF75AACBF12
GetDlgItem.USER32 ref: 00007FF75AACBF4F
SetDlgItemTextW.USER32 ref: 00007FF75AACBFEC
SetDlgItemTextW.USER32 ref: 00007FF75AACC004
SetDlgItemTextW.USER32 ref: 00007FF75AACC321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACC363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACC369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACC36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACC375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACC37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACC381
SendDlgItemMessageW.USER32 ref: 00007FF75AACC449
EndDialog.USER32 ref: 00007FF75AACC463
GetDlgItem.USER32 ref: 00007FF75AACC491
SetFocus.USER32 ref: 00007FF75AACC49A
SendDlgItemMessageW.USER32 ref: 00007FF75AACC53E
FindFirstFileW.KERNEL32 ref: 00007FF75AACC562
FindClose.KERNEL32 ref: 00007FF75AACC68A
SendDlgItemMessageW.USER32 ref: 00007FF75AACC7AF

Part of subcall function 00007FF75AAA129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAA1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACCAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACCAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACCAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACCABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACCAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACCAC7

Strings

STARTDLG, xrefs: 00007FF75AACB1CA
@, xrefs: 00007FF75AACB7B6
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF75AACB799
p, xrefs: 00007FF75AACB7AB
%s %s, xrefs: 00007FF75AACC6D9, 00007FF75AACC946
runas, xrefs: 00007FF75AACB7C9
LICENSEDLG, xrefs: 00007FF75AACC0C9
__tmp_rar_sfx_access_check_, xrefs: 00007FF75AACB6A9
REPLACEFILEDLG, xrefs: 00007FF75AACC3D3
winrarsfxmappingfile.tmp, xrefs: 00007FF75AACB8E0

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 255727823-2702805183
Opcode ID: b94f3a18abd40ded152ad5cdacc7b809bf44a79477dc03de5816be10aa1b7cfe
Instruction ID: 64a1a5e3bbe78d7b1f4da23c4f6f38c46118a7ca8f2ecd904099250cc57cb9e2
Opcode Fuzzy Hash: b94f3a18abd40ded152ad5cdacc7b809bf44a79477dc03de5816be10aa1b7cfe
Instruction Fuzzy Hash: 05D2E561A0878285FA20FBA4E854AF9E361FF85780FC841B5E94D077A5EF3DE546C360

Function 00007FF75AACCE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF75AACD5F3
SendMessageW.USER32 ref: 00007FF75AACD626
SendMessageW.USER32 ref: 00007FF75AACD655
MoveFileW.KERNEL32 ref: 00007FF75AACDB4B
MoveFileExW.KERNEL32 ref: 00007FF75AACDB69
GetTempPathW.KERNEL32 ref: 00007FF75AACDC49

Part of subcall function 00007FF75AAA1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA1FFB

EndDialog.USER32 ref: 00007FF75AACDFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AACEEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACEF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AACEF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AACEF73

Strings

MAX, xrefs: 00007FF75AACEA82, 00007FF75AACEA91
@set:user, xrefs: 00007FF75AACDD96, 00007FF75AACDDA5
lnk, xrefs: 00007FF75AACE3CA, 00007FF75AACE3D9
.lnk, xrefs: 00007FF75AACE406, 00007FF75AACE415
.tmp, xrefs: 00007FF75AACDA85
ProgramFilesDir, xrefs: 00007FF75AACD4F0
MIN, xrefs: 00007FF75AACEAE5, 00007FF75AACEAF4
HIDE, xrefs: 00007FF75AACE9E5, 00007FF75AACE9F4
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF75AACD501
<br>, xrefs: 00007FF75AACD6DA, 00007FF75AACD6E9

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: 17fc79a3ad95a6d0300714d3646d8cfefc5ee36d2af72e3520256202b352b11c
Instruction ID: dbe04f55473c247f4501fb499eed675dacfc3745a36bdeb47fcb354a0845c4dd
Opcode Fuzzy Hash: 17fc79a3ad95a6d0300714d3646d8cfefc5ee36d2af72e3520256202b352b11c
Instruction Fuzzy Hash: 6D139272B04B8299FB10EFA4D8506EC67A1EF40398F880576EA5D17BD9DF38D586C360

Function 00007FF75AAD0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75AABDFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE018
Part of subcall function 00007FF75AABDFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE030
Part of subcall function 00007FF75AABDFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE05D

Part of subcall function 00007FF75AAB62DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF75AAB62F2
Part of subcall function 00007FF75AAB62DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF75AAB632C

Part of subcall function 00007FF75AAC946C: OleInitialize.OLE32 ref: 00007FF75AAC9486
Part of subcall function 00007FF75AAC946C: SHGetMalloc.SHELL32 ref: 00007FF75AAC94D4

GetCommandLineW.KERNEL32 ref: 00007FF75AAD096E
OpenFileMappingW.KERNEL32 ref: 00007FF75AAD0A07
MapViewOfFile.KERNEL32 ref: 00007FF75AAD0A30
UnmapViewOfFile.KERNEL32 ref: 00007FF75AAD0A46
MapViewOfFile.KERNEL32 ref: 00007FF75AAD0A63
UnmapViewOfFile.KERNEL32 ref: 00007FF75AAD0ACA
CloseHandle.KERNEL32 ref: 00007FF75AAD0AD3
SetEnvironmentVariableW.KERNELBASE ref: 00007FF75AAD0BAD
GetLocalTime.KERNEL32 ref: 00007FF75AAD0BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF75AAD0C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF75AAD0C26
GetModuleHandleW.KERNEL32 ref: 00007FF75AAD0C2E
LoadIconW.USER32 ref: 00007FF75AAD0C4D
DialogBoxParamW.USER32 ref: 00007FF75AAD0CB6
Sleep.KERNEL32 ref: 00007FF75AAD0CE6
DeleteObject.GDI32 ref: 00007FF75AAD0D0D
DeleteObject.GDI32 ref: 00007FF75AAD0D1F
CloseHandle.KERNEL32 ref: 00007FF75AAD0D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD0DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD0DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD0DE3

Part of subcall function 00007FF75AACFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF75AACFD43
Part of subcall function 00007FF75AACFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF75AACFDBC

Strings

sfxname, xrefs: 00007FF75AAD0B9B
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF75AAD0C02
STARTDLG, xrefs: 00007FF75AAD0CA5
sfxstime, xrefs: 00007FF75AAD0C1F
winrarsfxmappingfile.tmp, xrefs: 00007FF75AAD09F9

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: a1c62a29b36dee484797fa5976536d2a19ba5f749f11c97bfbb60a5c0b178c14
Instruction ID: 442ed1b15c43401294e2cbfac3caa4874ca7b2568e7f9ae3935cf85de90078bc
Opcode Fuzzy Hash: a1c62a29b36dee484797fa5976536d2a19ba5f749f11c97bfbb60a5c0b178c14
Instruction Fuzzy Hash: 2812B961E08B8285FB50FB64E845AB9F361FF84744FC84276D99D06AA5EF3CE542C360

Function 00007FF75AABA4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF75AABA504

Part of subcall function 00007FF75AAC0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF75AAC0F99

SetDlgItemTextW.USER32 ref: 00007FF75AABA573
GetWindowRect.USER32 ref: 00007FF75AABA5AD
GetClientRect.USER32 ref: 00007FF75AABA5BB
GetWindowLongPtrW.USER32 ref: 00007FF75AABA66C
GetWindowRect.USER32 ref: 00007FF75AABA6B2
SetWindowTextW.USER32 ref: 00007FF75AABA6EC
GetSystemMetrics.USER32 ref: 00007FF75AABA6F7
GetWindow.USER32 ref: 00007FF75AABA708
GetWindowRect.USER32 ref: 00007FF75AABA746
GetWindow.USER32 ref: 00007FF75AABA808

Strings

CAPTION, xrefs: 00007FF75AABA6CF
$%s:, xrefs: 00007FF75AABA4EF

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 4f0f9c2dc074fee429457ee31d4ec38ea3f021bd613f4b26a6947e5b9e63aca6
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: AC91F732B186458BF718EF69A800A69E7A0FF84784F885535EE4D47B58CF3DE806CB40

Function 00007FF75AAC8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF75AAC863D
SizeofResource.KERNEL32 ref: 00007FF75AAC8659
LoadResource.KERNEL32 ref: 00007FF75AAC8673
LockResource.KERNEL32 ref: 00007FF75AAC8685
GlobalAlloc.KERNELBASE ref: 00007FF75AAC86A6
GlobalLock.KERNEL32 ref: 00007FF75AAC86BB
CreateStreamOnHGlobal.COMBASE ref: 00007FF75AAC86E8
GdipAlloc.GDIPLUS ref: 00007FF75AAC86FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF75AAC8769
GlobalUnlock.KERNEL32 ref: 00007FF75AAC878C
GlobalFree.KERNEL32 ref: 00007FF75AAC8795

Strings

PNG, xrefs: 00007FF75AAC862F

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: d1d4686e549cec53ee425531fc3c0307e64a403bcc3ce2157fb3ca1b558af1f3
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 1C413E25A09B1282FE44AB96D454B79E7A0BF9CB90F8C4479DE0D47364EF7CE44AC360

Function 00007FF75AAAF930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1263

Strings

__tmp_reference_source_, xrefs: 00007FF75AAAFCCF, 00007FF75AAAFCDE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: d32273fa0b543aa22c5bae2e0cfe48275fd65e4c4ae787494a48fef12078bce6
Instruction ID: 753260132a6d9d2861e2671f8d1e3627ccafd451bb3d567de1a1affe74368bed
Opcode Fuzzy Hash: d32273fa0b543aa22c5bae2e0cfe48275fd65e4c4ae787494a48fef12078bce6
Instruction Fuzzy Hash: 26E2A562A087C642FA64EBA5E1407BEE7A1FF41740F884176DB9D036A5DF3CE856C720

Function 00007FF75AAA4840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA5124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA5E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA5E1C

Strings

CMT, xrefs: 00007FF75AAA59B2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: aac8491763159f59806d652f8a14fa42eb9fc7339645808187768839367cb2af
Instruction ID: 3c45c205218bc0be66ef243d83fcb6a88ba09ec260700ffbfc00333ad04e1fe0
Opcode Fuzzy Hash: aac8491763159f59806d652f8a14fa42eb9fc7339645808187768839367cb2af
Instruction Fuzzy Hash: 6DE2FE22B0868286FB18EBB5D050AFDA7A1FF44784F880476DB5E47696DF3CE456C360

Function 00007FF75AAB40BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF75AAB410B
FindFirstFileW.KERNELBASE ref: 00007FF75AAB415E
GetLastError.KERNEL32 ref: 00007FF75AAB41AF
FindNextFileW.KERNEL32 ref: 00007FF75AAB41D7
GetLastError.KERNEL32 ref: 00007FF75AAB41E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB4315

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 3b45cdafcdb97bfe6833dfb07e445cc1833db233a54d2cf08b5bd2ce5f6738c0
Instruction ID: e66dd5bc63d92befa9b52c5ed7bdf85dfa5d5df5d50c4aefe4d24a956cb15fe6
Opcode Fuzzy Hash: 3b45cdafcdb97bfe6833dfb07e445cc1833db233a54d2cf08b5bd2ce5f6738c0
Instruction Fuzzy Hash: E561B662A0874682FA10EBA4E84067DA361FF957A4F944371EBBD036E9DF3CD946C710

Function 00007FF75AAA5E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF75AAA59B2, 00007FF75AAA675B

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 936a8f495a57b50c0dc0cbd09bc27929dc5340db306dd6e3f5389225bf01f1a2
Instruction ID: 8afcc5775409dba703b2793ef3d8eeb3693b3d035208a4c501a754e043933d3f
Opcode Fuzzy Hash: 936a8f495a57b50c0dc0cbd09bc27929dc5340db306dd6e3f5389225bf01f1a2
Instruction Fuzzy Hash: 0442E122B0868297FB18EBB4C1506FDA7A1EF54344F880176DB5E53696DF38E41AC7A0

Function 00007FF75AAC1F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f290487e5a667d54cc41a5d187d2fad0533435d196c5144e63478bd963f0733
Instruction ID: 9d40a0960d5eb8b9e65fbd49a7d3b2963777f82a2ab0a48f51ff12a9ac0d9820
Opcode Fuzzy Hash: 4f290487e5a667d54cc41a5d187d2fad0533435d196c5144e63478bd963f0733
Instruction Fuzzy Hash: 42E1F522A082828BFB64EF799058A7DF790FF44748F484175EB4E47785DE3CE5428718

Function 00007FF75AAC3484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
Instruction ID: 46b5cbd22a981ab8f7dfc2610968e940f6cbd20d3a8bf642bbe0e474ca122d68
Opcode Fuzzy Hash: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
Instruction Fuzzy Hash: 7BB1B1A2B057D992FE58EAA5D518AE9E391BB05FC4F888036EE1D07741DF3CE156C320

Function 00007FF75AAB4928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction ID: 016e8b0fddff892d8744856518f58fd24592a7fe90953f1aba7e9420f2b8c7e7
Opcode Fuzzy Hash: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction Fuzzy Hash: AE412822B1575A87FA64EF65A900B6AA252FFC4784F888034DF0D07795DE3CE887C314

Function 00007FF75AABDFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE05D
CreateFileW.KERNEL32 ref: 00007FF75AABE3F0
SetFilePointer.KERNEL32 ref: 00007FF75AABE40E
ReadFile.KERNEL32 ref: 00007FF75AABE436

Part of subcall function 00007FF75AABDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF75AABDDDF

CompareStringW.KERNELBASE ref: 00007FF75AABE559
CloseHandle.KERNEL32 ref: 00007FF75AABE4F3

Part of subcall function 00007FF75AAA1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA1FFB

Part of subcall function 00007FF75AAB51A4: GetVersionExW.KERNEL32 ref: 00007FF75AAB51D5

Part of subcall function 00007FF75AABDFD0: LoadLibraryExW.KERNELBASE ref: 00007FF75AABDEFF
Part of subcall function 00007FF75AABDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AABDFB5
Part of subcall function 00007FF75AABDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AABDFBB
Part of subcall function 00007FF75AABDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AABDFC1
Part of subcall function 00007FF75AABDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AABDFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF75AABE7AA
ExitProcess.KERNEL32 ref: 00007FF75AABE7BB

Strings

ieframe.dll, xrefs: 00007FF75AABE120
ws2help.dll, xrefs: 00007FF75AABE10A
mpr.dll, xrefs: 00007FF75AABE291
cryptbase.dll, xrefs: 00007FF75AABE0C8
RpcRtRemote.dll, xrefs: 00007FF75AABE363
version.dll, xrefs: 00007FF75AABE07B
iphlpapi.DLL, xrefs: 00007FF75AABE267
ws2_32.dll, xrefs: 00007FF75AABE0FF
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF75AABE73B
UXTheme.dll, xrefs: 00007FF75AABE0B2
peerdist.dll, xrefs: 00007FF75AABE38D
imageres.dll, xrefs: 00007FF75AABE24B
samcli.dll, xrefs: 00007FF75AABE2C9
cryptui.dll, xrefs: 00007FF75AABE1A3
WINNSI.DLL, xrefs: 00007FF75AABE275
ntmarta.dll, xrefs: 00007FF75AABE1F7
dnsapi.DLL, xrefs: 00007FF75AABE259
crypt32.dll, xrefs: 00007FF75AABE187
clbcatq.dll, xrefs: 00007FF75AABE0E9
rsaenh.dll, xrefs: 00007FF75AABE0A7
DXGIDebug.dll, xrefs: 00007FF75AABE086, 00007FF75AABE5B6
samlib.dll, xrefs: 00007FF75AABE2D7
SetDefaultDllDirectories, xrefs: 00007FF75AABE053
shdocvw.dll, xrefs: 00007FF75AABE179
userenv.dll, xrefs: 00007FF75AABE15D
dfscli.dll, xrefs: 00007FF75AABE2F3
apphelp.dll, xrefs: 00007FF75AABE14F
sfc_os.dll, xrefs: 00007FF75AABE091
linkinfo.dll, xrefs: 00007FF75AABE347
dwmapi.dll, xrefs: 00007FF75AABE0BD, 00007FF75AABE661
srvcli.dll, xrefs: 00007FF75AABE221
wintrust.dll, xrefs: 00007FF75AABE1B1
propsys.dll, xrefs: 00007FF75AABE2AD
dhcpcsvc6.dll, xrefs: 00007FF75AABE31D
rasadhlp.dll, xrefs: 00007FF75AABE30F
atl.dll, xrefs: 00007FF75AABE136
dhcpcsvc.dll, xrefs: 00007FF75AABE32B
netutils.dll, xrefs: 00007FF75AABE283
comres.dll, xrefs: 00007FF75AABE0F4
msasn1.dll, xrefs: 00007FF75AABE195
uxtheme.dll, xrefs: 00007FF75AABE66D
devrtl.dll, xrefs: 00007FF75AABE29F
cscapi.dll, xrefs: 00007FF75AABE22F
ntshrui.dll, xrefs: 00007FF75AABE12B
cryptsp.dll, xrefs: 00007FF75AABE355
kernel32, xrefs: 00007FF75AABE011
aclui.dll, xrefs: 00007FF75AABE371
dsrole.dll, xrefs: 00007FF75AABE37F
oleaccrc.dll, xrefs: 00007FF75AABE1E9
SetDllDirectoryW, xrefs: 00007FF75AABE026
SSPICLI.DLL, xrefs: 00007FF75AABE09C
browcli.dll, xrefs: 00007FF75AABE301
setupapi.dll, xrefs: 00007FF75AABE141
psapi.dll, xrefs: 00007FF75AABE115
WindowsCodecs.dll, xrefs: 00007FF75AABE213
cabinet.dll, xrefs: 00007FF75AABE1DB
wkscli.dll, xrefs: 00007FF75AABE2E5
slc.dll, xrefs: 00007FF75AABE23D
secur32.dll, xrefs: 00007FF75AABE1CD
mlang.dll, xrefs: 00007FF75AABE2BB
shell32.dll, xrefs: 00007FF75AABE1BF
usp10.dll, xrefs: 00007FF75AABE0DE
XmlLite.dll, xrefs: 00007FF75AABE339
netapi32.dll, xrefs: 00007FF75AABE16B
profapi.dll, xrefs: 00007FF75AABE205
lpk.dll, xrefs: 00007FF75AABE0D3

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 7c4a34b53ce793e8483b627db677786fa0ac65cb43c3a9d0b7710463073bebd5
Instruction ID: 55eac333892586f53c154f78afb9fa96f68cbe2571ced87d24e7c2ff03340560
Opcode Fuzzy Hash: 7c4a34b53ce793e8483b627db677786fa0ac65cb43c3a9d0b7710463073bebd5
Instruction Fuzzy Hash: 13323131A09B8299FB21AFA0E8409E9B3A4FF54354FD4027ADA4D07765EF3CD656C360

Function 00007FF75AAB98DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAB8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAB8F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF75AAB9F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AABA42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AABA435

Part of subcall function 00007FF75AAC0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF75AAC0B44), ref: 00007FF75AAC0BE9

Strings

, xrefs: 00007FF75AAB9DF9
STRINGS, xrefs: 00007FF75AAB9DC1
,, xrefs: 00007FF75AAB9FAA
DIRECTION, xrefs: 00007FF75AAB9DE5
MENU, xrefs: 00007FF75AAB9DD9
*messages***, xrefs: 00007FF75AAB9C04
$%s:, xrefs: 00007FF75AAB9F50
@%s:, xrefs: 00007FF75AAB9F57
RTL, xrefs: 00007FF75AAB9F2E
*messages***, xrefs: 00007FF75AAB9BC6
DIALOG, xrefs: 00007FF75AAB9DCD

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: c7e299983de1d31cdbd1676a4e843f0011001ae21b66b5c33926bd5b009ca2a1
Instruction ID: a98bf1b26c13e22388a75d6f304027742d5a5c26c2651cfff9ec007a692c548b
Opcode Fuzzy Hash: c7e299983de1d31cdbd1676a4e843f0011001ae21b66b5c33926bd5b009ca2a1
Instruction Fuzzy Hash: 1562D132A1878A86FB50EBA4D444ABDA361FF40784FC84176DA4D076D9EF3DE946C360

Function 00007FF75AAD1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75AAD1558: DloadProtectSection.DELAYIMP ref: 00007FF75AAD15C9

RaiseException.KERNEL32 ref: 00007FF75AAD19A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF75AAD1993

Part of subcall function 00007FF75AAD1868: DloadProtectSection.DELAYIMP ref: 00007FF75AAD18C7

LoadLibraryExA.KERNELBASE ref: 00007FF75AAD1A46
GetLastError.KERNEL32 ref: 00007FF75AAD1A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF75AAD1A86
RaiseException.KERNEL32 ref: 00007FF75AAD1A9A

Strings

H, xrefs: 00007FF75AAD1974

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: abbce6e9b3252b14915c1b452d5ef79878b483a24835ddd225db647b971dfa0d
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: 31914C32B05B528AFB90EFA5D844AA8A3A1FF08B54F884479DE4D17754EF38E446C320

Function 00007FF75AACF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF75AACF747
ShowWindow.USER32 ref: 00007FF75AACF786
GetExitCodeProcess.KERNEL32 ref: 00007FF75AACF7BD
CloseHandle.KERNEL32 ref: 00007FF75AACF7E7
ShowWindow.USER32 ref: 00007FF75AACF83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACF8FB

Strings

p, xrefs: 00007FF75AACF529
.inf, xrefs: 00007FF75AACF675
Install, xrefs: 00007FF75AACF684
.exe, xrefs: 00007FF75AACF7F2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: 22420bc2198f6078b2f288bbded650d2fe37d63e6dbd6053a2019b52a2d3da4b
Instruction ID: c1cc3f0ea9c0ab60fcfc196c07c7d868fd2041c8b6eb2701cec2734719c5e665
Opcode Fuzzy Hash: 22420bc2198f6078b2f288bbded650d2fe37d63e6dbd6053a2019b52a2d3da4b
Instruction Fuzzy Hash: 79C1C562F08B0295FB00EBA5D964A7DA7B1BF84780F8840B5EA4D477A4DF3CE552C360

Function 00007FF75AACF0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75AACAE1C: PeekMessageW.USER32 ref: 00007FF75AACAE32
Part of subcall function 00007FF75AACAE1C: GetMessageW.USER32 ref: 00007FF75AACAE49
Part of subcall function 00007FF75AACAE1C: IsDialogMessageW.USER32 ref: 00007FF75AACAE60
Part of subcall function 00007FF75AACAE1C: TranslateMessage.USER32 ref: 00007FF75AACAE6F
Part of subcall function 00007FF75AACAE1C: DispatchMessageW.USER32 ref: 00007FF75AACAE7A

GetDlgItem.USER32 ref: 00007FF75AACF0E3
ShowWindow.USER32 ref: 00007FF75AACF109
SendMessageW.USER32 ref: 00007FF75AACF11E
SendMessageW.USER32 ref: 00007FF75AACF136
SendMessageW.USER32 ref: 00007FF75AACF157
SendMessageW.USER32 ref: 00007FF75AACF173
SendMessageW.USER32 ref: 00007FF75AACF1B6
SendMessageW.USER32 ref: 00007FF75AACF1D4
SendMessageW.USER32 ref: 00007FF75AACF1E8
SendMessageW.USER32 ref: 00007FF75AACF212
SendMessageW.USER32 ref: 00007FF75AACF22A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction ID: fec56f9bcbb2ea05c4144ec4f4c054a96c00dbb07e1c416dddd5658709638dca
Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction Fuzzy Hash: AE41B231B14A4286F704AF61E814FA96760FF89B98F881175ED0A07B95CF3ED44687A4

Function 00007FF75AAAEF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF572

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: b60b4e85dca72afb36c41ecd76671d2e4f9ea4131e30583f6657b838cfa2a64e
Instruction ID: 28ac6312de96ca2a79588f0ff2ca2083eb76761d7cd2d0fa2e81a4b89f5a8a8e
Opcode Fuzzy Hash: b60b4e85dca72afb36c41ecd76671d2e4f9ea4131e30583f6657b838cfa2a64e
Instruction Fuzzy Hash: F312C362F08B4285FB10EBA4D4446BDA3B1EF44798F844276DA5D17AD9DF3CD48AC3A0

Function 00007FF75AAB24C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF75AAB259B
GetLastError.KERNEL32 ref: 00007FF75AAB25AE
CreateFileW.KERNEL32 ref: 00007FF75AAB260E
GetLastError.KERNEL32 ref: 00007FF75AAB2617
SetFileTime.KERNEL32 ref: 00007FF75AAB26C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB2736

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: bf6d388e0ddc62a07829c0e0ddc79988d82f0ae4bc2505d9adb649ad5df9f7e3
Instruction ID: a141c08321da2b7147bb933645b087958132af3f6c9c61b6b64f2c97e97c06e1
Opcode Fuzzy Hash: bf6d388e0ddc62a07829c0e0ddc79988d82f0ae4bc2505d9adb649ad5df9f7e3
Instruction Fuzzy Hash: F1611562A1874185F7209B69E41076EA7B1FF987A8F540335CEA903AD4DF3DC45AC710

Function 00007FF75AACB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF75AACB02A
GetObjectW.GDI32 ref: 00007FF75AACB05B
DeleteObject.GDI32 ref: 00007FF75AACB095
DeleteObject.GDI32 ref: 00007FF75AACB0C5

Part of subcall function 00007FF75AAC8624: FindResourceW.KERNEL32 ref: 00007FF75AAC863D
Part of subcall function 00007FF75AAC8624: SizeofResource.KERNEL32 ref: 00007FF75AAC8659
Part of subcall function 00007FF75AAC8624: LoadResource.KERNEL32 ref: 00007FF75AAC8673
Part of subcall function 00007FF75AAC8624: LockResource.KERNEL32 ref: 00007FF75AAC8685
Part of subcall function 00007FF75AAC8624: GlobalAlloc.KERNELBASE ref: 00007FF75AAC86A6
Part of subcall function 00007FF75AAC8624: GlobalLock.KERNEL32 ref: 00007FF75AAC86BB
Part of subcall function 00007FF75AAC8624: CreateStreamOnHGlobal.COMBASE ref: 00007FF75AAC86E8
Part of subcall function 00007FF75AAC8624: GdipAlloc.GDIPLUS ref: 00007FF75AAC86FE
Part of subcall function 00007FF75AAC8624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF75AAC8769
Part of subcall function 00007FF75AAC8624: GlobalUnlock.KERNEL32 ref: 00007FF75AAC878C
Part of subcall function 00007FF75AAC8624: GlobalFree.KERNEL32 ref: 00007FF75AAC8795

Strings

], xrefs: 00007FF75AACB063

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: 6743b69776621ff9da0bd5a75ed6eebd4c6d3fee3830fa24a30a7a3d28432539
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: 9911B920F0D64241FA64BB619665B79D791BF88BC0F8C40B4ED1D07B95EE2DE8068750

Function 00007FF75AACAE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF75AACAE32
GetMessageW.USER32 ref: 00007FF75AACAE49
IsDialogMessageW.USER32 ref: 00007FF75AACAE60
TranslateMessage.USER32 ref: 00007FF75AACAE6F
DispatchMessageW.USER32 ref: 00007FF75AACAE7A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 1f557e060d80ba1c86c9d18564f422ef878f625dfb98a45ae0060f081fe88360
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 79F04F35B3855282FB50AB24E8A5E36A361FFE4B04FC85071E54E41954DF3DD509DB50

Function 00007FF75AAC91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF75AAC9211
SHAutoComplete.SHLWAPI ref: 00007FF75AAC9255

Part of subcall function 00007FF75AAC13C4: CompareStringW.KERNEL32 ref: 00007FF75AAC13E3

FindWindowExW.USER32 ref: 00007FF75AAC923F

Strings

EDIT, xrefs: 00007FF75AAC921B, 00007FF75AAC9233

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: f9beeb531bf3c0b642ee51563a56a46b7648810c99b763e4460602ea898d2acb
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 15013161B18A4381FA64AB61F820BB6A390BFA8744FCC11B1D94D4A755EE2CE14AD660

Function 00007FF75AAB2CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF75AAB8C9A), ref: 00007FF75AAB2D22
WriteFile.KERNEL32 ref: 00007FF75AAB2D6C
WriteFile.KERNELBASE ref: 00007FF75AAB2D9A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 0323b359cf5b651ecb761d1be35a0d157ce23368862f5c076944cf5492cb83e9
Instruction ID: b10b85cf9f7301c122b68237fcb41832138df7c5aa19f838030b430d591a2b28
Opcode Fuzzy Hash: 0323b359cf5b651ecb761d1be35a0d157ce23368862f5c076944cf5492cb83e9
Instruction Fuzzy Hash: ED510B22B1974652FB50EBA5D444B7AA750FF55790F880177EA4D07AD4EF3CD88AC320

Function 00007FF75AAD03E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32 ref: 00007FF75AAD0556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD05C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD05C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD05CD

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: 026bc20b37c79a3b9cd77c26472f0129fcb044d8b857d7992271820a149e5442
Instruction ID: 67ab0f4c8ac9e370f918c32b84cfcd759dc28407cb7239d9f515f173f67a358f
Opcode Fuzzy Hash: 026bc20b37c79a3b9cd77c26472f0129fcb044d8b857d7992271820a149e5442
Instruction Fuzzy Hash: 3851CF62F1465284FB00ABE4D844AADA322AF44B94FC84679DE5D17BD9DF6CD442C360

Function 00007FF75AAD2D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF75AAD2D7B

Part of subcall function 00007FF75AAD27FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF75AAD281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF75AAD2D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF75AAD2DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF75AAD2E51

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 1e94f17c9b440d303e98a3e595fd22ebfeb599e691af53bb4c086446517ff52c
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 24313D21E0C64341FAD4BBE49411BB9E691AF44744FCC14B8E98E4B6D7EF2CA90BC270

Function 00007FF75AAB3684 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF75AAB309D), ref: 00007FF75AAB36CE
CreateDirectoryW.KERNEL32 ref: 00007FF75AAB3733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF75AAB309D), ref: 00007FF75AAB3791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB37CE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 5f5a2498c506899800acde8abea11f876c241ca53163134c058b9fa48508e244
Instruction ID: 426f73ad1f19a8c7331aa325f75e943d7af1f8583d9de71e3ea43062048c9dec
Opcode Fuzzy Hash: 5f5a2498c506899800acde8abea11f876c241ca53163134c058b9fa48508e244
Instruction Fuzzy Hash: A831D622A1C78681FA60EBA59454A79E351FF88790FD80271EE9D43AD5DF3CD8878230

Function 00007FF75AAB2320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF75AAB2927,?,00100000,?,00000001,00000000,00000000,?,00007FF75AAB14C1), ref: 00007FF75AAB2348
ReadFile.KERNELBASE ref: 00007FF75AAB2367
GetLastError.KERNEL32 ref: 00007FF75AAB239B
GetLastError.KERNEL32 ref: 00007FF75AAB23BA

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: 7f00f4e9477bfade177a4e86eaabfa92fcb1f7636e38222517351779b68c097c
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 6E21F521A0C74681FA60AF91A400A3DE360FF85B94F9C44B2DA4D466C4EF7CDC8A8721

Function 00007FF75AABE948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AABECD8: ResetEvent.KERNEL32 ref: 00007FF75AABECF1
Part of subcall function 00007FF75AABECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF75AABED07

ReleaseSemaphore.KERNEL32 ref: 00007FF75AABE974
CloseHandle.KERNELBASE ref: 00007FF75AABE993
DeleteCriticalSection.KERNEL32 ref: 00007FF75AABE9AA
CloseHandle.KERNEL32 ref: 00007FF75AABE9B7

Part of subcall function 00007FF75AABEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AABE95F,?,?,?,00007FF75AAB463A,?,?,?), ref: 00007FF75AABEA63
Part of subcall function 00007FF75AABEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AABE95F,?,?,?,00007FF75AAB463A,?,?,?), ref: 00007FF75AABEA6E

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: b7a5a3cc5ce51878d4aac2bc2d9b8b23ea59fcb4a2d8ad496468566a648abb35
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: F6018032A14A8192F258EB61E544A6DF730FF88BC0F444074DB5D13225CF39E4B6C750

Function 00007FF75AABEAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF75AABEAE0
SetThreadPriority.KERNEL32 ref: 00007FF75AABEB36

Strings

CreateThread failed, xrefs: 00007FF75AABEAEE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 5e24b6a7781c512b1c6cee40896411458c0dac67618be8eed8f9146da7cc83eb
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: C2116031A08B4281F714FB54E8419A9F360FF94784F9C81B5D64E02669EF7CE982C7A0

Function 00007FF75AAC946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AABDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF75AABDDDF

OleInitialize.OLE32 ref: 00007FF75AAC9486
SHGetMalloc.SHELL32 ref: 00007FF75AAC94D4

Strings

riched20.dll, xrefs: 00007FF75AAC9475

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction ID: 8fbc01388647b39fa6556871b07a59290096efaecfbd0583a3b37d847af15b04
Opcode Fuzzy Hash: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction Fuzzy Hash: 90F0AF71618A8182FB40AF60F40496AF7A0FF88314F880135E98D42754DF7CD18DCB20

Function 00007FF75AAC095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAC853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF75AAC856C

Part of subcall function 00007FF75AABAAE0: LoadStringW.USER32 ref: 00007FF75AABAB67
Part of subcall function 00007FF75AABAAE0: LoadStringW.USER32 ref: 00007FF75AABAB80

Part of subcall function 00007FF75AAA1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA1FFB

Part of subcall function 00007FF75AAA129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAA1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD01BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAD01C1
SendDlgItemMessageW.USER32 ref: 00007FF75AAD01F2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: a7a3b9276fd9d60c98c673be8cadfcd1c49bd858ed4eeabe3b08c1157da673f6
Instruction ID: 6e2dcd6106388b6688abeabcd75cf41f363a4685effd92b898bedb11dc22ab16
Opcode Fuzzy Hash: a7a3b9276fd9d60c98c673be8cadfcd1c49bd858ed4eeabe3b08c1157da673f6
Instruction Fuzzy Hash: 0551C362F047425AFB00BBE1D4556FDA362AF85784FC8017AEA4D177DAEE2CD502C3A0

Function 00007FF75AAA1744 Relevance: 4.6, APIs: 3, Instructions: 118COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA189C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAA18A8
__std_exception_copy.LIBVCRUNTIME ref: 00007FF75AAA18D4

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2371198981-0
Opcode ID: 1efb8e3964760df1e8e504c58090104d82ec3478f89626f60cfdbe921361c3b8
Instruction ID: 1ca2d9609d2839b01890f8ec81f1ddc9587e6bcce19dd61aad44573963fea6dd
Opcode Fuzzy Hash: 1efb8e3964760df1e8e504c58090104d82ec3478f89626f60cfdbe921361c3b8
Instruction Fuzzy Hash: A341E161B08645A5FA04AB92E544A79E395EF08BE0FD88231DE7C07BD5EF3CE096C354

Function 00007FF75AAB2134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF75AAB21CF
CreateFileW.KERNEL32 ref: 00007FF75AAB223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB22D8

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 0b9e157db79160e2ad51da083b57527fa928f82c130172c126627bbc10adf13b
Instruction ID: c3114231b5a9e43add289a68ced13609d33b692221acb5cad43243c2abc65d44
Opcode Fuzzy Hash: 0b9e157db79160e2ad51da083b57527fa928f82c130172c126627bbc10adf13b
Instruction Fuzzy Hash: 89411672A0878582FB109B54E444A69A3A0FF847B4F840335DFAD03AE5DF3CD896C710

Function 00007FF75AAA23F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF75AAA243E
GetWindowTextW.USER32 ref: 00007FF75AAA2476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA2505

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: e08c7dfb2dc1d9463dec0fad2005500a4fe685a622722b2634dfe3f3512ff4dd
Instruction ID: 63acafa603980d39cf418b8a98ab39a58767ee503b08c49c09c1e82409cd0da3
Opcode Fuzzy Hash: e08c7dfb2dc1d9463dec0fad2005500a4fe685a622722b2634dfe3f3512ff4dd
Instruction Fuzzy Hash: 0E218472A18B8181FA149BA5E44057AB3A4FF89BD0F985235EBDD03B95DF3CD191C740

Function 00007FF75AAC1F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF75AAC205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF75AAC2077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF75AAC2093

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 7fdfb8b08260a68de66ecd622df27e98485fdb680c183650925e5cdb3d7d3185
Instruction ID: b85b56ebbee7d8eade3210a62f22bacd18d5a4919711655f9a52562c7de63ab6
Opcode Fuzzy Hash: 7fdfb8b08260a68de66ecd622df27e98485fdb680c183650925e5cdb3d7d3185
Instruction Fuzzy Hash: F1318322A0864661FBA4B754E4547B9E3A0FF50B84F9C4472E28C077A9EF6CD947C311

Function 00007FF75AAB3D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF75AAC07E1), ref: 00007FF75AAB3D5E
SetFileAttributesW.KERNEL32 ref: 00007FF75AAB3DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB3E1A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: ac18a83a37a21749c7aa78aaec7704104475699d89f0dcb909fab837ee55c2e9
Instruction ID: 6ced54dccf7b324464408a7eb239169347e5c5e2e31e8ccd43eeb156f9c02e6c
Opcode Fuzzy Hash: ac18a83a37a21749c7aa78aaec7704104475699d89f0dcb909fab837ee55c2e9
Instruction Fuzzy Hash: 7D21FB22A0878541FA20AB65E44566DA360FF88794F984275EA9D43694EF3CD542C620

Function 00007FF75AAB31BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF75AAC0822), ref: 00007FF75AAB31E7
DeleteFileW.KERNEL32 ref: 00007FF75AAB3237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB32A1

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: a0ef641f18d862fb2ede747b4f7a5cd70e7cdd2a52a9d3b4729baac44d7eebee
Instruction ID: 713b099ff90023136cb2ee4ea035530340a26cdeda44caa9bba490da3818da5c
Opcode Fuzzy Hash: a0ef641f18d862fb2ede747b4f7a5cd70e7cdd2a52a9d3b4729baac44d7eebee
Instruction Fuzzy Hash: 8221F832A1878581FE50AB64F44462EA360FF98BD4F940274EAED42A99DF3CD542C720

Function 00007FF75AAB32BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF75AABE5B1,?,?,?,00000000,?), ref: 00007FF75AAB32E7
GetFileAttributesW.KERNELBASE ref: 00007FF75AAB3334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB3399

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: bb03d890145153a6389d317eee9ce9bd5a67d6f121021ec7dbe6c19775fb5f48
Instruction ID: 8c9e9c673043d659c6900f2a9de59756b7b451d5daf32bb15fd07d2820dfdf4e
Opcode Fuzzy Hash: bb03d890145153a6389d317eee9ce9bd5a67d6f121021ec7dbe6c19775fb5f48
Instruction Fuzzy Hash: 0F21B632A1878581FA50AB68F44452AA361FFC87A4F981371EAED43BD5DF3CD442C720

Function 00007FF75AADBF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF75AADBF48), ref: 00007FF75AADBF8C
TerminateProcess.KERNEL32(?,?,?,00007FF75AADBF48), ref: 00007FF75AADBF97
ExitProcess.KERNEL32 ref: 00007FF75AADBFA6

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 801516d5d6e264c4a6b3b8fd16429d1b1c5763e1d57c29e4fb22381f93fcf3fa
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: C7E01A24A0430686FB947BA19895B79A362AF9CB41F5844BCC84A42396CE3DE80A8760

Function 00007FF75AAAF578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAF89B

Part of subcall function 00007FF75AAB3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF75AAC0811), ref: 00007FF75AAB3EFD

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 390f1a2edb2631e53b1801632849d54f8c861f77ec1a095bbc779a2a96df894f
Instruction ID: 19cf63877376bc63281bf73a0aed9789bc51df2a3f4dde88a9b808c02324b46f
Opcode Fuzzy Hash: 390f1a2edb2631e53b1801632849d54f8c861f77ec1a095bbc779a2a96df894f
Instruction Fuzzy Hash: F191C233A1878194FB14EFA4D4406ADA3A1FF84798FD84176EA4C07AE9DF78D546C3A0

Function 00007FF75AAA3904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA3AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA3AB9

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 08a22ae537fb238a79d2cd958e2f999ccce0ea13b41feda8d349708073189f75
Instruction ID: b93fb52862446ed6006537e024462e696e766356fdb5e688bb14fcb8d48388da
Opcode Fuzzy Hash: 08a22ae537fb238a79d2cd958e2f999ccce0ea13b41feda8d349708073189f75
Instruction Fuzzy Hash: 0141E462F1465284FB00EBF1D450AFDA3A0AF44BD8F985175EE5D27AD9DE38D4838360

Function 00007FF75AAB2778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF75AAB274D), ref: 00007FF75AAB28A9
GetLastError.KERNEL32(?,00007FF75AAB274D), ref: 00007FF75AAB28B8

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: 8e498baa4fbc075751d4094fea0b1ed6e59de6c8becea6b843af3034859f1fa5
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: 1E311A32B19B4A41FA606BE6D540EB5A350AF04BD4F8C0172DE1D177A4EE3CDC478320

Function 00007FF75AAA22BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF75AAA22F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA23F0

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: bec8d0c1c672d295977e9fc10f39d8f626ff81b9c2385a5dbc8c6e1febdb5a1a
Instruction ID: 479f88536eea42ab96380cba4f0ab1872429df9b16a30610936212e40d66a1bf
Opcode Fuzzy Hash: bec8d0c1c672d295977e9fc10f39d8f626ff81b9c2385a5dbc8c6e1febdb5a1a
Instruction Fuzzy Hash: 7831F422A1874145FA54AB95E44477EF3A0EF85790F884231EB9C07BE5EF3CE496C760

Function 00007FF75AAB2AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF75AAB2AFE
SetFileTime.KERNELBASE ref: 00007FF75AAB2B9B

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 5adfaf30fc2d46847fe7170dc3f7bf8d09140a021a659ab7aa9b3551840fd75a
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: D221E222E09B4A91FA62AE91D410BBAD790AF05794F9840B2DE4C02295FE3CDD8BC310

Function 00007FF75AABAAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF75AABAB67
LoadStringW.USER32 ref: 00007FF75AABAB80

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: 77746e46da84d95070aa81f8875e2f815f4ef9d61a8fadf19a53f65334294be0
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 22118E70B0874586FA00AF1AA844868F7A1BF89FC0BD84479CA1D93724EF7CE9818394

Function 00007FF75AAB2BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF75AAB2C11
GetLastError.KERNEL32 ref: 00007FF75AAB2C1E

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 6fb8ac67fbd30a3010aa3f8e9bb18654d3fb17865295451b43db954d9f27cc5b
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: 2B11D221A0874581FB61AB65E840A79A360FF55BB4F984772DA3D122D4EF3CD987C310

Function 00007FF75AAA255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AABA4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF75AABA504
Part of subcall function 00007FF75AABA4AC: SetDlgItemTextW.USER32 ref: 00007FF75AABA573
Part of subcall function 00007FF75AABA4AC: GetWindowRect.USER32 ref: 00007FF75AABA5AD
Part of subcall function 00007FF75AABA4AC: GetClientRect.USER32 ref: 00007FF75AABA5BB

GetDlgItem.USER32 ref: 00007FF75AAA25AC
SetWindowTextW.USER32 ref: 00007FF75AAA25C8

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: 7c0978bbb1d632da59ab4973463a7a16ff729ff0feac99771fa403cd21322c1f
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: 2C015220A0974B41FE59B7D1A454B79D7917F45744F8C00B9C84D062E9EE2CE8DA8360

Function 00007FF75AABEB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF75AABEBAD,?,?,?,?,00007FF75AAB5752,?,?,?,00007FF75AAB56DE), ref: 00007FF75AABEB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF75AABEB6F

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 56be7a67caec554692b7d0fb6da001b229eb1c6a78f9c1615597b4488f247569
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: 8DE02B61F1468A82EF589F99C4408E9B392BFC8B40BC88039D60B83614DE2CE5468B00

Function 00007FF75AAD21D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAD2200

Part of subcall function 00007FF75AAD2F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF75AAD2F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAD2206

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
Instruction ID: 60e428e10bd6f78f27b87d767e92b7cbb785e76b31215711172d8308febd57fc
Opcode Fuzzy Hash: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
Instruction Fuzzy Hash: EFE0EC70E0920741FA9832F218269B580904F69770EDC5BF4EAFE052D6BD1CA49BC170

Function 00007FF75AADD90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF75AADD922
GetLastError.KERNEL32 ref: 00007FF75AADD934

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 9405b13151dd6febd9e78a13a48dc8a18bfd5a6b557ab4becee5d2cdcf49e2ad
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 8CE08690E0A14342FF44BBF2980597497D05FA8750F8C04B4C94D86252EE3D94838270

Function 00007FF75AAA33E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA388C

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: eaabdaa8850150cc0ece2f2f1474b33a95fa1a6fec094405e9f66626a5bb54a1
Instruction ID: 783c53b7953b8b74ba4c0579fa3ffeecee507feebee7f19e74df25a75931df00
Opcode Fuzzy Hash: eaabdaa8850150cc0ece2f2f1474b33a95fa1a6fec094405e9f66626a5bb54a1
Instruction Fuzzy Hash: ADD1FB6AB0868255FB68EB6595446B9E7E1FF05B84F8C40B5CB1D07BA1CF38E4628370

Function 00007FF75AAB5294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB551B

Part of subcall function 00007FF75AAC13F4: CompareStringW.KERNEL32 ref: 00007FF75AAC145A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: 388fc3c901f750e810fce68d2ec07def1b7a5bb75be5fb5e9f63537d100d501a
Instruction ID: d6b9eccb9b4894162cb4602650e0c2eb8918c6c2dad3ba0acee72692c74a55b9
Opcode Fuzzy Hash: 388fc3c901f750e810fce68d2ec07def1b7a5bb75be5fb5e9f63537d100d501a
Instruction Fuzzy Hash: 8761D931E0C74B41FA64BAD594249BAD292AF45BD4F9C41B5EE4F067C5EE6CEC438230

Function 00007FF75AAC1870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AABE948: ReleaseSemaphore.KERNEL32 ref: 00007FF75AABE974
Part of subcall function 00007FF75AABE948: CloseHandle.KERNELBASE ref: 00007FF75AABE993
Part of subcall function 00007FF75AABE948: DeleteCriticalSection.KERNEL32 ref: 00007FF75AABE9AA
Part of subcall function 00007FF75AABE948: CloseHandle.KERNEL32 ref: 00007FF75AABE9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC1ACB

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 50f7335678577ceeb6d211ec326131ba5fa7e84c6b35c080be0a6a65b3549785
Instruction ID: f38e922fcaf7e5bbae26fc0aafa55b559e7fdf1a699d33a86c1125496a28d5c4
Opcode Fuzzy Hash: 50f7335678577ceeb6d211ec326131ba5fa7e84c6b35c080be0a6a65b3549785
Instruction Fuzzy Hash: 7C61AD72B15A8592FE08EBA5D5644BCB3A4FF40F90F9C4272E76D07AC1DF28E4628310

Function 00007FF75AAAEC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAEEB8

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 9c3f9390a9065cb36f7a64368bb790d884637895af10fcd5f23bdc876ae0bee8
Instruction ID: 1c93ca5130aebb71528294c468c55a8e20680599a5671f1d13da15aa34b519e9
Opcode Fuzzy Hash: 9c3f9390a9065cb36f7a64368bb790d884637895af10fcd5f23bdc876ae0bee8
Instruction Fuzzy Hash: C451F762A0878250FA20AB95D444BB9A791FF45BC4F8C0176EE5D07393DF3DE886C3A0

Function 00007FF75AAAE7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAB3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF75AAC0811), ref: 00007FF75AAB3EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAE993

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 66b082697bf6d456d849a2ffc3f94eea7fcf4a782198a57a47dea411162543d7
Instruction ID: 72192ae7d3d277d132af3684e2544c1e43a3bd1a8dded16508696edb8cbe6232
Opcode Fuzzy Hash: 66b082697bf6d456d849a2ffc3f94eea7fcf4a782198a57a47dea411162543d7
Instruction Fuzzy Hash: B6518622A0879681FB60EFA4D44577DA391FF84B84F884176EA8D077A6DF3DD442C360

Function 00007FF75AAB1794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB187D

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 596eeaa46c14c421b88cd5960f13ec5a4774242ca82f07c4e126378d4fcb3d87
Instruction ID: a296634f2a25cdf62d4015d834e0ea75bfbae3bdb4f425b7ebb386524ed618b8
Opcode Fuzzy Hash: 596eeaa46c14c421b88cd5960f13ec5a4774242ca82f07c4e126378d4fcb3d87
Instruction Fuzzy Hash: 6141D762B18B8542FA14AA97A644779E291FF44FC0F8C8535EE4C47F5ADF3CD8928340

Function 00007FF75AAB2F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB30C8

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 5a2d32e3cad0443ebeff1d9248599c1ca23f921f148fa2738b984a0d020eca18
Instruction ID: c5ecd9d23ff6ceadc93d895aa2d1a727553436014adce31c16fe9e67e3c73b42
Opcode Fuzzy Hash: 5a2d32e3cad0443ebeff1d9248599c1ca23f921f148fa2738b984a0d020eca18
Instruction Fuzzy Hash: 99412722A08B4A80FE50AB65E145779A360EF84BD4F880175EA4D07BD9DF3DE842C730

Function 00007FF75AADBDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF75AADBE20

Part of subcall function 00007FF75AADBFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF75AADBFD0
Part of subcall function 00007FF75AADBFB0: GetProcAddress.KERNEL32 ref: 00007FF75AADBFE6
Part of subcall function 00007FF75AADBFB0: FreeLibrary.KERNEL32 ref: 00007FF75AADC00B

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: 05350263c13d2d3d1c9d0e08aa972438dbe8590cfd906a432967448677a14979
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 2341D421E1860282FB94BB91D850978E6A1BF58B40FCC44BADA8D476A1DF3CE842C760

Function 00007FF75AAA129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAA1396

Part of subcall function 00007FF75AAA1F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF75AAA1F89

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 81bbc9496a7d415ea2bbbc601fb53a43020ae880daa92f7a292fdc8bc8c92929
Instruction ID: a90d9fa95bfcbc78fc3e0ffcdae116c913c62db879a02ef0b9146772d4fa4c55
Opcode Fuzzy Hash: 81bbc9496a7d415ea2bbbc601fb53a43020ae880daa92f7a292fdc8bc8c92929
Instruction Fuzzy Hash: FF213022A08651A5FA54AE92A400679A2D0AF05BF0FDC0771DE7E47BD1DE7CE45283A4

Function 00007FF75AAE124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AAE1280

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: 856c764ec21c1acc95cc4580b636220100b71c5020ed84aecb89100c7a0d139c
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 43115E3291C79286F710AB90A840D39F2E4FF60380FDD05B9E69D8B696DF3CE4428760

Function 00007FF75AAA3AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA3B6C

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: f5fcd5f1c3f2e37d131694daf467b35a295dcb205b70c803901a30fdf0723196
Instruction ID: 44452455293f84ecf070e6fee9b1fced11d86f5b55318eb784cb0270b0548519
Opcode Fuzzy Hash: f5fcd5f1c3f2e37d131694daf467b35a295dcb205b70c803901a30fdf0723196
Instruction Fuzzy Hash: 10010466E1868541FA11A7A8E441629B3A2FF88790FC45271E6AC07AA5EF3CD0428724

Function 00007FF75AAD1558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF75AAD1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF75AAD1573,?,?,?,00007FF75AAD192A), ref: 00007FF75AAD162B

DloadProtectSection.DELAYIMP ref: 00007FF75AAD15C9

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: e4d41f2f57342c6107e41df6567a471142b0756341b5b1a4051bd8bcfb71c45d
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: 8111C070D0890781FB90BFC5E841F70A7A0BF14348FDC14F8DA4D862A1EE3CA69686B0

Function 00007FF75AAB3EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAB40BC: FindFirstFileW.KERNELBASE ref: 00007FF75AAB410B
Part of subcall function 00007FF75AAB40BC: FindFirstFileW.KERNELBASE ref: 00007FF75AAB415E
Part of subcall function 00007FF75AAB40BC: GetLastError.KERNEL32 ref: 00007FF75AAB41AF

FindClose.KERNELBASE(?,?,00000000,00007FF75AAC0811), ref: 00007FF75AAB3EFD

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 9ff4732097318e79c55d36bd8b50f5ef8e8eafdbbaf4bec29f790bffa155b658
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 4AF0F46250838582FA50BBF0A400579B7609F19BB4F5C53B8EA3D077CBCE38D8468770

Function 00007FF75AAB273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF75AAB2755

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction ID: b7279b1e0c1dc5392b715a366b8ae6fca1e26b05ef58c7b9cc786515ef98d3ee
Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction Fuzzy Hash: 12E0CD51B1061582FF20BBB6C8419345320EF4CF84B8C10F1CE0D07331CE28C8C68714

Function 00007FF75AAB2490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF75AAB24A2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 4b7fbf55067a33e0274634f5e0f87a5efe4d9d768eae47df54d1d7822ae829ae
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 41D02212D0944082FD00B3B5D84147C6300AF93335FE803B1C23E81AE1CE1E98CBA320

Function 00007FF75AAB7FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF75AAB7FD2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 9cadecad84b7b197e99636b8bf41268ea423ac0cad0ef4c91ad34223400e4944
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: CEC08C20F06602C1EA08EB26C8C941813A4BF54B04BA84078C10C81120CE2CC9FBD359

Function 00007FF75AADFA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF75AADFA59

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: 762504970d78d9704bc7fec2aee4f59f8bce5f60ee6fd034bed4b135fa8b4818
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 40F06251B0970745FE947AE19911BBAD2905F58B40FCC54B0C98D4E3E1EE1CE5834130

Function 00007FF75AADD94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF75AADD98A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: bc651f5412872acb63382a385bc2d8dafebfbce0987c12ed7d8f95d08a607afe
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: 69F08291B0A38744FF9476F15800EB4D6A05F84760FCC26B0DDEE466C1EE1EE4428130

Function 00007FF75AAB20D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF75AAB207E), ref: 00007FF75AAB20F6

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 0f37409eb70d23ef0f6c599172828eb624d07a19218d1c9c12125cd94c77efab
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: DFF0A432A0868685FB249B60E041BB9A761EF14B78F8C4375D73D011E4EF28DC9A8320

Non-executed Functions

Function 00007FF75AAAC2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAADE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF75AAACF4B), ref: 00007FF75AAADE27
Part of subcall function 00007FF75AAADE04: GetLastError.KERNEL32 ref: 00007FF75AAADE88
Part of subcall function 00007FF75AAADE04: CloseHandle.KERNEL32 ref: 00007FF75AAADE9B

wcscpy.LIBCMT ref: 00007FF75AAACBC8
wcscpy.LIBCMT ref: 00007FF75AAACBFE
CreateFileW.KERNEL32 ref: 00007FF75AAACC38
DeviceIoControl.KERNEL32 ref: 00007FF75AAACD01
CloseHandle.KERNEL32 ref: 00007FF75AAACD12
GetLastError.KERNEL32 ref: 00007FF75AAACD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF75AAACD7D
DeleteFileW.KERNEL32 ref: 00007FF75AAACD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAACED7

Strings

SeRestorePrivilege, xrefs: 00007FF75AAAC343
\??\, xrefs: 00007FF75AAAC392, 00007FF75AAAC3B8
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF75AAAC34F
UNC\, xrefs: 00007FF75AAAC53F, 00007FF75AAAC55D

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: ff93d16a2b273c6118f741a7e32725ecd73d88bf4e3e3e92d6e46e353eb7c7b6
Instruction ID: 8bbf3ebf7078b2000e429206d6f0b207f810c556fa86979053eb36898ac06a8f
Opcode Fuzzy Hash: ff93d16a2b273c6118f741a7e32725ecd73d88bf4e3e3e92d6e46e353eb7c7b6
Instruction Fuzzy Hash: 55621262F0874285FB00EBF4D444ABDA3A1AF847A4F984272DA6D53AD5DF3CD586C360

Function 00007FF75AABF180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF75AAC0528

Part of subcall function 00007FF75AABAAE0: LoadStringW.USER32 ref: 00007FF75AABAB67
Part of subcall function 00007FF75AABAAE0: LoadStringW.USER32 ref: 00007FF75AABAB80

Part of subcall function 00007FF75AACB0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF75AAC0429), ref: 00007FF75AACB110
Part of subcall function 00007FF75AACB0DC: SetLastError.KERNEL32 ref: 00007FF75AACB153

Part of subcall function 00007FF75AAA129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAA1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC0490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC0496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC04F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC0532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC0538

Strings

%ls, xrefs: 00007FF75AABF3AC, 00007FF75AABF3FF
%s: %s, xrefs: 00007FF75AABFC11

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: 6623834c6ca9731efd334e76f2f7c4d48775863e17bd3527b859c843ee7b3cd4
Instruction ID: a6ed938d23a6cb1e1c1e7ee302d7422620b48cde6e05c3cb39ae56e332decba5
Opcode Fuzzy Hash: 6623834c6ca9731efd334e76f2f7c4d48775863e17bd3527b859c843ee7b3cd4
Instruction Fuzzy Hash: 47B20962A1878241FA54BBA5E4509BEE351EFC93C0F984376E6DD037EAEE2CD542C710

Function 00007FF75AAE2550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AAE2C12
memcpy_s.LIBCMT ref: 00007FF75AAE35BF
memcpy_s.LIBCMT ref: 00007FF75AAE3666

Part of subcall function 00007FF75AAE38BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AAE38EE

memcpy_s.LIBCMT ref: 00007FF75AAE372F

Part of subcall function 00007FF75AADD008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AADD02D

Strings

1#INF, xrefs: 00007FF75AAE3807
1#SNAN, xrefs: 00007FF75AAE37C9
1#IND, xrefs: 00007FF75AAE37AA
1#QNAN, xrefs: 00007FF75AAE37E8

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: f4652aca178bb7b2265c029b018962784a6d90f601bd689cd22ec3698d2bf8a6
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: A9B21C72A081824BFB65AFA5D440FFDB791FF54388F885179DA0A57B84DF38E5068B20

Function 00007FF75AAB1A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF75AAB1A97
GetLongPathNameW.KERNEL32 ref: 00007FF75AAB1AE0
GetShortPathNameW.KERNEL32 ref: 00007FF75AAB1B21
GetShortPathNameW.KERNEL32 ref: 00007FF75AAB1B6A

Part of subcall function 00007FF75AAC13C4: CompareStringW.KERNEL32 ref: 00007FF75AAC13E3

MoveFileW.KERNEL32 ref: 00007FF75AAB1DFE
MoveFileW.KERNEL32 ref: 00007FF75AAB1E65

Part of subcall function 00007FF75AAB2134: CreateFileW.KERNEL32 ref: 00007FF75AAB223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB1FED

Strings

rtmp, xrefs: 00007FF75AAB1CF4, 00007FF75AAB1D03

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 4e83cf1a0bf76f1cd98a138687b98762b91f55a9d542ddcfa5c5c6636e940066
Instruction ID: 9b761bb18eaed98c779029eab6c03f0c308830a095cb4d5aceac0a658d6fdfbf
Opcode Fuzzy Hash: 4e83cf1a0bf76f1cd98a138687b98762b91f55a9d542ddcfa5c5c6636e940066
Instruction Fuzzy Hash: E5F1E522B08B4695FB10EBB5D4405BDA7A1FF853C4F980176EA4D43AA9DF3CD986C350

Function 00007FF75AAB5B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF75AAB5BC2
GetFullPathNameW.KERNEL32 ref: 00007FF75AAB5C0E
GetFullPathNameW.KERNEL32 ref: 00007FF75AAB5D2B
GetFullPathNameW.KERNEL32 ref: 00007FF75AAB5D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB5EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB5EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB5EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB5EF2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: 13b57053c9edb0f691e6564e78418f78cd1dc0b326f339559e8595bdf58b92da
Instruction ID: 68677fd46ade91863bf228f1c3e65931739a2659e0525027668e1e419b92d5fd
Opcode Fuzzy Hash: 13b57053c9edb0f691e6564e78418f78cd1dc0b326f339559e8595bdf58b92da
Instruction Fuzzy Hash: BCA1C472F14B5644FE40ABF9C8449BCA361AF45BA4B984275DE6E17BC8DF3CE4438250

Function 00007FF75AAD3170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF75AAD318C
RtlCaptureContext.KERNEL32 ref: 00007FF75AAD31B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF75AAD31D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF75AAD3214
IsDebuggerPresent.KERNEL32 ref: 00007FF75AAD3268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF75AAD3289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF75AAD3294

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: 4d5f1b279313cfd328c49154d9727a301d9c411539db7383db4fecbab0105b7f
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: 58315272609B8289FB609FA0E8507ED7360FF94744F884479DB8D47A98DF38D549C720

Function 00007FF75AAD76D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF75AAD7751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF75AAD7769
RtlVirtualUnwind.KERNEL32 ref: 00007FF75AAD77A4
IsDebuggerPresent.KERNEL32 ref: 00007FF75AAD77DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF75AAD77E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF75AAD77F2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: b5a9f39b4553a847fd11d021e5c1be79d7830af2b487eb3b00e1ecdcf6ed7ce4
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 2A31A732604B8185EB64DF65E8406AEB7A0FF88754F940175EA9D43B98DF3CC546C710

Function 00007FF75AAA1AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA1EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA1EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA1EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAA1EBB

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: f9bf03e1b13c0b4c6c7d934612849e6fccaf4440e8589cb7471eab4968075207
Instruction ID: c4123715ca3b31ef687559db0266e1fb08a60d3c86155dc08cebcc06240f7edb
Opcode Fuzzy Hash: f9bf03e1b13c0b4c6c7d934612849e6fccaf4440e8589cb7471eab4968075207
Instruction Fuzzy Hash: 2EB1D122B14686A5FB10ABA5D8406FDA3A1FF857C4FC84276EA4C03B99EF3CD546C350

Function 00007FF75AADFA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AADFAC4

Part of subcall function 00007FF75AAD7934: GetCurrentProcess.KERNEL32(00007FF75AAE0CCD), ref: 00007FF75AAD7961

Strings

*?, xrefs: 00007FF75AADFAEB
., xrefs: 00007FF75AADFEE4

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: 924766de16b47f3316806696730ca5f01bcf3a7403e46e3940ffe4f4ff7d04e3
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: 9151C262B15A9545FF51EFE298108BEA3A4FF48BD8B884571DE9D17B85EE3CD0438320

Function 00007FF75AAE2080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF75AAE210B

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 9735668e297d1305114e39a4d3525833578f2367cfdf886e7f1fdeac275c2a40
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: 69D1EA32B1868687EB34DF55E184A6AF791FB98744F488138CB4E57B44EB3CE946CB10

Function 00007FF75AAAB6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF75AAABA9D), ref: 00007FF75AAAB6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF75AAABA9D), ref: 00007FF75AAAB719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF75AAABA9D), ref: 00007FF75AAAB743

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: 9547f14b5c9db4da89f51503ff599a7df08440c8189c980242da31ac8f074ecf
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: F4014F7160C74282F750AFA2F85057AA791FF99BC0F8C4074EA8E47B49DE3CD9168750

Function 00007FF75AADFCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF75AADFEE4

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: 531da9f7318eec8d365fbb5e35703f40bb3020fb853fc7a4d23c2da18e915cc7
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: F6310A22B0869145F760AB76D804BBEAA91AF54BE4F9C8235DE9C07BC5CE3CD5038300

Function 00007FF75AAE5AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF75AAE5D45
RaiseException.KERNEL32 ref: 00007FF75AAE5D56

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: e0c1eb82444cdf7eb5c6593b99bf15a0697fb159fae020be7aadab63631f9128
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: 7FB19E73600B868BEB15DF29D88636C7BA0FB84B48F188976DB5D837A4CB39D452C710

Function 00007FF75AAC8DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAC85E0: GetDC.USER32 ref: 00007FF75AAC85EC
Part of subcall function 00007FF75AAC85E0: GetDeviceCaps.GDI32 ref: 00007FF75AAC85FD
Part of subcall function 00007FF75AAC85E0: ReleaseDC.USER32 ref: 00007FF75AAC860A

GetObjectW.GDI32 ref: 00007FF75AAC8E48

Part of subcall function 00007FF75AAC90B0: GetDC.USER32 ref: 00007FF75AAC90D9
Part of subcall function 00007FF75AAC90B0: GetObjectW.GDI32 ref: 00007FF75AAC9107
Part of subcall function 00007FF75AAC90B0: ReleaseDC.USER32 ref: 00007FF75AAC91BB

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: df1b7d58085e6fc1588e52d31fa3cdd1e66b81631d29134c80bb565d1c553546
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: 0A813936B08A0586FB209FAAD450AACB771FF88B88F4441B6DE0D57B24DF39D546C390

Function 00007FF75AACA2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF75AACA315
GetNumberFormatW.KERNEL32 ref: 00007FF75AACA371

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: 30ad3e4faff34c9a6b63fc8d5f8f25b63fc2facb64a0e6d0d53074fb52b0c5a9
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: 2F118C36A08B8199F361AF51E810BE9B360FF88B84FC84176DA8C03668DF3CD146C754

Function 00007FF75AAB126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAB24C0: CreateFileW.KERNELBASE ref: 00007FF75AAB259B
Part of subcall function 00007FF75AAB24C0: GetLastError.KERNEL32 ref: 00007FF75AAB25AE
Part of subcall function 00007FF75AAB24C0: CreateFileW.KERNEL32 ref: 00007FF75AAB260E
Part of subcall function 00007FF75AAB24C0: GetLastError.KERNEL32 ref: 00007FF75AAB2617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB15D0

Part of subcall function 00007FF75AAB3980: MoveFileW.KERNEL32 ref: 00007FF75AAB39BD
Part of subcall function 00007FF75AAB3980: MoveFileW.KERNEL32 ref: 00007FF75AAB3A34

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: 3d42be01f5da7359752b23aff0a4933365d5119f3f7d56a086558a804adc0db8
Instruction ID: f44ed5ad24e59362ab1bf91df1627b131ff7d8dfe4eadec1e5e97d1ff558aa03
Opcode Fuzzy Hash: 3d42be01f5da7359752b23aff0a4933365d5119f3f7d56a086558a804adc0db8
Instruction Fuzzy Hash: 6E91C422B1874A81FA50EBA2D444ABDA3A1FF54BC4F884076EE0D47B95DF3CD946C350

Function 00007FF75AAB4EB0 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF75AAB4EE2

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction ID: 3b0c689dfb3be5197205a8049561936f89c0765fd43e8b12476526422b8d88cf
Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction Fuzzy Hash: 1B01847194D78686FA71ABB4A414BB5F7906FA9B05FCC01B4C69C07291DE3CA84A8A34

Function 00007FF75AAD8C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF75AAD8DD3

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: 544ae1a26cd29005c19ca7342bf34710aaca25e2441431dd2acdaabdeb745e98
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: 8E81FA22A1814246FAE8AA958040E7DABD0EF58B48FDC15B2DDC9876D5CF3DE847C760

Function 00007FF75AAD89A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF75AAD8B3A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: 76197980ec048654ef970d8a8edb55aec7de4b01c3c200bf9b466060a6f2f81e
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 47715A21A0C24346FBE8AA994040E7DEB90AF49704FDD15B1CDC98F6E6CE2DF8478760

Function 00007FF75AABC96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF75AABC97B

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: eb422b139c95b3d26e12d23ee889dde23ef1a5e1c160688f643d0237f9659d3e
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: F05192377286908BD754CF65E400A9EB3A5F788758F445126EF8A93B09CB3DE945CF40

Function 00007FF75AADC838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF75AADC874

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 3d5d38710f7976612977142d632d00be3402595d0039296971e4adccc4dbf73d
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: C241EF32714A458AFE48DF6AD8146A9B7A1AB58FC0B8D9036DE5D87754EE3DD042C300

Function 00007FF75AAE0D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF75AAE0D24

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: 44a54d98e638e89c69c89272c707bb7b32b7e8c70b26edfcc767d8f358ccc436
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: B2B09220E17A02C2FA083B516C8265467A4BF98700FD890B8C10C41320DE2C20A64721

Function 00007FF75AAC3964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: e5063187b46da1f4332b0ea67cd880881b2cd13d31bed0f0409a423168aeae03
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: 3A821672A096C186F705DFA4D428ABCBBA1EB51F84F5D817AEB4E07385DA3DD446C320

Function 00007FF75AAA76C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: 83e291f4b0c6ed4ce269b4ee305059bda775ecc670df3ca7fb25151afeb4541a
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: 47626D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF75AAC53F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: 876dd17e6b650fb909a4465a553c208f24b3cf6839ac0201cc88bd0a82143207
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: DF8212B2A086C28AF714DE64D428AFCBBA1FB55B48F4C8176EA4D47785DA3CD446C720

Function 00007FF75AABBB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 2e7f0033d21fa7aa566d2f06265f654d1149fda1dba481cc2e1f9c242b2a91da
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: DE220573B206508BD728CF25D89AE5E3766F798344B4B8228DF4ACB789DB38D505CB40

Function 00007FF75AAC4B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: 15623ade0bfa76dc237126b33c12912fd7e1758177e1472abc2e71e4d677694b
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 2D32E372A041928BF718DF64D564BBC77A1FB54B08F498139EB4A87B84DB3CE852C750

Function 00007FF75AAA7288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: 535645d965f7166125f7125b132f617222d99bdbee73de0ac4f008023e3b5372
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: F4C1ADB7B281908FE350CFBAE400A9D7BB1F39878CB559125DF59A3B09D639E605CB40

Function 00007FF75AAC2D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: ab76708425b923dd5c8f4b6af807d31c06a5387a1d97cd293a53037d81579cb5
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: 79A15773A0828646FB15FAA4C424BFDE691EF90744F8D4175EA4A07786EE3CE847C760

Function 00007FF75AABAF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 7fcacde8c302b92af7088567be66205bef30c37f073d24343f1aa51a169f225d
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: 0EC10573A292E44DF302CBB5A4248FD3FB1E71E34DB4A4151EFA666B4AD6285201DB70

Function 00007FF75AAAA310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: c1db9896ad0c61840defaf30bdb33fa964b69cfd3165f0a26b5bf8f82a4323bc
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 4E912362B1868196FB11EF69E450AFDA7A0FF95788F880031EF4E07649EF39D646C350

Function 00007FF75AABB534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: e8424e2d8426bdb9088810edeabbf7eae0ef8f573df514e2c2a7da153a32c3e7
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: E4612823B192D549FB01DFB585108FDBFB1EB19784B898072CE9A57646DA3CE907CB20

Function 00007FF75AAC21D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: e4fda2a66bac8def610227ac78a15b7668dfbc1a860c2e974707877fc5cea1c9
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: FE510273B181514BF729AF68D024BADB751FB90B48F884134EB4947789EE3DE54ACB10

Function 00007FF75AAC2AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: f6f787464ad0f975dedbe2f7c61debbbdc3c2b8a77d8e54041cdfd4060284aeb
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: FA312BB2A186814BF708EE6AD56067EF7D0FB44740F488139DF4683782DA7CE446C710

Function 00007FF75AABDC70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction ID: a4a17cf83e89b24115ab270ea1249096ef3a70b18c57beb487b9c5f603deafae
Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction Fuzzy Hash: C7F0FE61F1C28F42FB6A20B95819B3990569F13318FEC48B5D12FC62C5D9ADECA31139

Function 00007FF75AAD3354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: aca75ab8fd115aa987067c040c480a25e08611e077818bd4c3a959f8219d5056
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 79A002A190CC43D0F694AB90E960870A730FF64300BD810B5F04D410A4DF3CA803C330

Function 00007FF75AAAD7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAD964

Strings

::$INDEX_ALLOCATION, xrefs: 00007FF75AAAD83E
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF75AAAD86A
::$REPARSE_POINT, xrefs: 00007FF75AAAD88B
::$OBJECT_ID, xrefs: 00007FF75AAAD880
::$BITMAP, xrefs: 00007FF75AAAD807
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF75AAAD85F
::$EA_INFORMATION, xrefs: 00007FF75AAAD828
::$INDEX_ROOT, xrefs: 00007FF75AAAD854
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF75AAAD849
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF75AAAD875
::$EA, xrefs: 00007FF75AAAD81D
::$DATA, xrefs: 00007FF75AAAD812
::$FILE_NAME, xrefs: 00007FF75AAAD833
::$ATTRIBUTE_LIST, xrefs: 00007FF75AAAD7FC

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 68b0776e0b0472d89a3e33afb210e6886cf7e268cb4df9669c3e10123b671312
Instruction ID: 2d0264b6b75d8f44e249538a22cb4b501c628202cb09205a187013151f202386
Opcode Fuzzy Hash: 68b0776e0b0472d89a3e33afb210e6886cf7e268cb4df9669c3e10123b671312
Instruction Fuzzy Hash: EE41E836B05F4199FB01ABA0D4807ED73A5EF58798F84017ADA5C13B58EE39D156C3A0

Function 00007FF75AAD2A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF75AAD2A26
GetModuleHandleW.KERNEL32 ref: 00007FF75AAD2A33
GetModuleHandleW.KERNEL32 ref: 00007FF75AAD2A48
GetProcAddress.KERNEL32 ref: 00007FF75AAD2A60
GetProcAddress.KERNEL32 ref: 00007FF75AAD2A73
CreateEventW.KERNEL32 ref: 00007FF75AAD2A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF75AAD2AEB
CloseHandle.KERNEL32 ref: 00007FF75AAD2AFD

Strings

WakeAllConditionVariable, xrefs: 00007FF75AAD2A66
SleepConditionVariableCS, xrefs: 00007FF75AAD2A56
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF75AAD2A2C
kernel32.dll, xrefs: 00007FF75AAD2A41

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: d277ba4a4d863da16e3348c4a2c88d00741a35721d0979a0d37ded912eeb41a9
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: F221F174E19A0381FA95BBD1E855D74A7A0FF58780FCC40B9D94E066A0EE3DA54BC370

Function 00007FF75AAB6A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB70A6

Part of subcall function 00007FF75AAA2004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF75AAA200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB70B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB70B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB70C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB70D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB70DC

Strings

\\?\, xrefs: 00007FF75AAB6A57, 00007FF75AAB6A66
DXGIDebug.dll, xrefs: 00007FF75AAB6A18
UNC, xrefs: 00007FF75AAB6BBF

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: 790c86bd1d63f4eca2282328e285cd4af49754adb3319a1c484213ed7cda452a
Instruction ID: 685ae52850447d43731bb7819950c3288da2ed5bb3568d023e66c5d70932cf13
Opcode Fuzzy Hash: 790c86bd1d63f4eca2282328e285cd4af49754adb3319a1c484213ed7cda452a
Instruction Fuzzy Hash: DA12E322B09B4684FB10EBA4D4405ADA371EF81B84F984176DA9D07BE9DF3DD94AC360

Function 00007FF75AACA440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAA129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75AAA1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACA72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACA735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACA73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACA741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACA747
EndDialog.USER32 ref: 00007FF75AACA7BA

Strings

Software\WinRAR SFX, xrefs: 00007FF75AACA52B, 00007FF75AACA53A
GETPASSWORD1, xrefs: 00007FF75AACA773

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: 2f46cc1a99c1f37a0c478ce60eb93dd31fe2b8eb42b17bb1256e0ee20edd3ce7
Instruction ID: 46cad345b1dfa2dea42f30334cb96cdb96e4cf13d0546f4e94eac8e43a7828bb
Opcode Fuzzy Hash: 2f46cc1a99c1f37a0c478ce60eb93dd31fe2b8eb42b17bb1256e0ee20edd3ce7
Instruction Fuzzy Hash: F2B1C072F1874285FB00ABA4E4546BCA372AF45394F884275EA5C27BD9EE3CE446C350

Function 00007FF75AAC6E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF75AAC7E9B), ref: 00007FF75AAC7080
CreateStreamOnHGlobal.COMBASE ref: 00007FF75AAC70B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC7181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC7187

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF75AAC6F2C, 00007FF75AAC6F3B
<html>, xrefs: 00007FF75AAC6F13
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF75AAC6ED5, 00007FF75AAC6EE4
</html>, xrefs: 00007FF75AAC6F72, 00007FF75AAC6F81

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 1ea127eca2c18cb8a14940d765cc2bcbd285cf128bafe390cda2fc791a186282
Instruction ID: 62ce5b6f86b634b360086b6da29e69283e77d1af4112f21cd218882887f18e1d
Opcode Fuzzy Hash: 1ea127eca2c18cb8a14940d765cc2bcbd285cf128bafe390cda2fc791a186282
Instruction Fuzzy Hash: DD81B062F18B0295FB01EBE5D8509EDA371AF48784F880576DE1D177A9EE38D50BC360

Function 00007FF75AADE650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AADE7CD

Strings

NAN, xrefs: 00007FF75AADE6B1
nan(ind), xrefs: 00007FF75AADE706
NAN(IND), xrefs: 00007FF75AADE6FB
nan(snan), xrefs: 00007FF75AADE6F0
INF, xrefs: 00007FF75AADE6C3
nan, xrefs: 00007FF75AADE6B8
inf, xrefs: 00007FF75AADE6D6
NAN(SNAN), xrefs: 00007FF75AADE6E5

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 0341f24a7acaaca8c77768000fefa484da30acb7f044a0f48bc0d0a2bf701251
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: E841DE72A0AB4188F754DFA4E841BAD73A4EF14394F88417AEE9C03B45DE3DD426C394

Function 00007FF75AACF390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF75AACF3CF
GetClassNameW.USER32 ref: 00007FF75AACF3FC
GetWindowLongPtrW.USER32 ref: 00007FF75AACF41D
SendMessageW.USER32 ref: 00007FF75AACF437
GetObjectW.GDI32 ref: 00007FF75AACF452
SendMessageW.USER32 ref: 00007FF75AACF487
DeleteObject.GDI32 ref: 00007FF75AACF490
GetWindow.USER32 ref: 00007FF75AACF49E

Strings

STATIC, xrefs: 00007FF75AACF402

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: c58bbe858ae5c38059a056568e5899e12821373f2d2af48682138fa987944cad
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: CB319425B08B4246FA60BB51E564FB9A3A1BF89BC0F884470ED4D07B56DE3DD4078760

Function 00007FF75AACAE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF75AACAEAE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: 4b85f8e677debbcee3475bb4b4643ebb948871bda5bfea01320da009119c9f98
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: 5741A535A18A1282F754AB95B814F79A361BF84F80FCC40B5E90E07B95CF3DE54783A0

Function 00007FF75AABB9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF75AABBA12
GetProcAddress.KERNEL32 ref: 00007FF75AABBA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF75AABBACA

Part of subcall function 00007FF75AABDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF75AABDDDF

Strings

Crypt32.dll, xrefs: 00007FF75AABB9F0
CryptProtectMemory, xrefs: 00007FF75AABBA08
CryptUnprotectMemory, xrefs: 00007FF75AABBA1F
CryptUnprotectMemory failed, xrefs: 00007FF75AABBAC1
CryptProtectMemory failed, xrefs: 00007FF75AABBA80

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction ID: 8526e28247af2665d30c0d16c58b78623283114349039fc5b210f7e574ab325b
Opcode Fuzzy Hash: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction Fuzzy Hash: 78316360E0DB0682FA14FB95A864975E7A0BF54B90FCC41B9D84E033A4DE3DE9838360

Function 00007FF75AAC87D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC8DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC8DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC8DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC8DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAC8DE0

Strings

, xrefs: 00007FF75AAC88BE
, xrefs: 00007FF75AAC8A55

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: fc3ab499728c373c0b87e4ce79ecf20d3361f502613e825a9cd7664fd32f0bbf
Instruction ID: 6d979141db1b7026f055b28619b905b31feefcccfd6f93e187fbba6d0f66c44b
Opcode Fuzzy Hash: fc3ab499728c373c0b87e4ce79ecf20d3361f502613e825a9cd7664fd32f0bbf
Instruction Fuzzy Hash: 72F1F462F1574640FE00ABA4D4549BDA7A1BF48BA8FC85271EA6D137D5EF7CE082C360

Function 00007FF75AAD57EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF75AAD598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF75AAD5CAD
abort.LIBCMT ref: 00007FF75AAD5CE1

Strings

csm, xrefs: 00007FF75AAD58D1
csm, xrefs: 00007FF75AAD5933
csm, xrefs: 00007FF75AAD59B1

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: ec0ef695a79ad4976fea70b6525263893bdd4abb51c59ed149b0c4919b22a060
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: CBE1B072A087828AF790AFA5D480BBDB7A0FF45748F980175DACD57696CF38E486C710

Function 00007FF75AAB4F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAB4E24: SysAllocString.OLEAUT32 ref: 00007FF75AAB4E5F

VariantClear.OLEAUT32 ref: 00007FF75AAB5125

Strings

Windows 10, xrefs: 00007FF75AAB510A
Name, xrefs: 00007FF75AAB50F9
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF75AAB5017
ROOT\CIMV2, xrefs: 00007FF75AAB4F7B
WQL, xrefs: 00007FF75AAB502A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: 1eb813b1110a343bce14235fea0d192d65579ff4f3d6c1e3d13deb4a31e96184
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 52713D76A14B0685FB10EF65E8809ADB7B0FF98B98B885176DA4E43B64CF3CD545C320

Function 00007FF75AAD72EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF75AAD74F3,?,?,?,00007FF75AAD525E,?,?,?,00007FF75AAD5219), ref: 00007FF75AAD7371
GetLastError.KERNEL32(?,?,00000000,00007FF75AAD74F3,?,?,?,00007FF75AAD525E,?,?,?,00007FF75AAD5219), ref: 00007FF75AAD737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF75AAD74F3,?,?,?,00007FF75AAD525E,?,?,?,00007FF75AAD5219), ref: 00007FF75AAD73A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF75AAD74F3,?,?,?,00007FF75AAD525E,?,?,?,00007FF75AAD5219), ref: 00007FF75AAD73EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF75AAD74F3,?,?,?,00007FF75AAD525E,?,?,?,00007FF75AAD5219), ref: 00007FF75AAD73FB

Strings

api-ms-, xrefs: 00007FF75AAD7391

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: 80e43d8d8fa1aac8b9972cecb0dbe7de4b408d35566ef6470970a8fc6cbcec7f
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 9231D221B1AA4281FE97BB96A800975A794FF08BA0F9D4579DD5E17380DF3CE44283A0

Function 00007FF75AAD1604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF75AAD1573,?,?,?,00007FF75AAD192A), ref: 00007FF75AAD162B
GetProcAddress.KERNEL32(?,?,?,00007FF75AAD1573,?,?,?,00007FF75AAD192A), ref: 00007FF75AAD1648
GetProcAddress.KERNEL32(?,?,?,00007FF75AAD1573,?,?,?,00007FF75AAD192A), ref: 00007FF75AAD1664

Strings

ReleaseSRWLockExclusive, xrefs: 00007FF75AAD1653
AcquireSRWLockExclusive, xrefs: 00007FF75AAD163E
KERNEL32.DLL, xrefs: 00007FF75AAD1624

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: 9355d6f33a45706f81db5d20be013696177973c6ca1d8dcfb44aed66e3c6d3a1
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 24115E20E0AB4381FEA5AFC0A940A74E7E16F18790FCD84B9CA5D46390FE3CB5468670

Function 00007FF75AABED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAB51A4: GetVersionExW.KERNEL32 ref: 00007FF75AAB51D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF75AAA5AB4), ref: 00007FF75AABED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF75AAA5AB4), ref: 00007FF75AABED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF75AAA5AB4), ref: 00007FF75AABEDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF75AAA5AB4), ref: 00007FF75AABEDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF75AAA5AB4), ref: 00007FF75AABEDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF75AAA5AB4), ref: 00007FF75AABEE05

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 7a999896b38da61c721cf8c682bb86f8b65dc3d7087a9f382a1b3ceea0ce81e3
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: D8518AB2B006558AFB14DFB8D4405AC7BB1FB48B88BA4403ADE1D67B58DF38E946C710

Function 00007FF75AABF010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF75AABF074

Part of subcall function 00007FF75AAB51A4: GetVersionExW.KERNEL32 ref: 00007FF75AAB51D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF75AABF096
FileTimeToSystemTime.KERNEL32 ref: 00007FF75AABF0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF75AABF0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF75AABF0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF75AABF0CE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: 935bbd3c12de9635d50b96cf8e8b324365d627a649f1500761f79761b22efda5
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: D0311B62B10A5189FB04DFF5E8805AC7770FF18758B98503ADE1D97A58EB38D896C710

Function 00007FF75AAB7918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB7C8C

Strings

.rar, xrefs: 00007FF75AAB7969, 00007FF75AAB7978
rar, xrefs: 00007FF75AAB7A9B, 00007FF75AAB7AAA, 00007FF75AAB7B67, 00007FF75AAB7B7C
exe, xrefs: 00007FF75AAB79AF, 00007FF75AAB79BE
sfx, xrefs: 00007FF75AAB79F3, 00007FF75AAB7A02

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: f48e310f2d4c6838760fd8124c0dfc7220e7dc8c7a549aff28db8dcc178fbc20
Instruction ID: b314da5000451fe516cae193b7adfe98a2b18b72a63dffa2c6095393ba161a3e
Opcode Fuzzy Hash: f48e310f2d4c6838760fd8124c0dfc7220e7dc8c7a549aff28db8dcc178fbc20
Instruction Fuzzy Hash: E2A1E322A0570A80FB05BFA5D441ABCA361BF55B98F980275CD5D076E9DF7CE943C360

Function 00007FF75AAD5CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF75AAD5D58

Part of subcall function 00007FF75AAD5210: abort.LIBCMT ref: 00007FF75AAD5223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF75AAD5DA3
abort.LIBCMT ref: 00007FF75AAD5FD1

Strings

MOC, xrefs: 00007FF75AAD5D6C
RCC, xrefs: 00007FF75AAD5D74

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: c3659e445e382abcbcb6ece9d8dd49cabaf3f7bb87f10726e95398e010644281
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: CF91B273A08B828AF750EFA5D4406ADBBA0FB48788F58413AEE8D17755DF38D196C710

Function 00007FF75AAD4F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF75AAD4FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF75AAD5040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF75AAD2F5E), ref: 00007FF75AAD508F

Strings

csm, xrefs: 00007FF75AAD5026
f, xrefs: 00007FF75AAD4FBE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: 68930b8e202f7c058f78a20e406fdff9bbeb8004479920fcc19b57e35e12360b
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 0B51D831A196038AF794FB51E444E29B765FF40B84F9880B4EA9E47748DF78E842C750

Function 00007FF75AAACEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF75AAAD03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAD0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAD0D7

Part of subcall function 00007FF75AAADE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF75AAACF4B), ref: 00007FF75AAADE27
Part of subcall function 00007FF75AAADE04: GetLastError.KERNEL32 ref: 00007FF75AAADE88
Part of subcall function 00007FF75AAADE04: CloseHandle.KERNEL32 ref: 00007FF75AAADE9B

Strings

SeRestorePrivilege, xrefs: 00007FF75AAACF5E
SeSecurityPrivilege, xrefs: 00007FF75AAACF3F

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 2b861648b180918fd0f02cdc83054ab275c6740b5d877ad0ce6218155adf80f7
Instruction ID: 809f7ed0ac96347168ba989611b22be4b68c25b1e0035e1071708dba2ed9d197
Opcode Fuzzy Hash: 2b861648b180918fd0f02cdc83054ab275c6740b5d877ad0ce6218155adf80f7
Instruction Fuzzy Hash: CE51E762F0478145FB10FBE4D841ABDA7A1BF947A4F880175DE5D13695EF3CA887C2A0

Function 00007FF75AAC7B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF75AAC7B6F
GetWindowRect.USER32 ref: 00007FF75AAC7BC0
ShowWindow.USER32 ref: 00007FF75AAC7C96
ShowWindow.USER32 ref: 00007FF75AAC7CC3

Strings

RarHtmlClassName, xrefs: 00007FF75AAC7C4B

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction ID: a75c3aaf1e4571dfcc90ad3249537b2c5a935b3c4ee660cc55957bbde1d88fd3
Opcode Fuzzy Hash: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction Fuzzy Hash: 43519421A09742CAFB25EB61E454B7AE7A0FF85780F884075EE8E47B55DF3CE0468710

Function 00007FF75AACFD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF75AACFD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF75AACFDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AACFE1B

Strings

sfxpar, xrefs: 00007FF75AACFDB5
sfxcmd, xrefs: 00007FF75AACFD3C

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 9cd6036ae86cdbcd8d8a5aead61c32137b442908135497355496b2fd8e337c0a
Instruction ID: 9f2f80c7adcc986b12539219d7e7b1404806011c1361e909ddf98685ac247c66
Opcode Fuzzy Hash: 9cd6036ae86cdbcd8d8a5aead61c32137b442908135497355496b2fd8e337c0a
Instruction Fuzzy Hash: 9531A332A14B0584FB04ABA5E4946AC7371FF58B88F980176DE5D177A9DE3CD042C364

Function 00007FF75AACFED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF75AACFF34, 00007FF75AACFF99
RENAMEDLG, xrefs: 00007FF75AACFF60

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 8973b1e60433c0624f24da484eb470549f2d72e38d2ac2443857849d6aba7e60
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: 69211B61908B4780FA10AB59F858978F7A0FF49B84F9C01B6E94D43364DE3CE496C3A0

Function 00007FF75AADBFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF75AADBFD0
GetProcAddress.KERNEL32 ref: 00007FF75AADBFE6
FreeLibrary.KERNEL32 ref: 00007FF75AADC00B

Strings

CorExitProcess, xrefs: 00007FF75AADBFDF
mscoree.dll, xrefs: 00007FF75AADBFC7

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: 89dc542acd097aaebfb60acb2c8b8cf0054d0490f76f2aaa9dc96bad2b474d97
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: C0F04F21A19A4281FE84AFA1E850A79A7A0EF9C790FCC1079D94F46665DE3CE4868720

Function 00007FF75AAE45C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AAE4605

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: c1e65040b35b512b5e677145ef3ced987e3a1ca9ec542acc72184885994a1ee8
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: C281C362F1865246F750ABB59840ABDF7A9BF65B84F8841B9CE0E13695CF3DA443C330

Function 00007FF75AAB3AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF75AAB3BBB
CreateFileW.KERNEL32 ref: 00007FF75AAB3C24
SetFileTime.KERNEL32 ref: 00007FF75AAB3CEC
CloseHandle.KERNEL32 ref: 00007FF75AAB3CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB3D2C

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: c0b6f85d6e607c1b1f7522d8fb8fca2e4b31be8c2fa13c4f1724a84f069d023c
Instruction ID: 7935e9051222fcd65d27f4866de341371b7a28667a6f0eb94bac5895da1186fc
Opcode Fuzzy Hash: c0b6f85d6e607c1b1f7522d8fb8fca2e4b31be8c2fa13c4f1724a84f069d023c
Instruction Fuzzy Hash: 2951E722B04B4699FB50EBF5E440BBDA371AF44798F884675DE1D47BD9DE38980AC320

Function 00007FF75AAE3F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF75AAE4767), ref: 00007FF75AAE3F91
WideCharToMultiByte.KERNEL32 ref: 00007FF75AAE406D
WriteFile.KERNEL32 ref: 00007FF75AAE4093
WriteFile.KERNEL32 ref: 00007FF75AAE40D2
GetLastError.KERNEL32 ref: 00007FF75AAE410A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: d15b52b991b8419de8700b82d8503a6f81acb12340ddd9990356f0c77362e4fc
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: A551D032A14A518AFB10DBB5D4407ACBBB4BF58798F488139CF4A57B99CF39D146C320

Function 00007FF75AAD1E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75AAB4DF4), ref: 00007FF75AAD1E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75AAB4DF4), ref: 00007FF75AAD1F09
SysAllocString.OLEAUT32 ref: 00007FF75AAD1F16

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: b7eca4d0914b4f3ce7b9457829877c74e6e00994a5cd88f9d96bed53318f8e63
Instruction ID: a76d2f49531a63ffbc7b86aaaefdbb1994edda69a7e43577a72766cf4ac070d7
Opcode Fuzzy Hash: b7eca4d0914b4f3ce7b9457829877c74e6e00994a5cd88f9d96bed53318f8e63
Instruction Fuzzy Hash: 8541D331A0974689FB94AFA19440B78A3D1EF08BA4F9C4675EAAD877D5DF3CD0438320

Function 00007FF75AADF414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF75AADF536

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: f184689e11c09c5781d5fe40152fac359e324b8ce4fbea188852d677999c7e88
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 12415B61B09A0281FE95AF92A900D7AE791BF18BD0F9D4979DD5E4B744EF3CE0028320

Function 00007FF75AAE56D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF75AAE56FF
_set_statfp.LIBCMT ref: 00007FF75AAE571A
_set_statfp.LIBCMT ref: 00007FF75AAE5736
_set_statfp.LIBCMT ref: 00007FF75AAE5772

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: a195dddc94355294e31e07f5bf3ce916815294e496d9eba3bb3ddbdbd92aecd0
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: DF110436F0C607C1F71431A8F242B79A0416F753A0FCC4ABCEA7D065D6CE6CA8524120

Function 00007FF75AACFE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF75AACFE41
GetMessageW.USER32 ref: 00007FF75AACFE58
TranslateMessage.USER32 ref: 00007FF75AACFE63
DispatchMessageW.USER32 ref: 00007FF75AACFE6E
WaitForSingleObject.KERNEL32 ref: 00007FF75AACFE7C

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 3e287e7ad9981fdd8843fefa4f582f21f7a8e782f07273730e19e6e598ff200f
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 96F06221B3854682F710A764E464F3AA211FFE4B05FC81070E54F41994DF2CD149D760

Function 00007FF75AAD625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF75AAD6286
abort.LIBCMT ref: 00007FF75AAD64EA

Strings

csm, xrefs: 00007FF75AAD641A
csm, xrefs: 00007FF75AAD62AB

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: 978e8e2799074bdecb4edb695a34ce0a9e8fb83b1bd29c7308994083f49684e4
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: 9071D3B29186C186E7A0AFA5D150B7DFBA0EF85B88F488175DACC07A85DF3CD492C750

Function 00007FF75AAD80F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AAD811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AAD82ED

Strings

, xrefs: 00007FF75AAD8276
*, xrefs: 00007FF75AAD8221

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 356ffdea44a8fba0385a0c292177eda86f37badb23562f1e79c490023433983e
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: BE51A87280C6428AF7E4AFA8844477CBFA0FF29B08F9C11B5D6D943199CF2CD586C665

Function 00007FF75AAE1758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF75AAE17CB
MultiByteToWideChar.KERNEL32 ref: 00007FF75AAE1894
GetStringTypeW.KERNEL32 ref: 00007FF75AAE18AE

Strings

$%s, xrefs: 00007FF75AAE175A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: 4b2c462f25d89f8f8f5889bd80461a9bfd1379ed2912c38dc6028002ad29ea75
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: 36417122B15B914AFB519FA5D800AB9A3D1FF64BA8F8C0675DA5D0B7C4DF3CE4468310

Function 00007FF75AAD66A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAD5210: abort.LIBCMT ref: 00007FF75AAD5223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF75AAD674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF75AAD6776

Strings

csm, xrefs: 00007FF75AAD6876

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 13402292314f3f1891e467514b7d62c2b413f2e4b7ec49c73eef9a8d6eebe8c5
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 1C516172A2974287E6A0EB95E040A7EB7A4FB89B91F980174DBCD07B55CF3CD452CB10

Function 00007FF75AAE4360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF75AAE4446
WriteFile.KERNEL32 ref: 00007FF75AAE4479
GetLastError.KERNEL32 ref: 00007FF75AAE449B

Strings

U, xrefs: 00007FF75AAE4424

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 27ae5dd6f5b8996a04c1396c9e7ce9195c5cc5ff93bd5ad6e465ad1652cbb981
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 4841D422B18A8282E710DFA5E4047B9B7A4FB98794F884035EF4E87748DF7CD442C710

Function 00007FF75AAC90B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF75AAC90D9
GetObjectW.GDI32 ref: 00007FF75AAC9107
ReleaseDC.USER32 ref: 00007FF75AAC91BB

Strings

, xrefs: 00007FF75AAC9153

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: 8631513b1cc49a17a194af752af0fe2da932460f48d823c17718e456105f6071
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 3C315E3560874286EB08EF12B819B2AB7A0FB89FD1F844475ED4A43B54DE3DE449CB50

Function 00007FF75AABE870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF75AAC317F,?,?,00001000,00007FF75AAAE51D), ref: 00007FF75AABE8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF75AAC317F,?,?,00001000,00007FF75AAAE51D), ref: 00007FF75AABE8CB
CreateEventW.KERNEL32(?,?,?,00007FF75AAC317F,?,?,00001000,00007FF75AAAE51D), ref: 00007FF75AABE8E4

Strings

Thread pool initialization failed., xrefs: 00007FF75AABE900

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: 15574e84e03b4e835ba68355d21c7b6c22ed4c57f67a8485b7c6f1f60725ee98
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: 5A21D532E1574186F710AFA4D454BB9B6A2FF98B08F5C8074CA0D0A295DF7E9846C7A0

Function 00007FF75AAC85E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF75AAC85EC
GetDeviceCaps.GDI32 ref: 00007FF75AAC85FD
ReleaseDC.USER32 ref: 00007FF75AAC860A

Strings

, xrefs: 00007FF75AAC8610

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 40de916c3b1c36c5abefb31b6504c64b9e9691b7757af3c31764319d10e03ab9
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 01E0C220B0864186FB0C6BB6B58A83AA261BF4CBD0F598075EA1F43794DE3DC4C44310

Function 00007FF75AAAD1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF75AAAD46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAD554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAD55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAD560

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: cec97bbf542a68d3f637d63df83d07036a1dd9e73fac06600a2283ba6a0594d3
Instruction ID: 133a9451ddbe0aba4f0de3d98d1d31e0b52f4d28d334403d8b7d1bfbdaa2a4d5
Opcode Fuzzy Hash: cec97bbf542a68d3f637d63df83d07036a1dd9e73fac06600a2283ba6a0594d3
Instruction Fuzzy Hash: D0A1E862A1878281FA10EBA4D4406FDA3B1FF85784FC45172EA9D03AD9DF3CE546C760

Function 00007FF75AAC0548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF75AAC05FC
SetLastError.KERNEL32 ref: 00007FF75AAC0697

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 3578434af854304fb897eec4f9fa00df497f7e1084ee6400d5c28e9fbb9a79f6
Instruction ID: 46cd8229eb9ca151c08ddc619e48e50dab5a4ea7ce4c8fccb02ceb6be9b6997d
Opcode Fuzzy Hash: 3578434af854304fb897eec4f9fa00df497f7e1084ee6400d5c28e9fbb9a79f6
Instruction Fuzzy Hash: FA510472B14B4699FB00ABA4D4446FCA361EF84BC8F884176EA5C177D5EE2CD546C360

Function 00007FF75AAC9D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF75AAC9DBC
GetLastError.KERNEL32 ref: 00007FF75AAC9E08
CreateDirectoryW.KERNEL32 ref: 00007FF75AAC9F10
LocalFree.KERNEL32 ref: 00007FF75AAC9F20

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: ccc7d28b294f4e6884a1db5a4544c49550100c2123dc1ad4bd8ddaa1afcd3233
Instruction ID: 348e33931302a53a264e1e5ff9adbb1328e9687848327e15194184d58aaff540
Opcode Fuzzy Hash: ccc7d28b294f4e6884a1db5a4544c49550100c2123dc1ad4bd8ddaa1afcd3233
Instruction Fuzzy Hash: B251A032A18B4286F7409F61E854BAEB764FF88B84F980075EA4E57B58DF3CD405CB50

Function 00007FF75AADDB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AADDBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF75AADDC81
GetLastError.KERNEL32 ref: 00007FF75AADDCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AADDCD6

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: ab049e6aa240ac226a2c3fae13684ad696c40c859c66834d041e2c484f9bdf2c
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: DC41C8B190E6C246FBA6ABA09040779E6A0EF50B90F9C41B1DACD46AD5DF7CD8438730

Function 00007FF75AAB3980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF75AAB39BD
MoveFileW.KERNEL32 ref: 00007FF75AAB3A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB3AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB3AF1

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 3bc213a9f55eb78a1b8575f48284007dba253a064d69617307a7282262df2cc1
Instruction ID: 9568b60ff69ab198568a540652fbfa9fab3b1076288170a69717b661c8e23e31
Opcode Fuzzy Hash: 3bc213a9f55eb78a1b8575f48284007dba253a064d69617307a7282262df2cc1
Instruction Fuzzy Hash: AC41F062F10B5184FB00EBF5D8445ACB371BF44BA8B981239DE5D27A99EF39D846C320

Function 00007FF75AAE0B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF75AADC45B), ref: 00007FF75AAE0B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF75AADC45B), ref: 00007FF75AAE0BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF75AADC45B), ref: 00007FF75AAE0C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF75AADC45B), ref: 00007FF75AAE0C57

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 4ed8c00cb88fcdd4ef203599b3795b1d57fa044d5fc579d31597f0d1854ca973
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 7F218431B58B5182F664AF516440429F6A4FFA8FD0B8C4178DE9E63B94DF3CE4538314

Function 00007FF75AADD440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF75AAD7F28,?,?,?,00007FF75AAD9D35), ref: 00007FF75AADD44A
SetLastError.KERNEL32(?,?,?,00007FF75AAD7F28,?,?,?,00007FF75AAD9D35), ref: 00007FF75AADD4B2
SetLastError.KERNEL32(?,?,?,00007FF75AAD7F28,?,?,?,00007FF75AAD9D35), ref: 00007FF75AADD4C8
abort.LIBCMT ref: 00007FF75AADD4CE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: a1594a8624b5cfbe178592ea2d51a148a8f0b966f0d4103741d897e2cda8a99f
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: D5019290B0A68342FAD877F1E555D7CD5615F54790F8C04B8D9AE06BD6ED2CB8078230

Function 00007FF75AAC8590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF75AAC8598
GetDeviceCaps.GDI32 ref: 00007FF75AAC85AE
GetDeviceCaps.GDI32 ref: 00007FF75AAC85C2
ReleaseDC.USER32 ref: 00007FF75AAC85D3

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: 14b76c44c8eaceeaeee324bdb5a85dcfd9d7db7f9075693a9786a0e267a0f47f
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: C7E01260E09B0686FF1C7B716859936A690BF48741F8C84BAD81F46360ED3DE085C760

Function 00007FF75AAAE34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAAE549

Strings

DXGIDebug.dll, xrefs: 00007FF75AAAE35A

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: 542befb6cfa6d10c523847148554f6d067076e635e2560feee388be7f8acc3cf
Instruction ID: e475929fc9bd7efb0cbe4475a476cfc582f5f6c381e0c7aa7a52e620046d33e9
Opcode Fuzzy Hash: 542befb6cfa6d10c523847148554f6d067076e635e2560feee388be7f8acc3cf
Instruction Fuzzy Hash: C071CC72A14B8186EB14DBA5E4407ADB3A9FF54794F884236DBAC03B95DF38D462C350

Function 00007FF75AADE1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AADE237

Strings

gfff, xrefs: 00007FF75AADE362
e+000, xrefs: 00007FF75AADE2DF

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 07e25dcf3bba6bfcaa36bce3a5c0fdc777706aa486fa17e9eae9f6f7f6d4dd2f
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: 52512662B187C146FBA59B759840B6DAA91AF80B90F8C82B1C6DC87BD6CF3CD446C710

Function 00007FF75AAB9408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAB95A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF75AAB95E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75AAB95A2

Strings

SIZE, xrefs: 00007FF75AAB9443

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: a0d5e285fbaa1ac9608f05ebcc1ead8385210100eac4b181d702dbb234701be4
Instruction ID: aac6ca5cf01575715dc1b640617019c11f337291f252744f94b36ec032e97f53
Opcode Fuzzy Hash: a0d5e285fbaa1ac9608f05ebcc1ead8385210100eac4b181d702dbb234701be4
Instruction Fuzzy Hash: 75413572A1878685FE50EBA4E440BFDA350EF85390F884371EA9D026D6EF3CD946C710

Function 00007FF75AADC2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75AADC2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF75AAD2CD5), ref: 00007FF75AADC30B

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00007FF75AADC2F9

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\file.exe
API String ID: 3307058713-517116171
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 1d5e5b4318cb68c66af528d6efed804b15001252be61b230207984992f28f93b
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: D9418472A08A5286FB94BFA5A4408BDF794FF44794BC84075E98D47B45DE3DE442C360

Function 00007FF75AAC9B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75AAA255C: GetDlgItem.USER32 ref: 00007FF75AAA25AC
Part of subcall function 00007FF75AAA255C: SetWindowTextW.USER32 ref: 00007FF75AAA25C8

EndDialog.USER32 ref: 00007FF75AAC9C24
SetDlgItemTextW.USER32 ref: 00007FF75AAC9CAA

Strings

ASKNEXTVOL, xrefs: 00007FF75AAC9B72

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction ID: c676dbc984c86deb79d01bd420a3bcf0b0d19118ee4e30d3bf9adeb8bb9b6e62
Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction Fuzzy Hash: EE419721A0CA8285FA11BB92E454AB9E3A1BF85BC0F9C00B5EE4D07795DE3DD45683A0

Function 00007FF75AAB9638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF75AAB96EA

Part of subcall function 00007FF75AAC0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF75AAC0F99

Strings

$%s, xrefs: 00007FF75AAB96D7
@%s, xrefs: 00007FF75AAB96CE

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: ab7df4e1e9032d23e9a5cfae638a56da941117bc523f1096a4f39c70b8da9ae1
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 9431D272B18B4A85FA50EFA6E440AE9A3A0FF54784F880076DE4C07795DF3CE906C710

Function 00007FF75AADEB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF75AADEB76
GetFileType.KERNEL32 ref: 00007FF75AADEB8C

Strings

@, xrefs: 00007FF75AADEBB7

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: 5833f4826e6b8411df2a7de9f4a5834e2ec41179f1aac28c7215884f7f19b891
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: 1321C822A08B4241FBB0AB649490538A651EF45B74F6C5375D6AF077D5CE3CF882C350

Function 00007FF75AAD4078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF75AAD1D3E), ref: 00007FF75AAD40BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF75AAD1D3E), ref: 00007FF75AAD4102

Strings

csm, xrefs: 00007FF75AAD40EF

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: f309290aa9dd56b6d065a747ded9e69935148a5246606c845e90b321dd0db17c
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: 8D112B32608B4182EBA09B25E440669B7E1FB88B94F5C4275DFCD07B58DF3CD556C710

Function 00007FF75AABEA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AABE95F,?,?,?,00007FF75AAB463A,?,?,?), ref: 00007FF75AABEA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AABE95F,?,?,?,00007FF75AAB463A,?,?,?), ref: 00007FF75AABEA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF75AABEA78

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: 15035619798c4b6ea4b770b1f0dc207d4d817a2158f624d21072a503b0654623
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: 02E01A65E1994281F610B7A4AC52C78F6507F74770FD803B4D03E411E1EE6CAD478360

Function 00007FF75AABA43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF75AABA447
FindResourceW.KERNEL32 ref: 00007FF75AABA45D

Strings

RTL, xrefs: 00007FF75AABA453

Memory Dump Source

Source File: 00000000.00000002.2044807488.00007FF75AAA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75AAA0000, based on PE: true

Associated: 00000000.00000002.2044781807.00007FF75AAA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044889856.00007FF75AAE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AAFB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044923292.00007FF75AB04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044968635.00007FF75AB0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75aaa0000_file.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: ecc32bf055387754e1ff5acb53df2b62ce5ff052956434366c8bac67bdddc4e0
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: 66D05EA1F0970682FF196BF5A449B7596505F2CB41FCC40BCC80E06394EE2CD58AC7A0

Analysis Process: bild.exePID: 5732, Parent PID: 6604COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	107

Executed Functions

Function 1109E190 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109D440: GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,AD96CFBE,00080000,00000000,00000000), ref: 1109D46D
Part of subcall function 1109D440: OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
Part of subcall function 1109D440: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
Part of subcall function 1109D440: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,AD96CFBE,00080000,00000000,00000000), ref: 1109E225
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E23E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E249
GetVersionExA.KERNEL32(?), ref: 1109E260
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2CE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E2E3
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2F4
CreateFileMappingA.KERNEL32(000000FF,11030063,00000004,00000000,?,?), ref: 1109E330
GetLastError.KERNEL32 ref: 1109E33D
LocalFree.KERNEL32(?), ref: 1109E366
LocalFree.KERNEL32(?), ref: 1109E373
GetLastError.KERNEL32 ref: 1109E390
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E3AE
LocalFree.KERNEL32(?), ref: 1109E3D9
LocalFree.KERNEL32(?), ref: 1109E3E6

Part of subcall function 1109D3A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E27E), ref: 1109D3A8

Part of subcall function 1109D3F0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E412
LocalFree.KERNEL32(?), ref: 1109E4DB
LocalFree.KERNEL32(?), ref: 1109E4E8
_memset.LIBCMT ref: 1109E500
GetTickCount.KERNEL32 ref: 1109E508
GetCurrentProcessId.KERNEL32 ref: 1109E5B4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E5CF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109E61B
GetLastError.KERNEL32 ref: 1109E624
GetLastError.KERNEL32(00000000), ref: 1109E62B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E660
GetLastError.KERNEL32 ref: 1109E669
GetLastError.KERNEL32(00000000), ref: 1109E670
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109E6A6
GetLastError.KERNEL32 ref: 1109E6AF
GetLastError.KERNEL32(00000000), ref: 1109E6B6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E6EB
GetLastError.KERNEL32 ref: 1109E6FA
GetLastError.KERNEL32(00000000), ref: 1109E6FD
LocalFree.KERNEL32(?), ref: 1109E725
LocalFree.KERNEL32(?), ref: 1109E732
GetCurrentThreadId.KERNEL32 ref: 1109E763
CreateThread.KERNEL32(00000000,00002000,Function_0009DD20,00000000,00000000,00000030), ref: 1109E77D
ResetEvent.KERNEL32(?), ref: 1109E7AC
ResetEvent.KERNEL32(?), ref: 1109E7B2
ResetEvent.KERNEL32(?), ref: 1109E7B8
SetEvent.KERNEL32(?), ref: 1109E7BE

Strings

Error creating filemap (%d), xrefs: 1109E344
cant create filemap, xrefs: 1109E375
Error cant map view, xrefs: 1109E3BB
S:(ML;;NW;;;LW), xrefs: 1109E288
cant map, xrefs: 1109E3E8
SeSecurityPrivilege, xrefs: 1109E1FA
map exists, xrefs: 1109E4EA
warning map exists, xrefs: 1109E490
Info - reusing existing filemap, xrefs: 1109E479
Error cant create events, xrefs: 1109E7E7
Cant create event %s, e=%d (x%x), xrefs: 1109E639, 1109E67E, 1109E6C4, 1109E707
cant create events, xrefs: 1109E7F4
IPC(%s) created, xrefs: 1109E7C8
Error filemap exists, xrefs: 1109E4BD
cant create thread, xrefs: 1109E78A

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
Instruction ID: e0f3534def007632db5cc521867dfefedb1bc63d92e862916d16df31d0e36df5
Opcode Fuzzy Hash: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
Instruction Fuzzy Hash: 221282B590026D9FE724DF61CCD4EAEF7BABB88308F0049A9E11997244D771AD84CF51

Function 11029590 Relevance: 88.0, APIs: 38, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,AD96CFBE,759223A0,?,00000000), ref: 110295C5
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
SetLastError.KERNEL32(00000078), ref: 11029673
_malloc.LIBCMT ref: 11029697
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110296B1
GetLastError.KERNEL32 ref: 110296D2
_free.LIBCMT ref: 110296DE
_malloc.LIBCMT ref: 110296E7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029701
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
SetLastError.KERNEL32(00000078), ref: 11029764
SetLastError.KERNEL32(00000078), ref: 11029771
SetLastError.KERNEL32(00000078), ref: 1102977B
_free.LIBCMT ref: 11029785

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029805
SetLastError.KERNEL32(00000078), ref: 1102981E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102986A
SetLastError.KERNEL32(00000078), ref: 11029883
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
SetLastError.KERNEL32(00000078), ref: 11029B30
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029B82
SetLastError.KERNEL32(00000078), ref: 11029B99
FreeLibrary.KERNEL32(?), ref: 11029BAA

Strings

HttpOpenRequestA, xrefs: 110298A3
InternetCloseHandle, xrefs: 11029659, 110297FF, 11029864, 11029B7C
InternetQueryDataAvailable, xrefs: 11029A5D
GET, xrefs: 110298C9
InternetConnectA, xrefs: 1102982B
HttpSendRequestA, xrefs: 110298F7
InternetErrorDlg, xrefs: 110299A0
://, xrefs: 110297A5
WinInet.dll, xrefs: 110295BD
InternetQueryOptionA, xrefs: 110296AB, 110296FB
HttpQueryInfoA, xrefs: 11029943
InternetOpenA, xrefs: 11029735

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 921868004-913974648
Opcode ID: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
Instruction ID: e81a0880bf89439be6f70403065d0babe3f5b16467f55efefddb7e1ac6149969
Opcode Fuzzy Hash: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
Instruction Fuzzy Hash: 5E127FB0D04269EBEB11CFA9CC88A9EFBF9FF88754F604569E465E7240E7705940CB60

Function 11061C90 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11144EA0: GetLastError.KERNEL32(?,02B6B888,000000FF,?), ref: 11144ED5
Part of subcall function 11144EA0: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,02B6B888,000000FF,?), ref: 11144EE5

_fgets.LIBCMT ref: 11061DC2
_strpbrk.LIBCMT ref: 11061E29
_fgets.LIBCMT ref: 11061F2C
_strpbrk.LIBCMT ref: 11061FA3
__wcstoui64.LIBCMT ref: 11061FBC
_fgets.LIBCMT ref: 11062035
_strpbrk.LIBCMT ref: 1106205B

Strings

expiry, xrefs: 11062730
_checksum, xrefs: 1106240F
_include, xrefs: 110621C9
_version, xrefs: 11062429
%c%04d%s, xrefs: 11062184
ACM, xrefs: 11062697
%s.%04d.%s, xrefs: 110622A9
start, xrefs: 11062739, 11062750
?expirY, xrefs: 11062768
Client, xrefs: 11062262, 110622A4
enforce, xrefs: 11062136
?starT, xrefs: 11062771, 1106277D
product, xrefs: 11062652
licensee, xrefs: 11062A53
defaults, xrefs: 11062116
Expired, xrefs: 1106296B
_License, xrefs: 11062356, 11062414, 1106242E, 110625B6, 11062620, 1106263B, 11062657, 11062751, 11062970, 11062A58
shrink_wrap, xrefs: 11062636
cd_install, xrefs: 1106261B
inactive, xrefs: 110625B1
/- , xrefs: 110627FE, 11062831, 11062864

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: 138079b93c76e623c3914dadf52ec1966105b04443ff76c6d6b694830cc74feb
Instruction ID: 9b454a0e08db4b844aa329f9a873b431930d9d904307df7fc69ae15b9a8492e5
Opcode Fuzzy Hash: 138079b93c76e623c3914dadf52ec1966105b04443ff76c6d6b694830cc74feb
Instruction Fuzzy Hash: 55A2D375E0461A9FEB21CF64CC80BEFB7B9AF44345F0041D9E849A7281EB71AA45CF61

Function 11143570 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,759223A0), ref: 111435A3
LoadLibraryA.KERNEL32(?), ref: 111435EC
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
GetModuleHandleA.KERNEL32(?), ref: 1114361A
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1114362E
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114364D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11143658
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11143663
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114366E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11143684
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114368F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 111436A5
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 111436B0
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 111436BB
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 111436C6
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111436D1
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

Strings

SymInitialize, xrefs: 11143691
IMAGEHLP.DLL, xrefs: 1114360E, 11143613, 11143619
SymMatchFileName, xrefs: 11143665
SymGetModuleInfo, xrefs: 111436B2
SymGetLineFromAddr, xrefs: 11143628
StackWalk, xrefs: 11143673
dbghelp.dll, xrefs: 111435C8
SymGetLineFromName, xrefs: 11143647
MiniDumpWriteDump, xrefs: 111436D3
SymCleanup, xrefs: 1114367B
SymFunctionTableAccess, xrefs: 111436C8
SymGetLineNext, xrefs: 1114364F
SymGetOptions, xrefs: 1114369C
SymGetSymFromAddr, xrefs: 111436BD
SymGetLinePrev, xrefs: 1114365A
DBGHELP.DLL, xrefs: 111435FF, 11143604
SymLoadModule, xrefs: 11143686
SymSetOptions, xrefs: 111436A7

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
Instruction ID: 707b91cc949213dae1a505c6abf15ec2f20ed18dfa7402eb99b54f6ccfa65761
Opcode Fuzzy Hash: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
Instruction Fuzzy Hash: 05411B70A04714AFD7309F768D84A6BFAF8BF55A04B10492EE496D3A10EBB5E8008F5D

Function 11139090 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 111390C7
IsWindow.USER32(00020492), ref: 11139125
IsWindowVisible.USER32(00020492), ref: 11139133
IsWindowVisible.USER32(00020492), ref: 1113916B
GetForegroundWindow.USER32 ref: 11139186
EnableWindow.USER32(00020492,00000000), ref: 111391A0
EnableWindow.USER32(00020492,00000001), ref: 111391BC
SetForegroundWindow.USER32(00000000), ref: 111391CB
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11139209
IsWindowVisible.USER32(00000000), ref: 11139218
IsWindowVisible.USER32(00020492), ref: 11139248
IsIconic.USER32(00020492), ref: 11139255
GetForegroundWindow.USER32 ref: 1113925F

Part of subcall function 11131210: ShowWindow.USER32(00020492,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234

Part of subcall function 11131210: ShowWindow.USER32(00020492,11139062,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131246

SetForegroundWindow.USER32(00000000), ref: 11139285
EnableWindow.USER32(00020492,00000001), ref: 11139294
GetLastError.KERNEL32 ref: 11139353
GetLastError.KERNEL32 ref: 111393CB
GetTickCount.KERNEL32 ref: 11139678
GetTickCount.KERNEL32 ref: 11139699

Part of subcall function 11025BB0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,111396E2), ref: 11025BB8

FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11139734

Strings

NeedsReinstall, xrefs: 11139636
Reactivate main window, xrefs: 11139179
Audio, xrefs: 11139455
Shell_TrayWnd, xrefs: 11139204
disableRunplugin, xrefs: 111392D8
ShowNeedsReinstall in 15, user=%s, xrefs: 1113966B
HookDirectSound, xrefs: 11139450
Client, xrefs: 11139159, 111392DD, 1113963B
MainWnd = %08x, visible %d, valid %d, xrefs: 1113913D
File <%s> doesnt exist, e=%d, xrefs: 11139357, 111393CF
HideWhenIdle, xrefs: 11139154

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
API String ID: 2511061093-2542869446
Opcode ID: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
Instruction ID: 168a4b77644d94df8a921335772b55db7e1a21360cf08f879ca3086e41f0bcfd
Opcode Fuzzy Hash: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
Instruction Fuzzy Hash: 700229B8A1062ADFE716DFA4CDD4B6AF766BBC071EF500178E4255728CEB30A844CB51

Function 11115B70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11115BC5
CoCreateInstance.OLE32(111C081C,00000000,00000001,111C082C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104BADF), ref: 11115BDF
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11115C04
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11115C16
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11115C29
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11115C35
CoUninitialize.COMBASE(00000000), ref: 11115CD1

Strings

SHELL32.DLL, xrefs: 11115BF5
SHGetSettings, xrefs: 11115C10

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
Instruction ID: 591e2108fd72310e634c09c07143bf968b2bad8d72189eb08e80a39284cb5d12
Opcode Fuzzy Hash: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
Instruction Fuzzy Hash: 1751A075A0020A9FDB40DFE5C9C4AAFFBB9FF89304F104629E516AB244E731A941CB61

Function 110733B0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110734E0
_memset.LIBCMT ref: 11073659

Strings

serial_no, xrefs: 1107349C
NBCTL32.DLL, xrefs: 11073595
_License, xrefs: 110734A1

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
Instruction ID: b704a80906741011c15d1468992a84ddd821d027e1e1ff2b1c0992d848e69eb8
Opcode Fuzzy Hash: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
Instruction Fuzzy Hash: 64B18E75E00209AFE714CFA8DC81BAEB7F5FF88304F148169E9499B295DB71A901CB90

Function 1109E910 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00ECE240,00ECE240,00ECE240,00ECE240,00ECE240,00ECE240,00ECE240,@,?,00000001,00000001), ref: 1109E990
EqualSid.ADVAPI32(?,00ECE240,?,00000001,00000001), ref: 1109E9A3

Strings

@, xrefs: 1109E96A, 1109E973, 1109E996

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID: @
API String ID: 1878589025-935976969
Opcode ID: df3ee88bcedd232c82b95f826b647b916292d8a5149356288e18f949a5596a8a
Instruction ID: 8f268d00a2632c5decc73a479da56acc1190ac8ef7b7f04f8431c56e7d3a1b5e
Opcode Fuzzy Hash: df3ee88bcedd232c82b95f826b647b916292d8a5149356288e18f949a5596a8a
Instruction Fuzzy Hash: 22217131B0122EABEB10DBA4CC81BBEB7B8EB44708F100469E919D7184E671AD00CBA1

Function 110310C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102E480,?,00000000), ref: 110310E4

Strings

Client32, xrefs: 110310C4
NSMWClass, xrefs: 110310EF
NSMWClass, xrefs: 11031103

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
Instruction ID: e21dedaf74b0f8cf59cf3be59171af9e644e6a1753dc25f7f597d2ad8de8aca1
Opcode Fuzzy Hash: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
Instruction Fuzzy Hash: 44F04F7891112A9FCB06DFA9D890A9EF7E4AB4821CB508165E82587348EB30A605CB95

Function 1109D440 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,AD96CFBE,00080000,00000000,00000000), ref: 1109D46D
OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
Instruction ID: 1acc50509d1dc0efa8f8b8857b060522b21de2b31161cc556941a9c494b785c9
Opcode Fuzzy Hash: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
Instruction Fuzzy Hash: AE015EB5640218ABD710DFA4CC89BAAF7BCFF44B05F10452DFA1597280D7B1AA04CB71

Function 1109D4D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109E810,00000244,cant create events), ref: 1109D4EC
CloseHandle.KERNEL32(?,00000000,1109E810,00000244,cant create events), ref: 1109D4F5

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
Instruction ID: ae8e9f792a84aceb39bcb46fd7c9804e810fa9328d8f27f892a8d401e6504800
Opcode Fuzzy Hash: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
Instruction Fuzzy Hash: 55E0EC71654614ABE738CF28DC95FA677ECAF09B01F11495DF9A6D6180CA60F8408B64

Function 1102E640 Relevance: 241.6, APIs: 31, Strings: 106, Instructions: 1869windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

GetSystemMetrics.USER32(00002000), ref: 1102E7C4
FindWindowA.USER32(NSMWClass,00000000), ref: 1102E985

Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E9C1
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E9E9
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102ECAB

Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B4C
Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B59
Part of subcall function 11094B30: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B89

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EA48
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EA54
CloseHandle.KERNEL32(00000000), ref: 1102EA6C
FindWindowA.USER32(NSMWClass,00000000), ref: 1102EA79
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EA9B
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E7F6

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

LoadIconA.USER32(11000000,000004C1), ref: 1102EE45
LoadIconA.USER32(11000000,000004C2), ref: 1102EE55
DestroyCursor.USER32(00000000), ref: 1102EE7E
DestroyCursor.USER32(00000000), ref: 1102EE92
GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F45F
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F4B2
Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102FA52
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FA8C

Part of subcall function 11132BF0: wsprintfA.USER32 ref: 11132C60
Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132C91
Part of subcall function 11132BF0: SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132CAC

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

DispatchMessageA.USER32(?), ref: 1102FA96
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FAA8
CloseHandle.KERNEL32(00000000,11027270,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102FD40
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102FD78
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102FD7F
SetWindowPos.USER32(00020492,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102FDB5
CloseHandle.KERNEL32(00000000,11059C10,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102FE36
wsprintfA.USER32 ref: 1102FFA5
PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 110300F7
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103010D
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 11030136
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103015F

Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,AD96CFBE,00000002,75922EE0), ref: 1112820A
Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11128217
Part of subcall function 111281B0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112825E

Strings

DisableRunplugin, xrefs: 1102F110
Info. Client running as user=%s, type=%d, xrefs: 1102EA22
NSMWControl32, xrefs: 110300F2
NSMWClassVista, xrefs: 1102E775
NSTWControl32, xrefs: 1103014A
*BeepSound, xrefs: 1102F3A5
CLIENT32.CPP, xrefs: 1102E80A, 1102ED9B
client32, xrefs: 1102EBE5, 1102ED82
Windows 2012, xrefs: 1102F81B
DisableAudioFilter, xrefs: 1102F0A2, 1102F47C
DisableTSAdmin, xrefs: 1102F051
cl32main, xrefs: 1102E673
NSA.LIC, xrefs: 1102EB0B, 1102EB12, 1102EB35
AssertTimeout, xrefs: 1102EF23
UseIPC, xrefs: 1102FFCC
\Explorer.exe, xrefs: 110302FD
NSMWClass, xrefs: 1102E786, 1102E967, 1102EA74, 1102FF8F
Windows CE, xrefs: 1102F959
DisableJournal, xrefs: 1102F22F, 1102F2CD
DisableReplayMenu, xrefs: 1102F1FF, 1102F29D
Windows Vista x64, xrefs: 1102F6D7
Windows Vista, xrefs: 1102F6A9
pcicl32, xrefs: 1102E954
_debug, xrefs: 1102FA09
Windows 95, xrefs: 1102F4C4
Windows 8.1, xrefs: 1102F849
Windows 2008, xrefs: 1102F710
MiniDumpType, xrefs: 1102EF41
View, xrefs: 1102EAD5, 1102EED5, 1102EEEC, 1102EF0D
Windows Millennium, xrefs: 1102F525
EnableSmartcardLogon, xrefs: 1102FE9F
V12.10.8, xrefs: 1102F98E, 1102F9C2
Windows 2016, xrefs: 1102F92E
DisableJournalMenu, xrefs: 1102F247, 1102F2E5
TracePriv, xrefs: 1102FA04
TCPIP, xrefs: 110300A3
ShowKBEnable, xrefs: 1102F1B2
_debug, xrefs: 1102EDED, 1102EF46, 11030004
EnableSmartcardAuth, xrefs: 1102FEDB
Windows NT, xrefs: 1102F588
DisableAudio, xrefs: 1102F069, 1102F08A, 1102F0F8, 1102F25F, 1102F2FD
UseNTSecurity, xrefs: 1102FEBA
Windows 2012 R2, xrefs: 1102F898
ScreenScrape, xrefs: 1102F128, 1102F152, 1102F17C
closed ok, xrefs: 1102EA5E
OS2, xrefs: 1102F567
IsILS returned %d, isvistaservice %d, xrefs: 1102ECBA
Windows 2000, xrefs: 1102F5B5
V12.00.8, xrefs: 1102F987
RestartAfterError, xrefs: 1102F003
Windows 8 x64, xrefs: 1102F7EA
Windows 98, xrefs: 1102F4F5
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102EB66
*ScreenScrape, xrefs: 1102FAD1, 1102FB1A, 1102FD4C
Info. Client already running, pid=%d (x%x), xrefs: 1102E9CF
Windows XP x64, xrefs: 1102F639
Info. Trying to close client, xrefs: 1102EA34
hClientRunning = %x, pid=%d (x%x), xrefs: 1102EAAA
UseLegacyPrintCapture, xrefs: 1102F440
Windows 8, xrefs: 1102F7C2
CabinetWClass, xrefs: 11030257
*BeepUsingSpeaker, xrefs: 1102F372
Bridge, xrefs: 1102EABD
Client, xrefs: 1102EAC9, 1102EFE1, 1102F06E, 1102F08F, 1102F0FD, 1102F115, 1102F12D, 1102F157, 1102F181, 1102F1B7, 1102F1EC, 1102F204, 1102F21C, 1102F234, 1102F24C, 1102F264, 1102F28A, 1102F2A2, 1102F2BA, 1102F2D2, 1102F2EA, 1102F302, 1102F31A, 1102F332, 1102F445, 1102FA2B, 1102FAD6, 1102FB1F, 1102FCFA, 1102FD51, 1102FD6D, 1102FD94, 1102FEA4, 1102FEBF, 1102FEE0, 1102FFD1
*StartupDelay, xrefs: 1102FA26
Windows XP, xrefs: 1102F5E3
NSM.LIC, xrefs: 1102EAFD, 1102EB9B
Windows 2003 x64, xrefs: 1102F672
Windows 2003, xrefs: 1102F60A
Windows 10, xrefs: 1102F8C7
DisableRequestHelp, xrefs: 1102F217, 1102F2B5
General, xrefs: 1102EF28, 1102F008, 1102F377, 1102F3AA
Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 110303E4
Windows 7 x64, xrefs: 1102F794
NeedsReinstall, xrefs: 1102EFDC
Intel error "%s", xrefs: 1102ED48
NoFTWhenLoggedOff, xrefs: 1102F315
istaService, xrefs: 1102E6DB
Default, xrefs: 110300EB, 1103011A, 11030143
gClient.hNotifyEvent, xrefs: 1102E80F
*ListenPort, xrefs: 1103009E
istaUI, xrefs: 1102E6F6
Windows 10 x64, xrefs: 1102F8F7
Global\NSMWClassAdmin, xrefs: 1102FF9A
Session shutting down, exiting..., xrefs: 1102E7CE
Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 11030346
EnableGradientCaptions, xrefs: 1102EED0, 1102EEE7, 1102EF08
Error. Wrong hardware. Terminating, xrefs: 1102ECE9
Windows 8.1 x64, xrefs: 1102F86C
Windows XP Ding.wav, xrefs: 1102F3E1
Windows Ding.wav, xrefs: 1102F3DA
878411, xrefs: 1102FB8D, 1102FBE6, 1102FC27, 1102FD04
Ready, xrefs: 11030161
Error. Could not load transports - perhaps another client is running, xrefs: 1102FC63
Windows 7, xrefs: 1102F773
win8ui, xrefs: 1102EDE8
NSSWControl32, xrefs: 11030121
*PriorityClass, xrefs: 1102FD68
DisableConsoleClient, xrefs: 1102F039, 1102F0CE
LSPloaded=%d, WFPloaded=%d, xrefs: 1102EFBA
TraceIPC, xrefs: 1102FFFF
Audio, xrefs: 1102F0A7, 1102F481
Windows 2008 x64, xrefs: 1102F73C
DisableJoinClass, xrefs: 1102F1E7, 1102F285
AlwaysOnTop, xrefs: 1102FD8F
DisableHelp, xrefs: 1102F32D

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$Process$Window$CloseCreateEventHandlePostwsprintf$CriticalOpenSectionThread$CountCurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTickTokenVersionWait$ClassDispatchEnterErrorExitFolderLastMetricsPathPrioritySendSleepSystem__wcstoi64_malloc_memset
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$878411$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.8$V12.10.8$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 1099283604-1539223085
Opcode ID: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
Instruction ID: 27af1d42f1b4f6ddb2c14770db7fbacfca67435089f052a3aa779117de4136e9
Opcode Fuzzy Hash: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
Instruction Fuzzy Hash: 3CE25D75F0022AABEF15DBE4DC80FADF7A5AB4474CF904068E925AB3C4D770A944CB52

Function 1102DB00 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TCPIP, xrefs: 1102DF05
Warning: Unexpanded clientname=<%s>, xrefs: 1102E1F3
%sessionname%, xrefs: 1102E289, 1102E2A2
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E3EA
%s.%02d, xrefs: 1102E250
IsA(), xrefs: 1102E279, 1102E2F8
Client, xrefs: 1102DEE5, 1102DF1D, 1102E034
%session%, xrefs: 1102E2CA
client32, xrefs: 1102DE25
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E410
878411, xrefs: 1102E145, 1102E30B, 1102E32F, 1102E33C, 1102E36C, 1102E3E1
NSM.LIC, xrefs: 1102DB22
14/03/16 10:38:31 V12.10F8, xrefs: 1102E3BE
client32 dbi %hs, xrefs: 1102E3C3
NSMWClass, xrefs: 1102DCE4
WTSFreeMemory, xrefs: 1102E061
, xrefs: 1102E0B5
ts macaddr=%s, xrefs: 1102E01C
$session$, xrefs: 1102E2B6
DisableConsoleClient, xrefs: 1102DE67
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DFF4
TSMode, xrefs: 1102DEE0
Error x%x reading %s, sesh=%d, xrefs: 1102DDB1
WTSQuerySessionInformationA, xrefs: 1102DF9E
MacAddress, xrefs: 1102E02F
client32.ini, xrefs: 1102DD55
Wtsapi32.dll, xrefs: 1102DF2C
screenscrape, xrefs: 1102DF18
ListenPort, xrefs: 1102DF00
ClientName, xrefs: 1102E0E5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102E274, 1102E2F3
%02d, xrefs: 1102E238

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$14/03/16 10:38:31 V12.10F8$878411$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 3802068140-3299767256
Opcode ID: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
Instruction ID: 727bed6a5d63171c4319a8bac454151215a042d106ed124055d9f0508de139ba
Opcode Fuzzy Hash: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
Instruction Fuzzy Hash: 7932D275D0022A9FDF12DFA4DC84BEDB7B8AB44308F9445E9E55867280EB70AF84CB51

Function 110A9C90 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(setupapi.dll,AD96CFBE,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11184778), ref: 110A9CC3
GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A9CE7
SetupDiGetClassDevsA.SETUPAPI(111A6E0C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF), ref: 110A9D01
GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A9D2C
_free.LIBCMT ref: 110A9D60
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9D72
GetLastError.KERNEL32 ref: 110A9D9D
_malloc.LIBCMT ref: 110A9DB3
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9DD5
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9E07
SetLastError.KERNEL32(00000078), ref: 110A9E1B
GetLastError.KERNEL32 ref: 110A9E21
_free.LIBCMT ref: 110A9E33
SetLastError.KERNEL32(00000078), ref: 110A9E44
SetLastError.KERNEL32(00000078), ref: 110A9E51
_free.LIBCMT ref: 110A9E64
FreeLibrary.KERNEL32(?,?), ref: 110A9E74
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9F18

Strings

SetupDiGetClassDevsA, xrefs: 110A9CDB
SetupDiEnumDeviceInterfaces, xrefs: 110A9D26
SetupDiGetDeviceInterfaceDetailA, xrefs: 110A9D6C, 110A9DCF
SetupDiDestroyDeviceInfoList, xrefs: 110A9EC0
setupapi.dll, xrefs: 110A9CBB

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
API String ID: 3464732724-3340099623
Opcode ID: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
Instruction ID: 033bff87456eb4c9bd2d5bbaba34d7345019b106b940800e90953e4c12ebf53e
Opcode Fuzzy Hash: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
Instruction Fuzzy Hash: F2816279E14259ABEB04DFF4EC84F9FFBB8AF48704F104528F921A6284EB759905CB50

Function 11133920 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,AD96CFBE), ref: 1113398E
LoadLibraryA.KERNEL32(psapi.dll), ref: 111339E6
GetCurrentProcess.KERNEL32 ref: 11133A27
GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11133A51
GetProcessHandleCount.KERNEL32(00000000,?), ref: 11133A62
SetLastError.KERNEL32(00000078), ref: 11133A68
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133A84
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133AAC
SetLastError.KERNEL32(00000078), ref: 11133AC9
SetLastError.KERNEL32(00000078), ref: 11133AD6
GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11133AE8
K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11133AFB
SetLastError.KERNEL32(00000078), ref: 11133B01
FreeLibrary.KERNEL32(?), ref: 11133C6B
FreeLibrary.KERNEL32(?), ref: 11133C78
FreeLibrary.KERNEL32(?), ref: 11133C82

Strings

_debug, xrefs: 11133972
RestartGdiObj, xrefs: 11133C0E
Client, xrefs: 11133BC1, 11133BEC, 11133C13, 11133C3A
Date=%04d-%02d-%02d, xrefs: 111339AB
GetProcessMemoryInfo, xrefs: 11133AE2
RestartHandles, xrefs: 11133BE7
psapi.dll, xrefs: 111339C3
Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB, xrefs: 11133B73
CheckLeaks, xrefs: 1113396D
GetProcessHandleCount, xrefs: 11133A4B
GetGuiResources, xrefs: 11133A7E, 11133AA6
RestartUserObj, xrefs: 11133C35
RestartMB, xrefs: 11133BBC

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
API String ID: 263027137-1001504656
Opcode ID: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
Instruction ID: 17d7fdf42b282dadbb05295794651177f64ab9c07d211a437ec733fd2e53fcc2
Opcode Fuzzy Hash: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
Instruction Fuzzy Hash: A3B1BFB1E242699FDB10DFE9CDC0AADFBB6EB48319F10452AE414E7348DB349844CB65

Function 1102DBC9 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102DF31

Strings

TCPIP, xrefs: 1102DF05
, xrefs: 1102E0B5
ts macaddr=%s, xrefs: 1102E01C
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E3EA
DisableConsoleClient, xrefs: 1102DE67
Client, xrefs: 1102DEE5, 1102DF1D, 1102E034
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DFF4
TSMode, xrefs: 1102DEE0
Error x%x reading %s, sesh=%d, xrefs: 1102DDB1
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E410
WTSQuerySessionInformationA, xrefs: 1102DF9E
MacAddress, xrefs: 1102E02F
878411, xrefs: 1102E145, 1102E36C, 1102E3E1
client32.ini, xrefs: 1102DD55
Wtsapi32.dll, xrefs: 1102DF2C
screenscrape, xrefs: 1102DF18
14/03/16 10:38:31 V12.10F8, xrefs: 1102E3BE
client32 dbi %hs, xrefs: 1102E3C3
ListenPort, xrefs: 1102DF00
ClientName, xrefs: 1102E0E5
WTSFreeMemory, xrefs: 1102E061

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $14/03/16 10:38:31 V12.10F8$878411$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-1967907091
Opcode ID: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
Instruction ID: 8eab5b2d156e186679f92ce27f1e5cdd209b728942572a9b5b46018c3091c824
Opcode Fuzzy Hash: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
Instruction Fuzzy Hash: 97C1D275E0026AAFDF22DF959C84BEDF7B9AB44308F9440EDE55867280D770AE80CB51

Function 111414A0 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 266
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(User32.dll,00000000,00000000), ref: 111414F3
FreeLibrary.KERNEL32(00000000), ref: 11141563
LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 11141586
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 111415E5
_memset.LIBCMT ref: 111415F9
LoadCursorA.USER32(00000000,00007F00), ref: 11141649
GetStockObject.GDI32(00000000), ref: 11141653
RegisterClassExA.USER32(?), ref: 1114166A
LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
SetTimer.USER32(00000000,00000000,000003E8,1113CD60), ref: 1114183A
#17.COMCTL32(?,?,?,00000000,00000000), ref: 11141868
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873

Part of subcall function 11017450: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,AD96CFBE,1102FCB2,00000000), ref: 1101747E
Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
Part of subcall function 11017450: FreeLibrary.KERNEL32(00000000), ref: 110174F8

Part of subcall function 110CC7F0: CreateWindowExA.USER32(00000000,button,11194244,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CC829
Part of subcall function 110CC7F0: SetClassLongA.USER32(00000000,000000E8,110CC570), ref: 110CC840

Strings

TraceCopyData, xrefs: 1114176C
UI.CPP, xrefs: 11141621, 1114167C
pcihooks, xrefs: 111416FD
*quiet, xrefs: 111415AD
_debug, xrefs: 11141771
HookKeyboard, xrefs: 11141711
NSMGetAppIcon(), xrefs: 11141626
imm32, xrefs: 1114157C
InitUI (%d), xrefs: 111414CC
View, xrefs: 11141751
riched32.dll, xrefs: 1114186E
NSMWClass, xrefs: 111415D7, 11141663
_License, xrefs: 111415B2
User32.dll, xrefs: 111414E7

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 3706574701-3145203681
Opcode ID: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
Instruction ID: 9b294397b9efa9119a6c3372e39ca87a41eafe2d9b680e3b49ce131b24699399
Opcode Fuzzy Hash: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
Instruction Fuzzy Hash: 6EA19DB4E0126AAFDB01DFE9C9C4AADFBB4FB4870DB60413EE52997644EB306440CB55

Function 110285F0 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,74601370,?,0000001A), ref: 110286DD
_strrchr.LIBCMT ref: 110286EC

Part of subcall function 111646CE: __stricmp_l.LIBCMT ref: 1116470B

Strings

SupportsChrome, xrefs: 11028AE6
NSSTLA, xrefs: 11028965
TLA, xrefs: 11028905
Home, xrefs: 110288D5
product.dat, xrefs: 110286A0, 110286F1
TechConsole, xrefs: 11028B1D
NSMAppDataDir, xrefs: 110289F5
NSSConfName, xrefs: 11028A55
LongName, xrefs: 11028875
SupportEMail, xrefs: 110289C5
SupportsAndroid, xrefs: 11028B82
NSSLongCaption, xrefs: 11028B55
??F, xrefs: 11028C70
AssistantURL, xrefs: 11028AB9
??I, xrefs: 11028CF7
AssistantName, xrefs: 11028A8C
Name, xrefs: 1102883E
SupportWWW, xrefs: 11028995
NSSAppDataDir, xrefs: 11028A25
ShortName, xrefs: 110288A5
\, xrefs: 1102866C
NSSName, xrefs: 11028935

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
Instruction ID: efd952e0d0f75bab71a6f775fe147756553f35749af42d5d105ea8c6321280ff
Opcode Fuzzy Hash: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
Instruction Fuzzy Hash: ED12D67CD0929A8BDB17CF64CC807E5B7F5AB19308F8400EEE9D557201EB729686CB52

Function 11086700 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110867AA
LoadLibraryA.KERNEL32(?), ref: 110867EC
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108681C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108683E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108684F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086860

Strings

CipherServer_EncryptBlocks, xrefs: 1108685A
CipherServer_OpenSession, xrefs: 11086838
CipherServer_GetInfoBlock, xrefs: 11086827
CryptPak.dll, xrefs: 1108675B, 110867BE
CipherServer_CloseSession, xrefs: 11086849
CipherServer_ResetSession, xrefs: 1108688D
CipherServer_DecryptBlocks, xrefs: 1108686B
CipherServer_Destroy, xrefs: 11086816
CipherServer_GetRandomData, xrefs: 1108687C
CipherServer_Create, xrefs: 11086801

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
Instruction ID: c81deb3771c39ade44f8803fbe1e6421c41fb3d40bd553f41274565aeadcb2b4
Opcode Fuzzy Hash: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
Instruction Fuzzy Hash: CD51C174E1834A9BD710DF79DC94BA6FBE9AF54304B1289AED885C7240EAB2E444CF50

Function 11141890 Relevance: 35.7, APIs: 3, Strings: 17, Instructions: 672
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.ADVAPI32(00000000), ref: 1114194A

Strings

client., xrefs: 11141D46
Add [%s]%s=%s, xrefs: 11141E36
Del [%s]%s=%s, xrefs: 11141E95
Info. Policy changed - reload transports..., xrefs: 11142036
RoomSpec, xrefs: 11141DC7, 1114207A
_debug, xrefs: 11141DE6
IsA(), xrefs: 111420CD
Client, xrefs: 11141DCC, 1114207F
Chg [%s]%s=%s, xrefs: 11141EF5
client, xrefs: 11141D63
NSM.LIC, xrefs: 11141950
NSA.LIC, xrefs: 1114195F, 11141966, 1114198D
Warning. Can't calc AD policy changes, xrefs: 11141D85
Info. Policy changed - re-initui, xrefs: 11142012
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 111420C8
TracePolicyChange, xrefs: 11141DE1
Info. Lockup averted for AD policy changes, xrefs: 11141B1D, 11141B44

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Close
String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3535843008-2062829784
Opcode ID: b095e62f5566da241d3e91ca5be9f891ca13435fdbaa530bea89b8198b644eef
Instruction ID: 6553b1da6d6d14651d2a1fffef45e08f8fb4271012d2e4188a9b1e9169dedbc2
Opcode Fuzzy Hash: b095e62f5566da241d3e91ca5be9f891ca13435fdbaa530bea89b8198b644eef
Instruction Fuzzy Hash: E4420778E002999FEB21CBA0CD90FEEF7766F95B08F1401D8D50967681EB727A84CB51

Function 11074A00 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294
threadtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11074AE5
InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 11074AEB
InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 11074AF1
InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 11074AFA
InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 11074B00
InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 11074B06
_strncpy.LIBCMT ref: 11074B68
ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 11074BCF
CreateThread.KERNEL32(00000000,00004000,11070C60,00000000,00000000,?), ref: 11074C6C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11074C73
SetTimer.USER32(00000000,00000000,000000FA,11063680), ref: 11074CB7
std::exception::exception.LIBCMT ref: 11074D68
__CxxThrowException@8.LIBCMT ref: 11074D83

Strings

DefaultUsername, xrefs: 11074BB0
..\ctl32\Connect.cpp, xrefs: 11074B16
RememberPassword, xrefs: 11074B80
destroy_queue == NULL, xrefs: 11074B1B
Password, xrefs: 11074C23
General, xrefs: 11074B85, 11074BB5, 11074C28

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
API String ID: 703120326-1497550179
Opcode ID: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
Instruction ID: 2d3153b5a6430d98d64e81d2a1e668bfe4de0d121a1dff3557e595bbadcf65c6
Opcode Fuzzy Hash: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
Instruction Fuzzy Hash: 79B1A4B5A00359AFD710CF64CD84FDAF7F4BB48708F0085A9E65997281EBB0B944CB65

Function 11108D30 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 213
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11108E0A
CloseHandle.KERNEL32(00000000), ref: 11108E19
GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11108E2B
LoadLibraryA.KERNEL32(?), ref: 11108E61
GetProcAddress.KERNEL32(?,GrabKM), ref: 11108E8E
GetProcAddress.KERNEL32(?,LoggedOn), ref: 11108EA6
FreeLibrary.KERNEL32(?), ref: 11108ECB

Part of subcall function 1110F2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EDC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
Part of subcall function 1110F2B0: CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
Part of subcall function 1110F2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
Part of subcall function 1110F2B0: CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321

GetStockObject.GDI32(0000000D), ref: 11108EDF
GetObjectA.GDI32(00000000,0000003C,?), ref: 11108EEF
InitializeCriticalSection.KERNEL32(0000003C), ref: 11108F0B
InitializeCriticalSection.KERNEL32(111F060C), ref: 11108F16

Part of subcall function 11107290: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
Part of subcall function 11107290: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2

CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108F59

Part of subcall function 1109E9E0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
Part of subcall function 1109E9E0: OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
Part of subcall function 1109E9E0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27

CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FAA
CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FFF

Strings

\pcigina, xrefs: 11108E40
GrabKM, xrefs: 11108E88
nsm_gina_sas, xrefs: 11108DF4
LoggedOn, xrefs: 11108EA0
LPT1, xrefs: 11108DE9

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
API String ID: 3930710499-403456261
Opcode ID: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
Instruction ID: 229803012459fbbe5cfd3a30b02a894d1af5bad55287ed163187595495ff030c
Opcode Fuzzy Hash: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
Instruction Fuzzy Hash: DC81AFB4E0435AEFEB55DFB48C89B9AFBE9AB48308F00457DE569D7280E7309944CB11

Function 11138C30 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75A78400), ref: 111450D0
Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA

PostMessageA.USER32(00020492,000006CF,00000007,00000000), ref: 11138E0F

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

SetWindowTextA.USER32(00020492,00000000), ref: 11138EB7
IsWindowVisible.USER32(00020492), ref: 11138F7C
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11138F9C
IsWindowVisible.USER32(00020492), ref: 11138FAA
SetForegroundWindow.USER32(00000000), ref: 11138FD8
EnableWindow.USER32(00020492,00000001), ref: 11138FE7
IsWindowVisible.USER32(00020492), ref: 11139038
IsWindowVisible.USER32(00020492), ref: 11139045
EnableWindow.USER32(00020492,00000000), ref: 11139059
EnableWindow.USER32(00020492,00000000), ref: 11138FBF

Part of subcall function 11131210: ShowWindow.USER32(00020492,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234

EnableWindow.USER32(00020492,00000001), ref: 1113906D

Strings

ConnectedText, xrefs: 11138D48, 11138D57
Client, xrefs: 11138CB1, 11138D5B, 11138D94, 11138DF2
ViewedText, xrefs: 11138D3B
ShowUIOnConnect, xrefs: 11138DED
LockedText, xrefs: 11138D8F
HideWhenIdle, xrefs: 11138CAC

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
Instruction ID: ae8ec3c714d324370739ddb1cab1952d607c59122f5be0bb7ac7fd02d25128b2
Opcode Fuzzy Hash: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
Instruction Fuzzy Hash: 86C12A75A1122A9BEB11DFF4CD80B6EF769ABC072DF140138EA159B28CEB75E804C751

Function 110281A0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110281F1

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

wsprintfA.USER32 ref: 11028214
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028259
GetExitCodeProcess.KERNEL32(?,?), ref: 1102826D
wsprintfA.USER32 ref: 11028291
CloseHandle.KERNEL32(?), ref: 110282A7
CloseHandle.KERNEL32(?), ref: 110282B0
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028311
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028325

Strings

", xrefs: 110281EA
Locales\%d\, xrefs: 11028281
NSM.LIC, xrefs: 110281B9, 110282D0
pcicl32_res.dll, xrefs: 110282E9
\GetUserLang.exe", xrefs: 1102820E
Setting resource langid=%d, xrefs: 110282D1
SetClientResLang called, gPlatform %x, xrefs: 110281BC

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-419896573
Opcode ID: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
Instruction ID: 7a246749baaa4a6e23861a3fd22e5cd13303056935123195fcb9bb693944541c
Opcode Fuzzy Hash: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
Instruction Fuzzy Hash: B841D678E04229ABD714CF65CCD5FEAB7B9EB44709F0081A5F95897280DA71AE44CBA0

Function 11085E10 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,AD96CFBE,02F68BC0,02F68BB0,?,00000000,1118276C,000000FF,?,11031942,02F68BC0,00000000,?,?,?), ref: 11085E45

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11085E6B
GetProcAddress.KERNEL32(00000000,Cancel), ref: 11085E7F
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11085E93
wsprintfA.USER32 ref: 11085F1B
wsprintfA.USER32 ref: 11085F32
wsprintfA.USER32 ref: 11085F49
CloseHandle.KERNEL32(00000000,11085C70,00000001,00000000), ref: 1108609A

Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7591F550,?,?,110860C0,?,11031942,02F68BC0,00000000,?,?,?), ref: 11085A98
Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7591F550,?,?,110860C0,?,11031942,02F68BC0,00000000,?,?,?), ref: 11085AAB
Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7591F550,?,?,110860C0,?,11031942,02F68BC0,00000000,?,?,?), ref: 11085ABE
Part of subcall function 11085A80: FreeLibrary.KERNEL32(00000000,7591F550,?,?,110860C0,?,11031942,02F68BC0,00000000,?,?,?), ref: 11085AD1

Strings

GetInventory, xrefs: 11085E65
%s_SW.%s, xrefs: 11085F2C
%s_HW.%s, xrefs: 11085F12
Cancel, xrefs: 11085E79
%s_HF.%s, xrefs: 11085F43
GetInventoryEx, xrefs: 11085E87
PCIINV.DLL, xrefs: 11085E40

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 4263811268-2492245516
Opcode ID: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
Instruction ID: c264ff3baa83c9e34b1ea5f373b83d9ca187d225ad452563e08076ac2ec7b834
Opcode Fuzzy Hash: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
Instruction Fuzzy Hash: 40718175E0874AABEB14CF75CC46BDBFBE4AB48304F10452AE956D7280EB71A500CB95

Function 110304B8 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 190synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 110306AC
SetLastError.KERNEL32(00000078), ref: 110306C2
WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
CloseHandle.KERNEL32(?), ref: 11030709
FreeLibrary.KERNEL32(?), ref: 11030714
CloseHandle.KERNEL32(00000000), ref: 1103071B

Strings

_debug\tracefile, xrefs: 11030556
_debug\trace, xrefs: 11030544
PCIMutex, xrefs: 110305E3, 11030603
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1103052A
/247, xrefs: 11030616
istaUI, xrefs: 1103050D
SetProcessDPIAware, xrefs: 110306A6

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
Instruction ID: 4511418fabb8e143c6e2e60e2068ec6a59f08b67eb8208c825473cc9362a61df
Opcode Fuzzy Hash: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
Instruction Fuzzy Hash: 72613774E1635AAFEB10DFB09C44B9EB7B4AF8470DF1000A9D919A71C5EF70AA44CB51

Function 6D031D3F Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 108threadCOMMON

Download Yara Rule

APIs

__set_flsgetvalue.MSVCR100(6D031DE0,00000008,6D031E16,00000001,?), ref: 6D031D6A

Part of subcall function 6D030341: TlsGetValue.KERNEL32(?,6D030713), ref: 6D03034A

TlsGetValue.KERNEL32(6D031DE0,00000008,6D031E16,00000001,?), ref: 6D031D7B
_calloc_crt.MSVCR100(00000001,00000214), ref: 6D031D8E
DecodePointer.KERNEL32(00000000), ref: 6D031DAC
_initptd.MSVCR100(00000000,00000000), ref: 6D031DBE

Part of subcall function 6D031E9B: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6D031F38,00000008,6D0575E9,00000000,00000000), ref: 6D031EAC
Part of subcall function 6D031E9B: _lock.MSVCR100(0000000D), ref: 6D031EE0
Part of subcall function 6D031E9B: InterlockedIncrement.KERNEL32(?), ref: 6D031EED
Part of subcall function 6D031E9B: _lock.MSVCR100(0000000C), ref: 6D031F01

GetCurrentThreadId.KERNEL32 ref: 6D031DC5
__freeptd.LIBCMT ref: 6D032971
__heap_init.LIBCMT ref: 6D03B8B1
GetCommandLineA.KERNEL32(6D031DE0,00000008,6D031E16,00000001,?), ref: 6D03B8E2
GetCommandLineW.KERNEL32 ref: 6D03B8ED
__ioterm.LIBCMT ref: 6D047B7E
free.MSVCR100(00000000), ref: 6D057485

Strings

x6, xrefs: 6D03B8E8

Memory Dump Source

Source File: 00000002.00000002.3890464582.000000006D021000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000002.00000002.3890446633.000000006D020000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890532245.000000006D0D4000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890550927.000000006D0D6000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890580013.000000006D0D9000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d020000_bild.jbxd

Similarity

API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
String ID: x6
API String ID: 2121586863-2935165365
Opcode ID: 3420823ab969641053c3acaabe141679cf230d11372f794e9dae8c555e0ea27c
Instruction ID: b6c00e8224b58d6d9e2ddb5cf5917459961bdbece1a85f7c87ac082ec22c7140
Opcode Fuzzy Hash: 3420823ab969641053c3acaabe141679cf230d11372f794e9dae8c555e0ea27c
Instruction Fuzzy Hash: 8031B430C5DA23EAFB162BB98944B2D36F4EF8B359B638426DE50C7040DF71C4409AA7

Function 11106100 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1110612E
EnterCriticalSection.KERNEL32(111F060C), ref: 11106137
GetTickCount.KERNEL32 ref: 1110613D
GetTickCount.KERNEL32 ref: 11106190
LeaveCriticalSection.KERNEL32(111F060C), ref: 11106199
GetTickCount.KERNEL32 ref: 111061CA
LeaveCriticalSection.KERNEL32(111F060C), ref: 111061D3
EnterCriticalSection.KERNEL32(111F060C), ref: 111061FC
LeaveCriticalSection.KERNEL32(111F060C,00000000,?,00000000), ref: 111062C3

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 110F0CF0: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11106267,?), ref: 110F0D1B

Strings

psi, xrefs: 11106183, 11106238, 1110627E
Warning. took %d ms to get simap lock, xrefs: 11106149
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 1110617E, 11106233, 11106279
Warning. simap lock held for %d ms, xrefs: 111061A9, 111061E3
info. new psi(%d) = %x, xrefs: 111062B1

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
API String ID: 1574099134-3013461081
Opcode ID: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
Instruction ID: 01093d0ef8ba3b8d66a1f5e3f4838d53f0bc1b4d1e9212342b6ef41ebc516d7c
Opcode Fuzzy Hash: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
Instruction Fuzzy Hash: 64410E79F0411AABD700DFA59C81E9EFBB9EB8462CF524535F909E7240EA306904CBE1

Function 1102C410 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F340: SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C455
GetTickCount.KERNEL32 ref: 1102C47A

Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A

GetTickCount.KERNEL32 ref: 1102C574

Part of subcall function 110D1370: wvsprintfA.USER32(?,?,1102C511), ref: 110D139B

Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C66C
CloseHandle.KERNEL32(?), ref: 1102C688

Strings

http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102C495
GeoIP, xrefs: 1102C4C3
GetLatLong=%s, took %d ms, xrefs: 1102C591
_debug, xrefs: 1102C4C8, 1102C52A
LatLong, xrefs: 1102C438, 1102C525
IsA(), xrefs: 1102C6BE, 1102C6D2, 1102C6E6, 1102C6FA
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102C6B9, 1102C6CD, 1102C6E1, 1102C6F5
?IP=%s, xrefs: 1102C506

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
Instruction ID: 59613557395ae23f7967247d4baf4cae7550bfc3229e85cd4bc92fe2e2f2b4a8
Opcode Fuzzy Hash: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
Instruction Fuzzy Hash: 6B818275E0020AABDF04DBE8CD94FEEF7B5AF59708F504258E82567284DB34BA05CB61

Function 11061700 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A

Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
Part of subcall function 11061140: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110617AB
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11061865
RegCloseKey.ADVAPI32(?), ref: 11061881

Strings

Standard, xrefs: 110617C6
Software\Policies\NetSupport, xrefs: 110617FF
%s\%s\%s\, xrefs: 11061804
Software\Policies\NetSupport\Client\Standard, xrefs: 1106176D
Client.%04d.%s, xrefs: 110617E7
Client, xrefs: 110617FA
Client, xrefs: 11061768, 11061898
DisableUserPolicies, xrefs: 11061893
Software\Policies\NetSupport\Client, xrefs: 11061754

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
Instruction ID: 3a074a016260bf88f68c0586b8c591cabbb012c9b5ad66670ab8b6bf40d046b4
Opcode Fuzzy Hash: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
Instruction Fuzzy Hash: 5F416179E4022DABD724CB55CC81FEAB7BCEB94748F1001D9EA48A6140D6B06E84CFA1

Function 11137630 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

GetTickCount.KERNEL32 ref: 11137692

Part of subcall function 11096970: CoInitialize.OLE32(00000000), ref: 11096984
Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
Part of subcall function 11096970: CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
Part of subcall function 11096970: CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9

GetTickCount.KERNEL32 ref: 111376A1
_memset.LIBCMT ref: 111376E3
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 111376F9
_strrchr.LIBCMT ref: 11137708
_free.LIBCMT ref: 1113775A

Strings

IsICFPresent() took %d ms, xrefs: 111376AD
IsICFPresent..., xrefs: 1113767F
ICFConfig2 returned 0x%x, xrefs: 11137760
*AutoICFConfig, xrefs: 11137667
ICFConfig, xrefs: 11137645
Client, xrefs: 1113766C
No ICF present, xrefs: 11137792

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
Instruction ID: 94b21c48fabd249aebac1ca0d473d12a11480cc4bb4ab1ee9f0f9b3b40903c19
Opcode Fuzzy Hash: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
Instruction Fuzzy Hash: 9941AE7AE0022E97C710DF756C89BEFF7699B5471DF040079E90493140EAB1AD44CBE1

Function 11133E80 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11145440: _memset.LIBCMT ref: 11145485
Part of subcall function 11145440: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
Part of subcall function 11145440: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
Part of subcall function 11145440: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
Part of subcall function 11145440: FreeLibrary.KERNEL32(00000000), ref: 111454EF
Part of subcall function 11145440: GetSystemDefaultLangID.KERNEL32 ref: 111454FA

AdjustWindowRectEx.USER32(111417B8,00CE0000,00000001,00000001), ref: 11133EC7
LoadMenuA.USER32(00000000,000003EC), ref: 11133ED8
GetSystemMetrics.USER32(00000021), ref: 11133EE9
GetSystemMetrics.USER32(0000000F), ref: 11133EF1
GetSystemMetrics.USER32(00000004), ref: 11133EF7
GetDC.USER32(00000000), ref: 11133F03
GetDeviceCaps.GDI32(00000000,0000005A), ref: 11133F0E
ReleaseDC.USER32(00000000,00000000), ref: 11133F1A
CreateWindowExA.USER32(00000001,NSMWClass,02B6DD98,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
GetLastError.KERNEL32(?,?,?,?,?,110F7D09,00000001,111417B8,_debug), ref: 11133F77

Strings

CreateMainWnd, hwnd=%x, e=%d, xrefs: 11133F7F
mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 11133F2E
NSMWClass, xrefs: 11133F69

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-1114959992
Opcode ID: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
Instruction ID: 5297cf036ba1cbd73fc44df567c8a611b910eb11675e7325f2afb4d5e36916b9
Opcode Fuzzy Hash: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
Instruction Fuzzy Hash: C4316275E10219ABDB149FF58C85FAFFBB8EB48709F100529FA25B7284D67469008BA4

Function 1102CC10 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102DD98,00000000,AD96CFBE,?,00000000,00000000), ref: 1102CE44
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CE6E
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE75
Sleep.KERNEL32(00000032), ref: 1102CE86
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE96
Sleep.KERNEL32(000003E8), ref: 1102CEE2
CloseHandle.KERNEL32(?), ref: 1102CF0F

Strings

ProtectedStorage, xrefs: 1102CE54
NSA.LIC, xrefs: 1102CF56, 1102CF5D, 1102CF8D
NSM.LIC, xrefs: 1102CF47
>, xrefs: 1102CDBB

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2077998243
Opcode ID: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
Instruction ID: 880dc79335238c7f7dd8ff78cda89552a6d5dde84d0873ba54ec41c4173cff75
Opcode Fuzzy Hash: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
Instruction Fuzzy Hash: 27B19475E012259FDB25DFA4CD80BEDB7B5BB48708F5041E9E919AB381DB70AA80CF50

Function 11132BF0 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11132C60
GetTickCount.KERNEL32 ref: 11132C91
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
GetTickCount.KERNEL32 ref: 11132CAC

Strings

HasStudentComponents=%d, xrefs: 11132D27
Software\NSL, xrefs: 11132CD4
Warning. SHGetFolderPath took %d ms, xrefs: 11132CB6
schplayer.exe, xrefs: 11132CE8
%s%s, xrefs: 11132C5A, 11132CFE
CommonPath, xrefs: 11132CCF
runplugin.exe, xrefs: 11132C3E

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
Instruction ID: 1138b9c1199a8041912b1953dd267279d987a2a799c8ea79b9a25deb6d60bab0
Opcode Fuzzy Hash: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
Instruction Fuzzy Hash: F33157BAE4022E67E700AFB0AC84FEDF36C9B9471EF1000A9E915A7145EA72B545C761

Function 111450A0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111F0EF0,75A78400), ref: 111450D0
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
_memset.LIBCMT ref: 1114512D

Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75A78400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020

_strncpy.LIBCMT ref: 111451FA

Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52

RegCloseKey.KERNEL32(00000000), ref: 11145296

Strings

Service Pack, xrefs: 111452DD
CurrentMinorVersionNumber, xrefs: 11145260
CurrentMajorVersionNumber, xrefs: 11145228
CSDVersion, xrefs: 1114514A
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 111450FB
CurrentVersion, xrefs: 11145174

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
Instruction ID: 1fcbe558ef897eaa1b38a7330f4b62b9d1ba330f7a3c6d488077e096d0eda0f8
Opcode Fuzzy Hash: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
Instruction Fuzzy Hash: 6D51D9B1E0022BEFEB51CF60CD41F9EF7B9AB04B08F104199F519A7941E7716A48CB91

Function 11026BA0 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11026C26
_strtok.LIBCMT ref: 11026C60
Sleep.KERNEL32(1102FC53,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11026D54

Strings

TCPIP, xrefs: 11026C82
Retrying..., xrefs: 11026D42
Protocols, xrefs: 11026C11
UseNCS, xrefs: 11026C7D
LoadTransports(%d), xrefs: 11026C9C
*max_sessions, xrefs: 11026CB6
Client, xrefs: 11026C16, 11026CBB
Error. not all transports loaded (%d/%d), xrefs: 11026D28

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
Instruction ID: 546c7fd96e7e5c201e62e0728b24f9c1e86d1f0ab762c79c207aecf2c2ec1ca9
Opcode Fuzzy Hash: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
Instruction Fuzzy Hash: A951F375E0525E9BDF11EFA9CC80BBEFBB5EB84308FA44069DC1167284E631A846C742

Function 11102C50 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3

GetCurrentThreadId.KERNEL32 ref: 11102C6C
GetThreadDesktop.USER32(00000000), ref: 11102C73
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83
SetThreadDesktop.USER32(00000000), ref: 11102C90
CloseDesktop.USER32(00000000), ref: 11102CA9
GetLastError.KERNEL32 ref: 11102CB1
CloseDesktop.USER32(00000000), ref: 11102CC7
GetLastError.KERNEL32 ref: 11102CCF

Strings

SetThreadDesktop(%s) ok, xrefs: 11102C9B
SetThreadDesktop(%s) failed, e=%d, xrefs: 11102CB9
OpenDesktop(%s) failed, e=%d, xrefs: 11102CD7

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
Instruction ID: e6b285a79aa3308c0e4e86645e8e2c70f1a73097c1882eeb774c19519f5c9288
Opcode Fuzzy Hash: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
Instruction Fuzzy Hash: 5D11C679A042167BE7086BB15C89FBFFA2DAFC571CF051438F91786545EE24B40483B6

Function 1115E380 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115E3A8
GetLastError.KERNEL32 ref: 1115E3B5
wsprintfA.USER32 ref: 1115E3C8

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115E40C
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115E419

Strings

NSMReflect, xrefs: 1115E407
GlobalAddAtom failed, e=%d, xrefs: 1115E3C2
..\ctl32\wndclass.cpp, xrefs: 1115E3D9, 1115E3F5
m_aProp, xrefs: 1115E3FA
NSMDropTarget, xrefs: 1115E40E
NSMWndClass, xrefs: 1115E3A0

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
Instruction ID: 2151ae3f148807adf1b9b51829e7bc1db46dc9b6ec15270657221fcdabbc1952
Opcode Fuzzy Hash: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
Instruction Fuzzy Hash: 1B110479A01319ABC720EFE69C84A96F7B4FF2231CB40822EE46543240DA706944CB51

Function 111100D0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

std::exception::exception.LIBCMT ref: 1111013A
__CxxThrowException@8.LIBCMT ref: 1111014F
GetCurrentThreadId.KERNEL32 ref: 11110166
InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
LeaveCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111024F

Strings

..\ctl32\Refcount.cpp, xrefs: 111101D6
QueueThreadEvent, xrefs: 111101DB

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
Instruction ID: 7e481d80fa827a07ee7257280804c30d2ae959ce5d98406b053f8524d928f6e4
Opcode Fuzzy Hash: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
Instruction Fuzzy Hash: 6C41C2B5E00216AFDB11CFB98C84BAEFBF5FB48708F00453AE815DB244E675A944CB91

Function 110607F0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,1117F505,00000000,00000000,AD96CFBE,00000000,?,00000000), ref: 11060874
_malloc.LIBCMT ref: 110608BB

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,AD96CFBE,00000000), ref: 110608FB
RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11060962
_free.LIBCMT ref: 11060974

Strings

maxname < _tsizeof (m_szSectionAndKey), xrefs: 110608A8
strlen (k.m_k) < _tsizeof (m_szSectionAndKey), xrefs: 11060A7A
err == 0, xrefs: 11060888
..\ctl32\Config.cpp, xrefs: 11060883, 110608A3, 11060A75

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
API String ID: 999355418-161875503
Opcode ID: ede5c3721df02264062f4e77cb696a88b6134c6cdb72e0f87da8dbc6f017e57a
Instruction ID: c47c75eefe38bee888b154a00c4449ad07b8701d7df13cace45a3bfee881b040
Opcode Fuzzy Hash: ede5c3721df02264062f4e77cb696a88b6134c6cdb72e0f87da8dbc6f017e57a
Instruction Fuzzy Hash: E3A1B075A007469FE721CF64C880BABFBF8AF45308F044A5CE99697684E770F508CBA1

Function 1115BA20 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,AD96CFBE,00000000,?), ref: 1115BA67
CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87
wsprintfW.USER32 ref: 1115BAA7
SysAllocString.OLEAUT32(?), ref: 1115BAB3
wsprintfW.USER32 ref: 1115BB67
SysFreeString.OLEAUT32(?), ref: 1115BC08

Strings

SELECT * FROM %s, xrefs: 1115BB61
WQL, xrefs: 1115BB80
root\CIMV2, xrefs: 1115BAA1

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
Instruction ID: 667e066b75244b2782fe63ff2368f72f8a2c2363a2cb4bcdb988270c73b3585f
Opcode Fuzzy Hash: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
Instruction Fuzzy Hash: 7351B071B00219ABC764CF69CC84F9AF7B9FB8A714F1042A8E429E7240DA70AE40CF55

Function 11145440 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11145330: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
Part of subcall function 11145330: RegCloseKey.ADVAPI32(?), ref: 11145404

_memset.LIBCMT ref: 11145485
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
FreeLibrary.KERNEL32(00000000), ref: 111454EF
GetSystemDefaultLangID.KERNEL32 ref: 111454FA

Strings

GetUserDefaultUILanguage, xrefs: 111454D1
kernel32.dll, xrefs: 111454B0

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
Instruction ID: 76ed8f4553af2ae4cc76032582d3c5cf4b75be54885724a55a46303ac3459834
Opcode Fuzzy Hash: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
Instruction Fuzzy Hash: 07313971E002299BD761DF74D984BE9F7B6EB08729F540164E42DC7A80D7344984CF91

Function 11015010 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110150CA
_memset.LIBCMT ref: 1101510E
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015148

Strings

NSLSP, xrefs: 11015158
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101504B
PackedCatalogItem, xrefs: 11015132
%012d, xrefs: 110150C4

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
Instruction ID: d38f3a4d66d5a90606c53f5b1b84405609ec5bb3b13ff7cea0d7775b25b40b12
Opcode Fuzzy Hash: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
Instruction Fuzzy Hash: C6419D71D02269AFEB11DB64CC90BDEF7B8EB44314F0445E9E819A7281EB35AB48CF50

Function 1100FDC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100FDED
std::_Lockit::_Lockit.LIBCPMT ref: 1100FE10
std::bad_exception::bad_exception.LIBCMT ref: 1100FE94
__CxxThrowException@8.LIBCMT ref: 1100FEA2
std::_Lockit::_Lockit.LIBCPMT ref: 1100FEB5
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FECF

Strings

bad cast, xrefs: 1100FE8C

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
Instruction ID: 563b417412927bd42dfe2d2268ce551a617b01fe8fe711e168dc892134580a96
Opcode Fuzzy Hash: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
Instruction Fuzzy Hash: 5731E975D002669FD711DF94C890BAEF7B8EB04B68F10426DD921A7291DB717D40CB92

Function 11144BD0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\ctl32\util.cpp, xrefs: 11144BF7, 11144C99
FALSE || !"wrong nsmdir", xrefs: 11144C9E
nsmdir < GP_MAX, xrefs: 11144BFC

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
Instruction ID: dd955378f98185685044f21f066d1e50e049b7277ab8e5714ac6db0ba135c9a8
Opcode Fuzzy Hash: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
Instruction Fuzzy Hash: AB518835D4022E5BD711CF24DC50BDEF7A4AF15B08F2401A4D8997BA80EBB27B84CBA5

Function 11107290 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
std::exception::exception.LIBCMT ref: 11107414
__CxxThrowException@8.LIBCMT ref: 11107429

Strings

Wtsapi32.dll, xrefs: 1110735E
Advapi32.dll, xrefs: 11107365

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: Advapi32.dll$Wtsapi32.dll
API String ID: 2851125068-2390547818
Opcode ID: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
Instruction ID: 20da51148d2406ef940ba90f631bbe284ff6dbb95dc7cb8c25b5cdc78ae8e1aa
Opcode Fuzzy Hash: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
Instruction Fuzzy Hash: 2A4115B4D09B449FC761CF6A8940BDAFBE8EFA9604F00490EE5AE93210D7797500CF56

Function 11017300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(0000030C,000000FF), ref: 1101733C
CoInitialize.OLE32(00000000), ref: 11017345
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
CoUninitialize.COMBASE ref: 110173D0

Strings

PCSystemTypeEx, xrefs: 1101737C
Win32_ComputerSystem, xrefs: 1101735D

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
Instruction ID: df925c951649f52390f194a40c23bf9fa59b5f59fb7a44760539d7ccd5920114
Opcode Fuzzy Hash: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
Instruction Fuzzy Hash: 7F2137B5E041259BDB11DFA0CC46BBAB6E8AF40308F0040B9EC69DB184FA79E940D7A1

Function 11017220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(0000030C,000000FF), ref: 11017252
CoInitialize.OLE32(00000000), ref: 1101725B
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
CoUninitialize.COMBASE ref: 110172E0

Strings

Win32_SystemEnclosure, xrefs: 11017273
ChassisTypes, xrefs: 11017292

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
Instruction ID: c2f3c346b695d23426c96ecc328f7bdb1aeadc280033f44fb53199f8ba8604cb
Opcode Fuzzy Hash: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
Instruction Fuzzy Hash: 19210575E016299BD712DFE0CC45BEEB7E89F80718F0001A8FC29DB184EA7AE945C761

Function 111386B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 111386DA
GetTickCount.KERNEL32 ref: 111386E1

Strings

DoICFConfig() OK, xrefs: 11138786
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1113879C
Client, xrefs: 11138705
AutoICFConfig, xrefs: 11138700

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
Instruction ID: a0019f70d98f4d819e239f855ef0bc8db2e19db1671bc02c3e0d3b7677daedde
Opcode Fuzzy Hash: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
Instruction Fuzzy Hash: E4210578A247AB4AFB039B759ED4755FB83578073EF450278DE10862CCDB74A458CB42

Function 11096970 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11096984
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9

Strings

HNetCfg.FwMgr, xrefs: 11096999
ICF Present: , xrefs: 110969E0

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
Instruction ID: ffe5b7852bae71a5603cb4f529131e3535c43cf5cc9a129c5e7f13935f1cb029
Opcode Fuzzy Hash: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
Instruction Fuzzy Hash: 9C11AC74E0012DABC700EAE5DC95AEFBB68AF45709F100029F50AEB144EA21EA40C7E2

Function 11025D00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11025D16
K32GetProcessImageFileNameA.KERNEL32(?,?,?,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D32
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025D46
SetLastError.KERNEL32(00000078,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D69

Strings

GetProcessImageFileNameA, xrefs: 11025D10
GetModuleFileNameExA, xrefs: 11025D40

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
Instruction ID: 74662284ed99b9a54ad109221a671fe8fcdc3fa540ca7c31caa090441a4958f5
Opcode Fuzzy Hash: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
Instruction Fuzzy Hash: 98016D72601718ABE330DEA5EC48F87B7E8EB88765F10052AF95697200D631E8018BA4

Function 1110F2B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EDC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321

Strings

..\ctl32\Refcount.cpp, xrefs: 1110F2FB
hThread, xrefs: 1110F300

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
Instruction ID: 7cf91fcea6c2a3c5c2684f5d08a561b662f4dc7f01f0c277a0d6c7245401f800
Opcode Fuzzy Hash: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
Instruction Fuzzy Hash: E7015E7A7443166FE3209EA9CC86F57FBA8DB44764F104128FA25962C4DA60F805CB64

Function 11031960 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110319A7

Strings

_HF, xrefs: 11031988, 1103198D
878411, xrefs: 1103198E
_SW, xrefs: 1103197C
%s%s%s.bin, xrefs: 110319A1
_HW, xrefs: 11031970

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$878411$_HF$_HW$_SW
API String ID: 2111968516-3519358435
Opcode ID: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
Instruction ID: 34a826dfca0d5743c415d593f242b0f3cefc790b54bbadf5113738552eb06063
Opcode Fuzzy Hash: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
Instruction Fuzzy Hash: 93E092A1D1870C6FF70085589C15F9EFAE87B4978EFC48051BEEDA7292E935D60082D6

Function 11102AB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11102B03
GetStockObject.GDI32(00000004), ref: 11102B5B
RegisterClassA.USER32(?), ref: 11102B6F
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 11102BAC

Strings

NSMDesktopWnd, xrefs: 11102AE9, 11102B68, 11102BA6

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
Instruction ID: 4c07b853b75387a4d851a66abc04609236edd6d81c14be1d28904dd9f6a0e6ac
Opcode Fuzzy Hash: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
Instruction Fuzzy Hash: C231F4B0D15619AFDB44CFA9D980A9EFBF4FB08314F50962EE46AE3640E7346900CF94

Function 1113CC30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000,00000000,TermUI...), ref: 1113CC9A
KillTimer.USER32(00000000,00007F79,TermUI...), ref: 1113CCB3
FreeLibrary.KERNEL32(76A50000,?,TermUI...), ref: 1113CD2B
FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 1113CD43

Strings

TermUI, xrefs: 1113CC32

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FreeKillLibraryTimer
String ID: TermUI
API String ID: 2006562601-4085834059
Opcode ID: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
Instruction ID: 1c615ec055e307fcecd6c2f5a0081f3099d40e524c959ad3afbad8c7da76a6da
Opcode Fuzzy Hash: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
Instruction Fuzzy Hash: 813182B46121329FE605DF9ACDE496EFB6ABBC4B1C750402BF4689720CE770A845CF91

Function 11145330 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
RegCloseKey.ADVAPI32(?), ref: 11145404

Strings

SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11145380
ForceRTL, xrefs: 111453C3
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11145367, 1114539E

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
Instruction ID: 3a61aca8bf2f26e8be4db12f87e0943ca7983303b4b50086f785ef97d0623835
Opcode Fuzzy Hash: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
Instruction Fuzzy Hash: 56218875E0422A9BE760DB64CD80B9EF7B8EB44708F1042AAD85DF7540E771AD458BB0

Function 111114D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 11111430: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
Part of subcall function 11111430: __wsplitpath.LIBCMT ref: 11111475
Part of subcall function 11111430: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9

GetComputerNameA.KERNEL32(?,?), ref: 11111578

Strings

, xrefs: 11111571
ACM, xrefs: 11111532
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 11111587
\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 11111520

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
Instruction ID: bd5304e3d9974d7ab46afc427c644d654ac0d4b62daaa3d8a48381b774377c4d
Opcode Fuzzy Hash: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
Instruction Fuzzy Hash: 4B214676A142491BD701CF309D80BBFFFBA9F8B249F080578D852DB145E626D914C391

Function 11144200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
ResetEvent.KERNEL32(0000024C), ref: 11144269
SetEvent.KERNEL32(0000024C), ref: 1114427F
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114428E

Strings

MiniDump, xrefs: 11144207

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
Instruction ID: 829689d5ebdc208bf7b78735a50f5ce9a06f611da5f38dced1c13c8e9b13f18e
Opcode Fuzzy Hash: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
Instruction Fuzzy Hash: 4F113875E5422677E300DFF99C81F9AF768AB44B28F200230EA24D75C4EB71A504C7B1

Function 11146DA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11146DCF
wsprintfA.USER32 ref: 11146E06

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\ctl32\util.cpp, xrefs: 11146E1B
i < _tsizeof (buf), xrefs: 11146E20
#%d, xrefs: 11146E00

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
Instruction ID: b1a6c5171231f01418375ac6f2de6c12625a8d09d3611db16d7d0d369645f93a
Opcode Fuzzy Hash: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
Instruction Fuzzy Hash: FA11A5FAE00128ABC720DB65ED81FAAF77C9B4461DF000565EB19B6141EA35AA05C7A8

Function 1110F420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110F439

Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96

wsprintfA.USER32 ref: 1110F454

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

_memset.LIBCMT ref: 1110F477

Strings

..\ctl32\Refcount.cpp, xrefs: 1110F465
Can't alloc %u bytes, xrefs: 1110F44E

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
Instruction ID: e8e28b36a5a63397ef775e95fa380a20e388029766e4784519104262db02a7f0
Opcode Fuzzy Hash: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
Instruction Fuzzy Hash: 1CF0F6B5E0012863C720AFA5AC06FEFF37C9F91658F440169EE04A7241EA71BA11C7E9

Function 11145AE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75A78400), ref: 111450D0
Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA

LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
FreeLibrary.KERNEL32(00000000,?,11030690,00000002), ref: 11145B24

Strings

shcore.dll, xrefs: 11145AFA
SetProcessDpiAwareness, xrefs: 11145B0B

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
String ID: SetProcessDpiAwareness$shcore.dll
API String ID: 1108920153-1959555903
Opcode ID: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
Instruction ID: 699a5c6b52ff0bb6954823876d42b720b76b3255f49526743c1f98bd9e848574
Opcode Fuzzy Hash: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
Instruction Fuzzy Hash: 67F0A03A70022877E21416BAAC08F9ABB5A8BC8A75F140230F928D69C0EB51C90086B5

Function 11031870 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031926

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

878411, xrefs: 11031907
%s%s.bin, xrefs: 11031920
m_pDoInv == NULL, xrefs: 110318A3
clientinv.cpp, xrefs: 1103189E

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$878411$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-973242369
Opcode ID: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
Instruction ID: 64da4217f7417b153db366359b1c36bd372b32cb55e7c28d29c46c6ec3487e21
Opcode Fuzzy Hash: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
Instruction Fuzzy Hash: 5421A1B9E04709AFD710CF65DC81BAAB7F4FB88718F40453EE86597680EB35A9008B65

Function 11144670 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(11144D48,00000000,?,11144D48,00000000), ref: 1114468C
__strdup.LIBCMT ref: 111446A7

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

Part of subcall function 11144670: _free.LIBCMT ref: 111446CE

_free.LIBCMT ref: 111446DC

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

CreateDirectoryA.KERNEL32(11144D48,00000000,?,?,?,11144D48,00000000), ref: 111446E7

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
Instruction ID: 9245e394badc27c9d68c775c1ae1103ae8f1f8453310ecf51c29309078bed6c3
Opcode Fuzzy Hash: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
Instruction Fuzzy Hash: F4016D7A7441065BF301197D7C057ABBB8C8F82AADF144032F89DC3D80F752E41682A1

Function 1100ED70 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EDA2

Part of subcall function 11160824: _setlocale.LIBCMT ref: 11160836

_free.LIBCMT ref: 1100EDB4

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

_free.LIBCMT ref: 1100EDC7
_free.LIBCMT ref: 1100EDDA
_free.LIBCMT ref: 1100EDED

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
Instruction ID: 71b49ece8787e94f553dd036e4ff5c8d0ec16ff98238e97fea1187b5179b4c62
Opcode Fuzzy Hash: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
Instruction Fuzzy Hash: E61190B1D046109BD620DF599C40A5BF7FCEB44754F144A2AE456D3780E672F900CB91

Function 11145910 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11144BD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB

wsprintfA.USER32 ref: 1114593E
wsprintfA.USER32 ref: 11145954

Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75A78400,?), ref: 111432C7
Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
Part of subcall function 11143230: CloseHandle.KERNEL32(00000000), ref: 111432EF

Strings

%sNSM.LIC, xrefs: 11145938
NSM.LIC, xrefs: 11145923
%sNSA.LIC, xrefs: 1114594E

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
Instruction ID: 1f9a4f0ce9ce2038842d239495dc50e58c380b2d1dc072d0c6c391bd72002940
Opcode Fuzzy Hash: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
Instruction Fuzzy Hash: 9C01B1B990521D66CB109BB0AC41FEAF77C9B1470DF100199EC1996940EE21BA548BA4

Function 11143230 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75A78400,?), ref: 111432C7
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
CloseHandle.KERNEL32(00000000), ref: 111432EF

Strings

", xrefs: 1114327E

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
Instruction ID: 150de81b6b92e27c68bcdd2e608667d56283c35638c5ea37a79585d4ca6bceb2
Opcode Fuzzy Hash: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
Instruction Fuzzy Hash: 38217C30A1C269AFE3128E78DD54FD9BBA49F45B14F3041E0E4999B1C1DBB1A948C750

Function 1102D0D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,AD96CFBE,75922EE0,?,00000000,1118083B,000000FF,?,110300D6,UseIPC,00000001,00000000), ref: 1102D187

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D14A

Strings

Client, xrefs: 1102D103
DisableGeolocation, xrefs: 1102D0FE

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
Instruction ID: 1755caac6fc2658334c1ed2ebc8622a08952aff54e10c128aab6c20125b970ec
Opcode Fuzzy Hash: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
Instruction Fuzzy Hash: 8521E474A40315BBE712CFA8CD42B6EF7A4E708B18F500269F921AB3C0D7B5B8008785

Function 110271B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110271DA

Part of subcall function 110CD550: EnterCriticalSection.KERNEL32(00000000,00000000,75A73760,00000000,75A8A1D0,1105DCBB,?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD56B
Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD598
Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD5AA
Part of subcall function 110CD550: LeaveCriticalSection.KERNEL32(?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD5B4

TranslateMessage.USER32(?), ref: 110271F0
DispatchMessageA.USER32(?), ref: 110271F6

Strings

Exit Msgloop, quit=%d, xrefs: 1102722D

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
Instruction ID: 083e85bce0718499e1b375aadfda5de5654481b636091be3423b85693ac47093
Opcode Fuzzy Hash: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
Instruction Fuzzy Hash: 3D01D876E0521D66EB15DAE99C82F6FF3BD6B64718FD00065EE1092185F760F404CBA1

Function 110173F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110173FD

Part of subcall function 11017300: WaitForSingleObject.KERNEL32(0000030C,000000FF), ref: 1101733C
Part of subcall function 11017300: CoInitialize.OLE32(00000000), ref: 11017345
Part of subcall function 11017300: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
Part of subcall function 11017300: CoUninitialize.COMBASE ref: 110173D0

Part of subcall function 11017220: WaitForSingleObject.KERNEL32(0000030C,000000FF), ref: 11017252
Part of subcall function 11017220: CoInitialize.OLE32(00000000), ref: 1101725B
Part of subcall function 11017220: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
Part of subcall function 11017220: CoUninitialize.COMBASE ref: 110172E0

SetEvent.KERNEL32(0000030C), ref: 1101741D
GetTickCount.KERNEL32 ref: 11017423

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101742D

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
Instruction ID: c54e938b4ab1921e6220328725fe5e45cb955b1045b44cf9de438437e8313787
Opcode Fuzzy Hash: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
Instruction Fuzzy Hash: 47F0A0B6E1011C6BE700DBF9AC8AE6BBB9CDB4471CB100026F910C7245E9A6BC1087A1

Function 111377F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

CreateThread.KERNEL32(00000000,00001000,Function_00137630,00000000,00000000,11138782), ref: 1113782E
CloseHandle.KERNEL32(00000000,?,11138782,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11137835

Strings

*AutoICFConfig, xrefs: 11137807
Client, xrefs: 1113780C

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
Instruction ID: 9aee7181833ba8711af7cecc10eced9f2f0784297ad8accf53734ae3fbf9e9e1
Opcode Fuzzy Hash: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
Instruction Fuzzy Hash: 98E0D8757A062D7AF6149AE98C86F65F6199744B26F500154FA20A50C4D6A0A440CB64

Function 11070C60 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 11070CB7
EnterCriticalSection.KERNEL32(?), ref: 11070CC4
LeaveCriticalSection.KERNEL32(?), ref: 11070D96

Strings

Push, xrefs: 11070C86

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
Instruction ID: e8f6e055aac827a13dfabc2dec6ad808bd843e21556e42594c7620890779e76f
Opcode Fuzzy Hash: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
Instruction Fuzzy Hash: 1B51CC78E04784DFE721DF64C880B8AFBE0EF09318F1546A9D8998B285D770BC84CB91

Function 00261020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00261027
GetStartupInfoA.KERNEL32(?), ref: 0026107B
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 00261096
ExitProcess.KERNEL32 ref: 002610A3

Memory Dump Source

Source File: 00000002.00000002.3888305638.0000000000261000.00000020.00000001.01000000.00000009.sdmp, Offset: 00260000, based on PE: true

Associated: 00000002.00000002.3888290603.0000000000260000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3888318749.0000000000262000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_260000_bild.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 213af5006eed2941cea62b3352f514b38caca6e7b94cef4765d521d244881c5a
Instruction ID: 47e13cd6f740bc82e5fe16cc6be724b1b201411e58204b0b77fd98181f06d957
Opcode Fuzzy Hash: 213af5006eed2941cea62b3352f514b38caca6e7b94cef4765d521d244881c5a
Instruction Fuzzy Hash: D011D6204187C69AEF315F6089497FABFA59F22381F2C0044ECD697146D29668FBC7A5

Function 110306E7 Relevance: 6.0, APIs: 4, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
CloseHandle.KERNEL32(?), ref: 11030709
FreeLibrary.KERNEL32(?), ref: 11030714
CloseHandle.KERNEL32(00000000), ref: 1103071B

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandle$FreeLibraryObjectSingleWait
String ID:
API String ID: 1314093303-0
Opcode ID: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
Instruction ID: 8e76f7fb4e107f93cb89770177b2081f40004907d07b5dfd0c3c9c847909df3d
Opcode Fuzzy Hash: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
Instruction Fuzzy Hash: A7F08135E1425ADFE714DF60D889BADF774FB88319F0002A9D82A52180DF355940CB50

Function 11143C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49

Strings

C:\Users\Public\Netstat\bild.exe, xrefs: 11143C34, 11143C42

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\Public\Netstat\bild.exe
API String ID: 2251294070-3316297413
Opcode ID: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
Instruction ID: b9aa28b4973dc8f7500fb142756b1fa860f28402029a3e5f5efe4e67c4e883a6
Opcode Fuzzy Hash: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
Instruction Fuzzy Hash: F811E7747282235BE7149F76C994719F7A5AB40B5DF20403EE819C76C4DB71F845C744

Function 1110F4A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110F4A9

Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96

_memset.LIBCMT ref: 1110F4D2

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\ctl32\Refcount.cpp, xrefs: 1110F4BC

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
Instruction ID: 747f5be640ff5df7f7be77ac0748be8e5b1ae2afb2ba592a3adef8646797d69b
Opcode Fuzzy Hash: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
Instruction Fuzzy Hash: B5E0C23AE4013933C112258A2C03FDBF69C8BD19FCF060021FE0CAA201E586B55181E6

Function 11014FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102EFB6,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 11014FE7
CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11014FF8

Strings

\\.\NSWFPDrv, xrefs: 11014FE2

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
Instruction ID: 0b573536b28af4079515d3142ca801f5deca53cbeb6a996f0a1660ae0aa1d84a
Opcode Fuzzy Hash: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
Instruction Fuzzy Hash: A9D0C971A051387AF23416B66C4CFC7AD09DF06BB5F210264B53DE11D886104C41C2F1

Function 1115BDE0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1115BE03

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
Instruction ID: 0024421513bb2e1abb717dbf2ce3cdefbb73aa1ee3cdb3a5feae03928f974db8
Opcode Fuzzy Hash: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
Instruction Fuzzy Hash: 8C519E7560020AAFDB50CF68CC81FAAB7A6FF8A704F148459F929DB280D771E901CF95

Function 6D0309A9 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D031E32,00000001,?,00000000,00000000,00000000,?,6D0575BC,00000001,00000214), ref: 6D0309E8
_errno.MSVCR100(?,6D031E32,00000001,?,00000000,00000000,00000000,?,6D0575BC,00000001,00000214), ref: 6D05F3D7

Memory Dump Source

Source File: 00000002.00000002.3890464582.000000006D021000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000002.00000002.3890446633.000000006D020000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890532245.000000006D0D4000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890550927.000000006D0D6000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890580013.000000006D0D9000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d020000_bild.jbxd

Similarity

API ID: AllocateHeap_errno
String ID:
API String ID: 242259997-0
Opcode ID: 67fb72a28df43ed315900cbb115b4621e6a4ea095cb8aecca2215fe23e9e1abb
Instruction ID: 8af9592790cf8e6aac158a95602f6d4a7257305f0db91d4f594019520827250e
Opcode Fuzzy Hash: 67fb72a28df43ed315900cbb115b4621e6a4ea095cb8aecca2215fe23e9e1abb
Instruction Fuzzy Hash: 4F01B53125A2279BFB059F2AD844B7B3BDCAF42751F02862AAD25CB1D0DBB4D450C750

Function 11111430 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
__wsplitpath.LIBCMT ref: 11111475

Part of subcall function 11169044: __splitpath_helper.LIBCMT ref: 11169086

GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
Instruction ID: 71a9510f599fa1c136cb45ff21797ad5c5790827a759e4d2b52c0b71367846c8
Opcode Fuzzy Hash: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
Instruction Fuzzy Hash: 34116175A4021DABEB14DF94CD42FE9F378AB48B04F404199E7246B1C0E7B12A48CB65

Function 1109E9E0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08

Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
Part of subcall function 1109E910: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00ECE240,00ECE240,00ECE240,00ECE240,00ECE240,00ECE240,00ECE240,@,?,00000001,00000001), ref: 1109E990
Part of subcall function 1109E910: EqualSid.ADVAPI32(?,00ECE240,?,00000001,00000001), ref: 1109E9A3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
Instruction ID: 36b54363b319bb335bc5da0d0e9bdd0405b18079b131e91390d3ecc07929186c
Opcode Fuzzy Hash: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
Instruction Fuzzy Hash: DCF05E78A15328EFD709CFF5D88482EB7A9AF08208700447DF629D3205E631EE009F50

Function 1110F720 Relevance: 3.8, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111F0908,AD96CFBE,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F754
EnterCriticalSection.KERNEL32(111F0908,AD96CFBE,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F770
LeaveCriticalSection.KERNEL32(111F0908,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F7B8

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
Instruction ID: 724175da6b3b5eb63f60f43096b8b9410b0df93e13cce3f4766159a849acac97
Opcode Fuzzy Hash: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
Instruction Fuzzy Hash: 3D11C675A0061AAFE700CF65CD85B5BF7A9FB88714F010129E829E3340F7359808CB92

Function 11068950 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068A12

Strings

??CTL32.DLL, xrefs: 110689D3

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
Instruction ID: 38d720fc7c26638894156a2f8924bac31edb6b50614c34829f37a9a02c5b1e22
Opcode Fuzzy Hash: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
Instruction Fuzzy Hash: 5831F5B2A04781DFE711CF59DC40B5AF7E8FB45724F0482AAE92897380E735A900CB92

Function 11026B40 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 11026B6D

Strings

?:\, xrefs: 11026B62

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
Instruction ID: c0198090b602517e4922a9d0df48f1c050a77905515f879100581957a4b6d58d
Opcode Fuzzy Hash: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
Instruction Fuzzy Hash: 64F09065C083DA2AEB23DE608844596BFE84B463A8F5488D9DCE887541D165E1C58791

Function 110ED1A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED160: RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED1BC

Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B

Strings

Error %d Opening regkey %s, xrefs: 110ED1CA

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
Instruction ID: 33cf1931661e2960d377c619dd89904b97ea319b13ae6f8f8dcb9591a9c6775e
Opcode Fuzzy Hash: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
Instruction Fuzzy Hash: 60E0927A6012187FD210961B9C89F9BBB2DDB856A4F000069FD1487201C972EC1082B0

Function 110ED160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D

Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B

Strings

Error %d closing regkey %x, xrefs: 110ED17D

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
Instruction ID: 72b2cf3cdd4b8fd577e25b07e2838f9a8e734d144b1f96517ba84771a8eadcbb
Opcode Fuzzy Hash: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
Instruction Fuzzy Hash: 4EE08679A022126BD3289A1EAC18F5BB6E8DFC4300F1604ADF850C3240DA70D8018664

Function 111463D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102DE54,11026580,02B6B888,?,?,?,00000100,?,?,00000009), ref: 111463E9

Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA

Strings

NSMTRACE, xrefs: 111463E4

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
Instruction ID: cf49eb18fee32400038a48a9d82a087192b912de878353ac6c822cd252c7dc11
Opcode Fuzzy Hash: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
Instruction Fuzzy Hash: 50D05EB520033BCFDB489F7995B4269F7EAAB4CA1D3540075E469C2A07EBB0D848C714

Function 11025CD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,110302C4), ref: 11025CD8

Strings

psapi.dll, xrefs: 11025CD1

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
Instruction ID: d2f0b82a95d6fc878682dccaf19b7a180456f678ee46f3fe844c8dbdc6f5fb44
Opcode Fuzzy Hash: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
Instruction Fuzzy Hash: C9E001B1A11B248FC3B4CF3AA844642FAF0BB18A103118A3ED4AEC3A00E330A5448F80

Function 11014F80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102EF80,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 11014F8E

Strings

nslsp.dll, xrefs: 11014F83

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
Instruction ID: 60eb6736f29bf142f24d4cfcc231741db50fe0cc1946b431100be770a733e412
Opcode Fuzzy Hash: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
Instruction Fuzzy Hash: E7C092B17152388FE3685F7CAC085D2FAE4EB48A91351986EE4B5D3308E6B09C40CFE4

Function 11074DC0 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11074E1F
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11194245,?), ref: 11074E89

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
Instruction ID: 144a06a128bfe4de4bcaa8ee3b5ec3a734aa963de7831f9780c3e5d6e94517af
Opcode Fuzzy Hash: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
Instruction Fuzzy Hash: 6E218376D04228A7D710DA99EC41FEFFBACEB44325F4045AAE909D7200D7315A55CBE1

Function 1105FCF0 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

std::exception::exception.LIBCMT ref: 1105FD93
__CxxThrowException@8.LIBCMT ref: 1105FDA8

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
Instruction ID: 65be3d9b06008521879bde957bfb15225efad016ffb254945ac63f30ffb56918
Opcode Fuzzy Hash: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
Instruction Fuzzy Hash: F5117FBA900619ABC710CF99C940ADAF7F8FB48614F10862EE91997740E774B900CBE1

Function 1105EC90 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1105ECD6
_memmove.LIBCMT ref: 1105ECE1

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: 457b307eca14e29342672ca62ef5147d46d8b4d4f126d6aa85e0778cfe473ab4
Instruction ID: db33143030e4a9298ca15ccbefe9b49d771c33472961b073c023ff9ae0ea679a
Opcode Fuzzy Hash: 457b307eca14e29342672ca62ef5147d46d8b4d4f126d6aa85e0778cfe473ab4
Instruction Fuzzy Hash: 98F0F47AE002666F9741CF2C9844896FBDCDF8A158314C4A2E999CB301D671EC0687E0

Function 110883D0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110883EF
InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070993,00000000,00000000,1118201E,000000FF), ref: 11088460

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
Instruction ID: 54b2584c526ac61f8aa3306390e259e673957fd90be6398fea32980b523eb801
Opcode Fuzzy Hash: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
Instruction Fuzzy Hash: EE1157B0911B148FC3A4CF7A88817C7FBE5BB58310F80892E96EEC2200DB716664CF94

Function 11144440 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144461
ExtractIconExA.SHELL32(?,00000000,0002049B,00020493,00000001), ref: 11144498

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
Instruction ID: eab236796224ce85d4984e15688285b8376dcc0e4438f4162dfbb4c1a1faa056
Opcode Fuzzy Hash: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
Instruction Fuzzy Hash: 3EF0F0787581189FE708DFA0C892FF9B369F794709F444269E912C6184CE706A4C8B51

Function 11163DB7 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF

__lock_file.LIBCMT ref: 11163DFE

Part of subcall function 1116AF99: __lock.LIBCMT ref: 1116AFBE

__fclose_nolock.LIBCMT ref: 11163E09

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
Instruction ID: 92e00479c768bfe57184568fb50af5c8f285ad3b4a4164507b2fffc520e9ca87
Opcode Fuzzy Hash: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
Instruction Fuzzy Hash: 5CF0F6348143079ED7119B79D80078EFBA86F0033CF518248C0289A0C0CBFA6521CE56

Function 11144EA0 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11144DC0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,NSM.LIC), ref: 11144DE7

Part of subcall function 11163FED: __fsopen.LIBCMT ref: 11163FFA

GetLastError.KERNEL32(?,02B6B888,000000FF,?), ref: 11144ED5
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,02B6B888,000000FF,?), ref: 11144EE5

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
Instruction ID: cc8fd34c32098476147d622d57126809c91a32baa97f0e350d3592d26a0b2836
Opcode Fuzzy Hash: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
Instruction Fuzzy Hash: 8D110875D4411AEBD7119F94C9C4A6EF3BCEF85A29F200164FC0497A00E775AD11C7A3

Function 110106C0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010774

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
Instruction ID: 0f97abe7109b731a14a0a5233c6982db04001c22e931a1e4a38e375530e3522e
Opcode Fuzzy Hash: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
Instruction Fuzzy Hash: D9515D74E00645DFDB04CF98C980AADBBF5BF88318F24829DD5869B385C776E942CB90

Function 11143000 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75A78400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
Instruction ID: 1cdda14904265755d753c391d3c49599355d775305d59026304f2c7825c43cec
Opcode Fuzzy Hash: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
Instruction Fuzzy Hash: 5D1193716282655AEB218E14D690BAFFBAAEFC5B24F30836AE51547E04C3329886C750

Function 110FACC0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FACED

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
Instruction ID: 5942e99df11cc5ddd12142181c934b3f7ef04b83757ceed83c361bf33f076152
Opcode Fuzzy Hash: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
Instruction Fuzzy Hash: 8911AC71E1011DDBDB11DFA8DC557EE73F8DB58305F0041D9E9099B240DA71AE488B90

Function 11170166 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,110310DF,00000000,?,11169DD4,?,110310DF,00000000,00000000,00000000,?,1116B767,00000001,00000214,?,1110F4AE), ref: 111701A9

Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
Instruction ID: 37eba9f6ddbe8283f17829f7b0a109b8136aa2f13792341ea1fc2e0acbbf6d66
Opcode Fuzzy Hash: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
Instruction Fuzzy Hash: 590124392013669BEB099F25EC60B5BB799AB83365F014529EC15CA3C0DB70D900C340

Function 111672E3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 111672EE

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: b67d37eb909022d12c4b3a5208e3be1f16578853890f7fcac85d973ba88585e6
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: C5C09B3705811D7F5F055DE5EC00C557F5DD6806747148156F91C89590DD73E561D540

Function 11163FED Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11163FFA

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 3fb95567750ac4c2837cb65daf82bfaf3169cdeaa60eaf7921ceae4fe4d00650
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 76C0927645424C77DF112A82EC02E4A7F2E9BC0668F448060FB1C19160AAB3EA71DACA

Function 00261000 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,?,002610A2,00000000), ref: 0026100B

Memory Dump Source

Source File: 00000002.00000002.3888305638.0000000000261000.00000020.00000001.01000000.00000009.sdmp, Offset: 00260000, based on PE: true

Associated: 00000002.00000002.3888290603.0000000000260000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3888318749.0000000000262000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_260000_bild.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction ID: 1c427522f25c885655c014e9921e41579c9602ecca8cab84f8c454eca6c03ecb
Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction Fuzzy Hash: 28B092B212434D9B8B14EE98E841C7B339CAB98600B040809BD0543282CA61FCB09A71

Function 6D031E1C Relevance: 1.3, APIs: 1, Instructions: 32sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D0309A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D031E32,00000001,?,00000000,00000000,00000000,?,6D0575BC,00000001,00000214), ref: 6D0309E8

Sleep.KERNEL32(00000000), ref: 6D05F1D1

Memory Dump Source

Source File: 00000002.00000002.3890464582.000000006D021000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000002.00000002.3890446633.000000006D020000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890532245.000000006D0D4000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890550927.000000006D0D6000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3890580013.000000006D0D9000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d020000_bild.jbxd

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: 9327228329cdd046378321e5164dfaea14eb01df6a4b39b9f1dcd669e2830b39
Instruction ID: 70a72b022c88d7e00a11405c27ee2ecc425ddf3193f15657cb2830076e67d6d2
Opcode Fuzzy Hash: 9327228329cdd046378321e5164dfaea14eb01df6a4b39b9f1dcd669e2830b39
Instruction Fuzzy Hash: 7FF0A7355401265BDB114666D804B9A3AEAABC6370B220722E938C3184DB328501C393

Non-executed Functions

Function 110EB120 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 141windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

wsprintfA.USER32 ref: 110EB1B8
GetTickCount.KERNEL32 ref: 110EB212
SendMessageA.USER32(?,0000004A,?,?), ref: 110EB226
GetTickCount.KERNEL32 ref: 110EB22E
SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB276
OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000001), ref: 110EB2A8
SetEvent.KERNEL32(00000000,?,00000001), ref: 110EB2B5
CloseHandle.KERNEL32(00000000,?,00000001), ref: 110EB2BC

Strings

Error. Runplugin is unresponsive, xrefs: 110EB2C2
Warning: SendMessage to Runplugin took %d ms (possibly unresponsive), xrefs: 110EB23A
INIT, xrefs: 110EB15C
runplugin %s (hWnd=%x,u=%d,64=%d) , xrefs: 110EB1B2
%s, xrefs: 110EB1E3
DATA, xrefs: 110EB166
_debug, xrefs: 110EB14D
TracePlugins, xrefs: 110EB140
runplugin.dmp.1, xrefs: 110EB29F

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
API String ID: 3451743168-2289091950
Opcode ID: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
Instruction ID: f1114c107ee76d929ad16cd328bd8b6b93bc0bc6479e919ac6bcab8c7865c9c3
Opcode Fuzzy Hash: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
Instruction Fuzzy Hash: D441A675A012199FD724DFA5DC44FAEF7B8EF48319F0085AEE91AA7240D631A940CFB1

Function 1102310A Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 363windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1115ADD0: IsIconic.USER32(?), ref: 1115AE77
Part of subcall function 1115ADD0: ShowWindow.USER32(?,00000009), ref: 1115AE87
Part of subcall function 1115ADD0: BringWindowToTop.USER32(?), ref: 1115AE91

CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102324D
ShowWindow.USER32(?,00000003), ref: 110232D1
LoadMenuA.USER32(00000000,000013A3), ref: 110233FB
GetSubMenu.USER32(00000000,00000000), ref: 11023409
CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023429
GetDlgItem.USER32(?,000013B2), ref: 1102343C
GetWindowRect.USER32(00000000), ref: 11023443
PostMessageA.USER32(?,00000111,?,00000000), ref: 11023499
DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 110234A3

Strings

Chat, xrefs: 110233B0
AddToJournal, xrefs: 110233AB

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
String ID: AddToJournal$Chat
API String ID: 693070851-2976406578
Opcode ID: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
Instruction ID: 337dba7d0f02a97e7c7211def3ec221287211942730252afe18814347e7ecccc
Opcode Fuzzy Hash: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
Instruction Fuzzy Hash: 87A1F178B04616ABDB09DF74CC85FAEB3E5AB88704F504519EA26DF2C0CF74B9408B65

Function 1115F100 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 1115F12E

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

SystemParametersInfoA.USER32(00002000,00000000,00000000,00000000), ref: 1115F14F
SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F15C
SetForegroundWindow.USER32(?), ref: 1115F162
SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F177

Strings

..\ctl32\wndclass.cpp, xrefs: 1115F112
m_hWnd, xrefs: 1115F117

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InfoParametersSystem$ForegroundWindow$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$m_hWnd
API String ID: 3960414890-2201682149
Opcode ID: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
Instruction ID: 490c9e9faa58dc1df28f1acf4c3aa341e93c1bd023cf24429d0d7fa3412acb83
Opcode Fuzzy Hash: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
Instruction Fuzzy Hash: 8F01F276790318BBE30096A9CC86F55F398EB54B14F104126F718AA1C0DAF1B851C7E1

Function 11025122 Relevance: 12.1, APIs: 8, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,00000050), ref: 11025176
_strncat.LIBCMT ref: 1102518B
SetWindowTextA.USER32(?,?), ref: 11025198

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025224
GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025238
SetDlgItemTextA.USER32(?,00001397,?), ref: 11025250
SetDlgItemTextA.USER32(?,00001395,?), ref: 11025262
SetFocus.USER32(?), ref: 11025265

Part of subcall function 11024C70: GetDlgItem.USER32(?,?), ref: 11024CC0

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
String ID:
API String ID: 3832070631-0
Opcode ID: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
Instruction ID: 7712de199883e751ea03bfa735f50b434bc7bb1cc5edca5bff12a9cf5cd7df4a
Opcode Fuzzy Hash: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
Instruction Fuzzy Hash: 0E4192B5A10359ABE710DB74CC45BBAF7F8FB44714F01452AE61AD76C0EAB4A904CB50

Function 11147110 Relevance: 9.0, APIs: 6, Instructions: 48threadsynchronizationCOMMON

Download Yara Rule

APIs

OpenThread.KERNEL32(0000004A,00000000,11147278,?,?,?,?,?,11147278), ref: 1114713A
CreateThread.KERNEL32(00000000,00001000,111470B0,?,00000000,?), ref: 1114715E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,11147278), ref: 11147169
GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,11147278), ref: 11147174
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,11147278), ref: 11147181
CloseHandle.KERNEL32(?,?,?,?,?,?,?,11147278), ref: 11147187

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
String ID:
API String ID: 180989782-0
Opcode ID: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
Instruction ID: 262247fb5796f255492f056fed215dfab2d13c04184fcb9cbdc2136a2e7489e8
Opcode Fuzzy Hash: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
Instruction Fuzzy Hash: 6901FA75D14219ABDB04DFA8C845BAEBBB8EF08710F108166F924E7284D774AA018B91

Function 11143110 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1114314B
_strrchr.LIBCMT ref: 1114315A
_strrchr.LIBCMT ref: 1114316A
wsprintfA.USER32 ref: 11143185

Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA

Strings

BILD, xrefs: 11143180, 1114318E, 11143195, 111431C2

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Module_strrchr$FileHandleNamewsprintf
String ID: BILD
API String ID: 2529650285-1114602597
Opcode ID: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
Instruction ID: d978b5afe12e8555e920acd6faf46f6bc40337599c773746d871781ff4fb06a8
Opcode Fuzzy Hash: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
Instruction Fuzzy Hash: DD21DD31A182698FE712EF348D407DAFBB4DF15B0CF2000D8D8850B182D7716885C7A0

Function 11001110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100113B

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

m_hWnd, xrefs: 11001126
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121

Memory Dump Source

Source File: 00000002.00000002.3889946977.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000002.00000002.3889926008.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890074972.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890116495.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890140346.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3890159496.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
Instruction ID: 825df7ee52a795a689a6901b0494195ba864db9fe7d9b2cdbf909eadc0dc9b6b
Opcode Fuzzy Hash: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
Instruction Fuzzy Hash: 4ED02BB561031CABC314DA92DC41FD2F38CAB20364F004435F52542500D571F54083A4

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Netstat\HTCTL32.DLL

C:\Users\Public\Netstat\NSM.LIC

C:\Users\Public\Netstat\PCICHEK.DLL

C:\Users\Public\Netstat\PCICL32.DLL

C:\Users\Public\Netstat\TCCTL32.DLL

C:\Users\Public\Netstat\bild.exe

C:\Users\Public\Netstat\client32.ini

C:\Users\Public\Netstat\msvcr100.dll

C:\Users\Public\Netstat\nskbfltr.inf

C:\Users\Public\Netstat\pcicapi.dll

C:\Users\Public\Netstat\remcmdstub.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\loca[1].htm

Static File Info

Windows Analysis Report
file.exe

Function 00007FF75AAD0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Function 00007FF75AABA4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Function 00007FF75AAC8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Function 00007FF75AAB40BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Function 00007FF75AABDFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Function 00007FF75AAD1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Function 00007FF75AACF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Function 00007FF75AACF0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Function 00007FF75AAB24C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Function 00007FF75AACB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Function 00007FF75AACAE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre