Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1558739
MD5:	3f97ee2b5aefb68fc0d7c6383b41385d
SHA1:	1169a86fb0b2ccb367f9cc886b209e77c6418983
SHA256:	3fb4d76805f5d0d3f23f37fea0f19da7a8e11c6e2a6104035511aded0696fc82
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Creates files with lurking names (e.g. Crack.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3F97EE2B5AEFB68FC0D7C6383B41385D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 87.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\crack.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: crack.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB040BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF76DB040BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB1B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF76DB1B190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB2FCA0 FindFirstFileExA,	0_2_00007FF76DB2FCA0

Source: IObit.Malware.Fighter.Pro-12.0.0.1433.exe.0.dr

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

System Summary

Creates files with lurking names (e.g. Crack.exe)

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\crack.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DAFC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF76DAFC2F0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB1CE88	0_2_00007FF76DB1CE88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAF5E24	0_2_00007FF76DAF5E24
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB11F20	0_2_00007FF76DB11F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAFF930	0_2_00007FF76DAFF930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB04928	0_2_00007FF76DB04928
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB20754	0_2_00007FF76DB20754
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB1B190	0_2_00007FF76DB1B190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB0A4AC	0_2_00007FF76DB0A4AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB13484	0_2_00007FF76DB13484
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB18DF4	0_2_00007FF76DB18DF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB20754	0_2_00007FF76DB20754
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB12D58	0_2_00007FF76DB12D58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB32080	0_2_00007FF76DB32080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB0AF18	0_2_00007FF76DB0AF18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB35AF8	0_2_00007FF76DB35AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAF1AA4	0_2_00007FF76DAF1AA4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB12AB0	0_2_00007FF76DB12AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB01A48	0_2_00007FF76DB01A48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB2FA94	0_2_00007FF76DB2FA94
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB289A0	0_2_00007FF76DB289A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB13964	0_2_00007FF76DB13964
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB0C96C	0_2_00007FF76DB0C96C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB28C1C	0_2_00007FF76DB28C1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB14B98	0_2_00007FF76DB14B98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB0BB90	0_2_00007FF76DB0BB90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB05B60	0_2_00007FF76DB05B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAF76C0	0_2_00007FF76DAF76C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB0B534	0_2_00007FF76DB0B534
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB32550	0_2_00007FF76DB32550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAF4840	0_2_00007FF76DAF4840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB2C838	0_2_00007FF76DB2C838
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAFA310	0_2_00007FF76DAFA310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAFC2F0	0_2_00007FF76DAFC2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DAF7288	0_2_00007FF76DAF7288
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB0126C	0_2_00007FF76DB0126C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB121D0	0_2_00007FF76DB121D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB0F180	0_2_00007FF76DB0F180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB153F0	0_2_00007FF76DB153F0

Source: IObit.Malware.Fighter.Pro-12.0.0.1433.exe.0.dr

Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: classification engine

Classification label: mal56.evad.winEXE@1/3@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DAFB6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF76DAFB6D8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB18624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF76DB18624

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5823640

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 80591650 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: crack.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5823640

Jump to behavior

Source: file.exe	Static PE information: section name: .didat
Source: file.exe	Static PE information: section name: _RDATA
Source: crack.exe.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB35166 push rsi; retf		0_2_00007FF76DB35167
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB35156 push rsi; retf		0_2_00007FF76DB35157

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\crack.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IObit.Malware.Fighter.Pro-12.0.0.1433.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\crack.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IObit.Malware.Fighter.Pro-12.0.0.1433.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB040BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF76DB040BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB1B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF76DB1B190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB2FCA0 FindFirstFileExA,	0_2_00007FF76DB2FCA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB216A4 VirtualQuery,GetSystemInfo,

0_2_00007FF76DB216A4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB276D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF76DB276D8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB30D20 GetProcessHeap,

0_2_00007FF76DB30D20

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB276D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF76DB276D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB23170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF76DB23170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB22510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF76DB22510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF76DB23354 SetUnhandledExceptionFilter,	0_2_00007FF76DB23354

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB1B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF76DB1B190

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB0DC70 cpuid

0_2_00007FF76DB0DC70

Source: C:\Users\user\Desktop\file.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF76DB1A2CC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB20754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF76DB20754

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF76DB04EB0 GetVersionExW,

0_2_00007FF76DB04EB0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\crack.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IObit.Malware.Fighter.Pro-12.0.0.1433.exe	3%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	IObit.Malware.Fighter.Pro-12.0.0.1433.exe.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558739
Start date and time:	2024-11-19 18:57:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@1/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.450195892351691
Encrypted:	false
SSDEEP:	3:SAN9XLrBdO:SKPB0
MD5:	E329DD38FDB925C2D653E4A3415E465B
SHA1:	D2A746E823FCD9EAE438DE8D8C10A688315F23D8
SHA-256:	37847DCF7A973752F350E3250237A8967C341ADA351005EFF9A0EE45990B5578
SHA-512:	FAAB380172D8C0B670D6150B6BC4A80DB3FE80000344716E6DA01A7A47A695C9218B5891D13B07EDB4EABC5CF4538BC325ADAF11CBAB4EE02C920FCFFA6E3C7F
Malicious:	false
Reputation:	low
Preview:	IObit.Malware.Fighter.Pro-12.0.0.1433.exe /S

C:\Users\user\AppData\Local\Temp\IObit.Malware.Fighter.Pro-12.0.0.1433.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	77088228
Entropy (8bit):	7.9989824995755425
Encrypted:	true
SSDEEP:	1572864:iO9tDrNScQik6TAH9MF9gDa9WsBNOoeP6HKWonWYCkEBvbdr2zE9SPSt5NG9lEF:hUQAd6gDad+SHSj8BMSt7GDEF
MD5:	5523E18197DA0439445F3B02163F77D0
SHA1:	F28C166B81731DE72B499E3A5EAE2BA4557F80B7
SHA-256:	9F0EE3D02648F63ACB2686E374D832CB0B657E17A7424FFB42D74EF3B15019C2
SHA-512:	A60CEE37A397C6B5FBB7685B4410E7CB2BA55229B04F9047C6DF89711218E549EC97E10E4D048A58C1D135770DDF5E5685B52552E219227F23830FA18F960B7F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.Q.............lW.........j....lG......lP......lU.....Rich....................PE..L....#.].................n...,......]9............@.......................................@.............................................`............................................................................................................text....m.......n.................. ..`.rdata...............r..............@..@.data...<...........................@....ndata...P...............................rsrc...`...........................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\crack.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3541575
Entropy (8bit):	7.970506285180278
Encrypted:	false
SSDEEP:	98304:yiqOnX5D2wa4mzAPzlJZ+roUn2G5csZXa8k1Jx1Qi:oIp1sw/+dZ05Qi
MD5:	E209F482DBF07FC1C7D9A9458C8D6F5A
SHA1:	C3F91C3C04D2B45B1937708602DC7DCCF65BBC19
SHA-256:	F51A97ACAFE22E2AF11AEFE3B4098BE19092644D4111ACAE4CA1686CC95ADD61
SHA-512:	C26981BA7B53953A560E98DAA07F9815B0617F5EDE75FB73F39F261A24931FD8F70AF04C0C1B7FC37A006A31296D8F0ED57856DC4ECFDEEBC3BC4A6862036700
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.999818697187227
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	80'591'650 bytes
MD5:	3f97ee2b5aefb68fc0d7c6383b41385d
SHA1:	1169a86fb0b2ccb367f9cc886b209e77c6418983
SHA256:	3fb4d76805f5d0d3f23f37fea0f19da7a8e11c6e2a6104035511aded0696fc82
SHA512:	0e6827c292643aaf6dd3a4d96e6811e61d8a1c804054f5cb67eaec28cb228565cf1bc46aa683b37c34aea4fa9f63096ce9c4ed51b85c2104824955779abbdd6e
SSDEEP:	1572864:gbQ9z3vD69+yI1/RvrpuV+YS2C4EL9XdMDTw24g21EVGOI0RlR/xojgrYnitOpUd:Zd3rRvrsVRS73bYT9x2WgMReA5r
TLSH:	3D0833D7F6761CF4F82BFEBE2509AC8A96B538412365519E678332A60F277200E35F41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F32C50BDC28h
dec eax
add esp, 28h
jmp 00007F32C50BD5BFh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F32C50BCA43h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F32C50BD753h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F32C50BF767h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F32C50ABFD3h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F32C50BE822h
int3
jmp 00007F32C50C4A04h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0xe3bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7f000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0xe3bc	0xe400	1b279dad3e3d77fcdfb269a130bf474b	False	0.6334121436403509	data	6.778407783727912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7f000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
PNG	0x70674	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	1.0027729636048528
PNG	0x711bc	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	0.9363390441839495
RT_ICON	0x72768	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	0.47832369942196534
RT_ICON	0x72cd0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	0.5410649819494585
RT_ICON	0x73578	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	0.4933368869936034
RT_ICON	0x74420	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.5390070921985816
RT_ICON	0x74888	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.41393058161350843
RT_ICON	0x75930	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.3479253112033195
RT_ICON	0x77ed8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9809269502193401
RT_DIALOG	0x7bc4c	0x2ba	data	0.5286532951289399
RT_DIALOG	0x7bf08	0x13a	data	0.6560509554140127
RT_DIALOG	0x7c044	0xf2	data	0.71900826446281
RT_DIALOG	0x7c138	0x14a	data	0.6
RT_DIALOG	0x7c284	0x314	data	0.47588832487309646
RT_DIALOG	0x7c598	0x24a	data	0.6279863481228669
RT_STRING	0x7c7e4	0x1fc	data	0.421259842519685
RT_STRING	0x7c9e0	0x246	data	0.41924398625429554
RT_STRING	0x7cc28	0x1a6	data	0.514218009478673
RT_STRING	0x7cdd0	0xdc	data	0.65
RT_STRING	0x7ceac	0x470	data	0.3873239436619718
RT_STRING	0x7d31c	0x164	data	0.5056179775280899
RT_STRING	0x7d480	0x110	data	0.5772058823529411
RT_STRING	0x7d590	0x158	data	0.4563953488372093
RT_STRING	0x7d6e8	0xe8	data	0.5948275862068966
RT_STRING	0x7d7d0	0x1c6	data	0.5242290748898678
RT_STRING	0x7d998	0x268	data	0.4837662337662338
RT_GROUP_ICON	0x7dc00	0x68	data	0.7019230769230769
RT_MANIFEST	0x7dc68	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Target ID:	0
Start time:	12:58:20
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff76daf0000
File size:	80'591'650 bytes
MD5 hash:	3F97EE2B5AEFB68FC0D7C6383B41385D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 00007FF76DB1B190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DAF255C: GetDlgItem.USER32 ref: 00007FF76DAF25AC
Part of subcall function 00007FF76DAF255C: SetWindowTextW.USER32 ref: 00007FF76DAF25C8

EndDialog.USER32 ref: 00007FF76DB1B2D0
SetDlgItemTextW.USER32 ref: 00007FF76DB1B320
GetMessageW.USER32 ref: 00007FF76DB1B350
IsDialogMessageW.USER32 ref: 00007FF76DB1B369
TranslateMessage.USER32 ref: 00007FF76DB1B37B
DispatchMessageW.USER32 ref: 00007FF76DB1B389
EndDialog.USER32 ref: 00007FF76DB1B3D3
GetDlgItem.USER32 ref: 00007FF76DB1B410
SendMessageW.USER32 ref: 00007FF76DB1B431
SendMessageW.USER32 ref: 00007FF76DB1B449
SetFocus.USER32 ref: 00007FF76DB1B452
GetLastError.KERNEL32 ref: 00007FF76DB1B634
GetLastError.KERNEL32 ref: 00007FF76DB1B665
GetTickCount.KERNEL32 ref: 00007FF76DB1B68B
GetLastError.KERNEL32 ref: 00007FF76DB1B6F5
GetCommandLineW.KERNEL32 ref: 00007FF76DB1B841
CreateFileMappingW.KERNEL32 ref: 00007FF76DB1B900
MapViewOfFile.KERNEL32 ref: 00007FF76DB1B923
Sleep.KERNEL32 ref: 00007FF76DB1B9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF76DB1B9DF
CloseHandle.KERNEL32 ref: 00007FF76DB1B9E8
SetDlgItemTextW.USER32 ref: 00007FF76DB1BCDE
DialogBoxParamW.USER32 ref: 00007FF76DB1C0D7
EndDialog.USER32 ref: 00007FF76DB1C0EF
EnableWindow.USER32 ref: 00007FF76DB1C2A6
SendMessageW.USER32 ref: 00007FF76DB1C2F8
ShellExecuteExW.SHELL32 ref: 00007FF76DB1B95B

Part of subcall function 00007FF76DB0AAE0: LoadStringW.USER32 ref: 00007FF76DB0AB67
Part of subcall function 00007FF76DB0AAE0: LoadStringW.USER32 ref: 00007FF76DB0AB80

SendMessageW.USER32 ref: 00007FF76DB1BEC3
SendDlgItemMessageW.USER32 ref: 00007FF76DB1BEEA
GetDlgItem.USER32 ref: 00007FF76DB1BEF8
SendMessageW.USER32 ref: 00007FF76DB1BF12
GetDlgItem.USER32 ref: 00007FF76DB1BF4F
SetDlgItemTextW.USER32 ref: 00007FF76DB1BFEC
SetDlgItemTextW.USER32 ref: 00007FF76DB1C004
SetDlgItemTextW.USER32 ref: 00007FF76DB1C321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1C363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1C369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1C36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1C375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1C37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1C381
SendDlgItemMessageW.USER32 ref: 00007FF76DB1C449
EndDialog.USER32 ref: 00007FF76DB1C463
GetDlgItem.USER32 ref: 00007FF76DB1C491
SetFocus.USER32 ref: 00007FF76DB1C49A
SendDlgItemMessageW.USER32 ref: 00007FF76DB1C53E
FindFirstFileW.KERNEL32 ref: 00007FF76DB1C562
FindClose.KERNEL32 ref: 00007FF76DB1C68A
SendDlgItemMessageW.USER32 ref: 00007FF76DB1C7AF

Part of subcall function 00007FF76DAF129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DAF1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1CAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1CAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1CAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1CABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1CAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1CAC7

Strings

winrarsfxmappingfile.tmp, xrefs: 00007FF76DB1B8E0
p, xrefs: 00007FF76DB1B7AB
REPLACEFILEDLG, xrefs: 00007FF76DB1C3D3
@, xrefs: 00007FF76DB1B7B6
LICENSEDLG, xrefs: 00007FF76DB1C0C9
%s %s, xrefs: 00007FF76DB1C6D9, 00007FF76DB1C946
__tmp_rar_sfx_access_check_, xrefs: 00007FF76DB1B6A9
STARTDLG, xrefs: 00007FF76DB1B1CA
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF76DB1B799
runas, xrefs: 00007FF76DB1B7C9

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 255727823-2702805183
Opcode ID: b06a604dd1e1a1014e6e042a78463e585c17e51e9bce1e84f9241aa3d162bcb5
Instruction ID: 7803298c24c5dc4da1c63e6cf4bc78aff20ef8a5a8569c7463d40ca4dda920ff
Opcode Fuzzy Hash: b06a604dd1e1a1014e6e042a78463e585c17e51e9bce1e84f9241aa3d162bcb5
Instruction Fuzzy Hash: 62D27262A2C682C1EA21FB25E8546F9E361EF8A780FD04135D94D466EDFE7CE944C720

Function 00007FF76DB1CE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF76DB1D5F3
SendMessageW.USER32 ref: 00007FF76DB1D626
SendMessageW.USER32 ref: 00007FF76DB1D655
MoveFileW.KERNEL32 ref: 00007FF76DB1DB4B
MoveFileExW.KERNEL32 ref: 00007FF76DB1DB69
GetTempPathW.KERNEL32 ref: 00007FF76DB1DC49

Part of subcall function 00007FF76DAF1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF1FFB

EndDialog.USER32 ref: 00007FF76DB1DFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DB1EEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1EF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DB1EF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DB1EF73

Strings

ProgramFilesDir, xrefs: 00007FF76DB1D4F0
MAX, xrefs: 00007FF76DB1EA82, 00007FF76DB1EA91
.lnk, xrefs: 00007FF76DB1E406, 00007FF76DB1E415
.tmp, xrefs: 00007FF76DB1DA85
@set:user, xrefs: 00007FF76DB1DD96, 00007FF76DB1DDA5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF76DB1D501
<br>, xrefs: 00007FF76DB1D6DA, 00007FF76DB1D6E9
lnk, xrefs: 00007FF76DB1E3CA, 00007FF76DB1E3D9
HIDE, xrefs: 00007FF76DB1E9E5, 00007FF76DB1E9F4
MIN, xrefs: 00007FF76DB1EAE5, 00007FF76DB1EAF4

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: ade84c13a5dc0a923d4b23a7709a57b38a9eab8197af02a88ef7afa6ef055700
Instruction ID: e7e9c4e0f1a67e599037fc17226c357f5a65f511af62441db85950b81df67c20
Opcode Fuzzy Hash: ade84c13a5dc0a923d4b23a7709a57b38a9eab8197af02a88ef7afa6ef055700
Instruction Fuzzy Hash: 1A139062B2C782D5EB11EF64D8402EC67A2EB48798FD00536DA1D57ADDEF38E584C360

Function 00007FF76DB20754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76DB0DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E018
Part of subcall function 00007FF76DB0DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E030
Part of subcall function 00007FF76DB0DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E05D

Part of subcall function 00007FF76DB062DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF76DB062F2
Part of subcall function 00007FF76DB062DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF76DB0632C

Part of subcall function 00007FF76DB1946C: OleInitialize.OLE32 ref: 00007FF76DB19486
Part of subcall function 00007FF76DB1946C: SHGetMalloc.SHELL32 ref: 00007FF76DB194D4

GetCommandLineW.KERNEL32 ref: 00007FF76DB2096E
OpenFileMappingW.KERNEL32 ref: 00007FF76DB20A07
MapViewOfFile.KERNEL32 ref: 00007FF76DB20A30
UnmapViewOfFile.KERNEL32 ref: 00007FF76DB20A46
MapViewOfFile.KERNEL32 ref: 00007FF76DB20A63
UnmapViewOfFile.KERNEL32 ref: 00007FF76DB20ACA
CloseHandle.KERNEL32 ref: 00007FF76DB20AD3
SetEnvironmentVariableW.KERNEL32 ref: 00007FF76DB20BAD
GetLocalTime.KERNEL32 ref: 00007FF76DB20BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF76DB20C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF76DB20C26
GetModuleHandleW.KERNEL32 ref: 00007FF76DB20C2E
LoadIconW.USER32 ref: 00007FF76DB20C4D
DialogBoxParamW.USER32 ref: 00007FF76DB20CB6
Sleep.KERNEL32 ref: 00007FF76DB20CE6
DeleteObject.GDI32 ref: 00007FF76DB20D0D
DeleteObject.GDI32 ref: 00007FF76DB20D1F
CloseHandle.KERNEL32 ref: 00007FF76DB20D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB20DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB20DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB20DE3

Part of subcall function 00007FF76DB1FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF76DB1FD43
Part of subcall function 00007FF76DB1FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF76DB1FDBC

Strings

winrarsfxmappingfile.tmp, xrefs: 00007FF76DB209F9
sfxstime, xrefs: 00007FF76DB20C1F
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF76DB20C02
STARTDLG, xrefs: 00007FF76DB20CA5
sfxname, xrefs: 00007FF76DB20B9B

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: 5a0cbdb8d1f0485109b3182adadad79a05d95305e578c214513e8b8f27ec5f32
Instruction ID: 78882203a30877c7fcb288195f0688c2f4a13a5d3d59edb255fb4b120d987ba8
Opcode Fuzzy Hash: 5a0cbdb8d1f0485109b3182adadad79a05d95305e578c214513e8b8f27ec5f32
Instruction Fuzzy Hash: A7126662E2C782C1EB10AF25E8552B9A361FF8D784F804235DA5D46AADFF7CE544C720

Function 00007FF76DB0A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF76DB0A504

Part of subcall function 00007FF76DB10F68: WideCharToMultiByte.KERNEL32 ref: 00007FF76DB10F99

SetDlgItemTextW.USER32 ref: 00007FF76DB0A573
GetWindowRect.USER32 ref: 00007FF76DB0A5AD
GetClientRect.USER32 ref: 00007FF76DB0A5BB
GetWindowLongPtrW.USER32 ref: 00007FF76DB0A66C
GetWindowRect.USER32 ref: 00007FF76DB0A6B2
SetWindowTextW.USER32 ref: 00007FF76DB0A6EC
GetSystemMetrics.USER32 ref: 00007FF76DB0A6F7
GetWindow.USER32 ref: 00007FF76DB0A708
GetWindowRect.USER32 ref: 00007FF76DB0A746
GetWindow.USER32 ref: 00007FF76DB0A808

Strings

$%s:, xrefs: 00007FF76DB0A4EF
CAPTION, xrefs: 00007FF76DB0A6CF

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 145190f1ea3e40a07ecd3de3857bef1d6f7ff474017247dcf97ada4d37b79358
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: B391D632B2C641C6E714EF29E804A6EA7A1FB88784F845535EE4D57B5CEE3DE805CB10

Function 00007FF76DB18624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNELBASE ref: 00007FF76DB1863D
SizeofResource.KERNEL32 ref: 00007FF76DB18659
LoadResource.KERNEL32 ref: 00007FF76DB18673
LockResource.KERNEL32 ref: 00007FF76DB18685
GlobalAlloc.KERNELBASE ref: 00007FF76DB186A6
GlobalLock.KERNEL32 ref: 00007FF76DB186BB
CreateStreamOnHGlobal.COMBASE ref: 00007FF76DB186E8
GdipAlloc.GDIPLUS ref: 00007FF76DB186FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF76DB18769
GlobalUnlock.KERNEL32 ref: 00007FF76DB1878C
GlobalFree.KERNEL32 ref: 00007FF76DB18795

Strings

PNG, xrefs: 00007FF76DB1862F

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: ba26915fb8a23958c3352d3d445d4a8f56dbcc4e19950f630ef307fc4cc2c6c1
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 64413D29A2DB42D1EE15AB16D854379E3A1BF8CB90F880535CE0D87768FF7CE4489720

Function 00007FF76DAFF930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01263

Strings

__tmp_reference_source_, xrefs: 00007FF76DAFFCCF, 00007FF76DAFFCDE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 288aadb9850286666244f589a7a65127607e522c818528ab99dbe7041c3f50d5
Instruction ID: 700e5424733f7fed5502bca2309565ed53fbc6fffa487920e44c148f284941f4
Opcode Fuzzy Hash: 288aadb9850286666244f589a7a65127607e522c818528ab99dbe7041c3f50d5
Instruction Fuzzy Hash: 72E2C662A2C6C2D2EA64EB25D0407FEE761FB89784F844136DB9D436A9EF3CE454C710

Function 00007FF76DAF4840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF5124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF5E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF5E1C

Strings

CMT, xrefs: 00007FF76DAF59B2

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 7d1c6c22bd83c666423e6e8ace876ca52384bc33d34e44693625b0213485e245
Instruction ID: 59917cd4d95c10d4081a72695850cf02215c06212d4b7e110c0446df6b02fda6
Opcode Fuzzy Hash: 7d1c6c22bd83c666423e6e8ace876ca52384bc33d34e44693625b0213485e245
Instruction Fuzzy Hash: 03E20622B2C682C6EB14EB75D150AFDA7A1FB49384F884032DA5E47796EF7CE954C310

Function 00007FF76DB040BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF76DB0410B
FindFirstFileW.KERNEL32 ref: 00007FF76DB0415E
GetLastError.KERNEL32 ref: 00007FF76DB041AF
FindNextFileW.KERNEL32 ref: 00007FF76DB041D7
GetLastError.KERNEL32 ref: 00007FF76DB041E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB04315

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 302a779ab95c7aaca0ba1f13af6e7309770b234b011da9b93882c2eb88fdf2be
Instruction ID: 41fdd2a1173c4987afa6e096342996f6f70accd2c2d6223ddc2b775c1156a21e
Opcode Fuzzy Hash: 302a779ab95c7aaca0ba1f13af6e7309770b234b011da9b93882c2eb88fdf2be
Instruction Fuzzy Hash: F561B362A2CA46C1EA10AB24E84067DA361FF9D7A4F905331EAAD43ADDEF7CD544C710

Function 00007FF76DAF5E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMT, xrefs: 00007FF76DAF59B2, 00007FF76DAF675B

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 920946c3a46788dbc14b960d280913d1087d646ed99960bedbc598b6726ca41f
Instruction ID: 2aa83eb56e7bd934acae2bc947f415b0c6ca9167017039fee652feb165e186c0
Opcode Fuzzy Hash: 920946c3a46788dbc14b960d280913d1087d646ed99960bedbc598b6726ca41f
Instruction Fuzzy Hash: 9542FF22B2C682D6EB18EB74C1506FDB7A1EB15344F880176DB5E53796EF38E918C360

Function 00007FF76DB11F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction ID: bcc6315be46deeb5c03434c8daa23f0126a4c0c3c70bb8f4f889afb71af80d72
Opcode Fuzzy Hash: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction Fuzzy Hash: FBE11722A2C2C2CAEB61EF28A84427DB792FB4D78CF454135DB4E87749EE3CE5458714

Function 00007FF76DB13484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e1d97200dc275f03108a64776f1fd30e61297024d66dcfdcf317728c87068d
Instruction ID: 0b0908e59adfefaab742b2a57e182c85295f71d08826d920ce25fcf9ddc6aad3
Opcode Fuzzy Hash: 27e1d97200dc275f03108a64776f1fd30e61297024d66dcfdcf317728c87068d
Instruction Fuzzy Hash: 54B1C2A2B196C992DE5AEB65D908AE9A392B709FC4F848036DE0D07749FF3CE155C310

Function 00007FF76DB04928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 388497648aa7178462f46e8a8cb48851b3eb3f46bbabbbefb59410a44eea80d8
Instruction ID: cbcd7424181c76624d226ef20aae0690c88870c3b7e8822dd3d2c7778abfe589
Opcode Fuzzy Hash: 388497648aa7178462f46e8a8cb48851b3eb3f46bbabbbefb59410a44eea80d8
Instruction Fuzzy Hash: 94411922B2D656CAFB64EF11A900B7AA252FBDC784F844030DE4D07798EE3CE4468714

Function 00007FF76DB0DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E05D
CreateFileW.KERNEL32 ref: 00007FF76DB0E3F0
SetFilePointer.KERNEL32 ref: 00007FF76DB0E40E
ReadFile.KERNEL32 ref: 00007FF76DB0E436

Part of subcall function 00007FF76DB0DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF76DB0DDDF

CompareStringW.KERNELBASE ref: 00007FF76DB0E559
CloseHandle.KERNEL32 ref: 00007FF76DB0E4F3

Part of subcall function 00007FF76DAF1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF1FFB

Part of subcall function 00007FF76DB051A4: GetVersionExW.KERNEL32 ref: 00007FF76DB051D5

Part of subcall function 00007FF76DB0DFD0: LoadLibraryExW.KERNELBASE ref: 00007FF76DB0DEFF
Part of subcall function 00007FF76DB0DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0DFB5
Part of subcall function 00007FF76DB0DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0DFBB
Part of subcall function 00007FF76DB0DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0DFC1
Part of subcall function 00007FF76DB0DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF76DB0E7AA
ExitProcess.KERNEL32 ref: 00007FF76DB0E7BB

Strings

browcli.dll, xrefs: 00007FF76DB0E301
atl.dll, xrefs: 00007FF76DB0E136
peerdist.dll, xrefs: 00007FF76DB0E38D
mlang.dll, xrefs: 00007FF76DB0E2BB
rsaenh.dll, xrefs: 00007FF76DB0E0A7
SetDefaultDllDirectories, xrefs: 00007FF76DB0E053
devrtl.dll, xrefs: 00007FF76DB0E29F
UXTheme.dll, xrefs: 00007FF76DB0E0B2
uxtheme.dll, xrefs: 00007FF76DB0E66D
dhcpcsvc.dll, xrefs: 00007FF76DB0E32B
dsrole.dll, xrefs: 00007FF76DB0E37F
ws2help.dll, xrefs: 00007FF76DB0E10A
XmlLite.dll, xrefs: 00007FF76DB0E339
mpr.dll, xrefs: 00007FF76DB0E291
shell32.dll, xrefs: 00007FF76DB0E1BF
samcli.dll, xrefs: 00007FF76DB0E2C9
iphlpapi.DLL, xrefs: 00007FF76DB0E267
aclui.dll, xrefs: 00007FF76DB0E371
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF76DB0E73B
setupapi.dll, xrefs: 00007FF76DB0E141
samlib.dll, xrefs: 00007FF76DB0E2D7
profapi.dll, xrefs: 00007FF76DB0E205
comres.dll, xrefs: 00007FF76DB0E0F4
msasn1.dll, xrefs: 00007FF76DB0E195
usp10.dll, xrefs: 00007FF76DB0E0DE
sfc_os.dll, xrefs: 00007FF76DB0E091
apphelp.dll, xrefs: 00007FF76DB0E14F
WINNSI.DLL, xrefs: 00007FF76DB0E275
ws2_32.dll, xrefs: 00007FF76DB0E0FF
kernel32, xrefs: 00007FF76DB0E011
ntshrui.dll, xrefs: 00007FF76DB0E12B
ntmarta.dll, xrefs: 00007FF76DB0E1F7
cryptbase.dll, xrefs: 00007FF76DB0E0C8
SSPICLI.DLL, xrefs: 00007FF76DB0E09C
linkinfo.dll, xrefs: 00007FF76DB0E347
oleaccrc.dll, xrefs: 00007FF76DB0E1E9
dnsapi.DLL, xrefs: 00007FF76DB0E259
clbcatq.dll, xrefs: 00007FF76DB0E0E9
wintrust.dll, xrefs: 00007FF76DB0E1B1
DXGIDebug.dll, xrefs: 00007FF76DB0E086, 00007FF76DB0E5B6
netapi32.dll, xrefs: 00007FF76DB0E16B
WindowsCodecs.dll, xrefs: 00007FF76DB0E213
netutils.dll, xrefs: 00007FF76DB0E283
cabinet.dll, xrefs: 00007FF76DB0E1DB
crypt32.dll, xrefs: 00007FF76DB0E187
version.dll, xrefs: 00007FF76DB0E07B
dwmapi.dll, xrefs: 00007FF76DB0E0BD, 00007FF76DB0E661
dfscli.dll, xrefs: 00007FF76DB0E2F3
userenv.dll, xrefs: 00007FF76DB0E15D
wkscli.dll, xrefs: 00007FF76DB0E2E5
RpcRtRemote.dll, xrefs: 00007FF76DB0E363
cryptui.dll, xrefs: 00007FF76DB0E1A3
slc.dll, xrefs: 00007FF76DB0E23D
cryptsp.dll, xrefs: 00007FF76DB0E355
secur32.dll, xrefs: 00007FF76DB0E1CD
ieframe.dll, xrefs: 00007FF76DB0E120
shdocvw.dll, xrefs: 00007FF76DB0E179
propsys.dll, xrefs: 00007FF76DB0E2AD
lpk.dll, xrefs: 00007FF76DB0E0D3
rasadhlp.dll, xrefs: 00007FF76DB0E30F
imageres.dll, xrefs: 00007FF76DB0E24B
psapi.dll, xrefs: 00007FF76DB0E115
dhcpcsvc6.dll, xrefs: 00007FF76DB0E31D
SetDllDirectoryW, xrefs: 00007FF76DB0E026
cscapi.dll, xrefs: 00007FF76DB0E22F
srvcli.dll, xrefs: 00007FF76DB0E221

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
Instruction ID: ae0f320c16891c86e521ef51f4168120da06dcf25602287661acf1e29e33863e
Opcode Fuzzy Hash: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
Instruction Fuzzy Hash: 6E323C35A2DB82D5EB21AF20E8405E9B3A4FF48354F810236DA4D46BA9FF7CD254D350

Function 00007FF76DB098DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB08E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DB08F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF76DB09F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0A435

Part of subcall function 00007FF76DB10BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF76DB10B44), ref: 00007FF76DB10BE9

Strings

*messages***, xrefs: 00007FF76DB09C04
MENU, xrefs: 00007FF76DB09DD9
,, xrefs: 00007FF76DB09FAA
*messages***, xrefs: 00007FF76DB09BC6
DIALOG, xrefs: 00007FF76DB09DCD
@%s:, xrefs: 00007FF76DB09F57
DIRECTION, xrefs: 00007FF76DB09DE5
$%s:, xrefs: 00007FF76DB09F50
, xrefs: 00007FF76DB09DF9
STRINGS, xrefs: 00007FF76DB09DC1
RTL, xrefs: 00007FF76DB09F2E

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: c449468cbcdcc3f584a662d802def55668ac00cfe72deb88729f3f670db9afdb
Instruction ID: b8fed4fac491a311764754281a2c4bf4b0f440c4cb20b164780333121ea433ca
Opcode Fuzzy Hash: c449468cbcdcc3f584a662d802def55668ac00cfe72deb88729f3f670db9afdb
Instruction Fuzzy Hash: BF62BD22A2DA82C5EB20EB24D444ABDA365FB48784FC48536DA4D476DDFF3CE944C760

Function 00007FF76DB21900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76DB21558: DloadProtectSection.DELAYIMP ref: 00007FF76DB215C9

RaiseException.KERNEL32 ref: 00007FF76DB219A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF76DB21993

Part of subcall function 00007FF76DB21868: DloadProtectSection.DELAYIMP ref: 00007FF76DB218C7

LoadLibraryExA.KERNELBASE ref: 00007FF76DB21A46
GetLastError.KERNEL32 ref: 00007FF76DB21A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF76DB21A86
RaiseException.KERNEL32 ref: 00007FF76DB21A9A

Strings

H, xrefs: 00007FF76DB21974

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 76f668cc70b58042c60f31fcdb793942adbe815c35cbe1b12f900522928264dc
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: CF915C26A29B91CAEB10DF65D8846B8B3B1FB0CB94B894435DE0D17B58FF79E445C320

Function 00007FF76DB1F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF76DB1F747
ShowWindow.USER32 ref: 00007FF76DB1F786
GetExitCodeProcess.KERNEL32 ref: 00007FF76DB1F7BD
CloseHandle.KERNEL32 ref: 00007FF76DB1F7E7
ShowWindow.USER32 ref: 00007FF76DB1F83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1F8FB

Strings

.exe, xrefs: 00007FF76DB1F7F2
p, xrefs: 00007FF76DB1F529
.inf, xrefs: 00007FF76DB1F675
Install, xrefs: 00007FF76DB1F684

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: 48140b0d21dce65f81d100c807e52341a8602df26a51c2eeeaab42c3cb1b7ebd
Instruction ID: 2402fdd531d21fe0a42fc7fc6077588ec1d1b2f268ab2e125b601288b42688c9
Opcode Fuzzy Hash: 48140b0d21dce65f81d100c807e52341a8602df26a51c2eeeaab42c3cb1b7ebd
Instruction Fuzzy Hash: DFC16D62F2C602D5FB11EB65D94027DA3A2AF8DB84F844131DA4D47AA9FF7CE855C320

Function 00007FF76DB1F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76DB1AE1C: PeekMessageW.USER32 ref: 00007FF76DB1AE32
Part of subcall function 00007FF76DB1AE1C: GetMessageW.USER32 ref: 00007FF76DB1AE49
Part of subcall function 00007FF76DB1AE1C: IsDialogMessageW.USER32 ref: 00007FF76DB1AE60
Part of subcall function 00007FF76DB1AE1C: TranslateMessage.USER32 ref: 00007FF76DB1AE6F
Part of subcall function 00007FF76DB1AE1C: DispatchMessageW.USER32 ref: 00007FF76DB1AE7A

GetDlgItem.USER32 ref: 00007FF76DB1F0E3
ShowWindow.USER32 ref: 00007FF76DB1F109
SendMessageW.USER32 ref: 00007FF76DB1F11E
SendMessageW.USER32 ref: 00007FF76DB1F136
SendMessageW.USER32 ref: 00007FF76DB1F157
SendMessageW.USER32 ref: 00007FF76DB1F173
SendMessageW.USER32 ref: 00007FF76DB1F1B6
SendMessageW.USER32 ref: 00007FF76DB1F1D4
SendMessageW.USER32 ref: 00007FF76DB1F1E8
SendMessageW.USER32 ref: 00007FF76DB1F212
SendMessageW.USER32 ref: 00007FF76DB1F22A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction ID: ee477364f1235bcdcbb936c56ffd7913d54cbaa95d16ec8a9adaeef4baaf5ca8
Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction Fuzzy Hash: 1341D432B28642C6F300EF61E800BAD6360EB8DB88F840135DD0D47B9CDE7DD8498764

Function 00007FF76DAFEF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF572

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 809eb512f13192bff50bcfd52d504cde0913946dec18b9405ddbe5e6ea7d9c14
Instruction ID: b8184999ef1c2b379f70869ec9e68ba718aa77e24428f811fddea7ec3bdbd39f
Opcode Fuzzy Hash: 809eb512f13192bff50bcfd52d504cde0913946dec18b9405ddbe5e6ea7d9c14
Instruction Fuzzy Hash: D212C062F2CB42C4EA20EB64D4446FDA371EB457A8F840276DA5C17AD9EF3CD989C310

Function 00007FF76DB024C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF76DB0259B
GetLastError.KERNEL32 ref: 00007FF76DB025AE
CreateFileW.KERNEL32 ref: 00007FF76DB0260E
GetLastError.KERNEL32 ref: 00007FF76DB02617
SetFileTime.KERNEL32 ref: 00007FF76DB026C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB02736

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: 33f6b48159d5b7d750ef9f2960fa93fa1ced6f4fdcb3bbf877704cc21e72eec3
Instruction ID: 00f2fdff30aeb3d09c26d0ac8b7e68fa3b991b34cca5e2ceee5023d76f933c1e
Opcode Fuzzy Hash: 33f6b48159d5b7d750ef9f2960fa93fa1ced6f4fdcb3bbf877704cc21e72eec3
Instruction Fuzzy Hash: 2261E366A2C681C5E7209B29E54076EA7B1FB887A8F501334DFAD03ADCEF3DD4588714

Function 00007FF76DB1B014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF76DB1B02A
GetObjectW.GDI32 ref: 00007FF76DB1B05B
DeleteObject.GDI32 ref: 00007FF76DB1B095
DeleteObject.GDI32 ref: 00007FF76DB1B0C5

Part of subcall function 00007FF76DB18624: FindResourceExW.KERNELBASE ref: 00007FF76DB1863D
Part of subcall function 00007FF76DB18624: SizeofResource.KERNEL32 ref: 00007FF76DB18659
Part of subcall function 00007FF76DB18624: LoadResource.KERNEL32 ref: 00007FF76DB18673
Part of subcall function 00007FF76DB18624: LockResource.KERNEL32 ref: 00007FF76DB18685
Part of subcall function 00007FF76DB18624: GlobalAlloc.KERNELBASE ref: 00007FF76DB186A6
Part of subcall function 00007FF76DB18624: GlobalLock.KERNEL32 ref: 00007FF76DB186BB
Part of subcall function 00007FF76DB18624: CreateStreamOnHGlobal.COMBASE ref: 00007FF76DB186E8
Part of subcall function 00007FF76DB18624: GdipAlloc.GDIPLUS ref: 00007FF76DB186FE
Part of subcall function 00007FF76DB18624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF76DB18769
Part of subcall function 00007FF76DB18624: GlobalUnlock.KERNEL32 ref: 00007FF76DB1878C
Part of subcall function 00007FF76DB18624: GlobalFree.KERNEL32 ref: 00007FF76DB18795

Strings

], xrefs: 00007FF76DB1B063

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: 53bec2ebfc137fcaab81dcfe7b7838d2544a37d32c6755d9af814a8184aeb34d
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: 2C115425B1D643C1FA65BB119A55279D393AF8DBC4F880038D95D47B9DFE2CE8048614

Function 00007FF76DB1AE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF76DB1AE32
GetMessageW.USER32 ref: 00007FF76DB1AE49
IsDialogMessageW.USER32 ref: 00007FF76DB1AE60
TranslateMessage.USER32 ref: 00007FF76DB1AE6F
DispatchMessageW.USER32 ref: 00007FF76DB1AE7A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: d91a0bb074895c126ecbd37e89f0f266e87f1a490c952d32e1ebec825c639667
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 35F09126B3C552C2FB50AF25E855E7AA361BF98B45FD05431E54E81858EF2CD509CB10

Function 00007FF76DB191E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF76DB19211
SHAutoComplete.SHLWAPI ref: 00007FF76DB19255

Part of subcall function 00007FF76DB113C4: CompareStringW.KERNEL32 ref: 00007FF76DB113E3

FindWindowExW.USER32 ref: 00007FF76DB1923F

Strings

EDIT, xrefs: 00007FF76DB1921B, 00007FF76DB19233

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: 5bfcedf53e8f06dc32d94c63d92bd47e65395eab0cc1cd20353842c1d7f3f0e5
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: F3016D21B3CA83C1FE20AB21EC107BAA391AF9C740FC80031C95D4B65CFE6CE549CA60

Function 00007FF76DB02CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF76DB08C9A), ref: 00007FF76DB02D22
WriteFile.KERNEL32 ref: 00007FF76DB02D6C
WriteFile.KERNELBASE ref: 00007FF76DB02D9A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 0e24b38da4911ce84cd1995b05bc76a48cdbb6549566894b7731c3bd6f5b2069
Instruction ID: b515a32f15037976b8007df4349da10b902a905e9fe1cbcdfdd7b7e70004ded4
Opcode Fuzzy Hash: 0e24b38da4911ce84cd1995b05bc76a48cdbb6549566894b7731c3bd6f5b2069
Instruction Fuzzy Hash: 8751E822A3D642D2FA20AB15D444B7AA360FF49794FC41231DB0D46A98FF7CE889C350

Function 00007FF76DB203E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32 ref: 00007FF76DB20556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB205C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB205C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB205CD

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: ddbc6463633b4561293e059f1e2bc995c27909e3b92e1583c4456597393468a2
Instruction ID: 55ba759824bbd2c820326d1e9e16bb3b60c50a11e5646d3454afc057651543f6
Opcode Fuzzy Hash: ddbc6463633b4561293e059f1e2bc995c27909e3b92e1583c4456597393468a2
Instruction Fuzzy Hash: 31518F63F38692C4FB00ABA5D8542BDA322AB49B94FC04636DA5C16BD9FE6CD440C320

Function 00007FF76DB03684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF76DB0309D), ref: 00007FF76DB036CE
CreateDirectoryW.KERNEL32 ref: 00007FF76DB03733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF76DB0309D), ref: 00007FF76DB03791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB037CE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: c692564d5d1c2d87129f870fd8c4aa882645ff23391cbc0b7309d447f995f5b9
Instruction ID: f000a739bbe79a3810c4782f7994b7a8430ea3c8731dc160abcbee29ccc8bad9
Opcode Fuzzy Hash: c692564d5d1c2d87129f870fd8c4aa882645ff23391cbc0b7309d447f995f5b9
Instruction Fuzzy Hash: E131B566A2C682C1EA20BB25A458E7DE351FF8C7A0FD44231EE9D827DDEF3CD4458610

Function 00007FF76DB22D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF76DB22D7B

Part of subcall function 00007FF76DB227FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF76DB2281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF76DB22D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF76DB22DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF76DB22E51

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 94f2275f465c25b64c990bfbb1a8ae769a325621d8251e5128b6705af3b4c69f
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 0F313026A3C183C1FA64BB65D4113B99291AF4D784FC41438D94D8B6EFFE2CE8049271

Function 00007FF76DB02320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF76DB02927,?,00100000,?,00000001,00000000,00000000,?,00007FF76DB014C1), ref: 00007FF76DB02348
ReadFile.KERNELBASE ref: 00007FF76DB02367
GetLastError.KERNEL32 ref: 00007FF76DB0239B
GetLastError.KERNEL32 ref: 00007FF76DB023BA

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: e7e39c9f8bb866c7c1cb32cec18b79bc669e9f1327ec02c9c9c3049880295251
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 52219521A2C642C9EA706B11E400A3DE368FF49B94F944534DA5D4E78CEF7CD8898761

Function 00007FF76DB0E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB0ECD8: ResetEvent.KERNEL32 ref: 00007FF76DB0ECF1
Part of subcall function 00007FF76DB0ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF76DB0ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF76DB0E974
CloseHandle.KERNELBASE ref: 00007FF76DB0E993
DeleteCriticalSection.KERNEL32 ref: 00007FF76DB0E9AA
CloseHandle.KERNEL32 ref: 00007FF76DB0E9B7

Part of subcall function 00007FF76DB0EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF76DB0E95F,?,?,?,00007FF76DB0463A,?,?,?), ref: 00007FF76DB0EA63
Part of subcall function 00007FF76DB0EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF76DB0E95F,?,?,?,00007FF76DB0463A,?,?,?), ref: 00007FF76DB0EA6E

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 0c208e0593075f28d7f1f81e908fe344851f75c56058c7a5f44c849f648f824b
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: 2D012D36A28A81D2E648AB21E58466DE331FB8CB90F404031DB6D43629DF79E4B4C754

Function 00007FF76DB0EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF76DB0EAE0
SetThreadPriority.KERNEL32 ref: 00007FF76DB0EB36

Strings

CreateThread failed, xrefs: 00007FF76DB0EAEE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: f3e015822f2101a7dec5697a117ae1bca23e7d67b9cdd28408896b17d6316a28
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: F0115E31A2CA42C2EB10EB15E8416A9F361FB88784F984231D64D4266CFF7CE981C760

Function 00007FF76DB1946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB0DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF76DB0DDDF

OleInitialize.OLE32 ref: 00007FF76DB19486
SHGetMalloc.SHELL32 ref: 00007FF76DB194D4

Strings

riched20.dll, xrefs: 00007FF76DB19475

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: 36fbc84c4048a9ad02a2f0a5c69ad89a1458b36b9ce81baa2840b27f7f395ca0
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: 53F03C71A2CA81C2EB11AF20F45556EB3A0FB88754F840135E98D82B58EFBCD5498B20

Function 00007FF76DB1095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB1853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF76DB1856C

Part of subcall function 00007FF76DB0AAE0: LoadStringW.USER32 ref: 00007FF76DB0AB67
Part of subcall function 00007FF76DB0AAE0: LoadStringW.USER32 ref: 00007FF76DB0AB80

Part of subcall function 00007FF76DAF1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF1FFB

Part of subcall function 00007FF76DAF129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DAF1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB201BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB201C1
SendDlgItemMessageW.USER32 ref: 00007FF76DB201F2

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: c331156a73b0a66eb66e79d0130550220cf0b56257511766079ec54958d0214b
Instruction ID: 6cd9289998daf79d39aa79e0144d95d27f94bdedfadf49798e6c6008bff60f3e
Opcode Fuzzy Hash: c331156a73b0a66eb66e79d0130550220cf0b56257511766079ec54958d0214b
Instruction Fuzzy Hash: C851B262F2D682D6FB10ABA5D4516FDA322AB89784F800236DA0D577DEFE6CD500C360

Function 00007FF76DAF1744 Relevance: 4.6, APIs: 3, Instructions: 118COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF189C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DAF18A8
__std_exception_copy.LIBVCRUNTIME ref: 00007FF76DAF18D4

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2371198981-0
Opcode ID: 311d9ade44a112f174f5058e8ed5e9daeb1f31e852fd979eace312b941542748
Instruction ID: 054226b50e55bfd4d697e7e39823d8afba691d04284e55a6be9fb1d87bf82caa
Opcode Fuzzy Hash: 311d9ade44a112f174f5058e8ed5e9daeb1f31e852fd979eace312b941542748
Instruction Fuzzy Hash: EE4115A2B2C685C1EA14EF12E6405B9E355EB04BE0F884632DE6C07BD9FF7CE4918314

Function 00007FF76DB02134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF76DB021CF
CreateFileW.KERNEL32 ref: 00007FF76DB0223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB022D8

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: c0a24921bb432fc979f0151b166e22e2d4d2ab91ccee52ff8beeeb5fa3cca71f
Instruction ID: 91d2d010de71d0aac7c78946de55b6ea5decd75851fb430c7148c8f250732f7e
Opcode Fuzzy Hash: c0a24921bb432fc979f0151b166e22e2d4d2ab91ccee52ff8beeeb5fa3cca71f
Instruction Fuzzy Hash: 3541D673A2C781C2EB20AB15E444669A3A1FB897B4F905334DFAD07AD9EF7CD4948710

Function 00007FF76DAF23F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF76DAF243E
GetWindowTextW.USER32 ref: 00007FF76DAF2476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF2505

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 41410b057bf1bfc832f9111b5635005432e9644e209f963b7c0d07f0c95fee55
Instruction ID: 07d50b4ee15061f5f43dc54771c31a22674d87bca5919547f0240d0cf3ac2c72
Opcode Fuzzy Hash: 41410b057bf1bfc832f9111b5635005432e9644e209f963b7c0d07f0c95fee55
Instruction Fuzzy Hash: 37219362A2CB8181EA209B65A44057EA364FB8DBD0F945236EB9D43B99EF7CD541C700

Function 00007FF76DB11F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76DB1205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76DB12077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76DB12093

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction ID: fcd8c356187fe417ad4cba1c7e8a635529cbd53e1f47e21f422fe1f0c9fe9210
Opcode Fuzzy Hash: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction Fuzzy Hash: F031D412A2C687D5FB25B710E8493B9A3A1FB59B84F944135D24C029ADFF7CD946C311

Function 00007FF76DB03D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF76DB107E1), ref: 00007FF76DB03D5E
SetFileAttributesW.KERNEL32 ref: 00007FF76DB03DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB03E1A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: a1f7dc1dbaba3642fc9690cddce522cfa30acb7a6fd15afbd6a0ae69969149b0
Instruction ID: cd144a3bffaf5ee236f1f5eca38c68587ad55349c4850271a0db6d2e7d5264bc
Opcode Fuzzy Hash: a1f7dc1dbaba3642fc9690cddce522cfa30acb7a6fd15afbd6a0ae69969149b0
Instruction Fuzzy Hash: 5221F822A2C781C1EA20AF25E44567EA360FF8CB94F805330EA9D4679CFF3DD540C650

Function 00007FF76DB031BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF76DB10822), ref: 00007FF76DB031E7
DeleteFileW.KERNEL32 ref: 00007FF76DB03237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB032A1

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 69d2c27007a20e930861445e234d5951a1cf09c7b93575dd70fe51422861bc3e
Instruction ID: 9e3da84e984512932762b12d1145c3048efb4227e3d9adc7e036b6023603a1a1
Opcode Fuzzy Hash: 69d2c27007a20e930861445e234d5951a1cf09c7b93575dd70fe51422861bc3e
Instruction Fuzzy Hash: 22218622A2C781C1EA10AB25E44566EA360FF8DB94F905234EA9E46B9DFF3CD541C650

Function 00007FF76DB032BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF76DB0E5B1,?,?,?,00000000,?), ref: 00007FF76DB032E7
GetFileAttributesW.KERNELBASE ref: 00007FF76DB03334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB03399

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 07782a0afab47d92a22bff3076416a7edfcd43da74ab10a948eda14518e6746e
Instruction ID: 5b9b42d867b832ad163c0eb95dbb785a8dcf1e040e9a6b93c74e9a97ef251373
Opcode Fuzzy Hash: 07782a0afab47d92a22bff3076416a7edfcd43da74ab10a948eda14518e6746e
Instruction Fuzzy Hash: 89217422A2C781C1EA20AB29E48452DA371FBCD7A4F905331EA9D47BEDEF7CD541C614

Function 00007FF76DB2BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF76DB2BF48), ref: 00007FF76DB2BF8C
TerminateProcess.KERNEL32(?,?,?,00007FF76DB2BF48), ref: 00007FF76DB2BF97
ExitProcess.KERNEL32 ref: 00007FF76DB2BFA6

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 4f14d586afebc6c5f953336dc2cd215c5a046e84be9051a7c310168991bf678e
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 1DE09A2AE2C745C2EB447B218890379A352AF8C741F400038C80E0339EFE7CA4088722

Function 00007FF76DAFF578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFF89B

Part of subcall function 00007FF76DB03EC8: FindClose.KERNELBASE(?,?,00000000,00007FF76DB10811), ref: 00007FF76DB03EFD

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 1dab662a9ca4cd49b80cf28d58332847119bc68e87dbe30dfd54b4e2fad17f15
Instruction ID: a2aeba43c7c5aca6f831ef69651768d26a00e90fbe9e9c1282f16167a82c1734
Opcode Fuzzy Hash: 1dab662a9ca4cd49b80cf28d58332847119bc68e87dbe30dfd54b4e2fad17f15
Instruction Fuzzy Hash: BB919F73A2C681D0EB10EF24D8446EDA361FB84B98FD44536EA4C07AE9EF78D949C350

Function 00007FF76DAF3904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF3AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF3AB9

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: e528197958c249f96fae0a8177de4e8d77b9f71d72b6948629aa37281091aefa
Instruction ID: f490b31c8e91b15acf49519dca7de3b8853539e62b2cf8e2bbe8fb5c610aeec6
Opcode Fuzzy Hash: e528197958c249f96fae0a8177de4e8d77b9f71d72b6948629aa37281091aefa
Instruction Fuzzy Hash: 8741A262F2D652C4FB10FB71D4506FDA321AF44B94F981136DE5D27A99EE38D8828210

Function 00007FF76DB02778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF76DB0274D), ref: 00007FF76DB028A9
GetLastError.KERNEL32(?,00007FF76DB0274D), ref: 00007FF76DB028B8

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: e02c78dc099d93707ea5b0f7c8e627cb2c41a48640bc62a4c31d92ebf1f0cb17
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: D031B626B3D752C2EE746B2AD580A7DA350AF08BD4F940131DE1D47B98FE3CD8499660

Function 00007FF76DAF22BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF76DAF22F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF23F0

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 8d40ccc84b580f33f3dafee36447434fcdf79cb76bf08fc935a239d44bb79c76
Instruction ID: 180baf892e1f7433171beb1f3e1442b7f2a22d56f506b99b754ae1079c6898d5
Opcode Fuzzy Hash: 8d40ccc84b580f33f3dafee36447434fcdf79cb76bf08fc935a239d44bb79c76
Instruction Fuzzy Hash: D531F662A2C781C1EA20AF15E4443BEF360EB84790F845232E79C4BB99FF3CE5448714

Function 00007FF76DB02AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF76DB02AFE
SetFileTime.KERNELBASE ref: 00007FF76DB02B9B

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: debea80a831a1b0145c590366c707a0ec899d3153c24a3ef9a62df1e2e1f13ac
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 3E21C462F1DB42D9FA76AE11D444BBAD790AF09794F954031DE4C062A9FE3CE48EC310

Function 00007FF76DB0AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF76DB0AB67
LoadStringW.USER32 ref: 00007FF76DB0AB80

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: ccb1d13a7e344816565a5ed7a5c1686e78526328973817433f3d586972e08976
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 89119D71B2C601C6EA40AF1AA844968F7A1BF8DFC0F944435CE0DA3B28EF7CE9418754

Function 00007FF76DB02BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF76DB02C11
GetLastError.KERNEL32 ref: 00007FF76DB02C1E

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 72a9622c3434092795b83428bc286cf9091cab082ac8d9e965fedf1614a7794d
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: EC119D21A2C641C1FB70AB25E480679A360FB59778F944331DA7D566DCEF3CD586C310

Function 00007FF76DAF255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB0A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF76DB0A504
Part of subcall function 00007FF76DB0A4AC: SetDlgItemTextW.USER32 ref: 00007FF76DB0A573
Part of subcall function 00007FF76DB0A4AC: GetWindowRect.USER32 ref: 00007FF76DB0A5AD
Part of subcall function 00007FF76DB0A4AC: GetClientRect.USER32 ref: 00007FF76DB0A5BB

GetDlgItem.USER32 ref: 00007FF76DAF25AC
SetWindowTextW.USER32 ref: 00007FF76DAF25C8

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: 949027cbaff123dc84c904f41d66e07a3e867e6f433956907a6b5f2e2a7b65f9
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: 09017510A2D28AC1FF657F52A454AB9D7519F49748FCC4075C84D466DDFE2CEC85C320

Function 00007FF76DB0EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF76DB0EBAD,?,?,?,?,00007FF76DB05752,?,?,?,00007FF76DB056DE), ref: 00007FF76DB0EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF76DB0EB6F

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: fc39bd837abb03a4c3d7e944a475ce5106530445980e5e1b7c2219f72fcfb55e
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: 86E06565B2894686DB599B55C4519A9A392BF8CB40FC48035D60FC3A18EE2CE5458B50

Function 00007FF76DB221D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DB22200

Part of subcall function 00007FF76DB22F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76DB22F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DB22206

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction ID: ef0aedd32490d2b9f4a5e9b4525cf050f3c0868e1ef434082e8d8fc4fce51661
Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction Fuzzy Hash: D5E0EC42E3E187C5F938366158265B580504F2D771EDC1730DE3E842DEBD1CA5928530

Function 00007FF76DB2D90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF76DB2D922
GetLastError.KERNEL32 ref: 00007FF76DB2D934

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 04e2b524abd4aa41ea43a078b247595a2b06b145ecdd3278846e9784e6086a7c
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 24E08651E2D183C2FF057BB2B8452B892915FDCB50F840034D90D8625AFE7C94818660

Function 00007FF76DAF33E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF388C

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: bdd91355d2d85a11a0457ea89a247bcc926dc6e93a1eb2f33b56411797ecd77f
Instruction ID: 8de493be7e75f18d4886211414d7c66ebaaf5450cca28d15f8407a6de1cf3715
Opcode Fuzzy Hash: bdd91355d2d85a11a0457ea89a247bcc926dc6e93a1eb2f33b56411797ecd77f
Instruction Fuzzy Hash: 16D1CA62B2C681D5EF68AB25C5406F9F7A1FB05B84F880476CB9D477A5DF3CE8608321

Function 00007FF76DB05294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0551B

Part of subcall function 00007FF76DB113F4: CompareStringW.KERNEL32 ref: 00007FF76DB1145A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: d592eabcbe9af83a373b8b16b8cc449c2e49e9c4d9704c8b20a1f27e4dd7bd8a
Instruction ID: fc2ce590185a1fb4912851ef4a070a2612c762843fdc415775337574d2062ef8
Opcode Fuzzy Hash: d592eabcbe9af83a373b8b16b8cc449c2e49e9c4d9704c8b20a1f27e4dd7bd8a
Instruction Fuzzy Hash: F861EE51A2C647C1FA64BA254814ABED2D5AF4DBD0F940531EE4E06ECDFEACE8408238

Function 00007FF76DB11870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB0E948: ReleaseSemaphore.KERNEL32 ref: 00007FF76DB0E974
Part of subcall function 00007FF76DB0E948: CloseHandle.KERNELBASE ref: 00007FF76DB0E993
Part of subcall function 00007FF76DB0E948: DeleteCriticalSection.KERNEL32 ref: 00007FF76DB0E9AA
Part of subcall function 00007FF76DB0E948: CloseHandle.KERNEL32 ref: 00007FF76DB0E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB11ACB

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: d0ac03a7bcf372d2f09e5791c3f93ba946dfab79c47e876fabcf93b187fb1f6c
Instruction ID: dbfbe491f7e84261b2de171eb3e2deb662fa50d8c00be642caa6e434f8f38bd5
Opcode Fuzzy Hash: d0ac03a7bcf372d2f09e5791c3f93ba946dfab79c47e876fabcf93b187fb1f6c
Instruction Fuzzy Hash: AD61C062B39685D2EE08EF65D5541BCB365FB58FC0F984132D72D07AC9EF28E4658310

Function 00007FF76DAFEC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFEEB8

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: f25d7cbdbd4b6051481d9dea9bfabb1fe63e2ef918cd70fdc00b4907c2d0f41a
Instruction ID: 2da3da13946a58ff8f6d876ea9c3ba044cf79eab499c711c25742f6c33300bcc
Opcode Fuzzy Hash: f25d7cbdbd4b6051481d9dea9bfabb1fe63e2ef918cd70fdc00b4907c2d0f41a
Instruction Fuzzy Hash: EF51D652A2C681D0EA14AF15E444BFDA751FB89BC4F880173EE4D47796EE3DE985C320

Function 00007FF76DAFE7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB03EC8: FindClose.KERNELBASE(?,?,00000000,00007FF76DB10811), ref: 00007FF76DB03EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFE993

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 1ed87b38f53b3cf50e1c2200cac218cce737f4e527dde5fbd83d50be022e59e1
Instruction ID: 3c9b13792bb3f936ff0fb37f14b6aae926a3ebfda568f596bcdd8f16e2f487d6
Opcode Fuzzy Hash: 1ed87b38f53b3cf50e1c2200cac218cce737f4e527dde5fbd83d50be022e59e1
Instruction Fuzzy Hash: 1351A322A2C785C1FB60AF24D4847BDA361FF84B84F880576DA9D476A9EF2CD941C360

Function 00007FF76DB01794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0187D

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: edbd1a57a037b29b8a92448ef74654e9c5fa8602ea7b4a83cea3799d4ce57b1a
Instruction ID: da79c3b57c39d4868a944dcfd2b1be3ca388253468d46c779081916fb22cdcdd
Opcode Fuzzy Hash: edbd1a57a037b29b8a92448ef74654e9c5fa8602ea7b4a83cea3799d4ce57b1a
Instruction Fuzzy Hash: 6541CA62B2C79181EA18AB17A544779E251FB88FC4F888535EE4C47F5EEF7CD5518300

Function 00007FF76DB02F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB030C8

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 56fb8cc9aabd16c687145b8809587fd2b26f3257f780f8e7ed96006f2e57f286
Instruction ID: 43c7cd005f81d45209fdf40e2e853b568776491519e4ebd37151560b135a699a
Opcode Fuzzy Hash: 56fb8cc9aabd16c687145b8809587fd2b26f3257f780f8e7ed96006f2e57f286
Instruction Fuzzy Hash: B4411762A2DB41C0EE10AB25E549B7DA361EB8DBD4F845139EA4D0779DFF3DE4808320

Function 00007FF76DB2BDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF76DB2BE20

Part of subcall function 00007FF76DB2BFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF76DB2BFD0
Part of subcall function 00007FF76DB2BFB0: GetProcAddress.KERNEL32 ref: 00007FF76DB2BFE6
Part of subcall function 00007FF76DB2BFB0: FreeLibrary.KERNEL32 ref: 00007FF76DB2C00B

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: ac08cc31aa92c2fcee06964bf6dd0f3d31f255fe0c3d4ee7a50fd9f538f0fdab
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 8E419123E3C682C2FA14BB11D490178A2A1AF5CB50FC4483ADA0D47AADFF7DE8418765

Function 00007FF76DAF129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DAF1396

Part of subcall function 00007FF76DAF1F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76DAF1F89

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 6f88c17e658a7e6a764477403b9247f1d27f5880b65831beeeee99c6ba04093e
Instruction ID: c0d5523d81428962b6269ce66aa486ea3f75665d71ec60c94642b0481653a8ab
Opcode Fuzzy Hash: 6f88c17e658a7e6a764477403b9247f1d27f5880b65831beeeee99c6ba04093e
Instruction Fuzzy Hash: A621A362A1C651C5EA64AF91A4006B9A250EB04BF0F9C0732DF3D47BC5FE7CE8518350

Function 00007FF76DB3124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB31280

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: ae6d1af5f330b188bd52971263153f7356dea2250eb7160b32a4200033c3fe2d
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 6D11513292C682C6F710AF55E840579F2A9FB4C380FDA0135EA4D87A99FF6CE8109764

Function 00007FF76DB1FC68 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB1F0A4: GetDlgItem.USER32 ref: 00007FF76DB1F0E3
Part of subcall function 00007FF76DB1F0A4: ShowWindow.USER32 ref: 00007FF76DB1F109
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F11E
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F136
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F157
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F173
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F1B6
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F1D4
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F1E8
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F212
Part of subcall function 00007FF76DB1F0A4: SendMessageW.USER32 ref: 00007FF76DB1F22A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1FD03

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1587882848-0
Opcode ID: 7989e94252765e26adec07c6a490604036e5cdaaff5fd5deefe014bb99c4005d
Instruction ID: c0cb1b9146b113611f731d7ce2d9bb51b74da25056dc1bbd53393ffe2f99bfb8
Opcode Fuzzy Hash: 7989e94252765e26adec07c6a490604036e5cdaaff5fd5deefe014bb99c4005d
Instruction Fuzzy Hash: A701C8A3A3C68581E920A765D44537EA312EFCD794FD01331EA9C466DEFE2CE140C614

Function 00007FF76DAF3AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF3B6C

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 58579bce4bc1021bb98a03ef504395245509186ce5efb4717343b6b5f18682a3
Instruction ID: b911ac0a91be1fd51f4fa952bb1e5297994259997eecc7300db07442244973a4
Opcode Fuzzy Hash: 58579bce4bc1021bb98a03ef504395245509186ce5efb4717343b6b5f18682a3
Instruction Fuzzy Hash: 3601A162E3C6C5C1EA21A728E445269B361FF89790FC05332E6DC07AA9FF6CD5408615

Function 00007FF76DB21558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF76DB21604: GetModuleHandleW.KERNEL32(?,?,?,00007FF76DB21573,?,?,?,00007FF76DB2192A), ref: 00007FF76DB2162B

DloadProtectSection.DELAYIMP ref: 00007FF76DB215C9

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction ID: f2bf5b608a11fa5d54e2c32965cfa0392c0d10001e671acf59917be0c1a99251
Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction Fuzzy Hash: C711BA65D3D647C1FB61BF05E842374A350AF1C388F980075C90E862B9FE2DA8958661

Function 00007FF76DB03EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB040BC: FindFirstFileW.KERNELBASE ref: 00007FF76DB0410B
Part of subcall function 00007FF76DB040BC: FindFirstFileW.KERNEL32 ref: 00007FF76DB0415E
Part of subcall function 00007FF76DB040BC: GetLastError.KERNEL32 ref: 00007FF76DB041AF

FindClose.KERNELBASE(?,?,00000000,00007FF76DB10811), ref: 00007FF76DB03EFD

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: ae8aa0648f7f480b12efa4aefa4287848279e714a800d9149e28ee9cf91fc08b
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 04F0F46291C241C1EA10BB70A148979B3609F1EBB4F541338EA3D073CFDE2CD4448760

Function 00007FF76DB0273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF76DB02755

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction ID: ba7d2757f57350c3c48e5b8b4138fd9b4ae2664e9f04654557b7a4508f6d0962
Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction Fuzzy Hash: 74E08C16E38615C2EF20BB2AC852A289320AF8CB84F895030CE0C47729DE2CC8858A10

Function 00007FF76DB02490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF76DB024A2

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 2be9b3efc0851beba05160e86685b6afef2d36f04cd3df8b2bd5fee0412fd473
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 0ED0121AD1D441C2ED20A736D89143C6350AF9BB35FE40770D73EC16E5DE5D949AA321

Function 00007FF76DB07FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF76DB07FD2

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 7f4d7c436eeb6227bb0e0f03a82dd962dbc24853d07f1365ca2e09d21f6a1b34
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 52C08C20F29542C1DA086B26C8C981853A5BB48B04FA14038C10CC1120EE2CC8FAA396

Function 00007FF76DB2FA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF76DB2FA59

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: 04a3e2033552d063e819a774e0fbb9fab9c1c79132ecb540366413d4573a38bd
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 23F06256B2D287C5FE557BA699113B592A09FCEB80FC85430C90E863C9FD1CE5814230

Function 00007FF76DB020D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF76DB0207E), ref: 00007FF76DB020F6

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 8b2980f74ab724d18605cb21e7786cc6939056df96c2d6d007a8c1cb97b0167b
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: ABF0AF22A2C682C5FB349B20E085779A660EB18B78F894335DB3D011DCEF68D8998320

Function 00007FF76DB2D94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF76DB2D98A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: 467c68043c7e1f819432bcd4e5a4d08d8328babee25b6a3b7f200470c16101e2
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: BFF05E52B2D287C4FF14777168403B592905FCC7A0FC81A30ED2E862C9FE1CE44081B0

Non-executed Functions

Function 00007FF76DAFC2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DAFDE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76DAFCF4B), ref: 00007FF76DAFDE27
Part of subcall function 00007FF76DAFDE04: GetLastError.KERNEL32 ref: 00007FF76DAFDE88
Part of subcall function 00007FF76DAFDE04: CloseHandle.KERNEL32 ref: 00007FF76DAFDE9B

wcscpy.LIBCMT ref: 00007FF76DAFCBC8
wcscpy.LIBCMT ref: 00007FF76DAFCBFE
CreateFileW.KERNEL32 ref: 00007FF76DAFCC38
DeviceIoControl.KERNEL32 ref: 00007FF76DAFCD01
CloseHandle.KERNEL32 ref: 00007FF76DAFCD12
GetLastError.KERNEL32 ref: 00007FF76DAFCD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF76DAFCD7D
DeleteFileW.KERNEL32 ref: 00007FF76DAFCD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFCED7

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00007FF76DAFC34F
SeRestorePrivilege, xrefs: 00007FF76DAFC343
\??\, xrefs: 00007FF76DAFC392, 00007FF76DAFC3B8
UNC\, xrefs: 00007FF76DAFC53F, 00007FF76DAFC55D

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: ba0fc76c453fe0fc40a0c4e7d0d05333b86268085c20e76f46298bccd8a5c1a2
Instruction ID: a97bb2fa51739051e77e55a7dbc835b384e7d8a8deebd2bca9ab0a075e22f5a1
Opcode Fuzzy Hash: ba0fc76c453fe0fc40a0c4e7d0d05333b86268085c20e76f46298bccd8a5c1a2
Instruction Fuzzy Hash: E562C062F2C682C5FB00EB75D4846FDA361AB897A4F944232DA6C53AD9FE7CD584C310

Function 00007FF76DB0F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF76DB10528

Part of subcall function 00007FF76DB0AAE0: LoadStringW.USER32 ref: 00007FF76DB0AB67
Part of subcall function 00007FF76DB0AAE0: LoadStringW.USER32 ref: 00007FF76DB0AB80

Part of subcall function 00007FF76DB1B0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF76DB10429), ref: 00007FF76DB1B110
Part of subcall function 00007FF76DB1B0DC: SetLastError.KERNEL32 ref: 00007FF76DB1B153

Part of subcall function 00007FF76DAF129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DAF1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB10490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB10496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB104F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB10532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB10538

Strings

%ls, xrefs: 00007FF76DB0F3AC, 00007FF76DB0F3FF
%s: %s, xrefs: 00007FF76DB0FC11

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: eef6348a9063751b6e9008af8d2ebfd6cfbeec8057516790c7af88f51b0d5763
Instruction ID: e0efa44a671f355be4203870e2d11a1af6d0c874e273e524291d292b7a72fdb5
Opcode Fuzzy Hash: eef6348a9063751b6e9008af8d2ebfd6cfbeec8057516790c7af88f51b0d5763
Instruction Fuzzy Hash: 6EB2A862A3C682C1EA11BB25D8545BAE321EFCE790F904236E69D43BDEFE6CD540C714

Function 00007FF76DB32550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB32C12
memcpy_s.LIBCMT ref: 00007FF76DB335BF
memcpy_s.LIBCMT ref: 00007FF76DB33666

Part of subcall function 00007FF76DB338BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB338EE

memcpy_s.LIBCMT ref: 00007FF76DB3372F

Part of subcall function 00007FF76DB2D008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2D02D

Strings

1#QNAN, xrefs: 00007FF76DB337E8
1#IND, xrefs: 00007FF76DB337AA
1#INF, xrefs: 00007FF76DB33807
1#SNAN, xrefs: 00007FF76DB337C9

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: c98ef4051e0cebaa55916c1fb1b346bbf6ca82064ea214d735af23f852b0d48b
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: 16B2F672A2C282CBE7359E29D4406FEA791FB48788F815135DA0E57F8CEF78E5049B50

Function 00007FF76DB01A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF76DB01A97
GetLongPathNameW.KERNEL32 ref: 00007FF76DB01AE0
GetShortPathNameW.KERNEL32 ref: 00007FF76DB01B21
GetShortPathNameW.KERNEL32 ref: 00007FF76DB01B6A

Part of subcall function 00007FF76DB113C4: CompareStringW.KERNEL32 ref: 00007FF76DB113E3

MoveFileW.KERNEL32 ref: 00007FF76DB01DFE
MoveFileW.KERNEL32 ref: 00007FF76DB01E65

Part of subcall function 00007FF76DB02134: CreateFileW.KERNEL32 ref: 00007FF76DB0223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB01FED

Strings

rtmp, xrefs: 00007FF76DB01CF4, 00007FF76DB01D03

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 4f136222ae8c555ed678084566c827b4cbf2143fff5110646e5a632cefb97133
Instruction ID: 6447005f21d60b2931f7bdc36455c0a40684c21bed763aa2d05a7da112c80f8e
Opcode Fuzzy Hash: 4f136222ae8c555ed678084566c827b4cbf2143fff5110646e5a632cefb97133
Instruction Fuzzy Hash: B1F1D422F2CA82D5EB10EB65D4405FDA761EB893C8F941136EA4D87AADEF3CD584C350

Function 00007FF76DB05B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF76DB05BC2
GetFullPathNameW.KERNEL32 ref: 00007FF76DB05C0E
GetFullPathNameW.KERNEL32 ref: 00007FF76DB05D2B
GetFullPathNameW.KERNEL32 ref: 00007FF76DB05D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB05EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB05EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB05EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB05EF2

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: 1e7c5ac9d18d4859634b67c516166c1ae8f0dcc4e332a300e03a2fc1b19988e3
Instruction ID: da2b9f379a7d9394ed52cfe6b1d197d7f0b7767bfd483b57d5cb234c2f577b47
Opcode Fuzzy Hash: 1e7c5ac9d18d4859634b67c516166c1ae8f0dcc4e332a300e03a2fc1b19988e3
Instruction Fuzzy Hash: FFA1B362F28B51C4FF10EB7988449BCA361AB49BA4F945231DE5D17FCCEE7CE4818214

Function 00007FF76DB23170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF76DB2318C
RtlCaptureContext.KERNEL32 ref: 00007FF76DB231B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF76DB231D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF76DB23214
IsDebuggerPresent.KERNEL32 ref: 00007FF76DB23268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF76DB23289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF76DB23294

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: e12c7bedef22f32b3aaa4442d0dd0d37d0a69d6349cedc172797afdfe1691b5a
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: 67314D76618B81CAEB64AF60E8507FDB360FB88744F84443ADA4D47B98EF78D548C720

Function 00007FF76DB276D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF76DB27751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF76DB27769
RtlVirtualUnwind.KERNEL32 ref: 00007FF76DB277A4
IsDebuggerPresent.KERNEL32 ref: 00007FF76DB277DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF76DB277E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF76DB277F2

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 1ae4377c50429e92392bd0c07eb7c5bbdda2e42989b217bfe2c32fc27c07fa96
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 14317F36628B81C5EB249F25E8406AEB3A0FB88754F900135EA8D43B58EF7CC545CB10

Function 00007FF76DAF1AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF1EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF1EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF1EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAF1EBB

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 2a322e159852dab68bb665a72e630183d686e9f0b395d04b86c8934c1a7a8b0d
Instruction ID: 4e54a8ba9c13c80fd897e3d0c469c9259b9dcfa894a22543ed9de495347cfd46
Opcode Fuzzy Hash: 2a322e159852dab68bb665a72e630183d686e9f0b395d04b86c8934c1a7a8b0d
Instruction Fuzzy Hash: 1AB1CFA2B2C786C5EA10AB65D8446FDA361FB89794F841236EA4C47BD9FF3CD940C310

Function 00007FF76DB2FA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2FAC4

Part of subcall function 00007FF76DB27934: GetCurrentProcess.KERNEL32(00007FF76DB30CCD), ref: 00007FF76DB27961

Strings

*?, xrefs: 00007FF76DB2FAEB
., xrefs: 00007FF76DB2FEE4

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: 168f1daba5b1f8a977fbc18ee969baf1391d071ec87f08fe52c037a9e69fce7f
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: 1451C363B29AD5C5EF10EFA298145B9A7A4FB4CBD8B844531DE1D17B89FE3CD0428310

Function 00007FF76DB32080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF76DB3210B

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 6f4b258e44143020a8db41995b31bbada6d0de1a272e311220f4200a43a421df
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: D6D1D332B2C686C7DB34DF15E58466AB7A1FB88784F858134CB4E57B48EA3CE941DB40

Function 00007FF76DAFB6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF76DAFBA9D), ref: 00007FF76DAFB6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF76DAFBA9D), ref: 00007FF76DAFB719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF76DAFBA9D), ref: 00007FF76DAFB743

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: 29651a884015a0906b4d12c2103a144478db5ac47bc542945f79c06c1d8d52bc
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: 5201F47571C781C2E710AF12F4905BAA365FB897C0F884135DA8D87B49EF3CD9059715

Function 00007FF76DB2FCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF76DB2FEE4

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: 3e6a27e97da1f1bb557b32893f975bea0fe482ae3c387bb882f7ef6b023a9f6b
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: 8E310A23B2C6D585F720AA2798047B9AA91AB9DBE4F848235DE5C47BC9FE3CD5018300

Function 00007FF76DB35AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF76DB35D45
RaiseException.KERNEL32 ref: 00007FF76DB35D56

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: 181310be264211ca89f98f05ece7a6f04776b6cc427eba01f5b3dba986d9adfa
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: 1FB17A73618B88CBEB15CF2AC8463687BE0F748B48F568831DA5D83BA8DB79D451C714

Function 00007FF76DB18DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB185E0: GetDC.USER32 ref: 00007FF76DB185EC
Part of subcall function 00007FF76DB185E0: GetDeviceCaps.GDI32 ref: 00007FF76DB185FD
Part of subcall function 00007FF76DB185E0: ReleaseDC.USER32 ref: 00007FF76DB1860A

GetObjectW.GDI32 ref: 00007FF76DB18E48

Part of subcall function 00007FF76DB190B0: GetDC.USER32 ref: 00007FF76DB190D9
Part of subcall function 00007FF76DB190B0: GetObjectW.GDI32 ref: 00007FF76DB19107
Part of subcall function 00007FF76DB190B0: ReleaseDC.USER32 ref: 00007FF76DB191BB

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: 580f52b2a066cfefa94ba0dd162161c40067bdcfc9e178091f47a25bf7c06b33
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: 9781392AB28A05C6EB119F6AD8406ACB371FB88B88F814132DE0D57B28EF38D545C350

Function 00007FF76DB1A2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF76DB1A315
GetNumberFormatW.KERNEL32 ref: 00007FF76DB1A371

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: e2c2eda1c74549810dd1edd43ab388c86004cc2018d84522f325020eb2d08258
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: 46112762A2CB81D5E661AF21E8006AAB360FF88B44F844135DA4D42A68EF3CA549C658

Function 00007FF76DB0126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB024C0: CreateFileW.KERNELBASE ref: 00007FF76DB0259B
Part of subcall function 00007FF76DB024C0: GetLastError.KERNEL32 ref: 00007FF76DB025AE
Part of subcall function 00007FF76DB024C0: CreateFileW.KERNEL32 ref: 00007FF76DB0260E
Part of subcall function 00007FF76DB024C0: GetLastError.KERNEL32 ref: 00007FF76DB02617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB015D0

Part of subcall function 00007FF76DB03980: MoveFileW.KERNEL32 ref: 00007FF76DB039BD
Part of subcall function 00007FF76DB03980: MoveFileW.KERNEL32 ref: 00007FF76DB03A34

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: ff8db0b7e6220f8763dd011d447b107dd9c9988147a577c1b56b2c29d4da8d2e
Instruction ID: 1ecf9daba967df8abbae2c4d929849e2886385a241619be1e53d69664fc2caa5
Opcode Fuzzy Hash: ff8db0b7e6220f8763dd011d447b107dd9c9988147a577c1b56b2c29d4da8d2e
Instruction Fuzzy Hash: 6E91C622B3CA41D2EB14EB66D444ABDA361FB58BC8F844036EE0D97B99EE3CD545C710

Function 00007FF76DB04EB0 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF76DB04EE2

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction ID: 430d54fc636415be61a4e4fc3563b21a8c09a17b9d0b47840671bc86711b782d
Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction Fuzzy Hash: 1D018F71D6D5C2C9FA31BB21A4147B6E390AFBE309FC40134D59C062ADFE3CA4888A34

Function 00007FF76DB28C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF76DB28DD3

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: d65bb873fb37c32126ba6f9b534ac76d0dfddd37bade645b41590e26d4d2c267
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: 77811A1BA3C1C2C2EA68BA16904057DA390EF58784FD41635DD0D87A9DFF3DE84AC761

Function 00007FF76DB289A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF76DB28B3A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: d39e7151c0890c916b47fdca89ea6a10ab3b903dd67e4a9f25365e0f70f04ea1
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: ED715A2BA3C2C2C6FB68AA2444442BDE3909F4A744F945535CD0D876DEFE2EE8468771

Function 00007FF76DB0C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF76DB0C97B

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: fd2f45bf35f84642f9c12f5637dd46a7ca8c3f6b03345dbef07e2974f1ba9260
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: 865190377286908BD724CF25E404A9EB3A5F388758F455126EF8A93B09DB3DE945CF40

Function 00007FF76DB2C838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF76DB2C874

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 1b56474348d66c7ce4cae04f083b2fb81fdfea3008e04c4c12dfc498a1fb9d86
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: 4B41B023728A44C6EA04DF2AE4182A9B3A1A75CFD0B899036DF4D87758FE3CD446C300

Function 00007FF76DB30D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF76DB30D24

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: 9abba5af6afe0934e64d2cccb2755ff42019c651fad957f8b8f4e1c33eb5cb79
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: F8B09224E2BA02C2EA093F11AC8229462A4BF4C700FD58039D14C82324EE6C24A55B21

Function 00007FF76DB13964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: aaf35787b3ad64d81b2c303eab78a269ee08332d605bf92331a8f4c9743c5aa5
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: 2B820663A2D6C1C6D716EF24D8446BCBB62E759B88F59813ACA4E07389FE3CD445C320

Function 00007FF76DAF76C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: f8736a2c7283acb3edd8fdf9fee09917ab904bfef06e21d97105c364e38abcaf
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: 85627D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF76DB153F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: 8eed238c346d73ec7b0d99a7b9dc465f55082d0955b60534d91554afa58005f0
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: 8E8200B3A1D6C18AD716DE28C8446FCBBB2F759B48F588136CA4D07789EA38D485C724

Function 00007FF76DB0BB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 1089aaf30c582fae8fb8b0c52f20c0b1a43ab962814d4e49e4a0bedc2947852b
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: 7F22E573B246508BD728CF15C89AE5E3766F799744B4B8228DF0ACB789EB38D505CB40

Function 00007FF76DB14B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: f2c44547e598d092118a0b23b9b305f7396824af69cabc5e3b5c1cc31d4a6cb3
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 6B32D173A28191CBE719DF24D950ABC77A2F758708F458139DA4E87B88EB3CE860C750

Function 00007FF76DAF7288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: 8bd9f93afa4754560292713b3175c16498d2e39b1ae5c9e391947456d079ca0e
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: B8C1ACB7B281908FE350CF7AE400A9D7BB1F39878CB515125DF59A3B09D639E605CB40

Function 00007FF76DB12D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: 9fe42d7b4de0b18421ad8af676dd062c30f7c215f21efd9181d15a5198f814b5
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: B4A13773E1C186C6EB26EA24D8057BDA792EBA9784FC54135DA4D47789FE3CD841C320

Function 00007FF76DB0AF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: f27b24dc413a70ac8b99a3a2608ae1886644396c0480f6edb12f2ea5810e496b
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: 39C10673A292E08DE302CBB5A4248FD3FB5E71D34DB4A4152EFA656B4ED6285201DF70

Function 00007FF76DAFA310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: 180ff80e60117ebda100846b6d9bceb8e72ed5f300f9c7f23b59cfa2996f4482
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 5491F063B2C58196EB11EF29D451AFDA721FB99788F841132EF4E07749EE38DA46C310

Function 00007FF76DB0B534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: 43c06133e714b8ed7c7a24f35225044020b64828d49a5bc97b7bcc7e97e34f13
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: BB611223B2C1D189EB11DF7585148FDBFA1A71D784B868032CF9E5764AEA3CE506CB24

Function 00007FF76DB121D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: a0ab4497e092ae486ecf4ea93c88378f6e0198e74405fe3b87bb352359dc9eac
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: 85511273A2C1918BE32A9F28A405B7DB752F798B44F844134DB4D4B68CEE3DE541CB50

Function 00007FF76DB12AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: 843ee3e7b715db562d4071eebb595631f2b0f611b338ac631d12e6213c93d16a
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: 423126B2A2C5818BD719EF16D96167EBBD1F759380F409038DB4A83B85EA3CE045C710

Function 00007FF76DB0DC70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction ID: 55642a10f092749edee653da8131a71e52bd7c1d522488125786302d34f964b8
Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction Fuzzy Hash: 23F0FE61F3C003C2FB7820287819B39A0569B99310FD44935E11FC6ACDFDADE8811129

Function 00007FF76DB23354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: 01562c2d36a9f3c34739ed7c47318393a6ac68f4a3c9ff2632059517001e9aa5
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 4DA0026692CC82D0E749AB10E8608B0A330FB58300BD10035F00D817BCFF7CA601D321

Function 00007FF76DAFD7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFD964

Strings

::$DATA, xrefs: 00007FF76DAFD812
::$INDEX_ROOT, xrefs: 00007FF76DAFD854
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF76DAFD86A
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF76DAFD85F
::$OBJECT_ID, xrefs: 00007FF76DAFD880
::$EA, xrefs: 00007FF76DAFD81D
::$REPARSE_POINT, xrefs: 00007FF76DAFD88B
::$BITMAP, xrefs: 00007FF76DAFD807
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF76DAFD875
::$FILE_NAME, xrefs: 00007FF76DAFD833
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF76DAFD849
::$INDEX_ALLOCATION, xrefs: 00007FF76DAFD83E
::$ATTRIBUTE_LIST, xrefs: 00007FF76DAFD7FC
::$EA_INFORMATION, xrefs: 00007FF76DAFD828

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: fc44dbfd106e66ad26630d810067bee7702886ae7b68d41755c36eb4d41d7e9a
Instruction ID: 39ebf160a0776197e6d39eead2459df3de7a8e2ad1cf134f4959730c4d3e4936
Opcode Fuzzy Hash: fc44dbfd106e66ad26630d810067bee7702886ae7b68d41755c36eb4d41d7e9a
Instruction Fuzzy Hash: 4D411836B29F01D8EB01AB64E4803E873B5FB48798F850236DA4C43B68FE78D555C390

Function 00007FF76DB22A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF76DB22A26
GetModuleHandleW.KERNEL32 ref: 00007FF76DB22A33
GetModuleHandleW.KERNEL32 ref: 00007FF76DB22A48
GetProcAddress.KERNEL32 ref: 00007FF76DB22A60
GetProcAddress.KERNEL32 ref: 00007FF76DB22A73
CreateEventW.KERNEL32 ref: 00007FF76DB22A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF76DB22AEB
CloseHandle.KERNEL32 ref: 00007FF76DB22AFD

Strings

WakeAllConditionVariable, xrefs: 00007FF76DB22A66
kernel32.dll, xrefs: 00007FF76DB22A41
SleepConditionVariableCS, xrefs: 00007FF76DB22A56
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF76DB22A2C

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 9022f654de8ff5f1c29558e7e55d5a2f5da9de89a85263932b9925ce351b7aec
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: 35212A69E3DA43D1FE69BB51E855574A3A0AF4D780FC50034C90E86BACFE7CE4459321

Function 00007FF76DB06A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB070A6

Part of subcall function 00007FF76DAF2004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF76DAF200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB070B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB070B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB070C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB070D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB070DC

Strings

\\?\, xrefs: 00007FF76DB06A57, 00007FF76DB06A66
UNC, xrefs: 00007FF76DB06BBF
DXGIDebug.dll, xrefs: 00007FF76DB06A18

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: 679bcbf7d584aa38b2e22764c1af6e01fe464e1a33c10589402711c3c672582b
Instruction ID: 8f5737c9028de07fcb0925349bb73d7de1c87be32aa7fd571fb4d4ed5eb84e0b
Opcode Fuzzy Hash: 679bcbf7d584aa38b2e22764c1af6e01fe464e1a33c10589402711c3c672582b
Instruction Fuzzy Hash: 1A12CE62A2CB42C1EB10EB65D4405BDA371EB49B88F904236DB5D07AA9EE7CD589C350

Function 00007FF76DB1A440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DAF129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76DAF1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1A72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1A735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1A73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1A741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1A747
EndDialog.USER32 ref: 00007FF76DB1A7BA

Strings

Software\WinRAR SFX, xrefs: 00007FF76DB1A52B, 00007FF76DB1A53A
GETPASSWORD1, xrefs: 00007FF76DB1A773

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: d20c2f114c9109beee27ce5cf2a2d2fb90c2edf5e9b936924732424cb653f975
Instruction ID: 0399642f27522586fe5399cac1c580fdc9b150712a06e32f884841e1cf079668
Opcode Fuzzy Hash: d20c2f114c9109beee27ce5cf2a2d2fb90c2edf5e9b936924732424cb653f975
Instruction Fuzzy Hash: C8B1B762F2D782C5FB00EB64D8446BC6372AB49394F904235DA5C26ADDFE7CE54AC314

Function 00007FF76DB16E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF76DB17E9B), ref: 00007FF76DB17080
CreateStreamOnHGlobal.COMBASE ref: 00007FF76DB170B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB17181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB17187

Strings

</html>, xrefs: 00007FF76DB16F72, 00007FF76DB16F81
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF76DB16ED5, 00007FF76DB16EE4
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF76DB16F2C, 00007FF76DB16F3B
<html>, xrefs: 00007FF76DB16F13

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 7d5a2165bcb14269ce88758dc811b505d41036279ac82267a240c61270d62392
Instruction ID: 8ea027417120e638f77ec02b84b56915978fd17caa76816ab811766507f16e8c
Opcode Fuzzy Hash: 7d5a2165bcb14269ce88758dc811b505d41036279ac82267a240c61270d62392
Instruction Fuzzy Hash: F1818F62F2CA42D5FB01EBA5D8402FDA372AB49784F800135DE1D57A9DFE78E50AC364

Function 00007FF76DB2E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2E7CD

Strings

nan, xrefs: 00007FF76DB2E6B8
nan(snan), xrefs: 00007FF76DB2E6F0
nan(ind), xrefs: 00007FF76DB2E706
inf, xrefs: 00007FF76DB2E6D6
NAN(SNAN), xrefs: 00007FF76DB2E6E5
INF, xrefs: 00007FF76DB2E6C3
NAN, xrefs: 00007FF76DB2E6B1
NAN(IND), xrefs: 00007FF76DB2E6FB

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 0902e3f6300090554bf5921eba8d5000189465d86a11622f7c1876c1d765c63b
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: F241CF32A19B85C9E701DF65E8417ED73A4EB18394F824636EE4C47B58EE3CD025C354

Function 00007FF76DB1F390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF76DB1F3CF
GetClassNameW.USER32 ref: 00007FF76DB1F3FC
GetWindowLongPtrW.USER32 ref: 00007FF76DB1F41D
SendMessageW.USER32 ref: 00007FF76DB1F437
GetObjectW.GDI32 ref: 00007FF76DB1F452
SendMessageW.USER32 ref: 00007FF76DB1F487
DeleteObject.GDI32 ref: 00007FF76DB1F490
GetWindow.USER32 ref: 00007FF76DB1F49E

Strings

STATIC, xrefs: 00007FF76DB1F402

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: 8f8e736da902cad3290539c3565d933cd6013383cec49327a5f0350bfe58844b
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: 01315226B2C652C6FA61BB12A9547B9A392BB8DBD0F840430DD4D47B5DEE3CD806C760

Function 00007FF76DB1AE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF76DB1AEAE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: 493bb756683c0f502fa6c34353b3ae233f261bbb9c96957f2e81e0adefd7b5ee
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: DA418121E2C652C2FB55AF16A814B7DA361AF8CB84FD44035D90D43B9CEF7CE94A8724

Function 00007FF76DB0B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF76DB0BA12
GetProcAddress.KERNEL32 ref: 00007FF76DB0BA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF76DB0BACA

Part of subcall function 00007FF76DB0DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF76DB0DDDF

Strings

CryptProtectMemory failed, xrefs: 00007FF76DB0BA80
Crypt32.dll, xrefs: 00007FF76DB0B9F0
CryptProtectMemory, xrefs: 00007FF76DB0BA08
CryptUnprotectMemory failed, xrefs: 00007FF76DB0BAC1
CryptUnprotectMemory, xrefs: 00007FF76DB0BA1F

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction ID: 845770ef7aca00ec23b7416c6b00cb661f3b9add0ff75b42dc77b1d9fd3fa0eb
Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction Fuzzy Hash: B2314C24F2DB06C1FE14AB16E960975A7A0AF4CB90FC54135C85E437ACFEBCE9419324

Function 00007FF76DB187D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB18DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB18DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB18DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB18DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB18DE0

Strings

, xrefs: 00007FF76DB18A55
, xrefs: 00007FF76DB188BE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: ab3e1cf375e14aa7788add7031566744a4a2a58747ae13a7e3943128d7c57d22
Instruction ID: ba46468eeeff14be08dccea9291b6eee9e6f7be67b8eff983f7c0dfe5b2055f8
Opcode Fuzzy Hash: ab3e1cf375e14aa7788add7031566744a4a2a58747ae13a7e3943128d7c57d22
Instruction Fuzzy Hash: A3F1CF66F2CB46E0EE11AB65D8441BDA362BB48B98F905235CA1D177DDFF7CE1808360

Function 00007FF76DB257EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF76DB2598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76DB25CAD
abort.LIBCMT ref: 00007FF76DB25CE1

Strings

csm, xrefs: 00007FF76DB258D1
csm, xrefs: 00007FF76DB259B1
csm, xrefs: 00007FF76DB25933

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: d2e8d7e5095ce76d487ced04bcd44d6ca4b82b3fae2d19a15c60edd7e39ba4d2
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: 69E18C7392C6C2CAE710AB24D4803BDB7A0FB49758F944135DA8D5769EFE38E485C714

Function 00007FF76DB04F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB04E24: SysAllocString.OLEAUT32 ref: 00007FF76DB04E5F

VariantClear.OLEAUT32 ref: 00007FF76DB05125

Strings

ROOT\CIMV2, xrefs: 00007FF76DB04F7B
WQL, xrefs: 00007FF76DB0502A
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF76DB05017
Name, xrefs: 00007FF76DB050F9
Windows 10, xrefs: 00007FF76DB0510A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: 44c6f05aa9d61386a0c48742e2860045017bd04761e2f47b4a29cf176bd61911
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 0A713A36A28B05C5EB10EF25D8905ADB7B4FB88B98F815136DA4D43B68EF7CD544C350

Function 00007FF76DB272EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF76DB274F3,?,?,?,00007FF76DB2525E,?,?,?,00007FF76DB25219), ref: 00007FF76DB27371
GetLastError.KERNEL32(?,?,00000000,00007FF76DB274F3,?,?,?,00007FF76DB2525E,?,?,?,00007FF76DB25219), ref: 00007FF76DB2737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF76DB274F3,?,?,?,00007FF76DB2525E,?,?,?,00007FF76DB25219), ref: 00007FF76DB273A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF76DB274F3,?,?,?,00007FF76DB2525E,?,?,?,00007FF76DB25219), ref: 00007FF76DB273EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF76DB274F3,?,?,?,00007FF76DB2525E,?,?,?,00007FF76DB25219), ref: 00007FF76DB273FB

Strings

api-ms-, xrefs: 00007FF76DB27391

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: 5c48cde4d4d8927faecae13f318fd97069b09aad76c3b778b94599211f38c620
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 9B31C422E3E682C1EE11BB06A800A75A294FF0CBA0F994535DD5D4B788FFBCE4418734

Function 00007FF76DB21604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF76DB21573,?,?,?,00007FF76DB2192A), ref: 00007FF76DB2162B
GetProcAddress.KERNEL32(?,?,?,00007FF76DB21573,?,?,?,00007FF76DB2192A), ref: 00007FF76DB21648
GetProcAddress.KERNEL32(?,?,?,00007FF76DB21573,?,?,?,00007FF76DB2192A), ref: 00007FF76DB21664

Strings

ReleaseSRWLockExclusive, xrefs: 00007FF76DB21653
AcquireSRWLockExclusive, xrefs: 00007FF76DB2163E
KERNEL32.DLL, xrefs: 00007FF76DB21624

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: bc6aa59c33c84ff108eba856be1e1059e248c4fe073488e6dce1d7fe5f753e1e
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: A9112A26A3DB82C1EE56AF00E94027DA2916F0C7D0FCD4435C81E0A75CFE7DA8449630

Function 00007FF76DB0ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB051A4: GetVersionExW.KERNEL32 ref: 00007FF76DB051D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF76DAF5AB4), ref: 00007FF76DB0ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF76DAF5AB4), ref: 00007FF76DB0ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF76DAF5AB4), ref: 00007FF76DB0EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF76DAF5AB4), ref: 00007FF76DB0EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF76DAF5AB4), ref: 00007FF76DB0EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF76DAF5AB4), ref: 00007FF76DB0EE05

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 9fedfcb0c15f4905c6e302d9669f29b65db3d51eef6a3ea0dac35cb965dd7fcf
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: 12518DB2B24651CAEB14DF65D8404AC77B1F74C788BA0403ADE0D97B58EF38D546C710

Function 00007FF76DB0F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF76DB0F074

Part of subcall function 00007FF76DB051A4: GetVersionExW.KERNEL32 ref: 00007FF76DB051D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF76DB0F096
FileTimeToSystemTime.KERNEL32 ref: 00007FF76DB0F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF76DB0F0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF76DB0F0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF76DB0F0CE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: 74b644b7722a9143fd917112034b01affce026c1e6133130094120a74cf0e322
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 51314766B24A51CEEB00DFB5E8801AC7370FB0C758B94503AEE0E97A58EF78D895C315

Function 00007FF76DB07918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB07C8C

Strings

.rar, xrefs: 00007FF76DB07969, 00007FF76DB07978
rar, xrefs: 00007FF76DB07A9B, 00007FF76DB07AAA, 00007FF76DB07B67, 00007FF76DB07B7C
sfx, xrefs: 00007FF76DB079F3, 00007FF76DB07A02
exe, xrefs: 00007FF76DB079AF, 00007FF76DB079BE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: 2782df0ac0d906a6dfd4afc5fd13043494203347564149d90fad9f6fe0172506
Instruction ID: 744799f54324f5d6eec2662e3dfd11953a6d87c1af1e0813e2520b4ac365148a
Opcode Fuzzy Hash: 2782df0ac0d906a6dfd4afc5fd13043494203347564149d90fad9f6fe0172506
Instruction Fuzzy Hash: D0A1C262E2CA46D0EB10AB25D4546BCA361BF48B98FD41235CD1D076EDEFBCE585C360

Function 00007FF76DB25CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF76DB25D58

Part of subcall function 00007FF76DB25210: abort.LIBCMT ref: 00007FF76DB25223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF76DB25DA3
abort.LIBCMT ref: 00007FF76DB25FD1

Strings

RCC, xrefs: 00007FF76DB25D74
MOC, xrefs: 00007FF76DB25D6C

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: 9c98fb941550a0fb49bdbbb78f46bfe51d8186a3d3569174d45c8ea288d63860
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: 05917E73A18B81CAE710EB65D4802BDB7A0F758788F94413AEA8D17B5DEF38D195CB10

Function 00007FF76DB24F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF76DB24FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF76DB25040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF76DB22F5E), ref: 00007FF76DB2508F

Strings

f, xrefs: 00007FF76DB24FBE
csm, xrefs: 00007FF76DB25026

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: d852ea3846284bb204075943aa0d80ad307d1540f4a08a6e33cb304f113f3dbb
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 6651A033A2D682C6EB14EB15E844A39B795FB48B98F918034DA1E4774CFF78E8418758

Function 00007FF76DAFCEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76DAFD03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFD0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFD0D7

Part of subcall function 00007FF76DAFDE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76DAFCF4B), ref: 00007FF76DAFDE27
Part of subcall function 00007FF76DAFDE04: GetLastError.KERNEL32 ref: 00007FF76DAFDE88
Part of subcall function 00007FF76DAFDE04: CloseHandle.KERNEL32 ref: 00007FF76DAFDE9B

Strings

SeRestorePrivilege, xrefs: 00007FF76DAFCF5E
SeSecurityPrivilege, xrefs: 00007FF76DAFCF3F

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 8e19f0960acccde70cdb6f4ae44bfdba7dde49cd3aecb391576d39059d5aab7f
Instruction ID: 6b3d9e71028b7e8d2c8f06d1aa497227e42ff04d0832adf79ce8582a07a4a2ed
Opcode Fuzzy Hash: 8e19f0960acccde70cdb6f4ae44bfdba7dde49cd3aecb391576d39059d5aab7f
Instruction Fuzzy Hash: 2251D362E2C742C5FB11FB65D8415BDA370AF897A4F880176DE1D1769AFE3CA885C220

Function 00007FF76DB17B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF76DB17B6F
GetWindowRect.USER32 ref: 00007FF76DB17BC0
ShowWindow.USER32 ref: 00007FF76DB17C96
ShowWindow.USER32 ref: 00007FF76DB17CC3

Strings

RarHtmlClassName, xrefs: 00007FF76DB17C4B

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction ID: c93b1d2a92d34dbbbce056639530f20cdb2b7c68367ab36db69d560e31bf9888
Opcode Fuzzy Hash: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction Fuzzy Hash: 3F519322A2C781C6EA25AF21E85477AE361FB8C780F844435DE4E47B5CEF7CE4458710

Function 00007FF76DB1FD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF76DB1FD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF76DB1FDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB1FE1B

Strings

sfxpar, xrefs: 00007FF76DB1FDB5
sfxcmd, xrefs: 00007FF76DB1FD3C

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: ce72e9bcdfddcf2667ebe4c513ec0d1727c59f1d3b739ca42450d660fec21911
Instruction ID: 26dd70beaaa12d7d4d3f926923044fe99aff85c31ccd1e14d6a82a92d9c2e287
Opcode Fuzzy Hash: ce72e9bcdfddcf2667ebe4c513ec0d1727c59f1d3b739ca42450d660fec21911
Instruction Fuzzy Hash: 49318132A28A05C4EF00EB6AE8841BCA372FB4CB98F941131DE5D57BADEE78D141C354

Function 00007FF76DB1FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF76DB1FF34, 00007FF76DB1FF99
RENAMEDLG, xrefs: 00007FF76DB1FF60

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: ba715d6b7a3b305b2c6be6ef852f5898c51ff2d0cce0ce08ae3350e6ad5f0dcd
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: F1210C66E2DA47C0FA12AF15F844574E361AB4D788FD44036D94D4326CEEBCE485C760

Function 00007FF76DB2BFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF76DB2BFD0
GetProcAddress.KERNEL32 ref: 00007FF76DB2BFE6
FreeLibrary.KERNEL32 ref: 00007FF76DB2C00B

Strings

mscoree.dll, xrefs: 00007FF76DB2BFC7
CorExitProcess, xrefs: 00007FF76DB2BFDF

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: 68de0e6ef72640d1c8741726e87499543d6a155e944b465252e2b972fed8f579
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: A0F06866A3DA42C1EF44AB51F850379A360EF8C790F851039D94F46A58FE7CD484D710

Function 00007FF76DB345C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB34605

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: 3d0936d96f1bebbaf82035ebb08a7ec42ef6756c4bfd41110f202b901b4c5f85
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: 6C81CF22E3C642C5F710AF65D8406BDA6A1BB4DB88F824135CD0E53B9DEFBDA445E320

Function 00007FF76DB03AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF76DB03BBB
CreateFileW.KERNEL32 ref: 00007FF76DB03C24
SetFileTime.KERNEL32 ref: 00007FF76DB03CEC
CloseHandle.KERNEL32 ref: 00007FF76DB03CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB03D2C

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: ed02a809717236ee1ed586c7e858dbefa1ed7ae72bbe3c8719455611c93ecd51
Instruction ID: c4481d07cf52dcb06c56f05fe188a9bc9403b7fd66a9298cad1fa6747218451a
Opcode Fuzzy Hash: ed02a809717236ee1ed586c7e858dbefa1ed7ae72bbe3c8719455611c93ecd51
Instruction Fuzzy Hash: 5651A122B2CB4299FB60EB65E444BBDA371AB4C7A8F804635DE1D867DCFE38D4458310

Function 00007FF76DB33F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF76DB34767), ref: 00007FF76DB33F91
WideCharToMultiByte.KERNEL32 ref: 00007FF76DB3406D
WriteFile.KERNEL32 ref: 00007FF76DB34093
WriteFile.KERNEL32 ref: 00007FF76DB340D2
GetLastError.KERNEL32 ref: 00007FF76DB3410A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: dc56928fa98b81ead44e51e7c0b7732d8c5060b93973e2855728f40716d6f544
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: BC51CE32A28A51C9E710DB25E8443ACBBB0FB4C798F858135DE4E57B98EF79D145C720

Function 00007FF76DB21E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF76DB04DF4), ref: 00007FF76DB21E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF76DB04DF4), ref: 00007FF76DB21F09
SysAllocString.OLEAUT32 ref: 00007FF76DB21F16

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction ID: efc28cf00b45acfb681b39c5950e6cc4565524cd2aded52ee7fd405085717a1e
Opcode Fuzzy Hash: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction Fuzzy Hash: 81419622A2D685C5EB14BF219850279A291EF0CBE4FD84634EA6D87BDDFF7DD1418320

Function 00007FF76DB2F414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF76DB2F536

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: dbd88efc9f2a3a2966ce4c304be37cd79275778aa9fe24228bce948d6aec4f7d
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 06410622B2DA82C1FA15AF13A814675A395BF4CBD0F894535DE5E4BB4CFE7CE4408320

Function 00007FF76DB356D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF76DB356FF
_set_statfp.LIBCMT ref: 00007FF76DB3571A
_set_statfp.LIBCMT ref: 00007FF76DB35736
_set_statfp.LIBCMT ref: 00007FF76DB35772

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 68fef63d04940238e428c7cd50e33fd9faf632965d676650c13a2c1c51a4f27a
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 52119D76E3CA17D1F6543124E54237991C16F4C3A0ECA4230EA7E0AEDEBEACA440622D

Function 00007FF76DB1FE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF76DB1FE41
GetMessageW.USER32 ref: 00007FF76DB1FE58
TranslateMessage.USER32 ref: 00007FF76DB1FE63
DispatchMessageW.USER32 ref: 00007FF76DB1FE6E
WaitForSingleObject.KERNEL32 ref: 00007FF76DB1FE7C

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 4847d567e479d37ab14284986ddbde28961284dc71fa549d1703d21bd6341736
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: B4F01222B3C546C2FB50AB30E855B7AA251FFECB05FC41030E54E81998EE2CD549C720

Function 00007FF76DB2625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF76DB26286
abort.LIBCMT ref: 00007FF76DB264EA

Strings

csm, xrefs: 00007FF76DB262AB
csm, xrefs: 00007FF76DB2641A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: b87734ab9b811d980aba195483d4ae423ea19daf315125a28c064ec2566e5c58
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: CA71AF7361C6C1C6D760AB25945077DBBA0EB09F88F948236DA9C07A8DFB2CD591C790

Function 00007FF76DB280F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB282ED

Strings

, xrefs: 00007FF76DB28276
*, xrefs: 00007FF76DB28221

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: d6f1b19e900bd44dee3a03e2efbc460d89cd1ec360f698f3b1fa77a3f6d548b9
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: D7517F7B92CA82CAE765AE28845537CBBB1FB0DB09F941135C64E412DDFF2CE481C625

Function 00007FF76DB31758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF76DB317CB
MultiByteToWideChar.KERNEL32 ref: 00007FF76DB31894
GetStringTypeW.KERNEL32 ref: 00007FF76DB318AE

Strings

$%s, xrefs: 00007FF76DB3175A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: 7271627e2a9f21ddb93d6cda04f524da17fd2969afed063816742b780cf9e1e7
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: C0419822B29781C6EB109F25D8003A9A295FB58BE8F894635DE1D47BC8FF7CE4458314

Function 00007FF76DB266A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB25210: abort.LIBCMT ref: 00007FF76DB25223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF76DB2674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF76DB26776

Strings

csm, xrefs: 00007FF76DB26876

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 9da3858651a2984dd017500a512d2767f22aa18ff72da6bfc1b793c28e63c613
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 9D514B73A2C781C7D620AB15A04027EB7B4FB8DB90F940135EA8D47B9AEF38E450CB50

Function 00007FF76DB34360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF76DB34446
WriteFile.KERNEL32 ref: 00007FF76DB34479
GetLastError.KERNEL32 ref: 00007FF76DB3449B

Strings

U, xrefs: 00007FF76DB34424

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 070d6d3d906aad1b751e952c246111b196fe8321bffe4f3da6093d5b0a267f5a
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 8741B32262DA85C2D7209F25E8447BAB760FB8CB94F854131EE4D87B48EF7DD445C710

Function 00007FF76DB190B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF76DB190D9
GetObjectW.GDI32 ref: 00007FF76DB19107
ReleaseDC.USER32 ref: 00007FF76DB191BB

Strings

, xrefs: 00007FF76DB19153

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: d7d4f64dd51dd2c0a49f3393b027cfbc3cd114d0dcfd65f6111e125aace7d6c1
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: E9313C3561874186EA04AF12B81962AB760F78DFD1F844539ED4E83B58DE3CE849CB10

Function 00007FF76DB0E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF76DB1317F,?,?,00001000,00007FF76DAFE51D), ref: 00007FF76DB0E8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF76DB1317F,?,?,00001000,00007FF76DAFE51D), ref: 00007FF76DB0E8CB
CreateEventW.KERNEL32(?,?,?,00007FF76DB1317F,?,?,00001000,00007FF76DAFE51D), ref: 00007FF76DB0E8E4

Strings

Thread pool initialization failed., xrefs: 00007FF76DB0E900

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: 4e90d9277c8961b473f9b26691c27a207be0bd0adb548d13ff50e90087609224
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: FB21E732E2D601C6F750AF24D4447AD72A2EB9CB0CF588134CA0D4A699EFBE9845C7A0

Function 00007FF76DB185E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF76DB185EC
GetDeviceCaps.GDI32 ref: 00007FF76DB185FD
ReleaseDC.USER32 ref: 00007FF76DB1860A

Strings

, xrefs: 00007FF76DB18610

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 1a9aafccecc54c4f2dc561666341dbdb1aa9269e9cc5b42f64036ae1c2eecd2f
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 8AE0CD20B1C641C2FB086F75B58903E5251974CBD0F554035D91F8375CDD3DC8C44310

Function 00007FF76DAFD1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF76DAFD46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFD554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFD55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFD560

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 2d452471b7d5dd184fe666455331b196c35d21b330d78aced89ac185778723fc
Instruction ID: 931b47f6eb6d2338834a30d3640224916abecd981cdbdeda9f360c5bf994014d
Opcode Fuzzy Hash: 2d452471b7d5dd184fe666455331b196c35d21b330d78aced89ac185778723fc
Instruction Fuzzy Hash: DBA19062A2CA82C1EE11EB65D8445EDA371FFC5784F845232EA8D03A99EF3CE944C710

Function 00007FF76DB10548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76DB105FC
SetLastError.KERNEL32 ref: 00007FF76DB10697

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5aa82b6364e12ec5417afa2caacf8d198bf7c475976c756bafdf9cf489c7b7c1
Instruction ID: 4f1e67dec26a9c3a6c905061d1f11dc650e779ab2501a02bf31dc7c2b2cec007
Opcode Fuzzy Hash: 5aa82b6364e12ec5417afa2caacf8d198bf7c475976c756bafdf9cf489c7b7c1
Instruction Fuzzy Hash: 8A51A462B28A42D5FB00AF65D8452FCA322EB89B98F804232DA5C57BDDFE7CD544C350

Function 00007FF76DB19D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF76DB19DBC
GetLastError.KERNEL32 ref: 00007FF76DB19E08
CreateDirectoryW.KERNEL32 ref: 00007FF76DB19F10
LocalFree.KERNEL32 ref: 00007FF76DB19F20

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction ID: 0c4563ab30ae394d271b84d5d600f8a8ec21ae2e3b00ee2f4098081ffb53f367
Opcode Fuzzy Hash: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction Fuzzy Hash: A9516232A2CB82C6EB509F21E84476EB375FB88B84F941139EA4D57A58EF3CD504CB10

Function 00007FF76DB2DB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2DBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF76DB2DC81
GetLastError.KERNEL32 ref: 00007FF76DB2DCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2DCD6

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: 611f548f9cbfe013c2cc86d12e70bf30e12248d45bdfb093f3b59518b54e7f36
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: 45419333A2C6C2C6F761AA10A4443B9E290EFD8BA0F948531DA4D46ADDFF7CD8418660

Function 00007FF76DB03980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF76DB039BD
MoveFileW.KERNEL32 ref: 00007FF76DB03A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB03AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB03AF1

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 1e191b709e62ef26e60e8f1d0cc24d6cdbe4e9a67f5d62f6318cd10f240089dc
Instruction ID: 5f9c2930020ff14e6ffcf1c10603ff2b26507dd1b32917ddd334f740dd4ea9ef
Opcode Fuzzy Hash: 1e191b709e62ef26e60e8f1d0cc24d6cdbe4e9a67f5d62f6318cd10f240089dc
Instruction Fuzzy Hash: A441BE62F38B91C4FB00EB75D8489AC6371BB48BA8F805235DE5D66B9DEF78D045C210

Function 00007FF76DB30B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF76DB2C45B), ref: 00007FF76DB30B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF76DB2C45B), ref: 00007FF76DB30BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF76DB2C45B), ref: 00007FF76DB30C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF76DB2C45B), ref: 00007FF76DB30C57

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 1578e7cb469302a70595848261c3e54534b206715924f1dea2954ae8e10aec86
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: D5215221A2CB51C1E624AF16A440129E6A4FF98BD0B894134DE8E63FD8EF7CE4529314

Function 00007FF76DB2D440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF76DB27F28,?,?,?,00007FF76DB29D35), ref: 00007FF76DB2D44A
SetLastError.KERNEL32(?,?,?,00007FF76DB27F28,?,?,?,00007FF76DB29D35), ref: 00007FF76DB2D4B2
SetLastError.KERNEL32(?,?,?,00007FF76DB27F28,?,?,?,00007FF76DB29D35), ref: 00007FF76DB2D4C8
abort.LIBCMT ref: 00007FF76DB2D4CE

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: 228f565894c6f9bb8b7d770f3f6ad014a47e03144065a1c3ef4e0ff83af9ee24
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: BC019216B2C682C2FA59B762B65523DD1615FCCB90FC40938D96E42BDEFD2CB8048270

Function 00007FF76DB18590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF76DB18598
GetDeviceCaps.GDI32 ref: 00007FF76DB185AE
GetDeviceCaps.GDI32 ref: 00007FF76DB185C2
ReleaseDC.USER32 ref: 00007FF76DB185D3

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: 28b5094714ba0cac2b161e177cc853697d99375609739349857d3c0d2b610a70
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 0AE01260F2D702C2FF09BF75685913AA291AF4C741F888579D81F86358FD3DA885C720

Function 00007FF76DAFE34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DAFE549

Strings

DXGIDebug.dll, xrefs: 00007FF76DAFE35A

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: 6f2cc4c21ac84bf77e587620cb9a44cf3404ae28cc3e8307b621819abafd7d0e
Instruction ID: 046eaad76931192e97c02518a7104356da4f46a79ae50ce6f82e2cd68b18c0dd
Opcode Fuzzy Hash: 6f2cc4c21ac84bf77e587620cb9a44cf3404ae28cc3e8307b621819abafd7d0e
Instruction Fuzzy Hash: 1071AC72A28B81C2EB14DB25E8406ADB3A4FB587D4F844236DBAC47B99EF78D551C300

Function 00007FF76DB2E1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2E237

Strings

e+000, xrefs: 00007FF76DB2E2DF
gfff, xrefs: 00007FF76DB2E362

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 797baa3b104e6213a66002109d28657d96ca2f78a99a8a0e7dbd534af2a0950e
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: 44511663B2C7C1C6E7259B36984077DAB91EB89B90F888235C69D87BD9FE2CD444C710

Function 00007FF76DB09408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DB095A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF76DB095E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB0959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF76DB095A2

Strings

SIZE, xrefs: 00007FF76DB09443

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: e0bc738575b9dfc7518a9e38475377609f14f4f1dbbb3954c7928ccc9b577437
Instruction ID: bb4f1c0621dacf3d1fe7c88bd5b7a222aeebbbdc83479dc96a67dadb63231699
Opcode Fuzzy Hash: e0bc738575b9dfc7518a9e38475377609f14f4f1dbbb3954c7928ccc9b577437
Instruction Fuzzy Hash: B541BF62A3C782D5EE10AB19E4457BDE360AF99790F848231EA9D426DEFE7CD540C710

Function 00007FF76DB2C2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76DB2C2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF76DB22CD5), ref: 00007FF76DB2C30B

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00007FF76DB2C2F9

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\file.exe
API String ID: 3307058713-4010620828
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 791ddd8f48895da79f583b6bdcf12a94154f6bd221915ad4eefc5afb1c96ae40
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: 13419073A2CA82C6EB15AF21A4401BDB7A4EF8CB94B844435E94D47B49FF3DE441C360

Function 00007FF76DB19B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76DAF255C: GetDlgItem.USER32 ref: 00007FF76DAF25AC
Part of subcall function 00007FF76DAF255C: SetWindowTextW.USER32 ref: 00007FF76DAF25C8

EndDialog.USER32 ref: 00007FF76DB19C24
SetDlgItemTextW.USER32 ref: 00007FF76DB19CAA

Strings

ASKNEXTVOL, xrefs: 00007FF76DB19B72

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 75a4ef6a6cdb84fc8c98b7401f85638b76a9530d4b428818baa7d4c6ec3066de
Instruction ID: 39d49f6657b8dfebdf2964d702f4b31a0faf46895df53c4c3f930c1173764316
Opcode Fuzzy Hash: 75a4ef6a6cdb84fc8c98b7401f85638b76a9530d4b428818baa7d4c6ec3066de
Instruction Fuzzy Hash: A9419362E2C682C1FA11BF12E9401BAA391AF8DBC0F944035DE4D4779DEF3DE8458760

Function 00007FF76DB09638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF76DB096EA

Part of subcall function 00007FF76DB10F68: WideCharToMultiByte.KERNEL32 ref: 00007FF76DB10F99

Strings

@%s, xrefs: 00007FF76DB096CE
$%s, xrefs: 00007FF76DB096D7

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: 68a48ed2e1c0e0206c74c6ff29327cee2e3377286c39bb21a1dc1e9c1d616045
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: B7318F72B2DA46D5EE10AF66E440AA9A3A0AB4C784F841032EE4D17B9DFE3DE505C750

Function 00007FF76DB2EB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF76DB2EB76
GetFileType.KERNEL32 ref: 00007FF76DB2EB8C

Strings

@, xrefs: 00007FF76DB2EBB7

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: 819df9cc466f92b81fee645565599f326efe41a6b2475055c56a9a2bf8a5f775
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: 8A216F23A2C6C2C1EB649B3698D413DA651EB49774F680335D66F467DCFE38D881D321

Function 00007FF76DB24078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76DB21D3E), ref: 00007FF76DB240BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76DB21D3E), ref: 00007FF76DB24102

Strings

csm, xrefs: 00007FF76DB240EF

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 3f4341a80e85357aa1ecfdf7f68820145071a12d57a09ff17945fa60d4e07e1e
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: AD115B32618B81C2EB209B15E44026AB7A1FB9CB84F584234DE8C07B58EF3CC591C700

Function 00007FF76DB0EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF76DB0E95F,?,?,?,00007FF76DB0463A,?,?,?), ref: 00007FF76DB0EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF76DB0E95F,?,?,?,00007FF76DB0463A,?,?,?), ref: 00007FF76DB0EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF76DB0EA78

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: b727ba76167a0668b7a2be7cb4e526d0f2d40fb4df4544b459645df71a424e81
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: 36E01A65E3D842C2F640B725DC828B8A2217F6D774FD40331D03E819E9BF6CA9459321

Function 00007FF76DB0A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF76DB0A447
FindResourceW.KERNEL32 ref: 00007FF76DB0A45D

Strings

RTL, xrefs: 00007FF76DB0A453

Memory Dump Source

Source File: 00000000.00000002.1455500039.00007FF76DAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DAF0000, based on PE: true

Associated: 00000000.00000002.1455480631.00007FF76DAF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455550821.00007FF76DB38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455582251.00007FF76DB54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455646543.00007FF76DB5E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76daf0000_file.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: 5791f1107a0da9c55e5a8d7ec80e773d38cc7588bd2195d559b88723e2d5a90e
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: BBD05E99F2DA02C2FF196B75E44973452505F1CF41FC94038C84E4A798FEACD088C762

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\????? ?????????.cmd

C:\Users\user\AppData\Local\Temp\IObit.Malware.Fighter.Pro-12.0.0.1433.exe

C:\Users\user\AppData\Local\Temp\crack.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: file.exePID: 5916, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 5916, Parent PID: 4056COMMON

Execution Graph

Windows Analysis Report
file.exe

Function 00007FF76DB20754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Function 00007FF76DB0A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Function 00007FF76DB18624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Function 00007FF76DB040BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Function 00007FF76DAF5E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586
COMMON

Function 00007FF76DB0DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Function 00007FF76DB21900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Function 00007FF76DB1F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Function 00007FF76DB1F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Function 00007FF76DB024C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Function 00007FF76DB1B014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Function 00007FF76DB1AE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Function 00007FF76DB191E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Function 00007FF76DB02CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Function 00007FF76DB203E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON