Edit tour

Windows Analysis Report
flashcenter_pp_ax_inst78ll_cn.exe

Overview

General Information

Sample name:	flashcenter_pp_ax_inst78ll_cn.exe
Analysis ID:	1567181
MD5:	72469bd8f1f59ddf5512635418b4dcfa
SHA1:	7319eff3e05f09169e94f68b365f4b765bba4682
SHA256:	d21de9b307b41aaab3ca9efdf78d15518fa40158eabeb8a06eca0373cf0068db
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

PE file contains section with special chars

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

flashcenter_pp_ax_inst78ll_cn.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe" MD5: 72469BD8F1F59DDF5512635418B4DCFA)

flashcenter_pp_ax_inst78ll_cn.tmp (PID: 4972 cmdline: "C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp" /SL5="$2042C,19484773,802304,C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe" MD5: 4AB29A55C7DDA14917A7D3E75504E7E1)

99e5df4d8.exe (PID: 5252 cmdline: "C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe" -p4f63a7bd -y -o"C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\" MD5: 1265F20F7C304FCD1B1E4E92A1C61266)

conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svaulpzg.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\svaulpzg.exe" MD5: 0A20FE1FA39C704C6292B05F367D634B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\WXFManager64.dll

Virustotal: Detection: 18%

Perma Link

Source: flashcenter_pp_ax_inst78ll_cn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: flashcenter_pp_ax_inst78ll_cn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\Courier\Courier\out\build\windows-release-x64\Release\ZipSendService.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe, 00000005.00000000.2159327028.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmp, vcruntime140_1.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmp, msvcp140.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmp, msvcp140.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: D:\a\Courier\Courier\out\build\windows-release-x64\Release\ZipSendService.pdbDD0GCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe, 00000005.00000000.2159327028.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmp, vcruntime140_1.dll.3.dr

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00405A8D FindFirstFileW,		3_2_00405A8D
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944EA3A0 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,		5_2_00007FFD944EA3A0

Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: http://www.winzip.com/authenticode.htm0
Source: flashcenter_pp_ax_inst78ll_cn.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp, 00000002.00000000.2127558309.0000000000431000.00000020.00000001.01000000.00000004.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp, 00000002.00000000.2127558309.0000000000431000.00000020.00000001.01000000.00000004.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	String found in binary or memory: https://www.ssl.com/repository0

System Summary

PE file contains section with special chars

Source: WXFManager64.dll.3.dr

Static PE information: section name: . vt

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00414F30	3_2_00414F30
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_0040704D	3_2_0040704D
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_004240A0	3_2_004240A0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_0041E1E0	3_2_0041E1E0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_004212C0	3_2_004212C0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00425360	3_2_00425360
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_004253EC	3_2_004253EC
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_004194A9	3_2_004194A9
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00426620	3_2_00426620
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_004226B0	3_2_004226B0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00402866	3_2_00402866
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_004248E0	3_2_004248E0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_0041E9A0	3_2_0041E9A0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00424AB0	3_2_00424AB0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00420CA9	3_2_00420CA9
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_0041DDB0	3_2_0041DDB0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BDBC40	5_2_00007FF7E3BDBC40
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BDF400	5_2_00007FF7E3BDF400
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BD23C0	5_2_00007FF7E3BD23C0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BDA680	5_2_00007FF7E3BDA680
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BD59B0	5_2_00007FF7E3BD59B0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BDF160	5_2_00007FF7E3BDF160
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944FF4CC	5_2_00007FFD944FF4CC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944F6490	5_2_00007FFD944F6490
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944EBDCC	5_2_00007FFD944EBDCC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94502D60	5_2_00007FFD94502D60
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94512E20	5_2_00007FFD94512E20
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD945135F0	5_2_00007FFD945135F0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944FAEAC	5_2_00007FFD944FAEAC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94515690	5_2_00007FFD94515690
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94517F58	5_2_00007FFD94517F58
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD9451A718	5_2_00007FFD9451A718
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD945117CC	5_2_00007FFD945117CC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944F67C0	5_2_00007FFD944F67C0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD9451A018	5_2_00007FFD9451A018
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD945147E0	5_2_00007FFD945147E0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94504898	5_2_00007FFD94504898
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94505130	5_2_00007FFD94505130
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD9450A9C0	5_2_00007FFD9450A9C0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD9450096C	5_2_00007FFD9450096C
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944EF220	5_2_00007FFD944EF220
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944EBA48	5_2_00007FFD944EBA48
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94503A10	5_2_00007FFD94503A10
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944F6B18	5_2_00007FFD944F6B18
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944ED3A8	5_2_00007FFD944ED3A8
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944F8B78	5_2_00007FFD944F8B78
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944F7364	5_2_00007FFD944F7364
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944FA38C	5_2_00007FFD944FA38C
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD94518BF8	5_2_00007FFD94518BF8
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA3733042	5_2_00007FFDA3733042
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA3561000	5_2_00007FFDA3561000
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA3732EDA	5_2_00007FFDA3732EDA
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA433635C	5_2_00007FFDA433635C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll A4C2229BDC2A2A630ACDC095B4D86008E5C3E3BC7773174354F3DA4F5BEB9CDE

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: String function: 00425A80 appears 186 times
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: String function: 00403BA5 appears 61 times

Source: flashcenter_pp_ax_inst78ll_cn.tmp.0.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: flashcenter_pp_ax_inst78ll_cn.exe	Static PE information: Number of sections : 11 > 10
Source: flashcenter_pp_ax_inst78ll_cn.tmp.0.dr	Static PE information: Number of sections : 11 > 10

Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000000.2123366862.00000000002E9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F4EB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.0000000002ABF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe	Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe	Binary or memory string: OriginalFilename7z.sfx.exe, vs flashcenter_pp_ax_inst78ll_cn.exe

Source: flashcenter_pp_ax_inst78ll_cn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@8/11@0/0

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

Code function: 5_2_00007FFD944EA880 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,

5_2_00007FFD944EA880

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

Code function: 5_2_00007FF7E3BDB970 CoCreateInstance,GetModuleFileNameW,

5_2_00007FF7E3BDB970

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

File created: C:\Users\user\AppData\Roaming\9430dad

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03

Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe

File created: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp

Jump to behavior

Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: flashcenter_pp_ax_inst78ll_cn.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe

File read: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe "C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	Process created: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp "C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp" /SL5="$2042C,19484773,802304,C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process created: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe "C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe" -p4f63a7bd -y -o"C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\"
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe "C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\svaulpzg.exe"
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	Process created: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp "C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp" /SL5="$2042C,19484773,802304,C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process created: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe "C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe" -p4f63a7bd -y -o"C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe "C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\svaulpzg.exe"	Jump to behavior

Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: wxfmanager64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: flashcenter_pp_ax_inst78ll_cn.exe

Static file information: File size 20442024 > 1048576

Source: flashcenter_pp_ax_inst78ll_cn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\Courier\Courier\out\build\windows-release-x64\Release\ZipSendService.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe, 00000005.00000000.2159327028.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmp, vcruntime140_1.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmp, msvcp140.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmp, msvcp140.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: D:\a\Courier\Courier\out\build\windows-release-x64\Release\ZipSendService.pdbDD0GCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe, 00000005.00000000.2159327028.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmp, vcruntime140_1.dll.3.dr

Source: msvcp140.dll.3.dr

Static PE information: 0xB3DF2F63 [Mon Aug 17 15:25:23 2065 UTC]

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

Code function: 5_2_00007FF7E3BDBC40 RegOpenKeyExW,RegQueryInfoKeyW,RegCloseKey,malloc,RegEnumValueW,memcpy,GetFileVersionInfoSizeW,malloc,GetFileVersionInfoW,VerQueryValueW,memcpy,free,free,RegCloseKey,RegOpenKeyExW,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,LoadLibraryW,GetProcAddress,FreeLibrary,SHDeleteKeyW,RegSetValueExW,RegCloseKey,

5_2_00007FF7E3BDBC40

Source: flashcenter_pp_ax_inst78ll_cn.exe	Static PE information: section name: .didata
Source: flashcenter_pp_ax_inst78ll_cn.tmp.0.dr	Static PE information: section name: .didata
Source: is-URMQG.tmp.2.dr	Static PE information: section name: .sxdata
Source: vcruntime140.dll.3.dr	Static PE information: section name: fothk
Source: vcruntime140.dll.3.dr	Static PE information: section name: _RDATA
Source: WXFManager64.dll.3.dr	Static PE information: section name: .00cfg
Source: WXFManager64.dll.3.dr	Static PE information: section name: .gxfg
Source: WXFManager64.dll.3.dr	Static PE information: section name: .retplne
Source: WXFManager64.dll.3.dr	Static PE information: section name: _RDATA
Source: WXFManager64.dll.3.dr	Static PE information: section name: . vt

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00425A80 push eax; ret	3_2_00425A9E
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00425E10 push eax; ret	3_2_00425E3E
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA356613F push r14; iretd	5_2_00007FFDA3566168
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA3562853 push rcx; iretd	5_2_00007FFDA3562854
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA35627E5 push rsi; ret	5_2_00007FFDA35627E6
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA3564FF7 push rsp; retf	5_2_00007FFDA3565009
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA35686A2 pushfq ; ret	5_2_00007FFDA35686AA

Source: WXFManager64.dll.3.dr	Static PE information: section name: .text entropy: 7.221036407638945
Source: WXFManager64.dll.3.dr	Static PE information: section name: . vt entropy: 7.917881220510166

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	File created: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	File created: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\WXFManager64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	File created: C:\Users\user\AppData\Roaming\9430dad\is-URMQG.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\_isetup\_setup64.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

API coverage: 1.1 %

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe	Code function: 3_2_00405A8D FindFirstFileW,		3_2_00405A8D
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD944EA3A0 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,		5_2_00007FFD944EA3A0

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe

Code function: 3_2_0040736E GetSystemInfo,

3_2_0040736E

Source: flashcenter_pp_ax_inst78ll_cn.exe, is-URMQG.tmp.2.dr

Binary or memory string: hgfS]

Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

Code function: 5_2_00007FF7E3BE20F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00007FF7E3BE20F0

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

Code function: 5_2_00007FF7E3BE24C0 GetLastError,IsDebuggerPresent,OutputDebugStringW,

5_2_00007FF7E3BE24C0

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

5_2_00007FF7E3BDBC40

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BE18DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF7E3BE18DC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BE20F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF7E3BE20F0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FF7E3BE22D0 SetUnhandledExceptionFilter,	5_2_00007FF7E3BE22D0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFD945323A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFD945323A0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA4340C18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDA4340C18
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: 5_2_00007FFDA54B4738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDA54B4738

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe

Code function: 3_2_00426100 cpuid

3_2_00426100

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: ___lc_locale_name_func,GetLocaleInfoEx,		5_2_00007FFD9450D830
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	Code function: GetLocaleInfoEx,FormatMessageA,		5_2_00007FFD944F207C

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe

Code function: 3_2_00407455 GetSystemTimeAsFileTime,

3_2_00407455

Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe

Code function: 3_2_00426040 GetVersion,

3_2_00426040

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
flashcenter_pp_ax_inst78ll_cn.exe	4%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\76809449335627201121797450\WXFManager64.dll	18%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\_isetup\_setup64.tmp	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	false	high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	flashcenter_pp_ax_inst78ll_cn.exe	false	high
http://ocsps.ssl.com0	99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	false	high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	false	high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	false	high
http://www.winzip.com/authenticode.htm0	99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	false	high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	false	high
https://www.remobjects.com/ps	flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp, 00000002.00000000.2127558309.0000000000431000.00000020.00000001.01000000.00000004.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp.0.dr	false	high
https://www.innosetup.com/	flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp, 00000002.00000000.2127558309.0000000000431000.00000020.00000001.01000000.00000004.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp.0.dr	false	high
https://www.ssl.com/repository0	99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567181
Start date and time:	2024-12-03 08:53:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	flashcenter_pp_ax_inst78ll_cn.exe
Detection:	MAL
Classification:	mal52.winEXE@8/11@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 86 Number of non-executed functions: 246
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
02:54:40	API Interceptor	1x Sleep call for process: svaulpzg.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll	iDvmIRCPBw.exe	Get hash	malicious	Unknown	Browse
	ZdXUGLQpoL.exe	Get hash	malicious	Unknown	Browse
	jaPB8q3WL1.exe	Get hash	malicious	Unknown	Browse
	yx7VCK1nxU.exe	Get hash	malicious	Unknown	Browse
	https://cdn-fastly.obsproject.com/downloads/OBS-Studio-30.2.3-Windows-Installer.exe	Get hash	malicious	Unknown	Browse
	https://github.com/GPSBabel/gpsbabel/releases/download/Continuous-Windows/GPSBabel-20240815T1150Z-e9b2084-Setup.exe	Get hash	malicious	Unknown	Browse
	https://cdn-fastly.obsproject.com/downloads/OBS-Studio-30.2.0-Windows-Installer.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\960AD1F5A671F16810.2f9

Download File

Process:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
File Type:	data
Category:	dropped
Size (bytes):	16491806
Entropy (8bit):	7.999988289903242
Encrypted:	true
SSDEEP:	196608:h0eR4R1zsUUUsTVwYq5IN4pNT//KAiLGXbrTUEv1u4oNnbCgqioJBAsGAu0XB9kG:h0e+IUUpTCyy/ukUq1lmOgqvMeXL4Bxk
MD5:	BFFE2D81B725B67C3B0BACA57724D31E
SHA1:	95C8FF27C508D42D4DC44C9D5D24A00A83E8A1AE
SHA-256:	17C546B857F8BD9C6AB5C42F80697CA4681C3574057DE9EB05C005A1BACE06DD
SHA-512:	841AFB92EB7E6EF28E87E9CC51B3BB3A362EEBD1501436B7B0191D4F268D409F4A0628B8F0F2D9645ABDA71122A6805FFFE4D31CB6166DF4A7F8E948A0F568C4
Malicious:	false
Reputation:	low
Preview:	..>.'.<...Z...G...H......>.........M:.....l!?JU..{.....ooo.dooxcooh..of....YKOoooooooo-X][+WW\.X_\V-)]WWV..V^V_-YoooooooooooooooooooooooooooooooooH..(H...$........H..(.@UATH.l$.H..h...D..H..$`...L..3.I..$eH..%`...L.d$PH.H.H......H.A0.x8....t H..H..u.....H..$`...H..h...A\].H.X.H..u..C.H..$`...H..h...A\].HcC<H..$P...D.......L..A.H H..A9P.........H..H......H.......8GuuH.......x.euhH.......x.tu[H.......x.PuNH.......x.ruAH.......x.ou4H.......x.cu'H.......x.Au.H.......x.du.H.......x.dt...H...A;P...c.........V...A.@$Hc.H.....HA.@.H....<.H..H.}.t..E.L.E.o.E.a.E.d.E.L.E.i.E.b.E.r.E.a.E.r.E.y.E.AH.U.H...E..H..$X.....H..H.E.H..u..F.......D$pV.D$qi.D$rr.D$st.D$tu.D$ua.D$vl.D$wA.D$xl.D$yl.D$zo.D${cH.T$pH...D$\|.L..$@.....L..H..u.A.F..g....D$XV.D$Yi.D$Zr.D$[t.D$\u.D$]a.D$^l.D$_F.D$`r.D$ae.D$beH.T$XH...D$c...H.E.H..u............E.n.E.t.E.d.E.l.E.l.E...E.d.E.l.E.lH.M..E....H..H..u..C.......E.m.E.e.E.m.E.c.E.p.E.yH.U.H...E..L..$H.....L..H..u.A.E......D$0R.D$1t.D$2l.D$3D.D$4e.D$5c.D$6o.D$7m.D$8p.D$9r

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\WXFManager64.dll

Download File

Process:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1929632
Entropy (8bit):	7.8296508043954764
Encrypted:	false
SSDEEP:	49152:WCDxnjhRW1rrAFJ9XGE+5vXF+jIcfB8/oJE:VLRg3mJpGE+5vaIcp8/oJE
MD5:	8843FCEF19B3259B56510D7B8C597A4A
SHA1:	8C9700AEE7CA03AE7DD5A28F52FDAD4E7AE97B81
SHA-256:	5B638D5706D1502A2B0A994C5F24D94431C8CDC409B2A4DF61EEC9DE44835667
SHA-512:	913413949FFB47D493F5F90CD0EB01AEE89AEE226F8298872FB7B23D037169DC5E642B283708619766DEF074FD317FA78098958DDC35F19F620F5A55A764408B
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 18%, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Ig.........." ................PU....................................................`..........................................Z......rc..<...........p........H...).......................................... ...@...........Pf...............................text............................... ..`.rdata..D...........................@..@.data...p!...........t..............@....pdata..`...........................@..@.00cfg..8...........................@..@.gxfg...............................@..@.retplne................................_RDATA....... ......................@..@. vt.........0...................... ..h.reloc...............<..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	6.529434803175356
Encrypted:	false
SSDEEP:	12288:rSTTigI46Bb3SUPvRgrKtzL4oaQEKZm+jWodEEVPLwtQB:rUStZaQEKZm+jWodEE9CQB
MD5:	72F3D84384E888BF0D38852EB863026B
SHA1:	8E6A0257591EB913AE7D0E975C56306B3F680B3F
SHA-256:	A4C2229BDC2A2A630ACDC095B4D86008E5C3E3BC7773174354F3DA4F5BEB9CDE
SHA-512:	6D53634BC51BD383358E0D55988D70AEE6ED3897BC6AE5E0D2413BED27ECFF4C8092020682CD089859023B02D9A1858AC42E64D59C38BA90FBAF89B656C539A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: iDvmIRCPBw.exe, Detection: malicious, Browse Filename: ZdXUGLQpoL.exe, Detection: malicious, Browse Filename: jaPB8q3WL1.exe, Detection: malicious, Browse Filename: yx7VCK1nxU.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H...0...H...0...H...H...H......H......H......H....._H......H....w..H......H..Rich.H..................PE..d...c/..........." ...(.6...X......0...............................................J,....`A.........................................2..h...X...,............p.. :...v..PP..............p...........................`...@............P..x............................text....4.......6.................. ..`.rdata.......P.......:..............@..@.data...p8...0......................@....pdata.. :...p...<...,..............@..@.rsrc................h..............@..@.reloc...............l..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

Download File

Process:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	148384
Entropy (8bit):	6.06949151748684
Encrypted:	false
SSDEEP:	3072:9zYLxFZzHKtlCa9SobrnEWXu7m2mySvl1Y/VP:nlCe/brnEWXuDSvLYF
MD5:	0A20FE1FA39C704C6292B05F367D634B
SHA1:	208F24227E53A01045E254497B6E5BAF3C312DD2
SHA-256:	802D983C1076B5D42555BC340178130113C35DE533956EE87346E56854382DF3
SHA-512:	B67D721CF502B20A4F7BBA130C09EF6879AE949F0D0B10357406F9D6F1F3AAAB16753079215E03D39B12947264541025B057044FA185F3CAD2B825606B8F2CC7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^h..0;..0;..0;..;..0;.(3:..0;.(4:..0;.(5:..0;.(1:..0;..4:..0;.)1:..0;..1:..0;..1;#.0;.)9:..0;.).;..0;...;..0;.)2:..0;Rich..0;........................PE..d......g.........."....).".....................@.............................p.......e....`.............................................................`R......X........)...`..h...p]..p...........................0\..@............@...............................text.... .......".................. ..`.rdata...r...@...t...&..............@..@.data...............................@....pdata..X...........................@..@.rsrc...`R.......T..................@..@.reloc..h....`......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119888
Entropy (8bit):	6.600983758182253
Encrypted:	false
SSDEEP:	1536:dI2v39UXigCBs29DdxfggO6vMMKZsY2ofRjoecbdhUwdJTzmZhTzC:diwskD8B6vMMEs5oGecbd2wHT0Te
MD5:	CAF9EDDED91C1F6C0022B278C16679AA
SHA1:	4812DA5EB86A93FB0ADC5BB60A4980EE8B0AD33A
SHA-256:	02C6AA0E6E624411A9F19B0360A7865AB15908E26024510E5C38A9C08362C35A
SHA-512:	32AC84642A9656609C45A6B649B222829BE572B5FDEB6D5D93ACEA203E02816CF6C06063334470E8106871BDC9F2F3C7F0D1D3E554DA1832BA1490F644E18362
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W..s/..:W..1/S.3W..8W...W..8W..9W......(W......'W......-W......9W....?.9W......9W..Rich8W..........PE..d................." ...(."...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...&..............@..@.data................j..............@....pdata...............n..............@..@_RDATA...............z..............@..@.rsrc................\|..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49640
Entropy (8bit):	6.698209069449079
Encrypted:	false
SSDEEP:	768:IzzO6ujT3MbR3vXCz6S5Mq83yJ9d3+DuO9zUgElq9z6m:Fq/XuA3o9dgzUZWz5
MD5:	2BD576CBC5CB712935EB1B10E4D312F5
SHA1:	DFA7A46012483837F47D8C870973A2DEA786D9FF
SHA-256:	7DD9AA02E271C68CA6D5F18D651D23A15D7259715AF43326578F7DDE27F37637
SHA-512:	ABBD3EB628D5B7809F49AE08E2436AF3D1B69F8A38DE71EDE3D0CB6E771C7758E35986A0DC0743B763AD91FD8190084EE5A5FBE1AC6159EB03690CCC14C64542
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..............p......6........pH.............6.......6.......6.......6.......6.$.....6.......Rich............PE..d...;AL..........." ...(.<...8.......@..............................................O.....`A........................................pm.......m..x....................r...O......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

Download File

Process:	C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3292160
Entropy (8bit):	6.587860518692336
Encrypted:	false
SSDEEP:	49152:gdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQ0333B9:SJYVM+LtVt3P/KuG2ONG9iqLRQ0333n
MD5:	4AB29A55C7DDA14917A7D3E75504E7E1
SHA1:	F086464C185781EB516D7B302C88BECD05F8147B
SHA-256:	11EE0AF6AFAC89AC3C5AD37C93C2E6864BFCC4EACC861D95C60CE02F868B620F
SHA-512:	9B0280C01FBB309B7AF2D03E88AE6D98D9DDD50A24F9DFDD8780943FD1E80D14120DA74DE58A5BF6CE157F92B5F8C147591E2E643D7D38D4D4BBA3F05EC2B551
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................v..................@...........................3...........@......@...................P,.n.....,.j:...P0.<.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...<....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18682465
Entropy (8bit):	7.999435767384203
Encrypted:	true
SSDEEP:	393216:f/uTWF93J9DnFaDYcdeJ7gzipurYopPAgzqzsPs7wp:uTWPsDeJszVpYgzqA
MD5:	1265F20F7C304FCD1B1E4E92A1C61266
SHA1:	673A9BB75331F4AA0921AD9D9185CA3B37EB15FB
SHA-256:	56DF24C94188AFA761F371E2CBF1D8C0FD800CCE73F8F8D5ADFEBADE480F516E
SHA-512:	C89EE347B3E9D523E4D757A850E42B2CBDAD08C196DC03FBF44A4192698AEDF77200DA9F0DC314E4DF982CA17391D46F9AC8576376A00CBE72E74E557432B524
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S"1..C_W.C_W.C_Wx\TW.C_W._QW.C_Wx\UW.C_Wx\[W.C_W.K.W.C_W.C^WmC_W.K.W.C_W!eTWEC_W..[V.C_W!eUW.C_W...W.C_W.1\V.C_W.EYW.C_WRich.C_W........PE..L.....f........../......x..........L^............@.............................................................................d....p...............................................................................................................text....v.......x.................. ..`.rdata..Ze.......f...\|..............@..@.data....V..........................@....sxdata......`......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\9430dad\is-URMQG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18682465
Entropy (8bit):	7.999435767384203
Encrypted:	true
SSDEEP:	393216:f/uTWF93J9DnFaDYcdeJ7gzipurYopPAgzqzsPs7wp:uTWPsDeJszVpYgzqA
MD5:	1265F20F7C304FCD1B1E4E92A1C61266
SHA1:	673A9BB75331F4AA0921AD9D9185CA3B37EB15FB
SHA-256:	56DF24C94188AFA761F371E2CBF1D8C0FD800CCE73F8F8D5ADFEBADE480F516E
SHA-512:	C89EE347B3E9D523E4D757A850E42B2CBDAD08C196DC03FBF44A4192698AEDF77200DA9F0DC314E4DF982CA17391D46F9AC8576376A00CBE72E74E557432B524
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S"1..C_W.C_W.C_Wx\TW.C_W._QW.C_Wx\UW.C_Wx\[W.C_W.K.W.C_W.C^WmC_W.K.W.C_W!eTWEC_W..[V.C_W!eUW.C_W...W.C_W.1\V.C_W.EYW.C_WRich.C_W........PE..L.....f........../......x..........L^............@.............................................................................d....p...............................................................................................................text....v.......x.................. ..`.rdata..Ze.......f...\|..............@..@.data....V..........................@....sxdata......`......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	308
Entropy (8bit):	5.1328862082984035
Encrypted:	false
SSDEEP:	6:AMuzkotkUCST3N7aZ5TVSvOrv1ov1AieN7aZ5TVSvOrv+s/F+KFo6papP:p/6bT9+HZtoqV+HZGs/cKW6AP
MD5:	8E35C2F3F2ABEBBD1E312D8FBA5DB66D
SHA1:	203CA9DB6192F8D9AB70B116C685E4B1B33C5FBE
SHA-256:	507F32FE79701EF86411BAEB22F9E7B8415750CA771CD6A2A54CED0829E30F69
SHA-512:	F089D47902C66D506FD783FF0ADA10F886A713943E9B41838D9C3A77B2B47674673F48C977C09ECB1125D2EB0E8F684992A705A2008157B22D234DFE5A44AFC2
Malicious:	false
Preview:	..7-Zip SFX 24.08 (x86) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11....Extracting archive: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe..--..Path = C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe..Type = 7z.... 0%. . 98% 1 - msvcp140.dll. .Everything is Ok..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.98992584185606
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	flashcenter_pp_ax_inst78ll_cn.exe
File size:	20'442'024 bytes
MD5:	72469bd8f1f59ddf5512635418b4dcfa
SHA1:	7319eff3e05f09169e94f68b365f4b765bba4682
SHA256:	d21de9b307b41aaab3ca9efdf78d15518fa40158eabeb8a06eca0373cf0068db
SHA512:	6161c6915496fe0c0ec4d4d8574dc8ac9ffebf6332d2b2b52f13b90282b85b39a5b17c23f9ac0517795d245021fb5b961e08833d65855e03c9ad07e412926ebb
SSDEEP:	393216:fn/uTWF93J9DnFaDYcdeJ7gzipurYopPAgzqzsPs7w1SY6:+TWPsDeJszVpYgzqHY6
TLSH:	B1273316B2CBD03EE0890B3A06B2B265D0FB76559A127E67D6F489BCCF250541E3E347
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	4c0f31edc9c16730

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F309105B7A5h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F30910ED12Bh
call 00007F30910ECC7Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F30910E7958h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F3091055853h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F30910E8C83h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F30910ED1B3h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F30910F3E9Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F30910E9578h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x64ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x64ac	0x6600	0146baaf6ce7487c463de56259f0bf57	False	0.6391697303921569	data	6.485422667963741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb4f8	0x304	PNG image data, 15 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0142487046632125
RT_ICON	0xcb7fc	0x54c	PNG image data, 23 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0081120943952802
RT_ICON	0xcbd48	0x79e	PNG image data, 30 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0056410256410255
RT_ICON	0xcc4e8	0xc90	PNG image data, 45 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0034203980099503
RT_ICON	0xcd178	0x11d1	PNG image data, 60 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0024117518088138
RT_STRING	0xce34c	0x3f8	data			0.3198818897637795
RT_STRING	0xce744	0x2dc	data			0.36475409836065575
RT_STRING	0xcea20	0x430	data			0.40578358208955223
RT_STRING	0xcee50	0x44c	data			0.38636363636363635
RT_STRING	0xcf29c	0x2d4	data			0.39226519337016574
RT_STRING	0xcf570	0xb8	data			0.6467391304347826
RT_STRING	0xcf628	0x9c	data			0.6410256410256411
RT_STRING	0xcf6c4	0x374	data			0.4230769230769231
RT_STRING	0xcfa38	0x398	data			0.3358695652173913
RT_STRING	0xcfdd0	0x368	data			0.3795871559633027
RT_STRING	0xd0138	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd03dc	0x10	data			1.5
RT_RCDATA	0xd03ec	0x310	data			0.6173469387755102
RT_RCDATA	0xd06fc	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0xd0728	0x4c	data	English	United States	0.868421052631579
RT_VERSION	0xd0774	0x584	data	English	United States	0.25920679886685555
RT_MANIFEST	0xd0cf8	0x7b3	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3389142567224759

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:54:36
Start date:	03/12/2024
Path:	C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"
Imagebase:	0x230000
File size:	20'442'024 bytes
MD5 hash:	72469BD8F1F59DDF5512635418B4DCFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:54:36
Start date:	03/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp" /SL5="$2042C,19484773,802304,C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"
Imagebase:	0x430000
File size:	3'292'160 bytes
MD5 hash:	4AB29A55C7DDA14917A7D3E75504E7E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:54:38
Start date:	03/12/2024
Path:	C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe" -p4f63a7bd -y -o"C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\"
Imagebase:	0x400000
File size:	18'682'465 bytes
MD5 hash:	1265F20F7C304FCD1B1E4E92A1C61266
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:54:38
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:54:39
Start date:	03/12/2024
Path:	C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\svaulpzg.exe"
Imagebase:	0x7ff7e3bd0000
File size:	148'384 bytes
MD5 hash:	0A20FE1FA39C704C6292B05F367D634B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	17

Executed Functions

Function 00414F30 Relevance: 7.9, APIs: 3, Strings: 1, Instructions: 894COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414F35

Part of subcall function 0041836A: _CxxThrowException.MSVCRT(?,0042C050), ref: 004183B3

Strings

, xrefs: 00414F81

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID:
API String ID: 461045715-3916222277
Opcode ID: 54ba90d0e3e1a2cd44b3a8127065b3736ec06a04d7834e202b5ebaa4a6c5cc2e
Instruction ID: 9730df7e2326ecd6f3b7c656d3358000a3777ff4a4df54740873238864095401
Opcode Fuzzy Hash: 54ba90d0e3e1a2cd44b3a8127065b3736ec06a04d7834e202b5ebaa4a6c5cc2e
Instruction Fuzzy Hash: 1A829F30900659DFDB15DFA8C884BEEBBB1BF48314F14419EE815AB391C738AE85CB65

Function 00405A8D Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405A6D: FindClose.KERNELBASE(00000000,000000FF,00405A9E), ref: 00405A78

FindFirstFileW.KERNELBASE(?,?), ref: 00405AAC

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d3e20e893d103623865192cbfbd50d7f980ab7106058d3680fa755dbd2b51631
Instruction ID: ed05b2355a57328246007ee694caf2b5fc6674e02e4ec3abcb408285466e3139
Opcode Fuzzy Hash: d3e20e893d103623865192cbfbd50d7f980ab7106058d3680fa755dbd2b51631
Instruction Fuzzy Hash: DBE0923020091857CF20AF64CCC55EB3768EF51318F104376A861A72D1E7389D4A8FA8

Function 0040100A Relevance: 46.1, APIs: 18, Strings: 8, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040100F

Part of subcall function 0041EBC0: GetVersion.KERNEL32 ref: 0041EBC7
Part of subcall function 0041EBC0: GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 0041EBDD
Part of subcall function 0041EBC0: GetProcAddress.KERNEL32(00000000), ref: 0041EBE4
Part of subcall function 0041EBC0: GetSystemDirectoryW.KERNEL32(?,00000106), ref: 0041EC07
Part of subcall function 0041EBC0: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0041EC8D

SetFileApisToOEM.KERNEL32 ref: 00401025
fputs.MSVCRT ref: 0040103D
GetCommandLineW.KERNEL32 ref: 0040104E

Part of subcall function 004023C8: __EH_prolog.LIBCMT ref: 004023CD

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Part of subcall function 0040542C: GetModuleFileNameW.KERNEL32(00000000,00000000,00000105), ref: 0040545C

fputs.MSVCRT ref: 004010B2
fputs.MSVCRT ref: 0040111F
fputs.MSVCRT ref: 0040113B
_CxxThrowException.MSVCRT(?,0042BC68), ref: 00401864

Part of subcall function 00401E69: fputs.MSVCRT ref: 00401E75

Part of subcall function 004024D3: __EH_prolog.LIBCMT ref: 004024D8

Strings

Error: , xrefs: 00401562
Can't open as archive, xrefs: 004016D9
GetFullPathName Error, xrefs: 004010AD
Archive Errors, xrefs: 0040170E
Sub items Errors: , xrefs: 00401740
ERROR: Unknown command:, xrefs: 004011E7
Open Errors: , xrefs: 00401785
Command line error:, xrefs: 0040111A

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs$H_prolog$FileModule$AddressApisCommandDirectoryExceptionHandleLibraryLineLoadNameProcSystemThrowVersionfree
String ID: Archive Errors$Can't open as archive$Command line error:$ERROR: Unknown command:$Error: $GetFullPathName Error$Open Errors: $Sub items Errors:
API String ID: 1316033296-2186481410
Opcode ID: a8d33f717df1afc205c6f6fc5be29a96f206f1e3117ba57bbeba55c80b253504
Instruction ID: 37754d37836912fedcf3d689fcb171cea941b93a5e0cdad8537999c6aa24026e
Opcode Fuzzy Hash: a8d33f717df1afc205c6f6fc5be29a96f206f1e3117ba57bbeba55c80b253504
Instruction Fuzzy Hash: 47428D31900259DFDF25EFA5D895AEDBBB4AF04304F1440AFE44AB72E2DB381A45CB19

Function 0041171E Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00411723
fputs.MSVCRT ref: 00411759
fputs.MSVCRT ref: 0041177E

Part of subcall function 00403CEE: fputc.MSVCRT ref: 00403CF5

Part of subcall function 00406F66: VariantClear.OLEAUT32(?), ref: 00406F88

SysFreeString.OLEAUT32(00000000), ref: 004118B0
fputs.MSVCRT ref: 004118D3
SysFreeString.OLEAUT32(00000000), ref: 0041196D
SysFreeString.OLEAUT32(00000000), ref: 004119B7

Strings

----, xrefs: 004118CE
Warning: The archive is open with offset, xrefs: 00411779
--, xrefs: 0041174E
Type, xrefs: 004117EB

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: FreeStringfputs$ClearH_prologVariantfputc
String ID: --$----$Type$Warning: The archive is open with offset
API String ID: 2072268484-1245056967
Opcode ID: fb3390146c81334d396c99daa6d3461159feaf5986877ce0f5b400962f183e80
Instruction ID: a3d5f6d9cfde6feea9fdbc4782c9a90494907b9087194ce7bf4d0a7410971838
Opcode Fuzzy Hash: fb3390146c81334d396c99daa6d3461159feaf5986877ce0f5b400962f183e80
Instruction Fuzzy Hash: D491AC71A10209EFDB14DFA5D981AEEB7B5FF48314F10412EE512A72A0DB38AD85CB58

Function 00425E4C Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00425E78
__p__fmode.MSVCRT ref: 00425E8D
__p__commode.MSVCRT ref: 00425E9B
__setusermatherr.MSVCRT ref: 00425EC8
_initterm.MSVCRT ref: 00425EDE
__getmainargs.MSVCRT ref: 00425F01
_initterm.MSVCRT ref: 00425F11
__p___initenv.MSVCRT ref: 00425F16
exit.KERNELBASE ref: 00425F36
_XcptFilter.MSVCRT ref: 00425F48

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 167530163-0
Opcode ID: d4e87e20f13268a2368b37537ec0d8a4c7ebd2ceb8382e40c53da9a686bd4e22
Instruction ID: 5d8486ae153206ccce82f6c4c9ba7e61262e203fc83edcfd9949eb2a5c758f24
Opcode Fuzzy Hash: d4e87e20f13268a2368b37537ec0d8a4c7ebd2ceb8382e40c53da9a686bd4e22
Instruction Fuzzy Hash: 16318575A00719EFDB14DFA0ED4AEAD7B74FB08321F50022AF515A32A0DB785900CF28

Function 004110B7 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004110BC
fputs.MSVCRT ref: 004111D2
fputs.MSVCRT ref: 004112BA
fputs.MSVCRT ref: 004113D2
fputs.MSVCRT ref: 00411421

Part of subcall function 00403CDF: fflush.MSVCRT ref: 00403CE1

Part of subcall function 00403D01: __EH_prolog.LIBCMT ref: 00403D06

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Strings

Can't allocate required memory, xrefs: 0041141C
WARNINGS:, xrefs: 0041127B, 004112B5
ERRORS:, xrefs: 00411193, 004111CD

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs$H_prolog$fflushfree
String ID: Can't allocate required memory$ERRORS:$WARNINGS:
API String ID: 1750297421-1898165966
Opcode ID: 3337441fc7a0776c9f4238b91f1044a6ef0d067e4b8c70e6cfac88f835a85e45
Instruction ID: 33d289f6b5c606ebc4a1115891c26e2319c58622cdac9781428c791bf3c2c158
Opcode Fuzzy Hash: 3337441fc7a0776c9f4238b91f1044a6ef0d067e4b8c70e6cfac88f835a85e45
Instruction Fuzzy Hash: 2FB1A4306017059FEB24DF61C891BEAB7E1BF44308F04852FD65AA76A1CB39BD84CB59

Function 004114D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004114DE
EnterCriticalSection.KERNEL32(00430538), ref: 004114F4
fputs.MSVCRT ref: 00411586
fputs.MSVCRT ref: 004115CC
fputs.MSVCRT ref: 00411652
fputs.MSVCRT ref: 0041166F

Part of subcall function 004123AF: fputs.MSVCRT ref: 00412418

Part of subcall function 00403D01: __EH_prolog.LIBCMT ref: 00403D06

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

LeaveCriticalSection.KERNEL32(00430538), ref: 004116BD

Strings

Sub items Errors: , xrefs: 004115C7

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs$CriticalH_prologSection$EnterLeavefree
String ID: Sub items Errors:
API String ID: 777174534-2637271492
Opcode ID: c1a4c0227faf2a1eb2b0c2454e411b2b285b3bc7d7242277324e758b1d64e425
Instruction ID: c436f3324885b6c5f0cde1dde4f741d5a44cae6dcfed69199f3fe9034af22f22
Opcode Fuzzy Hash: c1a4c0227faf2a1eb2b0c2454e411b2b285b3bc7d7242277324e758b1d64e425
Instruction Fuzzy Hash: 36519D32601600DFDB25DF65D884AEABBE2FF84310F54852FE15B97261DB3A6D90CB09

Function 0040739D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 004073C1
GetProcAddress.KERNEL32(00000000), ref: 004073C8
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004073D6
GlobalMemoryStatus.KERNEL32(?), ref: 00407408

Strings

kernel32.dll, xrefs: 004073AB
GlobalMemoryStatusEx, xrefs: 004073A6
, xrefs: 00407400
@, xrefs: 004073BA

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: GlobalMemoryStatus$AddressHandleModuleProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 180289352-802862622
Opcode ID: 2a986c63f2b6fa7951a361114db15d026d7f1eb5d0adc5c4a8a9ed1fa11470ce
Instruction ID: bd3d2fabc704362d9ca5d338a6c6718327ec6968a32443d636c6e2c65d652486
Opcode Fuzzy Hash: 2a986c63f2b6fa7951a361114db15d026d7f1eb5d0adc5c4a8a9ed1fa11470ce
Instruction Fuzzy Hash: 41113970E04219DBEB20DF94D989BAEBBF5FB04341F50042AE942F7280D778B844DB59

Function 00401190 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 004011EC
_CxxThrowException.MSVCRT(?,0042BC88), ref: 004012F2
_CxxThrowException.MSVCRT(?,0042BC78), ref: 00401307

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Strings

Error: , xrefs: 00401562

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ExceptionThrow$fputsfree
String ID: Error:
API String ID: 3322102733-1682980639
Opcode ID: cb713b701b404916949d04a6c4d16adeee2ca955423f9cf93048dcc92e8eafc9
Instruction ID: 4a2e7b9742cb2017b67176a9351b53f13f8677fefdef250d775b56a696d96fcd
Opcode Fuzzy Hash: cb713b701b404916949d04a6c4d16adeee2ca955423f9cf93048dcc92e8eafc9
Instruction Fuzzy Hash: 3FE16C31900259DEDF21EFA4C991BEDBBB4AF14304F1444AFE449B72A2DB385A49CF25

Function 00404CBA Relevance: 7.7, APIs: 5, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00404CBF
_CxxThrowException.MSVCRT(?,0042BC78), ref: 00404CE5
wcscmp.MSVCRT ref: 00404D83
wcscmp.MSVCRT ref: 00404DDD
wcscmp.MSVCRT ref: 00404DED

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: wcscmp$ExceptionH_prologThrow
String ID:
API String ID: 2750596395-0
Opcode ID: 589eae14b945e66ded5d862d77fd0a401752f7eb3523f6666398b11f1596b00b
Instruction ID: a49034ca18766dd2985d6115f704c3eb646d16e2e938f66f16f9e822e2dcca93
Opcode Fuzzy Hash: 589eae14b945e66ded5d862d77fd0a401752f7eb3523f6666398b11f1596b00b
Instruction Fuzzy Hash: 4791BF71D002499FCF15DFA8C845AEEBBB0BF95304F54806EE500B72D1CB385A45CB58

Function 00417DFD Relevance: 7.7, APIs: 5, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00417E02

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6465af3b85f9c6ec0544edb33d8b4d85580d0812a5a0e51c2c98df890fa78ea5
Instruction ID: fc13bfd809c8fc2b6a0ab506a486224924f27f492ec3e4f1722cabba43a86d91
Opcode Fuzzy Hash: 6465af3b85f9c6ec0544edb33d8b4d85580d0812a5a0e51c2c98df890fa78ea5
Instruction Fuzzy Hash: 9A519B76A043159FDB10DFA4C881BFFB7B5BF88314F14441AE905AB341D778AD868BA8

Function 0041086D Relevance: 7.7, APIs: 5, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 00410878
fputs.MSVCRT ref: 00410924
fputs.MSVCRT ref: 0041099C
fputs.MSVCRT ref: 004109B6
LeaveCriticalSection.KERNEL32(00430538,?), ref: 00410A46

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs$CriticalSection$EnterLeave
String ID:
API String ID: 1081906680-0
Opcode ID: 4b232bbd17f4a76d09bbce54b306d6d23778686cbaaac9dcbf2d7c0cfa658c83
Instruction ID: 027993372e94a90fe108f72b057ff34fb2b178c490f9bd66c7364564f43692ce
Opcode Fuzzy Hash: 4b232bbd17f4a76d09bbce54b306d6d23778686cbaaac9dcbf2d7c0cfa658c83
Instruction Fuzzy Hash: 7351D231604306DFEB24DF20C955BEA7BA1FF48314F04842FE45A6B291CBB8A9D5CB59

Function 00405C98 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00405C9D
SetLastError.KERNEL32(00000002,?,?,0000FBEF,:$DATA,?,00000000,00000000,?,00000001), ref: 00405DEC

Part of subcall function 00405C98: wcscmp.MSVCRT ref: 00405FC6

Part of subcall function 00405C89: GetFileAttributesW.KERNELBASE(?,00405FE7,?,?,0000002A,?,?,00000000,?,00000001), ref: 00405C8A

Strings

:$DATA, xrefs: 00405D02, 00405D14

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AttributesErrorFileH_prologLastwcscmp
String ID: :$DATA
API String ID: 3506966624-2587938151
Opcode ID: 87bfde631d3deb79e08e3bd7bfe69129d78864a065144b55b4a4eba179ff856b
Instruction ID: 07b953e3390746c4a9dc82bd7aadb35804c006ab05ede8c66105daedd2d37e57
Opcode Fuzzy Hash: 87bfde631d3deb79e08e3bd7bfe69129d78864a065144b55b4a4eba179ff856b
Instruction Fuzzy Hash: E6C1D030900A059ADF25EFA5C485AEEBBB5EF14318F10813FE882772D2DB3D5A55CB18

Function 0040EFA5 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040EFAA

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Part of subcall function 0040ED49: __EH_prolog.LIBCMT ref: 0040ED4E

Strings

.001, xrefs: 0040F188
Split, xrefs: 0040F125
.exe, xrefs: 0040F0E3

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID: .001$.exe$Split
API String ID: 3744649731-1819480430
Opcode ID: 8a5e57ecd8d467f13b4767564fc4cb883c967624f50ec570ad460c2d1a20d4bb
Instruction ID: 6ee4b62a70a765373665152c840579a13589d10806b9eb9c9327f76c0b6f4a6d
Opcode Fuzzy Hash: 8a5e57ecd8d467f13b4767564fc4cb883c967624f50ec570ad460c2d1a20d4bb
Instruction Fuzzy Hash: 8AA1D334A00205DBCF21DFA5C445BAEBBB4AF45314F1445BEE845BB6D2CB39AE49CB14

Function 00411A47 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00411A4C
fputs.MSVCRT ref: 00411A61
fputs.MSVCRT ref: 00411A6A

Part of subcall function 00411AD2: __EH_prolog.LIBCMT ref: 00411AD7
Part of subcall function 00411AD2: fputs.MSVCRT ref: 00411B17
Part of subcall function 00411AD2: fputs.MSVCRT ref: 00411BA6

Strings

= , xrefs: 00411A65

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs$H_prolog
String ID: =
API String ID: 2614055831-2525689732
Opcode ID: cb02bf5d739171821884010db5d4c3a9afc62b04c47f741bb3b2f8847e761e53
Instruction ID: 4685179e67a5387b9933c8bac1fb032a3b631e83bc1fbaf7f8a336648ebc960e
Opcode Fuzzy Hash: cb02bf5d739171821884010db5d4c3a9afc62b04c47f741bb3b2f8847e761e53
Instruction Fuzzy Hash: 84012831A00005ABDF15BF66D802BEE7F79AF80359F00402FF841622A1CB7C5A91CB9A

Function 00424660 Relevance: 6.0, APIs: 4, Instructions: 38
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042466A
GetLastError.KERNEL32(?,000000FF), ref: 0042467B
CloseHandle.KERNELBASE(00000000,?,000000FF), ref: 0042468F
GetLastError.KERNEL32(?,000000FF), ref: 00424699

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ErrorLast$CloseHandleObjectSingleWait
String ID:
API String ID: 1796208289-0
Opcode ID: 9ad817bcdee8a37bd63ddf115caa5bcabacb03681436272bee2871554aa3e524
Instruction ID: 0e6695afe9b1d70dfe2be0eee00a61d69e8467993ccb29156463d7536a55e89f
Opcode Fuzzy Hash: 9ad817bcdee8a37bd63ddf115caa5bcabacb03681436272bee2871554aa3e524
Instruction Fuzzy Hash: 01F05E713046324BDB305AB9AC44A1776DCDFD2774BA10737E960C33D0DA6CCC028A68

Function 0040C369 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 733COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C36E

Part of subcall function 004062C4: GetLastError.KERNEL32(0040CC4F,?,00000001,?,00000010,00000000,00000000), ref: 004062C4

Part of subcall function 0040CF00: __EH_prolog.LIBCMT ref: 0040CF05

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Strings

Cannot find archive file, xrefs: 0040C526, 0040CC56
The item is a directory, xrefs: 0040C539

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ErrorLastfree
String ID: Cannot find archive file$The item is a directory
API String ID: 683690243-1569138187
Opcode ID: d4b52d7e044e471e1c830f5b7b4d30bcba43f6748932abe95ee6bd99c13eb021
Instruction ID: b5a1b32bc12d711d5e0a8161568501f8c01d54cd71bc8ef7c26888fa0a065d70
Opcode Fuzzy Hash: d4b52d7e044e471e1c830f5b7b4d30bcba43f6748932abe95ee6bd99c13eb021
Instruction Fuzzy Hash: D6724970900258DFDB21DF68C884BDEBBB5AF59304F1441AAE849B7392C778AE81CF55

Function 004124E9 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0041250B
fputs.MSVCRT ref: 0041271D

Strings

. , xrefs: 0041269B

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CountTickfputs
String ID: .
API String ID: 290905099-4150638102
Opcode ID: 62978d2e05be1da6066eb87697aec2cc0ac5a4a437e1c063d05335f7abfea39d
Instruction ID: cb26736c674bc8d9c7ca26a32cfd03a69c5f5ceaab9adc37427ae5af0aaaee1d
Opcode Fuzzy Hash: 62978d2e05be1da6066eb87697aec2cc0ac5a4a437e1c063d05335f7abfea39d
Instruction Fuzzy Hash: 21814C30600B459FCB25DF65C6D0AABB7F6AF40304F10482EE496D7691DBB8F989CB18

Function 00416E44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 0040739D: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 004073C1
Part of subcall function 0040739D: GetProcAddress.KERNEL32(00000000), ref: 004073C8
Part of subcall function 0040739D: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004073D6

__aulldiv.LIBCMT ref: 00416ECD
__aulldiv.LIBCMT ref: 00416ED9

Strings

3333, xrefs: 00416EB7

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
String ID: 3333
API String ID: 3520896023-2924271548
Opcode ID: 14d98df592c1ed9401447ad19b8c5cbbf4c4088a852356cff76e661ec3d3721c
Instruction ID: 5119751143de8b55060969e9aa1b5a70445e0105ff33e8ddafc95c9096c2d0b2
Opcode Fuzzy Hash: 14d98df592c1ed9401447ad19b8c5cbbf4c4088a852356cff76e661ec3d3721c
Instruction Fuzzy Hash: 6521B7B5A00704AFE730DF6A9881A6FFAF8EB84714F44892FB145D3641D674ED408B59

Function 00411E83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411E88

Part of subcall function 00412153: GetVersionExW.KERNEL32(?), ref: 0041216D

fputs.MSVCRT ref: 00411EBF

Strings

Unsupported Windows version, xrefs: 00411EBA

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prologVersionfputs
String ID: Unsupported Windows version
API String ID: 1051792753-2397968907
Opcode ID: 6c2c40629df218334bec5ec3bc1302cec0765b107ed07878728180e7a12435a0
Instruction ID: a092db236a47294cc3f6e096509d2604d9432d6bca79f67c2c86b4b3dc796ef4
Opcode Fuzzy Hash: 6c2c40629df218334bec5ec3bc1302cec0765b107ed07878728180e7a12435a0
Instruction Fuzzy Hash: 8C01D871900245EFDB00EF99E9567EE77B0EB04329F20465FE502B31A1D7B81A458F59

Function 004063E4 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,?,80004004,80004004,?,?,?,?,0040646C,80004004,80004004,00000000,?,0040666B,00000000), ref: 00406404
GetLastError.KERNEL32(?,0040646C,80004004,80004004,00000000,?,0040666B,00000000,?,00000000,?,?,?,?,0040AE79,?), ref: 00406411

Part of subcall function 00406389: SetFilePointer.KERNEL32(?,00000000,?,00000001,00000000,?,?,?,00406427,?,?,0040646C,80004004,80004004,00000000,?), ref: 0040639D
Part of subcall function 00406389: GetLastError.KERNEL32(?,00406427,?,?,0040646C,80004004,80004004,00000000,?,0040666B,00000000,?,00000000,?,?,?), ref: 004063AA

SetLastError.KERNEL32(00000000,?,?,0040646C,80004004,80004004,00000000,?,0040666B,00000000,?,00000000,?,?,?), ref: 00406428

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 0b05d6185b408afcdee46b4b0f28ff2912608ed381f3cb98e0708fe1c876e7e2
Instruction ID: 864dc6c6c593cf8bf19505ec3c4d2a71f9220abb1ddbe6d7f18ae570c31cdd18
Opcode Fuzzy Hash: 0b05d6185b408afcdee46b4b0f28ff2912608ed381f3cb98e0708fe1c876e7e2
Instruction Fuzzy Hash: 89018475300208AFCB119F68EC45A9F3BE9AF48320F51813AF906E7391D6758D119668

Function 00405759 Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040575E
CreateDirectoryW.KERNELBASE(?,00000000,80004004,00000000), ref: 0040576E
GetLastError.KERNEL32(?,00000000,80004004,00000000), ref: 0040577C

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CreateDirectoryErrorH_prologLast
String ID:
API String ID: 2841023564-0
Opcode ID: 9cacd7261072eef841eea90e155f46b680eb7036377b12a0fd961b6c2ca1e33c
Instruction ID: 079377e55826ee0f4379d49620bbc90c1195ddaef26b68593b7f8623b37cd9bc
Opcode Fuzzy Hash: 9cacd7261072eef841eea90e155f46b680eb7036377b12a0fd961b6c2ca1e33c
Instruction Fuzzy Hash: E2F06D75A01A18DEDB14AF54E985AEF7778EB15348F50003EE802B72D2CA385E06DE69

Function 0040E825 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E82A

Strings

Split, xrefs: 0040E97F

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID: Split
API String ID: 3519838083-1882502421
Opcode ID: bbca351a3752bb955aacaa789748a3f82b9a69272ada15e68eeb157a7eb85066
Instruction ID: 736ae2316e5d0145198b9a3bf66f2ac6d4ce90c3458676da96f14d14a3bbf3ba
Opcode Fuzzy Hash: bbca351a3752bb955aacaa789748a3f82b9a69272ada15e68eeb157a7eb85066
Instruction Fuzzy Hash: 6F025070A00249DFDB11DFA6C884AAEBBB5BF08304F14887EE446BB391D739AD55CB54

Function 0040CF6F Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CF74

Part of subcall function 00405618: __EH_prolog.LIBCMT ref: 0040561D

Strings

Cannot create output directory, xrefs: 0040D32C

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID: Cannot create output directory
API String ID: 3519838083-1181934277
Opcode ID: 0a2daac4de3efc79e484f2d5e690c8759645e8bb826c42a2e8713bfbc5c64fdf
Instruction ID: 1cab3c87023adceb4cf1cff07f82d3cc3a0dce552b336292f606194224630fe1
Opcode Fuzzy Hash: 0a2daac4de3efc79e484f2d5e690c8759645e8bb826c42a2e8713bfbc5c64fdf
Instruction Fuzzy Hash: 2FF18E31D00249DFCF11EFE4C8949EEBBB5AF59308F14806EE84577292DB389A49CB55

Function 0040A565 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A56A

Part of subcall function 00409F0A: __EH_prolog.LIBCMT ref: 00409F0F

Part of subcall function 0040D993: __EH_prolog.LIBCMT ref: 0040D998

Part of subcall function 0040A130: __EH_prolog.LIBCMT ref: 0040A135

Part of subcall function 0040A23C: __EH_prolog.LIBCMT ref: 0040A241

Strings

Cannot seek to begin of file, xrefs: 0040A8C0

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID: Cannot seek to begin of file
API String ID: 3519838083-2298593816
Opcode ID: 8332cf66c7340a2e0d8a83573379208fd480841702d1361402cef0b3b1fd7fd2
Instruction ID: ecade97c4e2ac40fd8b16c0bf8f986f2c90cabb7ab41a2d788bc46ed2bc5babc
Opcode Fuzzy Hash: 8332cf66c7340a2e0d8a83573379208fd480841702d1361402cef0b3b1fd7fd2
Instruction Fuzzy Hash: B6C1F171A003419EDB21DB64C484BAEBBF4AF40304F14887FE486B72D2DB78AD55C75A

Function 004123AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

fputs.MSVCRT ref: 00412418

Part of subcall function 00402CC8: _CxxThrowException.MSVCRT(00000000,0042C050), ref: 00402CEA

Strings

, xrefs: 004123E7

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ExceptionThrowfputs
String ID:
API String ID: 1334390793-399585960
Opcode ID: ec99868a2370106556cac535b7a6e100cd634181ff94c6eddc8767ec8ac5bdfa
Instruction ID: d8e4c1249425f7f36e7589520ef7ed907c8d3a90e64baa80d70663753212215a
Opcode Fuzzy Hash: ec99868a2370106556cac535b7a6e100cd634181ff94c6eddc8767ec8ac5bdfa
Instruction Fuzzy Hash: 6711DD716047049FEB25CF59D881BAABBE6FF4A304F44406EE186CB281C7B9BC54CB64

Function 00410DC7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00410E4B

Strings

Open, xrefs: 00410E7D

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs
String ID: Open
API String ID: 1795875747-71445658
Opcode ID: ae14ebf0cd98cf96a64dc60231d62bdc906b1897b720879a927c219a97561d33
Instruction ID: b3d4efdce60f7cf7a5ac5682edf5dbbf603c16c6f2166bcf7d74fcf7ccc6ffd6
Opcode Fuzzy Hash: ae14ebf0cd98cf96a64dc60231d62bdc906b1897b720879a927c219a97561d33
Instruction Fuzzy Hash: A811EE321047449FE721EF32D891ADBBBA5BF10314F00882FE49A83291DB766994CF49

Function 0040A23C Relevance: 3.3, APIs: 2, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A241

Part of subcall function 00405C98: __EH_prolog.LIBCMT ref: 00405C9D

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 3cad1ab7b769f2d1acacac0414ec1099ca9b1d7be8c662c3c923ed6bed840f9a
Instruction ID: 119d2db5184c98bb620e655760488671e2cf7285567f933d7f5c7ab3a4145e28
Opcode Fuzzy Hash: 3cad1ab7b769f2d1acacac0414ec1099ca9b1d7be8c662c3c923ed6bed840f9a
Instruction Fuzzy Hash: F291D431900204ABCF21EFA5D885AAEBBB5AF85308F14403FE841B72D1CB395E55CB5A

Function 0041923A Relevance: 3.2, APIs: 2, Instructions: 188COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041923F
_CxxThrowException.MSVCRT(?,0042E810), ref: 00419459

Part of subcall function 00414F30: __EH_prolog.LIBCMT ref: 00414F35

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 5b91504e9a128caa8ba8520bba2a7aec4533bf77359d1d494c76c090470ab4c4
Instruction ID: 4dd68368b573ab2b3fbb2926aa4f54af7d60f28f21f52d43cd7d550c9688040f
Opcode Fuzzy Hash: 5b91504e9a128caa8ba8520bba2a7aec4533bf77359d1d494c76c090470ab4c4
Instruction Fuzzy Hash: 2B816D70D00159DFCB11DFA4C891AEEBBB5BF09308F10809AE455B7292DB38AE95CF64

Function 00405618 Relevance: 3.1, APIs: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040561D

Part of subcall function 00405C89: GetFileAttributesW.KERNELBASE(?,00405FE7,?,?,0000002A,?,?,00000000,?,00000001), ref: 00405C8A

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: 7307f15d7dcd26a1028437531f8b3d46531374772733964b746c2e4a545ecfa4
Instruction ID: 1ec97c357641f2a95409124c811880a2bc8558c2d5f8d70d5842d2e5aa1dfbfc
Opcode Fuzzy Hash: 7307f15d7dcd26a1028437531f8b3d46531374772733964b746c2e4a545ecfa4
Instruction Fuzzy Hash: 96318A31900916DACF24ABA8C5814FFB775EF11318F90047BD802B72D1DB3A6E469FA9

Function 00419F2B Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419F30

Part of subcall function 00419C39: __EH_prolog.LIBCMT ref: 00419C3E

_CxxThrowException.MSVCRT(?,0042E810), ref: 00419F7B

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: f3ed8672d2c2e4200345710861aa6959bc24473354d3664b997b8fe4b6267530
Instruction ID: 46f78fe5ae91ca0ba6bfca82b63fd184bcf2fa2220459aed858054068ed78b21
Opcode Fuzzy Hash: f3ed8672d2c2e4200345710861aa6959bc24473354d3664b997b8fe4b6267530
Instruction Fuzzy Hash: 0401DF32500248BFDF118F54C816BEE7BA4EB45314F44414AF4489B211C3BA9990CBA4

Function 004246C0 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 004246D4
GetLastError.KERNEL32 ref: 004246E8

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: 84ad473c3d34086ae7fede349773d0ba2c5fd96f40ec9ed9a40fef1eb1428159
Instruction ID: 467cfe1d8112a966019ebae5ced0304520bc6109d9d80bdd01151506748d1c69
Opcode Fuzzy Hash: 84ad473c3d34086ae7fede349773d0ba2c5fd96f40ec9ed9a40fef1eb1428159
Instruction Fuzzy Hash: C2E0CDB63042115FF3109B54AC01F7771DCDBD0701F80443EBA44CA180E6A5CD00C379

Function 0040735B Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0040737C), ref: 00407360
GetProcessAffinityMask.KERNEL32(00000000), ref: 00407367

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 81c132c54f17672c127dd815764c6083acefeaec05c63578e1865d3c67dcce40
Instruction ID: 6c427cee417cddacfba452fddf0a978d30e57e06aa7b4599873eb5b06c94d529
Opcode Fuzzy Hash: 81c132c54f17672c127dd815764c6083acefeaec05c63578e1865d3c67dcce40
Instruction Fuzzy Hash: C9B092B1500108ABCE209BA09D0CC163B2CBB052017508464B101C2010C636C802CB24

Function 004105CF Relevance: 2.5, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 004105D7
LeaveCriticalSection.KERNEL32(00430538), ref: 00410616

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 233e16de90028f4b419763472694496bf6d9b53b4615fc2cbc689a092118ae32
Instruction ID: 685853894ae39eee227984b1d0e7600127116368531782c57f48b05f3866eb5d
Opcode Fuzzy Hash: 233e16de90028f4b419763472694496bf6d9b53b4615fc2cbc689a092118ae32
Instruction Fuzzy Hash: 04F058346412109FD318DF16C808FAA37A1AFD5315F1A80BEE00587362CB78CCC6CB94

Function 00403B71 Relevance: 2.5, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00403B84
_CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: 3e791b120deac60a940b24b1a74ec80c1e3bf78372a8eec457417a2a87f4d28b
Instruction ID: 413c76808b874f20dff1fc6092fe03bbab6c47668a85a4a3cdc964c164a5b717
Opcode Fuzzy Hash: 3e791b120deac60a940b24b1a74ec80c1e3bf78372a8eec457417a2a87f4d28b
Instruction Fuzzy Hash: E2E0CD3120460C69DF105F50D8467AD3F7C5F10355F809026FC0C5D142C278D7D48744

Function 00416494 Relevance: 2.1, APIs: 1, Instructions: 649COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416499

Part of subcall function 00415A25: memset.MSVCRT ref: 00415A39

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prologfreememset
String ID:
API String ID: 743394225-0
Opcode ID: ecb5d9f32fce810a4cf2dad596e34102d691c2a121b38bb246af0aaa1a2a0c01
Instruction ID: 2c44f47edba988f8aeb80a4babf8dfcf021c45bdc66655be1d995d0b6d76fbbe
Opcode Fuzzy Hash: ecb5d9f32fce810a4cf2dad596e34102d691c2a121b38bb246af0aaa1a2a0c01
Instruction Fuzzy Hash: B5528170900249DFDB15CFA8C588BEEBBB5AF49304F19409EE445AB391DB38DE85CB25

Function 0040F345 Relevance: 2.0, APIs: 1, Instructions: 488COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F34A

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1aee6a2b02e4ed9202893e1c1d1e0e5268040115cd70fa0940a311bbe32e592f
Instruction ID: 82ec2a547574f120ef1af248452345df4ce190c02b8900f5607f34d2821a8202
Opcode Fuzzy Hash: 1aee6a2b02e4ed9202893e1c1d1e0e5268040115cd70fa0940a311bbe32e592f
Instruction Fuzzy Hash: 5B128F71D00209DFCF24DFA4C984ADEBBB5AF45314F2441BAE445BB291DB38AE49CB15

Function 0040AA7B Relevance: 1.7, APIs: 1, Instructions: 243COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AA80

Part of subcall function 0040A565: __EH_prolog.LIBCMT ref: 0040A56A

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 65ca0c2dc067e8dd7b604a56fa9051946c2790ea55eaf7037d4eae63aaf6ad7c
Instruction ID: 0ab7f169d6ce1dd3c498451d8d56829bda81e7c46dbb63c9e1e9485555b509e8
Opcode Fuzzy Hash: 65ca0c2dc067e8dd7b604a56fa9051946c2790ea55eaf7037d4eae63aaf6ad7c
Instruction Fuzzy Hash: 57A1B071504385DFDB21DF68C190AAABBE1BF15300F54887FE58AAB781D338A954CB1A

Function 00419C39 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419C3E

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 814c2577e94aeeae8925f0f2e3e4d1bac3cdb935e3642a6643956ec4685baf12
Instruction ID: 1255ca181abffa466eb45554b4903856dd8a335ef0234f0ec3abff0dd25b2713
Opcode Fuzzy Hash: 814c2577e94aeeae8925f0f2e3e4d1bac3cdb935e3642a6643956ec4685baf12
Instruction Fuzzy Hash: F5A1A930A04646AFDB29DF65C4907EEFBF1BF18304F10452EE55AA3291C779AD80CB99

Function 0040ED49 Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040ED4E

Part of subcall function 0040E825: __EH_prolog.LIBCMT ref: 0040E82A

Part of subcall function 0040C1DC: __EH_prolog.LIBCMT ref: 0040C1E1

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 1563f0183111ff3756f6a4956a005afc579fd9423b9086b0a952e52ce037ac1c
Instruction ID: f06d9fa28c26d18b38afae9a2a45c1291361f954b2c40a63c05487aefbd1d087
Opcode Fuzzy Hash: 1563f0183111ff3756f6a4956a005afc579fd9423b9086b0a952e52ce037ac1c
Instruction Fuzzy Hash: CF51B570600206AFDB24EF62C891DAEBBB9AF54308F10487FF141B72D1DB78A945CB54

Function 0040F9E0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F9E5

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Part of subcall function 0040FB8E: __EH_prolog.LIBCMT ref: 0040FB93

Part of subcall function 0040F345: __EH_prolog.LIBCMT ref: 0040F34A

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreemalloc
String ID:
API String ID: 2423332413-0
Opcode ID: 7218004ae5ef1fe9806936a0f038da38e3923b5432e8bd4cb542ba0030af2ccb
Instruction ID: f917c622738c18646c6016d604920ad8a146ceec9960691556415646441905d3
Opcode Fuzzy Hash: 7218004ae5ef1fe9806936a0f038da38e3923b5432e8bd4cb542ba0030af2ccb
Instruction Fuzzy Hash: C9518131900605DFCB25DFA5C48499EBBB4AF08328F14827FE455B76D2CB38AA45CF54

Function 00417701 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417706

Part of subcall function 00419F2B: __EH_prolog.LIBCMT ref: 00419F30
Part of subcall function 00419F2B: _CxxThrowException.MSVCRT(?,0042E810), ref: 00419F7B

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 83cab5e49b25565b3939891e45a9a10d77df0106bca05394c1e75b10824dee2a
Instruction ID: bd9aade3164a5327875f6b72e53f7940bc2ea94ed18cba3f1a24b0faa07c9e4a
Opcode Fuzzy Hash: 83cab5e49b25565b3939891e45a9a10d77df0106bca05394c1e75b10824dee2a
Instruction Fuzzy Hash: 1B515D74904249DFCB11DFA8C888BDEBBB4AF49304F1444AEE44AD7341C779AE85DB21

Function 00412ED4 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412ED9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9d3f9eba52a6049b96d43d4433ba62f4fc9a9c7786f44eb93216ddbc3de23f8f
Instruction ID: d11674bc6fe02063f26dadcb6afdd03e26e0ef6b4e536af382a12bfe63abda49
Opcode Fuzzy Hash: 9d3f9eba52a6049b96d43d4433ba62f4fc9a9c7786f44eb93216ddbc3de23f8f
Instruction Fuzzy Hash: 82518A74A00606CFCB14CF68C5809ABFBB2FF49304B10895EE5929B750D375E9A2DF94

Function 00416171 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416176

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a997c84d03bd27bc7c58f18df43cd408c6534c18cfdddf53a5232f7de0750d7b
Instruction ID: 8cea611797d63b8bfc20365acd018897896d5ffa812fa3ec194bbb2aa7859777
Opcode Fuzzy Hash: a997c84d03bd27bc7c58f18df43cd408c6534c18cfdddf53a5232f7de0750d7b
Instruction Fuzzy Hash: F541C070A00256EFDB20CF54C488BAABBE0BF15314F1586AED49A97791C774EDC0CB44

Function 0040AF6F Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AF74

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 99f0c1ea61ba1c17496419a7e591ea91786ec0a304dbe574bacff4d7304d9231
Instruction ID: 5b8ce99cd93288b9b3622ce56f3a952f4719c764294ef63b1931a13ebe5bf3d5
Opcode Fuzzy Hash: 99f0c1ea61ba1c17496419a7e591ea91786ec0a304dbe574bacff4d7304d9231
Instruction Fuzzy Hash: 4211B2B1900B909FD765DF24C48099BBBA4BF84308F44886FE0876B642D738BC04C715

Function 0040B564 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B569

Part of subcall function 00405C98: __EH_prolog.LIBCMT ref: 00405C9D

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Part of subcall function 004062C4: GetLastError.KERNEL32(0040CC4F,?,00000001,?,00000010,00000000,00000000), ref: 004062C4

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ErrorLastfree
String ID:
API String ID: 683690243-0
Opcode ID: 7e91c0dde115849d1ad0c908fe74a0a5c3d4acead8dbe92c6034b86eb64ab493
Instruction ID: fb4660edd494918f797c6894fe9440a752d3d01a1d336716f1c709085ebbaccd
Opcode Fuzzy Hash: 7e91c0dde115849d1ad0c908fe74a0a5c3d4acead8dbe92c6034b86eb64ab493
Instruction Fuzzy Hash: F901AD726407009EC725FF76D8929DEBBB5EF55314B00463FE883636D2CB78A609CA58

Function 004050AF Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004050B4

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: de6ac51bcd99ab72591421d5a9ffce9123d6af97c8a1c3ffa7523416d85887b9
Instruction ID: 280b33d701c2ecb1cb4dae2fac1941bf42244302b9ad5706c5af4e40132ac7de
Opcode Fuzzy Hash: de6ac51bcd99ab72591421d5a9ffce9123d6af97c8a1c3ffa7523416d85887b9
Instruction Fuzzy Hash: 38014B72B00A219FCB209F9DD4C191EFBE5FB88754761863FE499E7390CAB59C408B58

Function 0040ADA9 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040ADAE

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 179cfd55bd690a9624279460b47188c0f2cab1c0c399eb3132e33efedfce8100
Instruction ID: a45f0e56605284764902bbf4f31209531414a1f933827dee0c0a0f48ea1503d5
Opcode Fuzzy Hash: 179cfd55bd690a9624279460b47188c0f2cab1c0c399eb3132e33efedfce8100
Instruction Fuzzy Hash: E401FC30608344AFC705CF69D084EAABBA9FF45304F4480FEE0059B212C2799844CB65

Function 00413856 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041385B

Part of subcall function 004139DF: __EH_prolog.LIBCMT ref: 004139E4

Part of subcall function 00413989: __EH_prolog.LIBCMT ref: 0041398E

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Part of subcall function 004138CF: __EH_prolog.LIBCMT ref: 004138D4

Part of subcall function 00413938: __EH_prolog.LIBCMT ref: 0041393D

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: aab47c9550c61e81e4e4e96012b6a7bc3c1ee662ec5293290cb8e2509aa26bae
Instruction ID: e175e7f10f43f6cca05f6be96f189574f0e094f52caf40dd2350f9aae9621fc3
Opcode Fuzzy Hash: aab47c9550c61e81e4e4e96012b6a7bc3c1ee662ec5293290cb8e2509aa26bae
Instruction Fuzzy Hash: D0F0D170914A60DEEB19EF68D81639CBBE0AF04308F50429FE092622D2CBBC2B04874D

Function 004061C1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004061C6

Part of subcall function 00405C98: __EH_prolog.LIBCMT ref: 00405C9D

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4a6112fb950159eaf5e83c92a170fb4a182376475d04aa02fba525872de66c1e
Instruction ID: e5ddfb142680ed3c69e4bb472637a6dcbd7afa6831621fbacd83d8a3cc0fb80d
Opcode Fuzzy Hash: 4a6112fb950159eaf5e83c92a170fb4a182376475d04aa02fba525872de66c1e
Instruction Fuzzy Hash: 2CF08932D415049ADB15EB94E991BEEB374DF1535DF10016FE852771C2CB396E09CA18

Function 0040649E Relevance: 1.5, APIs: 1, Instructions: 34timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32(00000018,00000000,000000FF,00000000,00000013,80000000,00000000,?,?,?,00000018,00000018,?,00406515,?,00000013), ref: 004064E9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 59be36acff0148b2a6399661b1d03899d1d288337076d1e5c4a00da86c42ff5d
Instruction ID: 49423b807954fbf5132eddd10db361c8cf6ef33813656f7b93e5a35af05f7635
Opcode Fuzzy Hash: 59be36acff0148b2a6399661b1d03899d1d288337076d1e5c4a00da86c42ff5d
Instruction Fuzzy Hash: 1CF0F630100248BFEF228F14CD05BEA3FA8AB05324F14426EF9A6622E1C375DE20C758

Function 00416DC8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416DCD

Part of subcall function 00416E44: __aulldiv.LIBCMT ref: 00416ECD

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog__aulldiv
String ID:
API String ID: 4125985754-0
Opcode ID: 8bf19885dd5ea0e2f94d69bfacb549f2fcc5b7e4eebcd9df4adba7efa0999e04
Instruction ID: f8137897850cfe31c0c95d7590cf4b9d67ad1fbb95bcf970c06535ca175f3cf8
Opcode Fuzzy Hash: 8bf19885dd5ea0e2f94d69bfacb549f2fcc5b7e4eebcd9df4adba7efa0999e04
Instruction Fuzzy Hash: FD0146B1A01BA0DFC325DF64D4A12DAFBE4FB04308F808A5FD5DA53601C7B8A504CB98

Function 004122DD Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00412322

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 7513ca34129e98510f3681b072cb7c0b6c5abb15b675a2f96db53ad422757b1f
Instruction ID: 84edb9678b7a745c0b725e3e0dbbada79bae0bb88cc8bfe653711e49ff3b59e2
Opcode Fuzzy Hash: 7513ca34129e98510f3681b072cb7c0b6c5abb15b675a2f96db53ad422757b1f
Instruction Fuzzy Hash: 1AF027312007078AF7305B31DD01BDBB7D09F61318F14462EE8A9D3250EBBC98A4C769

Function 00402292 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402297

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ExceptionH_prologThrowmalloc
String ID:
API String ID: 3978722251-0
Opcode ID: 63cdaece89f50c39978ce6c8850528780203bdae850baeecadb4c7eacae8e156
Instruction ID: 5b325d54a320dae1f17efd6f96a645c63fb9c4f6f7ddd04e3403ca5b45223fd6
Opcode Fuzzy Hash: 63cdaece89f50c39978ce6c8850528780203bdae850baeecadb4c7eacae8e156
Instruction Fuzzy Hash: 20F0E2307001009FDB08CF58D146BADB7E0EF08304F00867FA40AE3380CBB869008A58

Function 00416FA9 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416FAE

Part of subcall function 00417899: __EH_prolog.LIBCMT ref: 0041789E

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: eb0fa4d0185cf915b7e1cd56f291fcce4e57fc542e8566139852d541875939b9
Instruction ID: 410289a83d4ed025744fd943b1f64dcfed9d5ec8ab00e327c3d154e98af9d3b0
Opcode Fuzzy Hash: eb0fa4d0185cf915b7e1cd56f291fcce4e57fc542e8566139852d541875939b9
Instruction Fuzzy Hash: 82F0BE31901A20DBC322AF14D906ADEB7F4FF04324F00465FE4D263691CBB8AA408B88

Function 0040E7DB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E7E0

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 573a2cf2bc836b99d9609f8487cba32822be38598a2facaf8ebd2ea7fbb3612e
Instruction ID: 1b364a8ab76887425b7e3a6f64e7fe538d72e94d07a99577154da66e0cac4a81
Opcode Fuzzy Hash: 573a2cf2bc836b99d9609f8487cba32822be38598a2facaf8ebd2ea7fbb3612e
Instruction Fuzzy Hash: 7AE06D76B04204EFC700EF99D445F9EB7A8FF48314F40855EB00A97241C7389900CA68

Function 004062E1 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040631A: CloseHandle.KERNELBASE(00000000,000000FF,004062EC,?,?,0040612D,?,00000000,00000001,00000003,02000000,?,?,?,004060AB), ref: 00406325

CreateFileW.KERNELBASE(004060AB,?,?,00000000,?,02000000,00000000,?,?,0040612D,?,00000000,00000001,00000003,02000000), ref: 00406303

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 019bf48367bcf98dcb756a2f82181cd61b9fe9e8a00531e4bac9db3451219804
Instruction ID: adc6e9f92411e864d9c6c7b87d178177d260d9e0db269cc12a015677b2bab9cc
Opcode Fuzzy Hash: 019bf48367bcf98dcb756a2f82181cd61b9fe9e8a00531e4bac9db3451219804
Instruction Fuzzy Hash: 4CE086321002197BCF215F649C01BCE3B55AF19370F100126FE15AA1E1D772C871AF98

Function 004065C6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004065E9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fe5bcde431ae922a75e4756504e17ece85435cb636739ef29d2279dd80125517
Instruction ID: da683ac8c70a974cc3f8237807a5398f2218d9b128b4c0510ef96a262ff81173
Opcode Fuzzy Hash: fe5bcde431ae922a75e4756504e17ece85435cb636739ef29d2279dd80125517
Instruction Fuzzy Hash: 63E0E575600208FBCB11CFA5D801F8E7BB9AB08358F20C16AF919AA290D739DA10DF54

Function 00415BE9 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415BEE

Part of subcall function 00415FA4: __EH_prolog.LIBCMT ref: 00415FA9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 80e3150f7c2d9fd7c4f1173715c9fe5ffee53762babf6db31bc0c1742898919b
Instruction ID: ce869e3aab6ace1ce8533568d57fd8f5675fbc5f5a758563eac7a77371b3ba82
Opcode Fuzzy Hash: 80e3150f7c2d9fd7c4f1173715c9fe5ffee53762babf6db31bc0c1742898919b
Instruction Fuzzy Hash: 62E09AB1A10920CADB19EB64E4127EDB7A4EF44708F00065EA08393281CBB82A04C799

Function 00412E95 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412E9A

Part of subcall function 00412ED4: __EH_prolog.LIBCMT ref: 00412ED9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ad06726d17add293a3b597e3220079d2e7ba6869ca03fb404eef0c1873daa0e0
Instruction ID: 69d3665519c70779c744395f10d9950b652281d112e39adaa058e3f3ba64c18f
Opcode Fuzzy Hash: ad06726d17add293a3b597e3220079d2e7ba6869ca03fb404eef0c1873daa0e0
Instruction Fuzzy Hash: B6D01271A14218AFD718DB45D947BEEB778EB41758F10465FF001A1240C3B95E008668

Function 00406526 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0040653C

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7b95e35fa55aa0e0c3428753206580943a288fc2de83e1cadcb6ea6cb1f466f9
Instruction ID: aa511b6798c59930b0405c074b109464cadd0f08f127264607b407b712c08231
Opcode Fuzzy Hash: 7b95e35fa55aa0e0c3428753206580943a288fc2de83e1cadcb6ea6cb1f466f9
Instruction Fuzzy Hash: 97E0EC75600208FBCB11CF90CD01FCE7BBAAB49754F208158E90596160C375AA14EB54

Function 0041A2A6 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041A2AB

Part of subcall function 00403B71: malloc.MSVCRT ref: 00403B84
Part of subcall function 00403B71: _CxxThrowException.MSVCRT(?,0042C1C8), ref: 00403B9E

Part of subcall function 00416DC8: __EH_prolog.LIBCMT ref: 00416DCD

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: c9e71ed1f5ae39a151610ad1d4401ee0482bbc4c59b442a92ca8ff4e7376cbdb
Instruction ID: bffb35fe6662f17f768acfd319c4c1181e1a9fa832d6402326a06ee7331dc0b5
Opcode Fuzzy Hash: c9e71ed1f5ae39a151610ad1d4401ee0482bbc4c59b442a92ca8ff4e7376cbdb
Instruction Fuzzy Hash: 9DD05E71B01514AFCB4CEFB8A447BADB6E0EB44348F50467FA012E2781EF7899408629

Function 00405A6D Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,00405A9E), ref: 00405A78

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 771ecb549d2df5e9db96aaaa111c166b5f13e32054afe09ecd2ab3c97690b28b
Instruction ID: fa3dde25846cff55b07d37752d80c8345f1936d69bcc94e9975f1054c5fe9f6f
Opcode Fuzzy Hash: 771ecb549d2df5e9db96aaaa111c166b5f13e32054afe09ecd2ab3c97690b28b
Instruction Fuzzy Hash: 81D012312045214ADA745E7C78849E333D89A12330321076AF4B4D32E0D3748C834E98

Function 00403D5E Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00403D74

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs
String ID:
API String ID: 1795875747-0
Opcode ID: c078ba7b642f1437405dd27f64575dd6badec6b4367417118eb25951d77006ff
Instruction ID: 1fba68da9fe9ae202432a53fb8ce6af3c3a1bc415edf3b5a9342c634e64c5272
Opcode Fuzzy Hash: c078ba7b642f1437405dd27f64575dd6badec6b4367417118eb25951d77006ff
Instruction Fuzzy Hash: 92D0C7361082519FE6155F16EC09C87FFA5FFD5321B11082FF450511609B726C26DA64

Function 00403CEE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00403CF5

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: ca0c3902a19e84967535e1b89705d167b4bdcf58c56db1bb82e36f2fb91b2edc
Instruction ID: bdcaa610731fbb92d061b186abac76fc107d3a3afa5d30b62c2ee034d17f0ff1
Opcode Fuzzy Hash: ca0c3902a19e84967535e1b89705d167b4bdcf58c56db1bb82e36f2fb91b2edc
Instruction Fuzzy Hash: 7FB092323082209BE7281A99BC0AA946794EB0D721F25006BF544C21909A911C528A99

Function 004065A9 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040AEEE,00000000,00000000,?,00000000,?,?,?,?,?,0040B26E,?), ref: 004065B7

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: c1faabe7ee04c17a3e9dedf9d691a06c13326f8eaf91e6cc6540484f6927ee96
Instruction ID: dd5313f992c8f3caee4660e88009fcd1fa651df6d34ad12b859f3340a0bd94a5
Opcode Fuzzy Hash: c1faabe7ee04c17a3e9dedf9d691a06c13326f8eaf91e6cc6540484f6927ee96
Instruction Fuzzy Hash: 4DC04C36158105FF8F120F70CC04D1ABBB2BB95315F10D918B155C5070C7328424EB02

Function 004055CD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 004055CF

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: dabda50b76c128f6b582b6eece111edba8ad408e96a23e841a2b7badc71f8a96
Instruction ID: 414952e8fe1a2e075d93a374d6099bf3f4316265d06550280dff1d114576109c
Opcode Fuzzy Hash: dabda50b76c128f6b582b6eece111edba8ad408e96a23e841a2b7badc71f8a96
Instruction Fuzzy Hash: 53A002A0312216DBAA241B329E09A2F256DAEC1AD1B45C96C7401C5170DA2DCC515535

Function 00406645 Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0040668A,00000000,?,00000000,?,?,?,?,0040AE79,?,80004004,?,00000000,?), ref: 00406647

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: dbc56d001a548cd5070795bd2d90de6a3695ba147366a044821af2c85d996497
Instruction ID: 86e43d1d87ccd767641ce6018b972dd42dd26830d60569e3cf728c40a3797de3
Opcode Fuzzy Hash: dbc56d001a548cd5070795bd2d90de6a3695ba147366a044821af2c85d996497
Instruction Fuzzy Hash: CFA002703E502FCB8F211F34DC098243AA6AB96707B6057B4B103D95F4DF224819AA15

Function 00405C89 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00405FE7,?,?,0000002A,?,?,00000000,?,00000001), ref: 00405C8A

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 79a2f7dced282e2fb32e550a1d2b0904197e204eb4e7884ebd859e13ad972910
Instruction ID: 880e6c9350023c768339967658fda1199bc4c9145147cf13f7093929cf76d2ce
Opcode Fuzzy Hash: 79a2f7dced282e2fb32e550a1d2b0904197e204eb4e7884ebd859e13ad972910
Instruction Fuzzy Hash: 91A001A0A26A04469A341B346C4899A29A5A996736BA00B75F132D01E4DB79C881A919

Function 004084F5 Relevance: 1.5, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?), ref: 004086B9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 4549de4e085ce23c5d742228b4179348cb2073e1a461e3f40e03bd9db6ea1aff
Instruction ID: e6815487489208ab39f33fed76fb0e7ab78d55a9c6f4cab8f9f9bf2c978d5583
Opcode Fuzzy Hash: 4549de4e085ce23c5d742228b4179348cb2073e1a461e3f40e03bd9db6ea1aff
Instruction Fuzzy Hash: F2814171D002499FDF14CFA8C680AAEB7B1AB48304F24447FD581B7781DB39A980CF59

Function 00407B7E Relevance: 1.3, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00407BAB

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8c18664cc0e2afd8735706c9fad17548e6b9e64cdc38ad65294e7055b2357f7f
Instruction ID: 540c822f5f08825451efabc7153c463d8467db7d585d389fc5b2ba1f3b10f2b9
Opcode Fuzzy Hash: 8c18664cc0e2afd8735706c9fad17548e6b9e64cdc38ad65294e7055b2357f7f
Instruction Fuzzy Hash: 53F04471A0820B9BCB14DE54DC40AB777B9FF44318B14843AAD17EB290D379FC119B9A

Function 0041E080 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041E092

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4f3d972a2cc645180b03ab5989da7a7abdbb96092aef46b131a3a4169954ef89
Instruction ID: 6a611e0c24855a470b21982780ef0240856e0dbfab85deb95be053ee113d5378
Opcode Fuzzy Hash: 4f3d972a2cc645180b03ab5989da7a7abdbb96092aef46b131a3a4169954ef89
Instruction Fuzzy Hash: A3D0A774A5251146CF8486328949B9735A83F04306F58857EEC13CE681FB6EC497C708

Function 0040631A Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,000000FF,004062EC,?,?,0040612D,?,00000000,00000001,00000003,02000000,?,?,?,004060AB), ref: 00406325

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 63bd52484c3e27620c52f78d23f88a666e8d75c923b48dba9752bb41ea792720
Instruction ID: 37909153597268066c058ee49dc1832c7f7ed1a892d8ea3123e2061e027ab4fe
Opcode Fuzzy Hash: 63bd52484c3e27620c52f78d23f88a666e8d75c923b48dba9752bb41ea792720
Instruction Fuzzy Hash: 23D0123160417157DA741E3C7D455C233D85E1237032207AAF4B5D32E0D3748C9346D4

Function 0041E043 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0041E051

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f56809b49086c6ed513efbd4586875a7e0a01cfb318715d2f5b7dbd5dc263cde
Instruction ID: 37d545aa3dd278780438cb9abc06a095e6c0b675cb82c61b18e0c7a60c84fb8a
Opcode Fuzzy Hash: f56809b49086c6ed513efbd4586875a7e0a01cfb318715d2f5b7dbd5dc263cde
Instruction Fuzzy Hash: D2C09BE1E4E290DFDF0657109C55B603F319F97741F4A10C5E4445B0D3D5551D19C727

Function 0041E010 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041E018

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 896ef36176023112d6443d1c7dbb081b3f05f1399666896d001e6a3ed2194474
Instruction ID: 2cf01b38eb4ee948cf265c98e74a8636803a57433c2cd1d462a5ffe318260026
Opcode Fuzzy Hash: 896ef36176023112d6443d1c7dbb081b3f05f1399666896d001e6a3ed2194474
Instruction Fuzzy Hash: CDA012CDE1001100994411322C41053101221E16057C8C479A80144104FF2DC804700A

Function 0041DFA0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041DFA8

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: db257ee4f71baae5e6f327627217561a0c71f3babe6a0257f2be35a8eab85669
Instruction ID: 769eb2c9eb345b6015b8715d85aee880fb048f10648ae35f76c4dfcca9cb3a5f
Opcode Fuzzy Hash: db257ee4f71baae5e6f327627217561a0c71f3babe6a0257f2be35a8eab85669
Instruction Fuzzy Hash: 6BA024D5F3100100DD5C31313C01457100111D03077C044FD7407C0100F71DC514500F

Function 0041E063 Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0041E06C

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b969455fa2f22fc73ea04ac6af0352f9a8db9e597e97f0f7f8fcdc9855555cef
Instruction ID: e16472afc0667f0882427de6cdc1df0a5e98d7cfee31e37e763c24b0fda5beb4
Opcode Fuzzy Hash: b969455fa2f22fc73ea04ac6af0352f9a8db9e597e97f0f7f8fcdc9855555cef
Instruction Fuzzy Hash: 71A00278F80714B6ED7467306D4FF6525246784F01F60C594B241681D49DE464459A2C

Function 0041E030 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041E031

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 215540552cff86145e4461e69ebfb5076cc52fc8c4b4bc72fa675cccf62c4148
Instruction ID: 317c144e9e448446760cd229ef9c40f20c29eefaa629672554263170cc7ba9b1
Opcode Fuzzy Hash: 215540552cff86145e4461e69ebfb5076cc52fc8c4b4bc72fa675cccf62c4148
Instruction Fuzzy Hash:

Function 00403BA5 Relevance: 1.3, APIs: 1, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 00403BA9

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c77b473b94ae96f42027579122339939922c3ef578ecea1100068d67e2cb92de
Instruction ID: 8a4addd67d1395683a601ebee97e0ac27b042bf7b24b100f5c4dc94180559340
Opcode Fuzzy Hash: c77b473b94ae96f42027579122339939922c3ef578ecea1100068d67e2cb92de
Instruction Fuzzy Hash: 83A00271105101DBDB551B91ED0D55A7B61FB84652F654469F04B405708B314C31FA05

Function 0041DFC0 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041DFC1

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d0ffa420d5295d2d66e13c681143ce4ee7e28d14a99b9877e117c45ff1c9cee4
Instruction ID: aa35c656e66cb15e5c91bcce4ec064c5ed426d125c34c476f51aa09ca71418e3
Opcode Fuzzy Hash: d0ffa420d5295d2d66e13c681143ce4ee7e28d14a99b9877e117c45ff1c9cee4
Instruction Fuzzy Hash:

Non-executed Functions

Function 0040704D Relevance: 4.7, APIs: 3, Instructions: 225timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00407091
FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 004070A3
__aullrem.LIBCMT ref: 00407205

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: Time$File$LocalSystem__aullrem
String ID:
API String ID: 2417234408-0
Opcode ID: e2ea9a577c3c03632edbf28e011eeb485c98ebec837ccdf391d33486ad268604
Instruction ID: 097ebb133b43d6c75499fc9ab10b51d9df6370fde1c7953e3ae636fd5b3e94c1
Opcode Fuzzy Hash: e2ea9a577c3c03632edbf28e011eeb485c98ebec837ccdf391d33486ad268604
Instruction Fuzzy Hash: 4271BC71E09345DBD711CF6984C06EEFBF69F79314F14806EE884A3282D27A5D5AC721

Function 004194A9 Relevance: 3.5, APIs: 2, Instructions: 509COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004194AE

Part of subcall function 004191A2: __EH_prolog.LIBCMT ref: 004191A7

_CxxThrowException.MSVCRT(?,0042E810), ref: 00419986

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 800fb9f3c2d82f9e2b0987539adecd0ab6a29e1bc71cd275f5283ebc7644eb9a
Instruction ID: 3bae86e87b3cf8b9d8377ed57d25004214f6e4a97d94b5689226fb05ce5736f1
Opcode Fuzzy Hash: 800fb9f3c2d82f9e2b0987539adecd0ab6a29e1bc71cd275f5283ebc7644eb9a
Instruction Fuzzy Hash: 10325A7090424ADFCF14DF65C5A0AEEBBB1BF05308F14806EE449AB252D738AE95CF95

Function 00425360 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

@, xrefs: 004257ED

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 387d9f5b0d722e16858b989fb5cf058498023d896b5906e39b88b724edac5b15
Instruction ID: c4327a5b03a4357bab17156b007e5d35fc2f343ba8ec6b5de1daa222e62ab7b1
Opcode Fuzzy Hash: 387d9f5b0d722e16858b989fb5cf058498023d896b5906e39b88b724edac5b15
Instruction Fuzzy Hash: E8020AB16083058FC358DF4AD88045BF7E2BFC8314F58892EF59997315DB70A95ACB86

Function 004253EC Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

@, xrefs: 004257ED

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 20fb1e679b1ea7c9bc9397992702f5c06c27ebda3db9de964d82a84f63a00d7a
Instruction ID: a5a46c98ad045cca7d8d22a35470739b0e600e8396af2da8c62bd07726d085e0
Opcode Fuzzy Hash: 20fb1e679b1ea7c9bc9397992702f5c06c27ebda3db9de964d82a84f63a00d7a
Instruction Fuzzy Hash: B3E11BB160C3058FC358DF4AD88045BF7E2BFC8314F58892DF59983356DB70A95ACA8A

Function 0040736E Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0040735B: GetCurrentProcess.KERNEL32(?,?,0040737C), ref: 00407360
Part of subcall function 0040735B: GetProcessAffinityMask.KERNEL32(00000000), ref: 00407367

GetSystemInfo.KERNEL32(?), ref: 00407392

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: Process$AffinityCurrentInfoMaskSystem
String ID:
API String ID: 3251479945-0
Opcode ID: 12424a63e269e0877277bfdfa86892c8ee2fc88c8c4c8b17476209747d2dff76
Instruction ID: 37ac09f4e8775b3dc7db151483154f559ecac358ef485f747e15dc97df7041dd
Opcode Fuzzy Hash: 12424a63e269e0877277bfdfa86892c8ee2fc88c8c4c8b17476209747d2dff76
Instruction Fuzzy Hash: F2D01270E0420997DF54E7F5D44699E77785E44348F0400799C01F21D0DB78F945D65A

Function 00426040 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00426043

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a8b240aa1cb2597892d2c620267438a9b7ed24a8c987694d8ca527b9fca9a5f6
Instruction ID: 1a04f80bb725c75d3dd7a7d213ed030404e6ca71b9454b7eb32c971da4491ff5
Opcode Fuzzy Hash: a8b240aa1cb2597892d2c620267438a9b7ed24a8c987694d8ca527b9fca9a5f6
Instruction Fuzzy Hash: 55D05E71E5042443DB04B72CD94A12933E2F741300FC608EAD498C5226E92DAA16D64B

Function 00407455 Relevance: 1.5, APIs: 1, Instructions: 3timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,004059CA,00000000,00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010), ref: 00407456

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: dd4d65d4735ecad5eff269bcc9c5ffcae217ccde2733e6e548aead3813e70d00
Instruction ID: 03b31f416222a043bea4c947158f1946739afe019085366f262c6bff39aea67e
Opcode Fuzzy Hash: dd4d65d4735ecad5eff269bcc9c5ffcae217ccde2733e6e548aead3813e70d00
Instruction Fuzzy Hash:

Function 0041DDB0 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

PbB, xrefs: 004251A4, 004251AB

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID: PbB
API String ID: 0-1558502971
Opcode ID: 47ff404f096a15f6be07cdd7ff47f7c3a4c0280c46258968b647365bbcb83ffc
Instruction ID: a90cc3db49980fd9bdf7688ba4c454fc12f945e6fdca8d25ef6de79eb1c97d35
Opcode Fuzzy Hash: 47ff404f096a15f6be07cdd7ff47f7c3a4c0280c46258968b647365bbcb83ffc
Instruction Fuzzy Hash: 4D41E432F10A3006B34CCE3AAC851662BC3DBC9382785D739D565C66D9D9BDC413D1A8

Function 004226B0 Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveObjectSingleWait
String ID:
API String ID: 1001467830-0
Opcode ID: c2e93f49e507dd83a320957035e7cc1bd384210c5e44b5caa0bc2a24e808fe7a
Instruction ID: a07709ed0249790d25947c5d4043c77be657826ad63f2b176fd792c5173063d6
Opcode Fuzzy Hash: c2e93f49e507dd83a320957035e7cc1bd384210c5e44b5caa0bc2a24e808fe7a
Instruction Fuzzy Hash: 8A621771A083519FCB24CF19D68052BFBE1BFC8740F948A2EE89597315D7B8E845CB46

Function 00420CA9 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
Instruction ID: 6779b2a74973eff395bcc09e7ec8ee8c4b47229ef48312d7df48326998885e9a
Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
Instruction Fuzzy Hash: 60022A73B0836047D718CE19DD80229B7E3FBD0380FAA492FF89647395DAB49946C799

Function 004212C0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
Instruction ID: 5fbcdf7e76c78e01b99a8ca8083e79c7bf9a59bce4f2b0593f3807deda067ad1
Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
Instruction Fuzzy Hash: 18024A32B043218BD708CE28D58027DBBE3FBE4345F550A3FE896976A4D7789845CB89

Function 004240A0 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
Instruction ID: 2dae5d15b16d92ed7caafcb73801ff926bcdae23959ce8009c2e2d6f19409047
Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
Instruction Fuzzy Hash: 2A028C706047208FC328CF2EE49422AFBE1EFC5301F548A6EE5DA87791D23AE559CB55

Function 00424AB0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec21f2bc10a4140bfded27c6d5d1301f13af393237b8a6ab6090c49201403264
Instruction ID: 9dbdf3cc36c0871e00d70d1cf73c890cd0849f4c1b349caee6c3423430388a93
Opcode Fuzzy Hash: ec21f2bc10a4140bfded27c6d5d1301f13af393237b8a6ab6090c49201403264
Instruction Fuzzy Hash: 95E1F6729043AA4FD31CEF58EC91635B7A1FF88380F09457DCA560B3B2D6746A01DB94

Function 0041E1E0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
Instruction ID: 180b3774adec75c40f857ab56fa67e51ed4644e1aa4a0a04af6b9390553663a5
Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
Instruction Fuzzy Hash: D2B192766012118FC750CF2EC8801597BA2BFC532977997AEC8A48F746D33AE857CB94

Function 0041E9A0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
Instruction ID: 586f8480fd11126397f6699f5bfc9f0ef5ac81eadabf3b744486f71cccb0705d
Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
Instruction Fuzzy Hash: 3231277B600A054EF620852B89883E77213FFD63A0F19C727DD16873E8CA399DC6814D

Function 00426620 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b992da0320ec3f814fb582ec4cb6330d05488eb9d43a721a90b87cbfbd9ca5c7
Instruction ID: 8a31634d1fb8d893b677315f844586136606d247691434bc821e591bcdba7911
Opcode Fuzzy Hash: b992da0320ec3f814fb582ec4cb6330d05488eb9d43a721a90b87cbfbd9ca5c7
Instruction Fuzzy Hash: FA5186315102399BC782EF5DF8D4AEA73E5FB4434EFD34A26DE8257141C624E826D6A0

Function 00402866 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8755404496fa14fc5fc9ac73b9f104171496fa033ba51e4f77bd0a7ed76c6b
Instruction ID: cec01148624ff6002e8d78b3abb26f3a7b04ecb4e699d004dc871b06b6aa27d5
Opcode Fuzzy Hash: fc8755404496fa14fc5fc9ac73b9f104171496fa033ba51e4f77bd0a7ed76c6b
Instruction Fuzzy Hash: 69217137AA0D1707D70C8A28EC37AB93281E744305F89567EE94BCB3D1DEAC8800C648

Function 004248E0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e3b7086b35622f3edc5cc23a5ba1f7ddd0fc26d22bb20063e423d6306cc5fe
Instruction ID: 3f22e8bbf1c80f18dc348f81ee196079cd90f877339ced02ae457c1f152bd803
Opcode Fuzzy Hash: 77e3b7086b35622f3edc5cc23a5ba1f7ddd0fc26d22bb20063e423d6306cc5fe
Instruction Fuzzy Hash: C8214BB1B043BA07E310BE7CDC8027777E6EBC1301F884276D9948F646D679889297A4

Function 00426100 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64

Function 004185F9 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 452COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004185FE

Part of subcall function 00417D89: _CxxThrowException.MSVCRT(?,0042E810), ref: 00417DAC

memcpy.MSVCRT(?,?,?,?,?,?,?,?,0000000B,00000000,?,?), ref: 004189F0
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418A8C
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AA0
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AB4
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AC8
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418ADC
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418AF0
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B04
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B18
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B2C
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B40
_CxxThrowException.MSVCRT(?,0042E810), ref: 00418B54

Part of subcall function 00417BB2: _CxxThrowException.MSVCRT(?,0042E7D0), ref: 00417BC5

Strings

, xrefs: 004187DC
@, xrefs: 004187D2
!, xrefs: 004187FE

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID: $!$@
API String ID: 3273695820-2517134481
Opcode ID: 86ab02d0ed812b2bc682d74ebd8090e91257ed431655c286634e8f5cefe57a90
Instruction ID: a8af2338d33f97ab3af66800fc8919b7e7d9159ea038428e72aaae9fbbebb504
Opcode Fuzzy Hash: 86ab02d0ed812b2bc682d74ebd8090e91257ed431655c286634e8f5cefe57a90
Instruction Fuzzy Hash: 92126C74E05249EFCF04DFA5C981AEEBBB1BF09304F54845EE445AB352DB38A981CB58

Function 0041078C Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410791
fputs.MSVCRT ref: 004107AE
fputs.MSVCRT ref: 004107B7

Part of subcall function 00403EB1: __EH_prolog.LIBCMT ref: 00403EB6

Part of subcall function 00403CEE: fputc.MSVCRT ref: 00403CF5

fputs.MSVCRT ref: 004107FD
fputs.MSVCRT ref: 00410806
fputs.MSVCRT ref: 0041080D

Part of subcall function 00403BA5: free.MSVCRT ref: 00403BA9

fputs.MSVCRT ref: 0041083F
fputs.MSVCRT ref: 00410848
fputs.MSVCRT ref: 00410850

Strings

Modified: , xrefs: 00410843
Size: , xrefs: 00410801
Path: , xrefs: 004107B2

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs$H_prolog$fputcfree
String ID: Modified: $Path: $Size:
API String ID: 2632947726-3207571042
Opcode ID: dad6ea9b37028dc7d9b6d66f9ca6d710003fafdbd0f38657ec1ce368b28c369f
Instruction ID: b65d724bde5c915c69112c2f50a2259a5a42bfe36314ecb7860c7f1e00933a31
Opcode Fuzzy Hash: dad6ea9b37028dc7d9b6d66f9ca6d710003fafdbd0f38657ec1ce368b28c369f
Instruction Fuzzy Hash: 5121C431A00014ABCF11BFA6DC81AAE7F36EF44354F54402BF805662A1EB7A49A1DF95

Function 0040822B Relevance: 16.4, APIs: 13, Instructions: 196COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 00408244
memcmp.MSVCRT(?,004293D8,00000010), ref: 00408261
memcmp.MSVCRT(?,004294C8,00000010), ref: 00408274

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 8910d6305239276ff3f7db42ecd347003804e214d9e1dbdd8d8a49be33777170
Instruction ID: e96827f4b63efecacfe58e3eea22b3fe6ab2bc99bd733a1cd9902dd8c249a16e
Opcode Fuzzy Hash: 8910d6305239276ff3f7db42ecd347003804e214d9e1dbdd8d8a49be33777170
Instruction Fuzzy Hash: 1951AA72B00625ABE7105A15ED41FA733AC9E20754B40412EFD86E7381FB38FE05CA99

Function 0041EBC0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0041EBC7
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 0041EBDD
GetProcAddress.KERNEL32(00000000), ref: 0041EBE4
GetSystemDirectoryW.KERNEL32(?,00000106), ref: 0041EC07
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0041EC8D

Strings

SetDefaultDllDirectories, xrefs: 0041EBD3
\, xrefs: 0041EC24
kernel32.dll, xrefs: 0041EBD8
\, xrefs: 0041EC1C

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemVersion
String ID: SetDefaultDllDirectories$\$\$kernel32.dll
API String ID: 2515194075-2532076501
Opcode ID: 82f5796dbf9e0cdcb216b5097f80af6bf4f1409dd4f72cd67fc1d0562e83a76e
Instruction ID: 913686e8244bd061a2bcb12ad3078c3bbff088274ca3bb4e53c0d7fdda3888e6
Opcode Fuzzy Hash: 82f5796dbf9e0cdcb216b5097f80af6bf4f1409dd4f72cd67fc1d0562e83a76e
Instruction Fuzzy Hash: 2321C3346043159AE7349F59EC08F97BBE4AF40700F58942AD984D72A0F77998C5C79E

Function 00411D49 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00411D6F
fputs.MSVCRT ref: 00411D74
fputs.MSVCRT ref: 00411D7D
fputs.MSVCRT ref: 00411D93

Strings

: Cannot open the file as [, xrefs: 00411D78
ERROR, xrefs: 00411D5B, 00411D73
] archive, xrefs: 00411D8E
WARNING, xrefs: 00411D54
Open , xrefs: 00411D6A

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs
String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
API String ID: 1795875747-657955069
Opcode ID: 64877689ad02330c930da7756644846f4b0a693915e548a7d511e3b40fd6094c
Instruction ID: 9c73f5e0e90770f140b12c62cfba92fc1376db5acbc4535256ac5aafa418b3ee
Opcode Fuzzy Hash: 64877689ad02330c930da7756644846f4b0a693915e548a7d511e3b40fd6094c
Instruction Fuzzy Hash: 8FF0E9327001257BD6102766BC40E6FBF1ADF89761F600027FD0493241EB3E1830DA69

Function 00402576 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040257B

Strings

Unknown switch:, xrefs: 00402601
Too short switch:, xrefs: 0040264A
Incorrect switch postfix:, xrefs: 0040268A
Too long switch:, xrefs: 004026E3
Multiple instances for switch:, xrefs: 0040262C

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
API String ID: 3519838083-2104980125
Opcode ID: 939d9dd5dfe706750911b410f5a9badb0fb4dd8201800066082cbf673cc68056
Instruction ID: 801a60c05f7d27c0b30539d6495d90dca1c7defda93e75e34d4a3a70a0fcaa99
Opcode Fuzzy Hash: 939d9dd5dfe706750911b410f5a9badb0fb4dd8201800066082cbf673cc68056
Instruction Fuzzy Hash: C051B330A002569FCF24DF14CA88AAEBBB1BF11304F5444AFD845BB2D2D7BA9D41CB59

Function 00410623 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 0041062E
fputs.MSVCRT ref: 0041066D
fputs.MSVCRT ref: 00410692
LeaveCriticalSection.KERNEL32(00430538), ref: 0041072E

Strings

with the file from archive:, xrefs: 0041068D
Would you like to replace the existing file:, xrefs: 00410668

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: Would you like to replace the existing file:$with the file from archive:
API String ID: 3346953513-686978020
Opcode ID: ff04ac6ed1f533fd7777a74cc65d11423ec9600f7fec2d7fbf7f7cc178b0eb7c
Instruction ID: 8d30f5c3a769b9b05dc9022ead1e570209d6b32d37c02158444c586a9a64ffd4
Opcode Fuzzy Hash: ff04ac6ed1f533fd7777a74cc65d11423ec9600f7fec2d7fbf7f7cc178b0eb7c
Instruction Fuzzy Hash: 2A317F75200204DBDB11AF25D940BDA77E1EF88314F11416BF92A97291CBB9ACE2CF5D

Function 00410FA2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410FA7
fputs.MSVCRT ref: 00410FC0

Part of subcall function 00403E56: __EH_prolog.LIBCMT ref: 00403E5B

Strings

The file is open, xrefs: 0041103B
Cannot open the file, xrefs: 00411016
The archive is open with offset, xrefs: 00410FF5
WARNING:, xrefs: 00410FBB

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog$fputs
String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
API String ID: 3822167597-1259944392
Opcode ID: 3769bc2594a60d947f324f43e162f9542d25cae14344e564b9194a4f14147df9
Instruction ID: 2fe33cfd7bd924c02116d12d6cc5e0899d97df651c7911a456f6b34765396213
Opcode Fuzzy Hash: 3769bc2594a60d947f324f43e162f9542d25cae14344e564b9194a4f14147df9
Instruction Fuzzy Hash: 6921C431B00511DFCB14EF65D542AAEBBB4EF48345B80442FE602E7691CB3DADC68B49

Function 0041290F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 0041292A

Part of subcall function 00403CDF: fflush.MSVCRT ref: 00403CE1

GetStdHandle.KERNEL32(000000F6), ref: 0041293C
GetConsoleMode.KERNEL32(00000000,00000000), ref: 0041295E
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041296F
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041298F

Strings

Enter password (will not be echoed):, xrefs: 00412925

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ConsoleMode$Handlefflushfputs
String ID: Enter password (will not be echoed):
API String ID: 108775803-3720017889
Opcode ID: 25c804d01db33c1ab0bc5cb966c29544ee48e5892db4f5b428a53a560feb2906
Instruction ID: 06c9a69e81cbb5c5db69f777e7cc9e6c7d4d2dc80c9e68aa15962718b8ebadc6
Opcode Fuzzy Hash: 25c804d01db33c1ab0bc5cb966c29544ee48e5892db4f5b428a53a560feb2906
Instruction Fuzzy Hash: 21110A76B041196BDB115BA99D056EEBFB9AF81724F14416BE810F32D0CB780D51CB9C

Function 00405B34 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00405B4D
GetProcAddress.KERNEL32(00000000,FindFirstStreamW), ref: 00405B61
GetProcAddress.KERNEL32(00000000,FindNextStreamW), ref: 00405B6E

Strings

kernel32.dll, xrefs: 00405B48
FindNextStreamW, xrefs: 00405B63
FindFirstStreamW, xrefs: 00405B5B

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 667068680-4044117955
Opcode ID: 209bc51a69cd21a9cb9a554d552f349016e7f251f682d818fccc93cde8e55180
Instruction ID: 993e4fd1b4b43a4bdfd4fb802b812d309aec3832960eb3898a326147e7614a50
Opcode Fuzzy Hash: 209bc51a69cd21a9cb9a554d552f349016e7f251f682d818fccc93cde8e55180
Instruction Fuzzy Hash: 74E0C231B043246BD3104BAABC89877FEECEAC4760760017BB509E3260E6F82C028F5D

Function 00407A1B Relevance: 8.8, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 00407A34
memcmp.MSVCRT(?,004291F8,00000010), ref: 00407A51
memcmp.MSVCRT(?,004291D8,00000010), ref: 00407A64
memcmp.MSVCRT(?,00429218,00000010), ref: 00407A77

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 1906f6f9a3bc8567207bf16f5b12049dd60c52ce4a1937d7281cae0f19a5e01e
Instruction ID: 09fc6409721d384321c9daad9889d0c59f869200ca07e15681de2c6d8400d0c6
Opcode Fuzzy Hash: 1906f6f9a3bc8567207bf16f5b12049dd60c52ce4a1937d7281cae0f19a5e01e
Instruction Fuzzy Hash: 1721A372B442156BE7008A15AC82F7F33AC9A50754B54852AFD05E7381F678EE009AAB

Function 00410BF5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00430538), ref: 00410C02
fputs.MSVCRT ref: 00410CA2
fputs.MSVCRT ref: 00410CBB
LeaveCriticalSection.KERNEL32(00430538), ref: 00410CFD

Strings

: , xrefs: 00410CB6

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: :
API String ID: 3346953513-3653984579
Opcode ID: 8b3c42645f9caea0802aa794edd836212cfb1d2fd3be4aacd33e6040b09cc957
Instruction ID: 09d9808faf5bd919de83ef7c98426f172d115119e5f1a576890054117d399c7e
Opcode Fuzzy Hash: 8b3c42645f9caea0802aa794edd836212cfb1d2fd3be4aacd33e6040b09cc957
Instruction Fuzzy Hash: EC319C31500208DFD714EF65D894EDAB7B4FF44318F50826FE81A9B252DB78A980CF58

Function 0041EB90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00411EE8), ref: 0041EB90
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 0041EBA6
GetProcAddress.KERNEL32(00000000), ref: 0041EBAD

Strings

SetDefaultDllDirectories, xrefs: 0041EB9C
kernel32.dll, xrefs: 0041EBA1

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 3310240892-2102062458
Opcode ID: 612a3b4ddb9acc66ff93ecbb857bc4bfeff86ee96ca2284e8fffde39a6173eaf
Instruction ID: 0862184ad8ba24335b569b053d5d12c6817f75253087d21a0b209ed3f2b8ea95
Opcode Fuzzy Hash: 612a3b4ddb9acc66ff93ecbb857bc4bfeff86ee96ca2284e8fffde39a6173eaf
Instruction Fuzzy Hash: 27C01234B4421D96DB2417A5AD0DF963666E7C4702FD80062BD03D00E4CF789982C61C

Function 004040B6 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 004040EE
GetLastError.KERNEL32(?,00000000,?,?,?,00000000), ref: 004040F7
_CxxThrowException.MSVCRT(?,0042C050), ref: 00404115
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000001,00000001,?,00000000,?,?), ref: 0040417C
_CxxThrowException.MSVCRT(0000FDE9,0042C050), ref: 004041A4

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: cfd6c78358ac07a3c2f5c7783267483c925d2c8b350aec6f244fbd3ed4ca990f
Instruction ID: ddf483936085a76ef41ae3a6c868e145893958370a6de898f5c65fa482b2d003
Opcode Fuzzy Hash: cfd6c78358ac07a3c2f5c7783267483c925d2c8b350aec6f244fbd3ed4ca990f
Instruction Fuzzy Hash: 8631E3B1604205BFDB11CFA4CC85BBEBBF8AF55344F10806AE544EB280C7789D85CBA4

Function 00414792 Relevance: 7.6, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 004147AB
memcmp.MSVCRT(?,004293D8,00000010), ref: 004147C8
memcmp.MSVCRT(?,004294A8,00000010), ref: 004147DB

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: d1d27eebe698f95dafb466b7f552e0a33d146d414f17f5489ccea16cbcc13696
Instruction ID: ab4dab2fae12ce32b20b6cfbf363ba4071ac0056bfb13e88cb7f35a40cc3fbe5
Opcode Fuzzy Hash: d1d27eebe698f95dafb466b7f552e0a33d146d414f17f5489ccea16cbcc13696
Instruction Fuzzy Hash: B221C576B00215ABE700AE15EC82FBB73A89BA07A4F14412AFD05DB341E678DD4146AA

Function 004059A9 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00407455: GetSystemTimeAsFileTime.KERNEL32(?,004059CA,00000000,00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010), ref: 00407456

SetLastError.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000), ref: 004059E8
GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 004059EC
GetFileInformationByHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 00405A00
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 00405A58
SetLastError.KERNEL32(00000006,?,?,?,?,?,?,?,?,0040C681,?,00000010,00000000,00000000), ref: 00405A64

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ErrorLast$FileHandleTime$InformationSystem
String ID:
API String ID: 1030185623-0
Opcode ID: 491123aa0d19b53963d0ba5624d9c6b6f027d198acf0d456067b5beaa04c73dd
Instruction ID: 43247151832c92c783002a763622c32ca72b9f62b1d40b072dcd93f988fba4cd
Opcode Fuzzy Hash: 491123aa0d19b53963d0ba5624d9c6b6f027d198acf0d456067b5beaa04c73dd
Instruction Fuzzy Hash: 9421F774A00B059FCB20DF69D885A5BBBF4FF08320B10462AE569E3790E734E905CF54

Function 00411C2A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411C2F
fputs.MSVCRT ref: 00411C98
fputs.MSVCRT ref: 00411CAF

Strings

= , xrefs: 00411CAA

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs$H_prolog
String ID: =
API String ID: 2614055831-2525689732
Opcode ID: 6c471a2ef6530a59ec5113148ca7b72510f446cde176fcdeb89754153c16460e
Instruction ID: 1b0edf4538b9036d1089c6cef4bedea74b82e6cb5f1a31546f15677c97918bcb
Opcode Fuzzy Hash: 6c471a2ef6530a59ec5113148ca7b72510f446cde176fcdeb89754153c16460e
Instruction Fuzzy Hash: EA219F32900118AFDF05EB95D842BEDBBB5AF44319F20402FE401721A1EB792E81CB98

Function 0040FC60 Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 0040FC76
memcmp.MSVCRT(?,00429278,00000010), ref: 0040FC91
memcmp.MSVCRT(?,004292A8,00000010), ref: 0040FCA5

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: a693b106da1646162e2325d0c3da7007423092edf42d73c4806106454a0f5857
Instruction ID: b4b8cbf5b466e02db0d24476debb83d958eff9c092edf636f16ca7dc42c6bbb7
Opcode Fuzzy Hash: a693b106da1646162e2325d0c3da7007423092edf42d73c4806106454a0f5857
Instruction Fuzzy Hash: 75112932740209A7E7204A15EC43FBA33A45F54710F54453BFD46EB3C1F679E804569E

Function 00404001 Relevance: 6.3, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040402D
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00404036
_CxxThrowException.MSVCRT(?,0042C050), ref: 00404050
MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00404075
_CxxThrowException.MSVCRT(?,0042C050), ref: 0040408B

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: bdd5df10d88c5e80083a4577c3421ebdd7ddd51eeeca16ae066f61805f11393e
Instruction ID: 4ac132360325015ebd2c62f9aad36c2b8b5ce9f4421ab3691f6160e0cd77abd7
Opcode Fuzzy Hash: bdd5df10d88c5e80083a4577c3421ebdd7ddd51eeeca16ae066f61805f11393e
Instruction Fuzzy Hash: 49110DB5200505BFD720DF65DC81E6BB7EDFF88384B50812AEA19E7240D775AD418BA8

Function 00405B7B Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00405A6D: FindClose.KERNELBASE(00000000,000000FF,00405A9E), ref: 00405A78

SetLastError.KERNEL32(00000078), ref: 00405B9B
SetLastError.KERNEL32(00000000), ref: 00405BA5
FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00405BB9
GetLastError.KERNEL32 ref: 00405BC6

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ErrorLast$Find$CloseFirstStream
String ID:
API String ID: 4071060300-0
Opcode ID: 2749851167958df2b69f257e2b4f0fabe59ec9884642ac4421954b3e0dc01f9e
Instruction ID: 8b1c33bf5c767727a663e7b38ed12da21a1870170c7a8d394256995f507f3ca5
Opcode Fuzzy Hash: 2749851167958df2b69f257e2b4f0fabe59ec9884642ac4421954b3e0dc01f9e
Instruction Fuzzy Hash: B8F08C30104A099BCB306F24DC09BAB3375EB10325F204276E552BA1E0EA78BD86CF69

Function 00408F7C Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00409399,?,00413510,?,?), ref: 00424723
GetLastError.KERNEL32(?,00413510,?,?), ref: 00424730
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00409399,?,00413510,?,?), ref: 0042474B

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: Event$CreateErrorLastReset
String ID:
API String ID: 3053278375-0
Opcode ID: ad2609b926203c852762c17253ddc8a92b970ffd877e63c396e861917d5cc8ee
Instruction ID: 69587264c1ca5cd8272a9dfa6d0881f87e04865dcef00d1d77fbe5789d4fff4d
Opcode Fuzzy Hash: ad2609b926203c852762c17253ddc8a92b970ffd877e63c396e861917d5cc8ee
Instruction Fuzzy Hash: 0BF030743003159BE7305F34AD08B633994EBC2B42FD0047AB915DA2D0EB6DC842DA5C

Function 0040E400 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E405

Part of subcall function 00406F66: VariantClear.OLEAUT32(?), ref: 00406F88

Strings

Unknown error, xrefs: 0040E521, 0040E526
Unknown warning, xrefs: 0040E582, 0040E587

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: Unknown error$Unknown warning
API String ID: 1166855276-4291957651
Opcode ID: b83380f3ee18b6f9f934a345221d735d3a38ddd69aefc5361ffd61519bd1e1f7
Instruction ID: e2c51ea3c9d5ff53c368fc9fea119ca8137ad16915fe70a45aa60a70686436fe
Opcode Fuzzy Hash: b83380f3ee18b6f9f934a345221d735d3a38ddd69aefc5361ffd61519bd1e1f7
Instruction Fuzzy Hash: C58147B1A00709DBCB10DFA6C5809EEB7F0FF58308F50896EE456A7290D779AE14CB58

Function 00404F8E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00404FE8
wcscmp.MSVCRT ref: 00404FFD

Strings

UNC, xrefs: 00405021

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: wcscmp
String ID: UNC
API String ID: 3392835482-337201128
Opcode ID: 0f50e1a4b89f9bb1c8fdf0474285ed29ed5cb079e505af0e673f1010bac49f26
Instruction ID: d4f1103d63d9ba93538f6336bbde5048e2c91832e0775446ecdb83d365754428
Opcode Fuzzy Hash: 0f50e1a4b89f9bb1c8fdf0474285ed29ed5cb079e505af0e673f1010bac49f26
Instruction Fuzzy Hash: E9215CB53006019FD724CE48D984A2AB3E5EB85350B64847BE645AF3D1C63AEC42CF88

Function 00412442 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00412489
strlen.MSVCRT ref: 004124AF

Strings

M, xrefs: 0041249D

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: __aulldivstrlen
String ID: M
API String ID: 1892184250-3664761504
Opcode ID: 5cb360c24d34eea26afc0b9a41df7248fd98ee7fc509eed417d6c7d163f83f1e
Instruction ID: 4c523177f86cd1d8441d7e59bba430fadbe405382aa8792db896841e4d0aaa05
Opcode Fuzzy Hash: 5cb360c24d34eea26afc0b9a41df7248fd98ee7fc509eed417d6c7d163f83f1e
Instruction Fuzzy Hash: 41113D323006546BDF25DAA5C945FBF77E99B88314F14482FE287D71C1D9B8AC458328

Function 00410EE2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410EE7

Strings

0, xrefs: 00410F54
x, xrefs: 00410F58

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: H_prolog
String ID: 0$x
API String ID: 3519838083-1948001322
Opcode ID: 22b041c608f5a5e13fb34e29759c105454cba705c22a6f84aeb62827a4a014bc
Instruction ID: e1ee27c14022c3c4861809de81e0fb68f5ccf3bdc354b16ac99790b939c913b1
Opcode Fuzzy Hash: 22b041c608f5a5e13fb34e29759c105454cba705c22a6f84aeb62827a4a014bc
Instruction Fuzzy Hash: 99218E32D0011A9BCF04EB99D6866EEB7B5EF48308F50006FE401772C1DBB95E45CBA9

Function 00411E0B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00411E5B

Strings

Cannot open the file as archive, xrefs: 00411E56
Cannot open encrypted archive. Wrong password?, xrefs: 00411E1E

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs
String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
API String ID: 1795875747-1623556331
Opcode ID: 903e6ea9d750758cf79017287e50944535a56994a1adf74cb8bda59e51e8e830
Instruction ID: 0cf7914edf2aa8e7341596000c12c1df42a57dbecb04f7ec900b94d22c574bf8
Opcode Fuzzy Hash: 903e6ea9d750758cf79017287e50944535a56994a1adf74cb8bda59e51e8e830
Instruction Fuzzy Hash: C9012B313043004BDA14ABA6D494BBEB3ABEFC8305F54442FE90297691DB79A841CB49

Function 004119E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00411A13
fputs.MSVCRT ref: 00411A1C

Strings

= , xrefs: 00411A17

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: fputs
String ID: =
API String ID: 1795875747-2525689732
Opcode ID: 0147c7e87789d73289e91d10756a9f56ae187d6ee00c8b5ffa58ce0ff1850403
Instruction ID: fd7b5fc4074da5f726c61a76c532ff66209f63a2db578f74099ff53049078f53
Opcode Fuzzy Hash: 0147c7e87789d73289e91d10756a9f56ae187d6ee00c8b5ffa58ce0ff1850403
Instruction Fuzzy Hash: F9E06832B001165BDF00A7A9DC048BE3F29EB803407800833E92083240E734D821CBD9

Function 00409589 Relevance: 5.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 0040959F
memcmp.MSVCRT(?,00429298,00000010), ref: 004095B3
memcmp.MSVCRT(?,004293A8,00000010), ref: 004095D1
memcmp.MSVCRT(?,004293C8,00000010), ref: 004095EF

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 80e00aac9ef1727003516d7c20b7c01282fa0a3255e32e4d8766d31eaa877d50
Instruction ID: c938bc79dae6d3baf006416a7562a1e2610761fca94207467e88f97749ed857f
Opcode Fuzzy Hash: 80e00aac9ef1727003516d7c20b7c01282fa0a3255e32e4d8766d31eaa877d50
Instruction Fuzzy Hash: 7111E132740305ABD7048A15EC42FAA33A45B94711F15493AFD45EB3C2E6B9ED10969D

Function 00401C3F Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 00401C55
memcmp.MSVCRT(?,00429598,00000010), ref: 00401C70
memcmp.MSVCRT(?,004295A8,00000010), ref: 00401C84

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 6d1a407f022db9f2e5c143e4d34420cd98d487bfa406f32ca3a087a793df4ed1
Instruction ID: 1bb52f204ec3132851ce200ba376ef9f6e02923974aa5b90121e92a54bb61859
Opcode Fuzzy Hash: 6d1a407f022db9f2e5c143e4d34420cd98d487bfa406f32ca3a087a793df4ed1
Instruction Fuzzy Hash: 0C01E1327803156BE7104A15DC82FBA33A48B54761F54453EFE45FB392E2B8E840969D

Function 0040BDB1 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042BB50,00000010), ref: 0040BDC7
memcmp.MSVCRT(?,004291F8,00000010), ref: 0040BDE2
memcmp.MSVCRT(?,004291D8,00000010), ref: 0040BDF6
memcmp.MSVCRT(?,00429218,00000010), ref: 0040BE0A

Memory Dump Source

Source File: 00000003.00000002.2153346139.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2153201879.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153885828.0000000000429000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154328143.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2154371891.0000000000437000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_99e5df4d8.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 2f98c186718bde587d544e52970a976abc0dd2256160a2195ffc1d90ca2aabb8
Instruction ID: e040212cbf1a7ccb1c558fc37de72ae02c15694fc619d7ee7d70c4cf786e1ef4
Opcode Fuzzy Hash: 2f98c186718bde587d544e52970a976abc0dd2256160a2195ffc1d90ca2aabb8
Instruction Fuzzy Hash: 8F01D63274030666D7100A15EC43FBA73A48B54750F54443EFE84EB382E7B8D410469E

Analysis Process: svaulpzg.exePID: 4052, Parent PID: 4972COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.6%
Total number of Nodes:	142
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF7E3BE1C60 Relevance: 10.6, APIs: 7, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7E3BE1C84
__scrt_release_startup_lock.LIBCMT ref: 00007FF7E3BE1CF2
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BE1D40
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7E3BE1D45
_get_wide_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BE1D4D
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BE1D76
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BE1DCB

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_release_startup_lock_cexit_exit_get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2671446237-0
Opcode ID: ec5abd4061dcf22de5515a52abec68c9ce79071f04010aeef17c3c0f92359f81
Instruction ID: 36709dfd571e424d158ea7202aef160c3c3e7c681a541fbebcec8f29df1a6220
Opcode Fuzzy Hash: ec5abd4061dcf22de5515a52abec68c9ce79071f04010aeef17c3c0f92359f81
Instruction Fuzzy Hash: 91311A21E0920A45EAD4BB6ED4523B9BB919F81344FD44636D58FEB2D3DE7CA4048223

Function 00007FFD944E8560 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944E8603
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944E8614

Strings

ios_base::eofbit set, xrefs: 00007FFD944E85DE
ios_base::failbit set, xrefs: 00007FFD944E85D7
ios_base::badbit set, xrefs: 00007FFD944E85CC

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 3922031971dd58f53ba93548a128d67857b803b0b7c7b7364a86a24539dcf903
Instruction ID: c24567d4aafe53d830d4e55fda2edc2e4dc9b0e8898003c29e6e5a48aaa74abc
Opcode Fuzzy Hash: 3922031971dd58f53ba93548a128d67857b803b0b7c7b7364a86a24539dcf903
Instruction Fuzzy Hash: 0C21B062B0864692EE658B90E5A13BB2360FB527C4F848431E64D47A9BDF7CE1A1C340

Function 00007FF7E3BDF710 Relevance: 7.5, APIs: 5, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE ref: 00007FF7E3BDF718
GetCommandLineW.KERNEL32 ref: 00007FF7E3BDF736
CommandLineToArgvW.SHELL32 ref: 00007FF7E3BDF744
LocalFree.KERNEL32 ref: 00007FF7E3BDF75F
CoUninitialize.COMBASE ref: 00007FF7E3BDF765

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CommandLine$ArgvFreeInitializeLocalUninitialize
String ID:
API String ID: 414636379-0
Opcode ID: 9a8f806c77a32fb40d03d2c5a65f5961ac5affaeb25bfab2df8612784e8540e9
Instruction ID: e8ad6c5c27a1d949ce4e1cb4ab2d98a923517553794d999f1474da11b64dac19
Opcode Fuzzy Hash: 9a8f806c77a32fb40d03d2c5a65f5961ac5affaeb25bfab2df8612784e8540e9
Instruction Fuzzy Hash: 92F06225F1864183DB40BB26E84422AB7A1FF98781FC40136D9CF97718DF3CD0048611

Function 00007FFD944F1860 Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944F1874

Part of subcall function 00007FFD944E4F00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F22
Part of subcall function 00007FFD944E4F00: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F48
Part of subcall function 00007FFD944E4F00: memcpy.VCRUNTIME140(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F60

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944F189E

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: setlocale$freemallocmemcpy
String ID:
API String ID: 1663771476-0
Opcode ID: 8d6757bba07d167be6db75c39264780bdcd379d6cb1bae6446b4cf5204bdf0b0
Instruction ID: 7316087ad570dabda34ed905a74e76759129bc51748e2df3bec3809adc4a598c
Opcode Fuzzy Hash: 8d6757bba07d167be6db75c39264780bdcd379d6cb1bae6446b4cf5204bdf0b0
Instruction Fuzzy Hash: B5F09621B0464292EF6A8FD2E5E40B69352EF45B80B8CC4398A0D4775AFE2CE054C300

Function 00007FFD944E3A64 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFD94515FB0: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD944E3966,?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FFD94515FBF

std::_Facet_Register.LIBCPMT ref: 00007FFD944E3B3F

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Facet_Register_lock_localesstd::_
String ID:
API String ID: 3986400115-0
Opcode ID: 389548114120814b7aa6b6b53f58aa35cad2e99b738acfb6396b45dc8f77983f
Instruction ID: e1e4664c2bb6317c7283056fd1e5da088cb2a169ad95044476eb8960dbf8a57c
Opcode Fuzzy Hash: 389548114120814b7aa6b6b53f58aa35cad2e99b738acfb6396b45dc8f77983f
Instruction Fuzzy Hash: 2331B361B09A4585EA76DBD5E4E027B6361EF46BA0F488131DE0D0739BDFBCE442C700

Function 00007FFDA358F054 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FFDA358CE76,?,?,?,00007FFDA358EF69,?,?,?,?,00007FFDA358E1FC), ref: 00007FFDA358F0A9

Memory Dump Source

Source File: 00000005.00000002.2189862502.00007FFDA3561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3560000, based on PE: true

Associated: 00000005.00000002.2189849486.00007FFDA3560000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189887154.00007FFDA359D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189902000.00007FFDA35A9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AC000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189942387.00007FFDA35B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189955378.00007FFDA35B3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2190056184.00007FFDA373C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda3560000_svaulpzg.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: aa91aeab73d5e836095c1d7a866754a155a1d392816a509f502024a330992be0
Instruction ID: 2d8339afa00e67d5d68616a93cc3b0459d4bb1dd837415b03d7214bc3acf59d1
Opcode Fuzzy Hash: aa91aeab73d5e836095c1d7a866754a155a1d392816a509f502024a330992be0
Instruction Fuzzy Hash: B2F06245F1B2038BFE5756AEA9353B552925F4CB80F8C4436C90FA63D3ED1EE4406259

Non-executed Functions

Function 00007FF7E3BDBC40 Relevance: 58.1, APIs: 26, Strings: 7, Instructions: 308
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF7E3BDBC99
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF7E3BDBCED
RegCloseKey.ADVAPI32 ref: 00007FF7E3BDBCFC

Strings

Software\Nico Mak Computing\Common\ZipSend\AppId, xrefs: 00007FF7E3BDBC8B, 00007FF7E3BDBFC9
Software\Nico Mak Computing\Common\ZipSend, xrefs: 00007FF7E3BDBEF4
/REGSERVER, xrefs: 00007FF7E3BDBFFA
AppId, xrefs: 00007FF7E3BDBFE6
Advapi32.dll, xrefs: 00007FF7E3BDBF96
RegDeleteKeyExW, xrefs: 00007FF7E3BDBFAB
/UNREGSERVER, xrefs: 00007FF7E3BDBEBA

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CloseInfoOpenQuery
String ID: /REGSERVER$/UNREGSERVER$Advapi32.dll$AppId$RegDeleteKeyExW$Software\Nico Mak Computing\Common\ZipSend$Software\Nico Mak Computing\Common\ZipSend\AppId
API String ID: 2142960691-1184628555
Opcode ID: a79cefbbe6a3561b31b1dfadd2e3866cd81819ca879f3cc7d5dc76d7e8797abf
Instruction ID: 22e4b9861cb61011259cd95350eb51ee3fd27ffb78b655769bf06d56c903246f
Opcode Fuzzy Hash: a79cefbbe6a3561b31b1dfadd2e3866cd81819ca879f3cc7d5dc76d7e8797abf
Instruction Fuzzy Hash: C7D17336B08B4586EB90EF26E4503AABBA0FB84784F844136DA8F97758DF3CD545CB11

Function 00007FF7E3BDF400 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 176registryCOMMON

Download Yara Rule

APIs

_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BDF444
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BDF463
GetModuleFileNameW.KERNEL32 ref: 00007FF7E3BDF47E
LoadTypeLibEx.OLEAUT32 ref: 00007FF7E3BDF493
UnRegisterTypeLib.OLEAUT32 ref: 00007FF7E3BDF4DB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BDF51B
UnRegisterTypeLib.OLEAUT32 ref: 00007FF7E3BDF546
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BDF55B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BDF587
GetModuleFileNameW.KERNEL32 ref: 00007FF7E3BDF5C1
RegCreateKeyExW.ADVAPI32 ref: 00007FF7E3BDF611
RegSetValueExW.ADVAPI32 ref: 00007FF7E3BDF645
RegCloseKey.ADVAPI32 ref: 00007FF7E3BDF652
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BDF681
RegOpenKeyExW.ADVAPI32 ref: 00007FF7E3BDF6C5
RegDeleteValueW.ADVAPI32 ref: 00007FF7E3BDF6DC
RegCloseKey.ADVAPI32 ref: 00007FF7E3BDF6E9

Part of subcall function 00007FF7E3BDF160: InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDF1BC
Part of subcall function 00007FF7E3BDF160: InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDF213
Part of subcall function 00007FF7E3BDF160: InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDF21D
Part of subcall function 00007FF7E3BDF160: CoRegisterClassObject.OLE32 ref: 00007FF7E3BDF2F2
Part of subcall function 00007FF7E3BDF160: GetMessageW.USER32 ref: 00007FF7E3BDF335
Part of subcall function 00007FF7E3BDF160: WaitForSingleObject.KERNEL32 ref: 00007FF7E3BDF349
Part of subcall function 00007FF7E3BDF160: TranslateMessage.USER32 ref: 00007FF7E3BDF358

Strings

Software\Nico Mak Computing\Common\ZipSend\AppId, xrefs: 00007FF7E3BDF603, 00007FF7E3BDF6B7
/UNREGAPP, xrefs: 00007FF7E3BDF676
/REGAPP, xrefs: 00007FF7E3BDF57C
/REGSERVER, xrefs: 00007FF7E3BDF458
/REPAIR, xrefs: 00007FF7E3BDF550
-Embedding, xrefs: 00007FF7E3BDF439
/UNREGSERVER, xrefs: 00007FF7E3BDF510

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _wcsicmp$CriticalInitializeRegisterSectionType$CloseFileMessageModuleNameObjectValue$ClassCreateDeleteLoadOpenSingleTranslateWait
String ID: -Embedding$/REGAPP$/REGSERVER$/REPAIR$/UNREGAPP$/UNREGSERVER$Software\Nico Mak Computing\Common\ZipSend\AppId
API String ID: 2880039950-3586265033
Opcode ID: 234d11face9fdba306429f545c22b24f333ecc2bed0f17e943854f28972a5889
Instruction ID: 1c3aff724cb304356b44c020f2f9d40836fb000d0da74b2fb635169348b1d9df
Opcode Fuzzy Hash: 234d11face9fdba306429f545c22b24f333ecc2bed0f17e943854f28972a5889
Instruction Fuzzy Hash: CA818231A0C64682EBA0AB26E85437ABB61FF84748FC04133D9CF97665DF7CE5458722

Function 00007FF7E3BDF160 Relevance: 16.6, APIs: 11, Instructions: 143windowsynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDF1BC

Part of subcall function 00007FF7E3BDFB80: CreateMutexW.KERNEL32 ref: 00007FF7E3BDFB91
Part of subcall function 00007FF7E3BDFB80: WaitForSingleObject.KERNEL32 ref: 00007FF7E3BDFBA2
Part of subcall function 00007FF7E3BDFB80: CreateWzExtensionsManager.WXFMANAGER64 ref: 00007FF7E3BDFBB2
Part of subcall function 00007FF7E3BDFB80: RegOpenKeyExW.ADVAPI32 ref: 00007FF7E3BDFBE0
Part of subcall function 00007FF7E3BDFB80: RegCloseKey.ADVAPI32 ref: 00007FF7E3BDFBEF
Part of subcall function 00007FF7E3BDFB80: Init.WXFMANAGER64 ref: 00007FF7E3BDFC13
Part of subcall function 00007FF7E3BDFB80: ReleaseMutex.KERNEL32 ref: 00007FF7E3BDFC1C
Part of subcall function 00007FF7E3BDFB80: CloseHandle.KERNEL32 ref: 00007FF7E3BDFC25

Part of subcall function 00007FF7E3BDA060: RegOpenKeyExW.ADVAPI32 ref: 00007FF7E3BDA09F
Part of subcall function 00007FF7E3BDA060: RegQueryValueExW.ADVAPI32 ref: 00007FF7E3BDA0D4
Part of subcall function 00007FF7E3BDA060: RegQueryValueExW.ADVAPI32 ref: 00007FF7E3BDA135
Part of subcall function 00007FF7E3BDA060: RegCloseKey.ADVAPI32 ref: 00007FF7E3BDA15A

Part of subcall function 00007FF7E3BE14EC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7E3BE1531,?,?,?,?,00007FF7E3BDC2D3), ref: 00007FF7E3BE1506

InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDF213
InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDF21D
CreateEventW.KERNEL32 ref: 00007FF7E3BDF252

Part of subcall function 00007FF7E3BE01A0: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF7E3BD3CE8,?,?,?,?,?,?,?), ref: 00007FF7E3BE01BB
Part of subcall function 00007FF7E3BE01A0: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00007FF7E3BD3CE8,?,?,?,?,?,?,?), ref: 00007FF7E3BE01C5
Part of subcall function 00007FF7E3BE01A0: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00007FF7E3BD3CE8,?,?,?,?,?,?,?), ref: 00007FF7E3BE01D2

CoRegisterClassObject.OLE32 ref: 00007FF7E3BDF2F2
GetMessageW.USER32 ref: 00007FF7E3BDF335
WaitForSingleObject.KERNEL32 ref: 00007FF7E3BDF349
TranslateMessage.USER32 ref: 00007FF7E3BDF358
DispatchMessageW.USER32 ref: 00007FF7E3BDF363
GetMessageW.USER32 ref: 00007FF7E3BDF376
CoRevokeClassObject.OLE32 ref: 00007FF7E3BDF387

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$CloseMessageObject$CreateInitialize$ClassDeleteHandleMutexOpenQuerySingleValueWait$DispatchEventExtensionsInitManagerRegisterReleaseRevokeTranslatemalloc
String ID:
API String ID: 3066366108-0
Opcode ID: edd9724d60c9597930c83f56b2443394b2aaec184fea2a6d385fe4db12993e6e
Instruction ID: 58ec471028439eb16930095f534c43acdb3c4438716bd614dc224b234f97b90f
Opcode Fuzzy Hash: edd9724d60c9597930c83f56b2443394b2aaec184fea2a6d385fe4db12993e6e
Instruction Fuzzy Hash: C361C132A18B4681E790AB25F8503A9B7A4FF94B44FC55236DACF96A90DF3CD544C322

Function 00007FFD94518BF8 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFD94518C7A
memchr.VCRUNTIME140 ref: 00007FFD94518CC5
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD94518CE0
memchr.VCRUNTIME140 ref: 00007FFD94518D1B
memchr.VCRUNTIME140 ref: 00007FFD94518D63
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94518E7E
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94518EA6

Strings

0123456789abcdefABCDEF, xrefs: 00007FFD94518C67, 00007FFD94518C8A, 00007FFD94518CD4, 00007FFD94518D28
0, xrefs: 00007FFD94518D0A

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: memchr$isdigit$localeconv
String ID: 0$0123456789abcdefABCDEF
API String ID: 1981154758-1185640306
Opcode ID: 80342a31f141c027b757a1df577f888472fcb55c472049e43c220dbff44cdccc
Instruction ID: 538bcc281306c4b8f17fcf136a77c30b27de204eee11efcd80487e2cf7fd924a
Opcode Fuzzy Hash: 80342a31f141c027b757a1df577f888472fcb55c472049e43c220dbff44cdccc
Instruction Fuzzy Hash: D9914862B0869646E7B38B90D8B02797B91FB4AB48F48D135DE8E47756DF3CE805C740

Function 00007FFD94517F58 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

APIs

isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94517FCF
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94518009
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9451801C
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451804D
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94518087
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94518188
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD945181B0

Strings

0, xrefs: 00007FFD94517FFC
0, xrefs: 00007FFD94518045

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: isdigit$localeconv
String ID: 0$0
API String ID: 3674116420-203156872
Opcode ID: 7eba96e480bafa463126f689b5a476f39e0a1d844de0d60ee0b45b193ba35ca2
Instruction ID: d54371d8fbf2070d709da320264752f2ab509804cc657a4bb3c51be055f3ef9d
Opcode Fuzzy Hash: 7eba96e480bafa463126f689b5a476f39e0a1d844de0d60ee0b45b193ba35ca2
Instruction Fuzzy Hash: 64813D73B0858647E7724FA498B03BA7BE1BB96748F08D034DE8947256DB3CE945D700

Function 00007FFD9451A018 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A08C
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A0B9
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9451A0C3
btowc.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD9451A0CF
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A100
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A12E
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A242
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A26B

Strings

0, xrefs: 00007FFD9451A0F7

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: iswdigit$btowclocaleconv
String ID: 0
API String ID: 240710166-4108050209
Opcode ID: fd26330687f291c5d946141a090314486050d5e6ebaa0dffc5a722ab78f63222
Instruction ID: 92a2deb85becaa8cc0bab773e782b9c0cbac3afbef3e618169b9079a5be2c140
Opcode Fuzzy Hash: fd26330687f291c5d946141a090314486050d5e6ebaa0dffc5a722ab78f63222
Instruction Fuzzy Hash: 43812A72B0854686E7B79FA5D8A02BA73A1FF95B45F049231DE8A46192DF3CED45C300

Function 00007FF7E3BE20F0 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7E3BE210C
memset.VCRUNTIME140 ref: 00007FF7E3BE2130
RtlCaptureContext.KERNEL32 ref: 00007FF7E3BE2139
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E3BE2153
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E3BE2194
memset.VCRUNTIME140 ref: 00007FF7E3BE21C7
IsDebuggerPresent.KERNEL32 ref: 00007FF7E3BE21E8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7E3BE2205
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7E3BE2210

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: ef183cbf577813a1a620a35d3f0e2e4c95b00fe437db806ec9235f47f82a2b15
Instruction ID: 821a3f3e19b363150739cdb0831e9c841e71ba766210959166b8982b2971ad30
Opcode Fuzzy Hash: ef183cbf577813a1a620a35d3f0e2e4c95b00fe437db806ec9235f47f82a2b15
Instruction Fuzzy Hash: 4C316476704B8585EBA0AF66E8403ED7B60FB44704F84413ADA8E9B794DF3CC548C711

Function 00007FFD9451A718 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9451A7B6
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A99E
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451A9C7

Strings

0, xrefs: 00007FFD9451A7E0
0, xrefs: 00007FFD9451A780
0, xrefs: 00007FFD9451A7D0
0123456789abcdefABCDEF, xrefs: 00007FFD9451A789, 00007FFD9451A7E6

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: iswdigit$localeconv
String ID: 0$0$0$0123456789abcdefABCDEF
API String ID: 2634821343-4215698122
Opcode ID: 5017de796c2376dee23f9bf8171388842aa81307c3636573ac8da977c0875b13
Instruction ID: 8d3490fcf76f25b9fa079533da14916922e275bd38157e8e8677dd709b6f372a
Opcode Fuzzy Hash: 5017de796c2376dee23f9bf8171388842aa81307c3636573ac8da977c0875b13
Instruction Fuzzy Hash: FE810C62F0819686EBB75BE4D8A067976A0FB49B44F05D231DE8947786EB3CED81C340

Function 00007FF7E3BD23C0 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

__RTDynamicCast.VCRUNTIME140(?,?,?,?,0000000100000000,?,?,?), ref: 00007FF7E3BD244A
memcpy.VCRUNTIME140(?,?,?,?,0000000100000000,?,?,?), ref: 00007FF7E3BD2461

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CastDynamicmemcpy
String ID:
API String ID: 4110239763-0
Opcode ID: a71736c638eb58bc321c3975b81aae3ac09700c9d8e2de536e11ea61703a745b
Instruction ID: 1f046e597a49f0efa982ad7f362103afa2ba21727babdf30cb0c3793e5afd8a4
Opcode Fuzzy Hash: a71736c638eb58bc321c3975b81aae3ac09700c9d8e2de536e11ea61703a745b
Instruction Fuzzy Hash: 3A91D172A08B8585E750EB26E84039EBBB4FB88B88F804132EE8E57B55DF3CD555C711

Function 00007FFD944EA3A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FFD944EA446
FindClose.KERNEL32 ref: 00007FFD944EA4A7
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944EA562
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944EA587

Strings

., xrefs: 00007FFD944EA465

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Find$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
String ID: .
API String ID: 1484651601-248832578
Opcode ID: 79aeddcc7cdf35ead3b018189b5d5a46bf5efa5be6d1b8723a80d4c44f1814be
Instruction ID: 4ff37fe1bf00dea3e244938ad3b1666c97f98b80e7061b37f3e604f8bebae65b
Opcode Fuzzy Hash: 79aeddcc7cdf35ead3b018189b5d5a46bf5efa5be6d1b8723a80d4c44f1814be
Instruction Fuzzy Hash: A951E862B1864185EA70DBA5E4A537F6360FB867A0F409331EA7E166DADFBCD480C700

Function 00007FF7E3BDB970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF7E3BDB9B2
GetModuleFileNameW.KERNEL32 ref: 00007FF7E3BDB9CD

Strings

REGISTRY, xrefs: 00007FF7E3BDB9F5
MODULE, xrefs: 00007FF7E3BDB9E0

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CreateFileInstanceModuleName
String ID: MODULE$REGISTRY
API String ID: 2726553136-981620220
Opcode ID: 6b8004f2ee8dfa7b600045a1ffaa58c294321d90986e8fdd59d76948e1a97889
Instruction ID: 32d5859874ad5ef366282651e3becdc512c276f90b9389eba5f7e060719f9c09
Opcode Fuzzy Hash: 6b8004f2ee8dfa7b600045a1ffaa58c294321d90986e8fdd59d76948e1a97889
Instruction Fuzzy Hash: 21212122718A4A82EB90DB2AE45436ABB70FB84B84FC15133DA8F97755DE3DD508C711

Function 00007FF7E3BE24C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7E3BE2521
IsDebuggerPresent.KERNEL32 ref: 00007FF7E3BE2539
OutputDebugStringW.KERNEL32 ref: 00007FF7E3BE254A

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7E3BE2543

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 61e457aee29548682dd6cad434e7485474c69e4d2668bfedc6d7b3c81a43c635
Instruction ID: 8a1308de2af64a24f3d8ec1b35184b880c871089da2c4cef1e72aeb56e05f81c
Opcode Fuzzy Hash: 61e457aee29548682dd6cad434e7485474c69e4d2668bfedc6d7b3c81a43c635
Instruction Fuzzy Hash: EB118232A14B4596EB84AB2BD65037977A4FF04301F80423AC68E97A50EF7CE064C722

Function 00007FFD944F207C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FFD944F20A2
FormatMessageA.KERNEL32 ref: 00007FFD944F20D5

Strings

!x-sys-default-locale, xrefs: 00007FFD944F2095

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 54718cadd4bdb1b305c9a9b90ae8675dfddda27c22b0e41b56190c434a35652b
Instruction ID: 07c81b5c0202ca2b71863e526f8347f415adcd0d05749da0008080b06f08707a
Opcode Fuzzy Hash: 54718cadd4bdb1b305c9a9b90ae8675dfddda27c22b0e41b56190c434a35652b
Instruction Fuzzy Hash: A201D672B08B8182E7768B91F5B077A67A1FB8A794F44C035DA4946B9ACF7DD501CB00

Function 00007FFD944EA880 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFD944EA96A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944EA9D4

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2170103895-0
Opcode ID: f0b5db2a13a97756e3b9d7573d921f61e74b285c7bddbdc73987eb0850326121
Instruction ID: 92f32303b01cebdae89838fb9ba4d4874ed787f39b62c5b4117924ad706ca59c
Opcode Fuzzy Hash: f0b5db2a13a97756e3b9d7573d921f61e74b285c7bddbdc73987eb0850326121
Instruction Fuzzy Hash: A4416D62F00B4188FB10CBE5D4A02AE27B1F759BA8F559625CE5E23A9DDF789095C340

Function 00007FFD9450D830 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFD94511333), ref: 00007FFD9450D834
GetLocaleInfoEx.KERNEL32 ref: 00007FFD9450D857

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: InfoLocale___lc_locale_name_func
String ID:
API String ID: 3366915261-0
Opcode ID: 1df46b44e570eacb70458f3e3d459a2b441d0bc39d25a1c4aabdfadd61c49cb4
Instruction ID: 7e7db46725692ce1bead8cd983e473614b9c11a00d22c34c764bb051e44a8600
Opcode Fuzzy Hash: 1df46b44e570eacb70458f3e3d459a2b441d0bc39d25a1c4aabdfadd61c49cb4
Instruction Fuzzy Hash: C2F03A6AF3D14282E6FE4AD894F47781360EF46700F808535E50F5269ACE1CE849C741

Function 00007FF7E3BE22D0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbba7fb9e0e50eda0c8ee338e6b29b5ab33eae1f617f09dbd9ba1ac74871385
Instruction ID: 97b88f3c63a57a6e85d79641c4600d9942b87b0235b0ffed47b7a54fd667c2ab
Opcode Fuzzy Hash: ebbba7fb9e0e50eda0c8ee338e6b29b5ab33eae1f617f09dbd9ba1ac74871385
Instruction Fuzzy Hash: 2CA00125E0880AE0EA85AB0AA850220BB24AB64340B810232D08EA90A09E7CA5419226

Function 00007FFDA4337B88 Relevance: 58.1, APIs: 4, Strings: 29, Instructions: 382
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA43380ED
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4338125
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433815F

Strings

short, xrefs: 00007FFDA4337C51
float, xrefs: 00007FFDA4337CE5
decltype(auto), xrefs: 00007FFDA4337FD3
wchar_t, xrefs: 00007FFDA433801A
<unknown>, xrefs: 00007FFDA4337E9E
const, xrefs: 00007FFDA4337F5D
volatile, xrefs: 00007FFDA4337FA2
__int16, xrefs: 00007FFDA4337D97
double, xrefs: 00007FFDA4337CB9
auto, xrefs: 00007FFDA4337EBF
__int8, xrefs: 00007FFDA4337DA9
char16_t, xrefs: 00007FFDA4337E8C
char, xrefs: 00007FFDA4337C63
this , xrefs: 00007FFDA433803E
__w64 , xrefs: 00007FFDA4337DD0
char8_t, xrefs: 00007FFDA4337EAD
long, xrefs: 00007FFDA4337C2D
__int128, xrefs: 00007FFDA4337E24
__int64, xrefs: 00007FFDA4337E33
int, xrefs: 00007FFDA4337C3F
long , xrefs: 00007FFDA4337CA2
signed , xrefs: 00007FFDA43380BD
char32_t, xrefs: 00007FFDA4338076
UNKNOWN, xrefs: 00007FFDA4337FFF
void, xrefs: 00007FFDA4337CF7
bool, xrefs: 00007FFDA4337E54
volatile, xrefs: 00007FFDA4337F78
__int32, xrefs: 00007FFDA4337E42
unsigned , xrefs: 00007FFDA43380AD

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1482988683
Opcode ID: 48bfad7f18ff3c061c92d68e79d849bf1ef7807b8258b4cd0edd992179487da2
Instruction ID: 136947d567f3901e8c0558df077be3ba51226e11f1ebeb9f37156a0d6fe205a2
Opcode Fuzzy Hash: 48bfad7f18ff3c061c92d68e79d849bf1ef7807b8258b4cd0edd992179487da2
Instruction Fuzzy Hash: 71027F72F9AE1298FB18AB64C8F42BC27A0BB06744F504535DA0D16BBADF7DB544C348

Function 00007FF7E3BD9540 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 178windowthreadmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 00007FF7E3BD9594
MessageBoxA.USER32 ref: 00007FF7E3BD95EC
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD959C

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 00007FF7E3BD95F9
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD9601
MessageBoxA.USER32 ref: 00007FF7E3BD9651
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 00007FF7E3BD965C
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD9664
MessageBoxA.USER32 ref: 00007FF7E3BD96B4
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 00007FF7E3BD96C1
SysAllocString.OLEAUT32 ref: 00007FF7E3BD9718
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 00007FF7E3BD972C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00000000), ref: 00007FF7E3BD97FA

Strings

D:\a\Courier\Courier\ZipSendService\ZipSendService\GlobalUploadQueue.cpp, xrefs: 00007FF7E3BD811B, 00007FF7E3BD8471, 00007FF7E3BD88AF, 00007FF7E3BD8A46, 00007FF7E3BD8CF6, 00007FF7E3BD8FD6, 00007FF7E3BD92C6, 00007FF7E3BD9586
!key.empty(), xrefs: 00007FF7E3BD8194, 00007FF7E3BD8AD4, 00007FF7E3BD8D84, 00007FF7E3BD9064, 00007FF7E3BD9354, 00007FF7E3BD9614
option != nullptr, xrefs: 00007FF7E3BD93B7
result != nullptr, xrefs: 00007FF7E3BD88BB, 00007FF7E3BD8DE7
!appid.empty(), xrefs: 00007FF7E3BD8135, 00007FF7E3BD849A, 00007FF7E3BD8A6F, 00007FF7E3BD8D1F, 00007FF7E3BD8FFF, 00007FF7E3BD92EF, 00007FF7E3BD95AF
Assert Error, xrefs: 00007FF7E3BD816B, 00007FF7E3BD81CA, 00007FF7E3BD84C2, 00007FF7E3BD851D, 00007FF7E3BD8578, 00007FF7E3BD85D3, 00007FF7E3BD88E3, 00007FF7E3BD8A9B, 00007FF7E3BD8B00, 00007FF7E3BD8B63, 00007FF7E3BD8D4B, 00007FF7E3BD8DB0, 00007FF7E3BD8E13, 00007FF7E3BD902B, 00007FF7E3BD9090, 00007FF7E3BD90F3, 00007FF7E3BD931B, 00007FF7E3BD9380, 00007FF7E3BD93E3, 00007FF7E3BD95DB, 00007FF7E3BD9640, 00007FF7E3BD96A3
status != nullptr, xrefs: 00007FF7E3BD8550, 00007FF7E3BD8B37
errorDesc != nullptr, xrefs: 00007FF7E3BD9677
filename != nullptr, xrefs: 00007FF7E3BD90C7
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BD8149, 00007FF7E3BD81A8, 00007FF7E3BD84AC, 00007FF7E3BD8507, 00007FF7E3BD8562, 00007FF7E3BD85BD, 00007FF7E3BD88CD, 00007FF7E3BD8A81, 00007FF7E3BD8AE6, 00007FF7E3BD8B49, 00007FF7E3BD8D31, 00007FF7E3BD8D96, 00007FF7E3BD8DF9, 00007FF7E3BD9011, 00007FF7E3BD9076, 00007FF7E3BD90D9, 00007FF7E3BD9301, 00007FF7E3BD9366, 00007FF7E3BD93C9, 00007FF7E3BD95C1, 00007FF7E3BD9626, 00007FF7E3BD9689
results != nullptr, xrefs: 00007FF7E3BD85AB
keys != nullptr, xrefs: 00007FF7E3BD84F5

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$MessageProcessThread$CriticalSection$AllocEnterLeaveString__stdio_common_vsprintf_s_invalid_parameter_noinfo_noreturn
String ID: !appid.empty()$!key.empty()$Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\GlobalUploadQueue.cpp$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$errorDesc != nullptr$filename != nullptr$keys != nullptr$option != nullptr$result != nullptr$results != nullptr$status != nullptr
API String ID: 1368387527-3554853540
Opcode ID: f48d30e5b353a16eb4cd060553c7ad3274f9474d83a072f1c0084df61406bdfc
Instruction ID: dabd10a6a49ccf363588b66c506499466cfd9c4ef596a8e117284386c7c9f58e
Opcode Fuzzy Hash: f48d30e5b353a16eb4cd060553c7ad3274f9474d83a072f1c0084df61406bdfc
Instruction Fuzzy Hash: 16717171B08B8995EAA0AF2AF4543AABB60FB44784FC00136DACF97654DF7CD544C312

Function 00007FF7E3BD71B0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 284windowthreadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7221
MessageBoxA.USER32 ref: 00007FF7E3BD7273
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD7229

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7280
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD7288
MessageBoxA.USER32 ref: 00007FF7E3BD72D2
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD72DD
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD72E5
MessageBoxA.USER32 ref: 00007FF7E3BD732F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD73FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7401
EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD7423
SetEvent.KERNEL32(?,?,?,?,?,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7505
Deinit.WXFMANAGER64(?,?,?,?,?,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7548
DeleteWzExtensionsManager.WXFMANAGER64(?,?,?,?,?,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7555
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD755F
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD7569
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD7607

Strings

D:\a\Courier\Courier\ZipSendService\ZipSendService\GlobalUploadQueue.cpp, xrefs: 00007FF7E3BD7213
!key.empty(), xrefs: 00007FF7E3BD729B
!appid.empty(), xrefs: 00007FF7E3BD723C
Assert Error, xrefs: 00007FF7E3BD7265, 00007FF7E3BD72C4, 00007FF7E3BD7321
task != nullptr, xrefs: 00007FF7E3BD72F8
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BD724E, 00007FF7E3BD72AD, 00007FF7E3BD730A

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$CriticalMessageProcessSectionThread_invalid_parameter_noinfo_noreturn$Delete$DeinitEnterEventExtensionsLeaveManager__stdio_common_vsprintf_s
String ID: !appid.empty()$!key.empty()$Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\GlobalUploadQueue.cpp$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$task != nullptr
API String ID: 3459848528-618188071
Opcode ID: 8999bedaa8aaab2f1b8e02414bb1be42c70c5f777a03f97c457e45901fb7406f
Instruction ID: 706a12bd988c4989649f76f65022201ea8f658956f9f2931cf109dae1dc39911
Opcode Fuzzy Hash: 8999bedaa8aaab2f1b8e02414bb1be42c70c5f777a03f97c457e45901fb7406f
Instruction Fuzzy Hash: 34C19532A18B4582EAA0AF26F4543A9BB60FB44794FC04237DACF57A94DF3DE544C712

Function 00007FF7E3BD9C50 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 261registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00000000,00007FF7E3BD7A4F), ref: 00007FF7E3BD9C73
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00000000,00007FF7E3BD7A4F), ref: 00007FF7E3BD9D27
memmove.VCRUNTIME140(?,?,?,?,?,00000000,?,00000000,?,00000000,00007FF7E3BD7A4F), ref: 00007FF7E3BD9D95
memmove.VCRUNTIME140(?,?,?,?,?,00000000,?,00000000,?,00000000,00007FF7E3BD7A4F), ref: 00007FF7E3BD9DE6
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00000000,00007FF7E3BD7A4F), ref: 00007FF7E3BD9E54
RegCreateKeyExW.ADVAPI32 ref: 00007FF7E3BD9F87
RegSetValueExW.ADVAPI32 ref: 00007FF7E3BD9FB7
RegCloseKey.ADVAPI32 ref: 00007FF7E3BD9FC7
GetLastError.KERNEL32 ref: 00007FF7E3BD9FD1

Part of subcall function 00007FF7E3BE0DB0: GetCurrentProcessId.KERNEL32(00000000,00000000,?,00007FF7E3BD9C00), ref: 00007FF7E3BE0DEE
Part of subcall function 00007FF7E3BE0DB0: GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BE0DF6
Part of subcall function 00007FF7E3BE0DB0: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FF7E3BD9C00), ref: 00007FF7E3BE0E27
Part of subcall function 00007FF7E3BE0DB0: OutputDebugStringA.KERNEL32(?,00007FF7E3BD9C00), ref: 00007FF7E3BE0E59

GetLastError.KERNEL32 ref: 00007FF7E3BD9FE5

Part of subcall function 00007FF7E3BE0CF0: GetCurrentProcessId.KERNEL32(00000000,?,00007FF7E3BD9C0F), ref: 00007FF7E3BE0D2D
Part of subcall function 00007FF7E3BE0CF0: GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BE0D35
Part of subcall function 00007FF7E3BE0CF0: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FF7E3BD9C0F), ref: 00007FF7E3BE0D7B
Part of subcall function 00007FF7E3BE0CF0: MessageBoxA.USER32 ref: 00007FF7E3BE0D90

Strings

false, xrefs: 00007FF7E3BD9E70
No enough memory when Write Task Queue, xrefs: 00007FF7E3BD9EEC
Software\Nico Mak Computing\Common\ZipSend, xrefs: 00007FF7E3BD9F79
Write Task Queue Step 1 Fail, xrefs: 00007FF7E3BD9EF5, 00007FF7E3BD9F01
Write Registry failed %08x, xrefs: 00007FF7E3BD9FD9, 00007FF7E3BD9FED
Write Task Queue Step 2 Fail, xrefs: 00007FF7E3BD9F30
No enough memory when prepare for Write Task Queue, xrefs: 00007FF7E3BD9D0C, 00007FF7E3BD9D18
Queue, xrefs: 00007FF7E3BD9FA8
D:\a\Courier\Courier\ZipSendService\Utils\Serialize.h, xrefs: 00007FF7E3BD9E69

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$CriticalSection$ErrorLastLeaveProcessThread__stdio_common_vsprintf_smemmove$CloseCreateDebugEnterMessageOutputStringValue
String ID: D:\a\Courier\Courier\ZipSendService\Utils\Serialize.h$No enough memory when Write Task Queue$No enough memory when prepare for Write Task Queue$Queue$Software\Nico Mak Computing\Common\ZipSend$Write Registry failed %08x$Write Task Queue Step 1 Fail$Write Task Queue Step 2 Fail$false
API String ID: 1692961011-2236933153
Opcode ID: 739d04aa620992f2d4f4bff2e8a8c46c15cdabce62537b207310b718f14a91ba
Instruction ID: 13f8f4f7eceda950947c304427118627dbde45fb66974e010eaf8c40c6ffd1f7
Opcode Fuzzy Hash: 739d04aa620992f2d4f4bff2e8a8c46c15cdabce62537b207310b718f14a91ba
Instruction Fuzzy Hash: 60B18226B0864A81EAA0AF16E5403A9BB51FF45B90FC44233CA9F67795DF3CE545C322

Function 00007FFDA433B47C Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B50D
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B546
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B61A
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B62B
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B68E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B69E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B6EA
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B6FC
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B871

Part of subcall function 00007FFDA433D480: Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA433D4DA

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B8F3
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B902

Strings

`anonymous namespace', xrefs: 00007FFDA433B7CE

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: 4d6a53c72438a8ea40c1e6d7c2b24d169bbac4952f94ac9fbbbf341f1eafdc4b
Instruction ID: d8b2481b5dc2f9ab1c63deef82c9769bd398d9be48ee641c17f4ff969daab225
Opcode Fuzzy Hash: 4d6a53c72438a8ea40c1e6d7c2b24d169bbac4952f94ac9fbbbf341f1eafdc4b
Instruction Fuzzy Hash: 37E12672A4AF8299EB20AF25D4E01AC77A0FB46789F408135EA4D17BB6DF3CE554C704

Function 00007FF7E3BDD790 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 121threadwindowCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FF7E3BDD7C4
EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDD7CF
GetCurrentProcessId.KERNEL32 ref: 00007FF7E3BDD7DC
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BDD7E4

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BDD835
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDD861
EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDD890
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDD8DF
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDD8EF
DeleteCriticalSection.KERNEL32 ref: 00007FF7E3BDD91A
CoUninitialize.OLE32 ref: 00007FF7E3BDD932

Strings

D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadEventDispatcher.h, xrefs: 00007FF7E3BDD7F2
Assert Error, xrefs: 00007FF7E3BDD827
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BDD810
S, xrefs: 00007FF7E3BDD7EA
!commands_.empty(), xrefs: 00007FF7E3BDD7FE

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$Leave$CurrentEnter$DeleteInitializeMessageProcessThreadUninitialize__stdio_common_vsprintf_s
String ID: !commands_.empty()$Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadEventDispatcher.h$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$S
API String ID: 83914183-2615395679
Opcode ID: b13968904d6309a2723b6f6a05d243e36fd4b864acde68270730b44ec8e438bc
Instruction ID: cefd33572f56d315d15b766dcb9c26ed8851507b7bd8281601e326aa18da3ad7
Opcode Fuzzy Hash: b13968904d6309a2723b6f6a05d243e36fd4b864acde68270730b44ec8e438bc
Instruction Fuzzy Hash: 89519136A14A4582DB54EF2AE4543697BA1FB84F94F804236CD8FA7354DF3DD441C311

Function 00007FF7E3BD9A20 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 129registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,00000000,00000000), ref: 00007FF7E3BD9A32
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,00000000,00000000,?,00000000), ref: 00007FF7E3BD9A59
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,00000000,00000000,?,00000000), ref: 00007FF7E3BD9A69
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF7E3BD9AD0
RegCloseKey.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,00000000,00000000,?,00000000), ref: 00007FF7E3BD9ADF
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,00000000,00000000,?,00000000), ref: 00007FF7E3BD9AE9

Strings

Create UploadQueue %S failed, xrefs: 00007FF7E3BD9BF4, 00007FF7E3BD9C03
Software\Nico Mak Computing\Common\ZipSend\AppId, xrefs: 00007FF7E3BD9A4B

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$Leave$CloseEnterInfoOpenQuery
String ID: Create UploadQueue %S failed$Software\Nico Mak Computing\Common\ZipSend\AppId
API String ID: 2639298367-1457088679
Opcode ID: e4b1de9ad63966c568374af1339d70bfb53778290a5ca6c8a3a5e1c3b8e0435d
Instruction ID: bf9fbc57f11bf1bc910b668323a8a34046f08f6753514e567d8035a0715aca68
Opcode Fuzzy Hash: e4b1de9ad63966c568374af1339d70bfb53778290a5ca6c8a3a5e1c3b8e0435d
Instruction Fuzzy Hash: CF513432A08B8682EBA0EF25F45036AB7A4FB85755F800132DACF67A58DF3CD585C711

Function 00007FFDA433C2E4 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFDA43377BC), ref: 00007FFDA433C74A
DName::DName.LIBVCRUNTIME ref: 00007FFDA433C789
swprintf_s.PGOCR ref: 00007FFDA433C7A9
DName::DName.LIBVCRUNTIME ref: 00007FFDA433C7B9
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433C809

Strings

`generic-class-parameter-, xrefs: 00007FFDA433C81A
`template-type-parameter-, xrefs: 00007FFDA433C82A
NULL, xrefs: 00007FFDA433C3B1
`generic-method-parameter-, xrefs: 00007FFDA433C7D6
nullptr, xrefs: 00007FFDA433C4CD
lambda, xrefs: 00007FFDA433C6A8

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 1337080a8712cf2b186886f982200b7f95fea8318008cd2a99218dd623351aeb
Instruction ID: 7d003193e4f03c4abafa44dda8cbadd478aec8af7c90b647fe6adf4120b496eb
Opcode Fuzzy Hash: 1337080a8712cf2b186886f982200b7f95fea8318008cd2a99218dd623351aeb
Instruction Fuzzy Hash: 05F14A23F8AE1284FA15BB7585F81FC27A1AF47744F540136CA0E66BB7DE2CB544A348

Function 00007FF7E3BDE030 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 69threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00007FF7E3BD4D19), ref: 00007FF7E3BDE069
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BDE071

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BDE0C2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00007FF7E3BD4D19), ref: 00007FF7E3BDE109
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00007FF7E3BD4D19), ref: 00007FF7E3BDE113
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00007FF7E3BD4D19), ref: 00007FF7E3BDE11D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00007FF7E3BD4D19), ref: 00007FF7E3BDE127
DeleteCriticalSection.KERNEL32(?,00007FF7E3BD4D19), ref: 00007FF7E3BDE13E

Strings

*, xrefs: 00007FF7E3BDE07E
D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadTask.cpp, xrefs: 00007FF7E3BDE077
task_ == nullptr, xrefs: 00007FF7E3BDE092
Assert Error, xrefs: 00007FF7E3BDE0B4
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BDE08B

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: free$Current$CriticalDeleteMessageProcessSectionThread__stdio_common_vsprintf_s
String ID: *$Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadTask.cpp$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$task_ == nullptr
API String ID: 2364920510-3495599304
Opcode ID: 39fb82197aba7a65d09682cc9219dc9e2dfbbd46141805dbf253b7286f854d0c
Instruction ID: edb60416453f31d71dd958fde7b044a0f5878e63980db5717f7d31d916f2313a
Opcode Fuzzy Hash: 39fb82197aba7a65d09682cc9219dc9e2dfbbd46141805dbf253b7286f854d0c
Instruction Fuzzy Hash: 02315331A04A4582EB90AF2AE4543A9B770FB84B84FC40237DA9FA7655DF3CD549C711

Function 00007FFD944E2740 Relevance: 21.2, APIs: 14, Instructions: 239COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E278A
__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E27AF
GetCPInfo.KERNEL32 ref: 00007FFD944E27EF
MultiByteToWideChar.KERNEL32 ref: 00007FFD944E288B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E28F9
MultiByteToWideChar.KERNEL32 ref: 00007FFD944E2935
MultiByteToWideChar.KERNEL32 ref: 00007FFD944E295F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E29C7
MultiByteToWideChar.KERNEL32 ref: 00007FFD944E2A08
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2A1F
CompareStringEx.KERNEL32 ref: 00007FFD944E2A56
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2A6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2A8F

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ByteCharMultiWidefree$__strncntmalloc$CompareInfoString
String ID:
API String ID: 413445966-0
Opcode ID: b56ee1bed11420737cedf5a4c9bd6d08f938309ea2ccd9fa2f4a42ac3f352b01
Instruction ID: 948d52eef1f882b9dae69e8514ca96547125cf9b5b8d3993367008698e1b0d2a
Opcode Fuzzy Hash: b56ee1bed11420737cedf5a4c9bd6d08f938309ea2ccd9fa2f4a42ac3f352b01
Instruction Fuzzy Hash: 3AA1CE62B0868286EB718FA194B437B6792FF46BA4F448631CA5D076CADFBCD545C340

Function 00007FF7E3BDA060 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 209registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF7E3BDA09F
RegQueryValueExW.ADVAPI32 ref: 00007FF7E3BDA0D4
RegQueryValueExW.ADVAPI32 ref: 00007FF7E3BDA135
RegCloseKey.ADVAPI32 ref: 00007FF7E3BDA15A

Part of subcall function 00007FF7E3BD48F0: InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BD4963

Part of subcall function 00007FF7E3BD71B0: GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7221
Part of subcall function 00007FF7E3BD71B0: GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD7229
Part of subcall function 00007FF7E3BD71B0: MessageBoxA.USER32 ref: 00007FF7E3BD7273
Part of subcall function 00007FF7E3BD71B0: GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7280
Part of subcall function 00007FF7E3BD71B0: GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD7288
Part of subcall function 00007FF7E3BD71B0: MessageBoxA.USER32 ref: 00007FF7E3BD72D2
Part of subcall function 00007FF7E3BD71B0: GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,00007FF7E3BD7A05), ref: 00007FF7E3BD72DD
Part of subcall function 00007FF7E3BD71B0: GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD72E5
Part of subcall function 00007FF7E3BD71B0: MessageBoxA.USER32 ref: 00007FF7E3BD732F

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDA2D7
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDA302
RegCloseKey.ADVAPI32 ref: 00007FF7E3BDA35A
RegCloseKey.ADVAPI32 ref: 00007FF7E3BDA37A

Strings

Create TaskInfo failed, xrefs: 00007FF7E3BDA2B1, 00007FF7E3BDA2BD
Software\Nico Mak Computing\Common\ZipSend, xrefs: 00007FF7E3BDA091
Queue, xrefs: 00007FF7E3BDA0C9, 00007FF7E3BDA12E
Create UploadTaskInternal failed, xrefs: 00007FF7E3BDA22B, 00007FF7E3BDA237

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$CloseCriticalMessageProcessSectionThread$QueryValue$EnterInitializeLeaveOpen
String ID: Create TaskInfo failed$Create UploadTaskInternal failed$Queue$Software\Nico Mak Computing\Common\ZipSend
API String ID: 755602007-698671834
Opcode ID: 5881cc4b403839b988e2d522605f3728b198d00f26011ecaa7c2b48f509e50a4
Instruction ID: 6b7eec9e8705ca87b18c36c98b70533142e199cc03ff1b296f54e1e57cbbbcfc
Opcode Fuzzy Hash: 5881cc4b403839b988e2d522605f3728b198d00f26011ecaa7c2b48f509e50a4
Instruction Fuzzy Hash: 9A91A022B09A4685EB90EF66E4403ADBBA1FF44794FC54133D98E67A95DF3CE504C322

Function 00007FF7E3BD9810 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 137threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD984A
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD9852

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BD98A3
EnterCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD98AD
_wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD98E2
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD98FE
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD99CB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD9A16

Part of subcall function 00007FF7E3BDA3A0: EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDA3BD

Strings

D:\a\Courier\Courier\ZipSendService\ZipSendService\GlobalUploadQueue.cpp, xrefs: 00007FF7E3BD9860
!appid.empty(), xrefs: 00007FF7E3BD986C
Assert Error, xrefs: 00007FF7E3BD9895
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BD987E

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeave$MessageProcessThread__stdio_common_vsprintf_s_invalid_parameter_noinfo_noreturn_wcsnicmp
String ID: !appid.empty()$Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\GlobalUploadQueue.cpp$Pid: %d Tid: %dExpr: %sFile: %sLine: %d
API String ID: 1472907134-2436460847
Opcode ID: e61ed493d8ce1d74ad241842819e8b3e4405a1651b2332a4a7ab3718ea4acdbd
Instruction ID: 998d64d3b42c00a41ea1bfa6ace7d8c7973395b89dbd24a6143717f9f54fc8c9
Opcode Fuzzy Hash: e61ed493d8ce1d74ad241842819e8b3e4405a1651b2332a4a7ab3718ea4acdbd
Instruction Fuzzy Hash: 0F51B672B08A4596EB94EB2AE4443AD7B61FB44B84FC00237D68FA3694DF3CE484C351

Function 00007FFDA433994C Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433999D
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4339A66
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4339AAF
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4339AC0

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: b5cdb839dd03f35b6a53839e10f9b05876287b9c2dfd2f9f107b53bcec25dd50
Instruction ID: e69d980dc44f012b997a2d9cfc1570a2dbccf1ff872e044b888f3649d111f430
Opcode Fuzzy Hash: b5cdb839dd03f35b6a53839e10f9b05876287b9c2dfd2f9f107b53bcec25dd50
Instruction Fuzzy Hash: FDF16A76B4AA8299E710EF64D4F11EC37A0EB0674CB404435DA4E57BBADE3CE519C348

Function 00007FFD944E2B80 Relevance: 19.7, APIs: 13, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E2BC4
MultiByteToWideChar.KERNEL32 ref: 00007FFD944E2BF1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2C5B
MultiByteToWideChar.KERNEL32 ref: 00007FFD944E2C90
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2CA8
LCMapStringEx.KERNEL32 ref: 00007FFD944E2CFA
LCMapStringEx.KERNEL32 ref: 00007FFD944E2D4C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2DAA
LCMapStringEx.KERNEL32 ref: 00007FFD944E2DF2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2E0B
WideCharToMultiByte.KERNEL32 ref: 00007FFD944E2E4D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2E61
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2E73

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$ByteCharMultiStringWide$malloc$__strncnt
String ID:
API String ID: 1617860942-0
Opcode ID: 4bf190d9ba59b1640d96bc5a8d070e7247b9b25b7a8258eacc3250c70f990771
Instruction ID: df8075ea7510768dcde84bef7660916ffa9204a68974da63ce6f79419232c2fa
Opcode Fuzzy Hash: 4bf190d9ba59b1640d96bc5a8d070e7247b9b25b7a8258eacc3250c70f990771
Instruction Fuzzy Hash: E491BF72B0874286EB748FA5E4A026A73A1FF45BA8F148631DA5E43BD9DF7CD445C700

Function 00007FF7E3BD4FE0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 99threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000), ref: 00007FF7E3BD5016
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD501E

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BD506F
__RTDynamicCast.VCRUNTIME140(?,00000000), ref: 00007FF7E3BD50C5
__RTDynamicCast.VCRUNTIME140(?,00000000), ref: 00007FF7E3BD50F3
memcpy.VCRUNTIME140(?,00000000), ref: 00007FF7E3BD5107

Strings

D:\a\Courier\Courier\ZipSendService\ZipSendService\Serialize.h, xrefs: 00007FF7E3BD5024
Assert Error, xrefs: 00007FF7E3BD5061
., xrefs: 00007FF7E3BD502B
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BD5038
value != nullptr, xrefs: 00007FF7E3BD503F

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CastCurrentDynamic$MessageProcessThread__stdio_common_vsprintf_smemcpy
String ID: .$Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\Serialize.h$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$value != nullptr
API String ID: 575956159-1840405654
Opcode ID: f996dc371ab87fdcd71f99c761a75a5fcd5face911d4bf0904db97e658dd252d
Instruction ID: 4e1d1f8130587d9090c6abbbbeeba23e76f5d0e90720d9f473d36141ff37d233
Opcode Fuzzy Hash: f996dc371ab87fdcd71f99c761a75a5fcd5face911d4bf0904db97e658dd252d
Instruction Fuzzy Hash: 2341A421B0864681EA60AF5AE4442AABB60FF847A4FC04233D6DFA7694DF7CE545C312

Function 00007FF7E3BDBAC0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84processsynchronizationCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BDBB17
swprintf_s.MSPDB140-MSVCRT ref: 00007FF7E3BDBB3E
CreateProcessW.KERNEL32 ref: 00007FF7E3BDBBAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BDBBBC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BDBBC6
WaitForSingleObject.KERNEL32 ref: 00007FF7E3BDBBD6
GetExitCodeProcess.KERNEL32 ref: 00007FF7E3BDBBE9
CloseHandle.KERNEL32 ref: 00007FF7E3BDBC08
CloseHandle.KERNEL32 ref: 00007FF7E3BDBC13

Strings

"%s" %s, xrefs: 00007FF7E3BDBB31
h, xrefs: 00007FF7E3BDBB46

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CloseHandleProcessfree$CodeCreateExitObjectSingleWaitmallocswprintf_s
String ID: "%s" %s$h
API String ID: 1113467762-3731297023
Opcode ID: e3cce38a4b51c42112672d9d994e7f7bb1c271f888f7ce85837f47653211b863
Instruction ID: 816a7b89bf6f1bc401aad62857d83b7ea065b9ba58c1d6f168459d80ab0d1602
Opcode Fuzzy Hash: e3cce38a4b51c42112672d9d994e7f7bb1c271f888f7ce85837f47653211b863
Instruction Fuzzy Hash: 2941C622908BC586D7A0DB15E44036AFBA0FB99B90F858332EADE93754DF7CD184C711

Function 00007FF7E3BDFB80 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 39synchronizationregistryCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32 ref: 00007FF7E3BDFB91
WaitForSingleObject.KERNEL32 ref: 00007FF7E3BDFBA2
CreateWzExtensionsManager.WXFMANAGER64 ref: 00007FF7E3BDFBB2
RegOpenKeyExW.ADVAPI32 ref: 00007FF7E3BDFBE0
RegCloseKey.ADVAPI32 ref: 00007FF7E3BDFBEF
Init.WXFMANAGER64 ref: 00007FF7E3BDFC13
ReleaseMutex.KERNEL32 ref: 00007FF7E3BDFC1C
CloseHandle.KERNEL32 ref: 00007FF7E3BDFC25

Strings

Software\Nico Mak Computing\WinZip\WXF, xrefs: 00007FF7E3BDFBC8, 00007FF7E3BDFBF5
Software\Nico Mak Computing\WinZip Express\Outlook\WXF, xrefs: 00007FF7E3BDFBFE
WXFManagerHolder, xrefs: 00007FF7E3BDFB86

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CloseCreateMutex$ExtensionsHandleInitManagerObjectOpenReleaseSingleWait
String ID: Software\Nico Mak Computing\WinZip Express\Outlook\WXF$Software\Nico Mak Computing\WinZip\WXF$WXFManagerHolder
API String ID: 910357124-2105400318
Opcode ID: f577e7643938d562cf6d8ce8f179c5352a2064b40baa9df84b6bf8e04e12685c
Instruction ID: 515083f188c8914e303fa1acfe0d76e88ed958fd2f8bf77ff9ef5f8e63931c06
Opcode Fuzzy Hash: f577e7643938d562cf6d8ce8f179c5352a2064b40baa9df84b6bf8e04e12685c
Instruction Fuzzy Hash: 21118624E18B0A81EA80AB2BB810375BB61BF44755FC00737C89FA73A4DF3CD144C222

Function 00007FFDA43319D4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 311COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFDA4331A31

Part of subcall function 00007FFDA4333E04: __GetUnwindTryBlock.LIBCMT ref: 00007FFDA4333E47
Part of subcall function 00007FFDA4333E04: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFDA4333E6C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA4331B09
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331B16
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFDA4331D59
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331D87

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331E4E
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA4331E83

Strings

csm, xrefs: 00007FFDA4331A4B
csm, xrefs: 00007FFDA4331AB2
csm, xrefs: 00007FFDA4331B2E

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: 28d9fe0dc564746e1165c302fc55894f033c11c1e4b232c9a3c91503718a418f
Instruction ID: 7f02b580788e4fa1df47b18635ed3f9c104eb01ac78d59d03868d9732d8d9692
Opcode Fuzzy Hash: 28d9fe0dc564746e1165c302fc55894f033c11c1e4b232c9a3c91503718a418f
Instruction Fuzzy Hash: BAD17C22A49B4186EB60AB6594A03AD77A0FB46798F140135EB8D57BB6DF3CF091C704

Function 00007FFDA433D480 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA433D4DA

Strings

template-parameter-, xrefs: 00007FFDA433D53C
`template-parameter-, xrefs: 00007FFDA433D56F
generic-type-, xrefs: 00007FFDA433D583
`generic-type-, xrefs: 00007FFDA433D5B6

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: 64820509464fd6ff4b84ea6475a10b49d6616995939ea767522a00fbe31f1ef7
Instruction ID: c4c70d5e480958d415093b38266a6da8759473005199eb729cb703c1a652a473
Opcode Fuzzy Hash: 64820509464fd6ff4b84ea6475a10b49d6616995939ea767522a00fbe31f1ef7
Instruction Fuzzy Hash: 94916C22B8AE8699FB10AF20D4B02FC27A1AB56748F945131DA4E077B6DF3CF545C748

Function 00007FFD94518A10 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FFD944F00EB), ref: 00007FFD94518A4D
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FFD944F00EB), ref: 00007FFD94518AEA
memchr.VCRUNTIME140(?,?,?,?,?,?,00007FFD944F00EB), ref: 00007FFD94518AFC
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FFD944F00EB), ref: 00007FFD94518B37
memchr.VCRUNTIME140(?,?,?,?,?,?,00007FFD944F00EB), ref: 00007FFD94518B45
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FFD944F00EB), ref: 00007FFD94518BB1

Strings

0, xrefs: 00007FFD94518A94
0, xrefs: 00007FFD94518ACB
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFD94518AF3, 00007FFD94518B06
0, xrefs: 00007FFD94518A84

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0$0$0$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-176538734
Opcode ID: 70c141f73bae999968ebe817ac045cfe7e20f056ce18028f1a7eb433e8a8acf6
Instruction ID: b9d7c9a5ee48427354cb8b75e9ccefbbbb915c64f900f966e8cbfeb74a85ba84
Opcode Fuzzy Hash: 70c141f73bae999968ebe817ac045cfe7e20f056ce18028f1a7eb433e8a8acf6
Instruction Fuzzy Hash: 3151A652B0D6D64BEBB78AE094B477966906F4BBA4F1CC531CD9D06396DE3CE942C300

Function 00007FF7E3BDE170 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 128threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,00007FF7E3BD40DD), ref: 00007FF7E3BDE1AE
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BDE1B6

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BDE207
SysStringLen.OLEAUT32 ref: 00007FF7E3BDE210
__RTDynamicCast.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E3BD40DD), ref: 00007FF7E3BDE315

Strings

info_ == nullptr, xrefs: 00007FF7E3BDE1D0
B, xrefs: 00007FF7E3BDE1BC
D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadTask.cpp, xrefs: 00007FF7E3BDE1C4
Assert Error, xrefs: 00007FF7E3BDE1F9
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BDE1E2

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$CastDynamicMessageProcessStringThread__stdio_common_vsprintf_s
String ID: Assert Error$B$D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadTask.cpp$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$info_ == nullptr
API String ID: 2158136681-2391666810
Opcode ID: 18e653fa6f169c3ee023c9e6997143602141e330465365e98096114a40a402db
Instruction ID: 622085f005b58acecba70570318aa02ff05b6d049c867774e712f2fc4dbb85d0
Opcode Fuzzy Hash: 18e653fa6f169c3ee023c9e6997143602141e330465365e98096114a40a402db
Instruction Fuzzy Hash: 4D51A432A08B8586E750EF66E4403B97BA0FB84B84FC5423ADA8E67755DF3CE551C311

Function 00007FFD944F6FEC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD944FEACE), ref: 00007FFD944F7036
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD944FEACE), ref: 00007FFD944F7056
_Maklocstr.LIBCPMT ref: 00007FFD944F7070
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD944FEACE), ref: 00007FFD944F7079
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD944FEACE), ref: 00007FFD944F7099
_Maklocstr.LIBCPMT ref: 00007FFD944F70B3
_Maklocstr.LIBCPMT ref: 00007FFD944F70C8

Part of subcall function 00007FFD944E4F00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F22
Part of subcall function 00007FFD944E4F00: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F48
Part of subcall function 00007FFD944E4F00: memcpy.VCRUNTIME140(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F60

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD944F7060
:AM:am:PM:pm, xrefs: 00007FFD944F70C1
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD944F70A3

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2460671452-35662545
Opcode ID: dc0739515a7a86576b90c3e1a96f00c17ae4e5f85a1d68a3c4b3782ed53e0a0e
Instruction ID: 1196cb97a74baf2cef2842f9c9748855f4230422261c9bfeab5c1e988e0fbc02
Opcode Fuzzy Hash: dc0739515a7a86576b90c3e1a96f00c17ae4e5f85a1d68a3c4b3782ed53e0a0e
Instruction Fuzzy Hash: F5314F62B08B45C6EB21DFA1E8A02A977A5FB8AF80F458531DB4D0375ADF3CE181C340

Function 00007FFDA4337834 Relevance: 16.7, APIs: 11, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433789C
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4337999
DName::operator+.LIBVCRUNTIME ref: 00007FFDA43379F2
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4337A1E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4337A30
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4337A5F

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 4f3cdc343292aa6b77b4444b2aafc50e0404cdfcccec85b8854ab0fec35406c3
Instruction ID: 9181cd9655eab96af7d269c993d0f0fc5bafe5a9fb0c39d1a528a86b37407476
Opcode Fuzzy Hash: 4f3cdc343292aa6b77b4444b2aafc50e0404cdfcccec85b8854ab0fec35406c3
Instruction Fuzzy Hash: 03713D72B49A4299EB10EF65D0A11FC23B1EB0678CB809431DA0D57BBADF38E615C394

Function 00007FFD94528F50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9452915E
_CxxThrowException.VCRUNTIME140 ref: 00007FFD9452916F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD945291B2
_CxxThrowException.VCRUNTIME140 ref: 00007FFD945291C3
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9452923D
_CxxThrowException.VCRUNTIME140 ref: 00007FFD9452924E

Strings

ios_base::eofbit set, xrefs: 00007FFD94529139, 00007FFD9452918D, 00007FFD94529218
ios_base::failbit set, xrefs: 00007FFD94529132, 00007FFD94529186, 00007FFD94529211
ios_base::badbit set, xrefs: 00007FFD94529126, 00007FFD9452917A, 00007FFD945291D0, 00007FFD94529204, 00007FFD94529260

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 2900850eaf5c161de94a61c1d1de97a83468921e5b23e2bace5ef4ad86228e0b
Instruction ID: e8161adf3e2bd3e13240c8e441a3d8c3d6ed0ed1dd2b20facc6924d3ea26917a
Opcode Fuzzy Hash: 2900850eaf5c161de94a61c1d1de97a83468921e5b23e2bace5ef4ad86228e0b
Instruction Fuzzy Hash: 76919E22B18A4A81EAB68BD5D4F13BD2760FB42F84F44C432DA4D477AAEF6DD546C340

Function 00007FF7E3BD1C80 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 167timeCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD1D82
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD1DD1
GetTimeFormatW.KERNEL32 ref: 00007FF7E3BD1E14
GetDateFormatW.KERNEL32 ref: 00007FF7E3BD1E3C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD1EC7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD1F1F

Part of subcall function 00007FF7E3BD2F40: memcpy.VCRUNTIME140 ref: 00007FF7E3BD3065
Part of subcall function 00007FF7E3BD2F40: memcpy.VCRUNTIME140 ref: 00007FF7E3BD3075

Part of subcall function 00007FF7E3BD2E90: memmove.VCRUNTIME140 ref: 00007FF7E3BD2EEA

Strings

HHmmss, xrefs: 00007FF7E3BD1E00
yyyyMMdd, xrefs: 00007FF7E3BD1E2B
ZipShare\, xrefs: 00007FF7E3BD1DDD

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Formatmemcpy$DateTimememmove
String ID: HHmmss$ZipShare\$yyyyMMdd
API String ID: 1648391657-1071675722
Opcode ID: 7ce1f77e4bf02c550869ebc7c276b33e708c188194edd653b4dfc4ef8a2fca41
Instruction ID: 55e5f99a504592d081e056221bc8a3b55cd0afa9689d3250469af8fedb0cc533
Opcode Fuzzy Hash: 7ce1f77e4bf02c550869ebc7c276b33e708c188194edd653b4dfc4ef8a2fca41
Instruction Fuzzy Hash: 7E71A562E08B8581EA40AB29E4443ADB761FB847A4FD05333EADE167A9DF7CD184C711

Function 00007FF7E3BD21B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7E3BD222F
_localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7E3BD2244
memset.VCRUNTIME140 ref: 00007FF7E3BD2261
wcsftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7E3BD227C
memmove.VCRUNTIME140 ref: 00007FF7E3BD232D
memcpy.VCRUNTIME140 ref: 00007FF7E3BD2341
memcpy.VCRUNTIME140 ref: 00007FF7E3BD2360

Part of subcall function 00007FF7E3BD3250: memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD337E
Part of subcall function 00007FF7E3BD3250: memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD3391
Part of subcall function 00007FF7E3BD3250: memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD33A2

Strings

%Y%m%d%H%M%S, xrefs: 00007FF7E3BD2270
., xrefs: 00007FF7E3BD2219

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: memcpy$_localtime64_s_time64memmovememsetwcsftime
String ID: %Y%m%d%H%M%S$.
API String ID: 3043386550-1074938333
Opcode ID: ce0e66ffbd78282ba408a55e13192fdd390516edaef0b52b2e0ed409794bc42a
Instruction ID: 4e4f0af7928bab4875865abd1e8870d5d114e0ccfbb1b41f17e4f5bb1bed34df
Opcode Fuzzy Hash: ce0e66ffbd78282ba408a55e13192fdd390516edaef0b52b2e0ed409794bc42a
Instruction Fuzzy Hash: 1051B232A08B8995DA50EF16E4402EEB761FB84B80FC40133DA9E5BB95EF3CE645C711

Function 00007FF7E3BDE390 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 126threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,00007FF7E3BD443A), ref: 00007FF7E3BDE3D1
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BDE3D9

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BDE42A
__RTDynamicCast.VCRUNTIME140 ref: 00007FF7E3BDE4D7

Strings

info_ == nullptr, xrefs: 00007FF7E3BDE3F3
X, xrefs: 00007FF7E3BDE3DF
D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadTask.cpp, xrefs: 00007FF7E3BDE3E7
Assert Error, xrefs: 00007FF7E3BDE41C
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BDE405

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$CastDynamicMessageProcessThread__stdio_common_vsprintf_s
String ID: Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\UploadTask.cpp$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$X$info_ == nullptr
API String ID: 4188797845-2801632222
Opcode ID: f55abef53e0bc20ec4f2caf995eb7d79e851d4a7d16796457d1b3cb19d31598e
Instruction ID: d6464d3149b04280b170694edaf2605610a0d795b9027a2531c63ddb24c0318b
Opcode Fuzzy Hash: f55abef53e0bc20ec4f2caf995eb7d79e851d4a7d16796457d1b3cb19d31598e
Instruction Fuzzy Hash: ED51C232A14B8586E790EF66E4403A9BBA0FB88B84FC54236DB8E97751DF3CE554C311

Function 00007FFDA4339194 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA43391EE
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4339324

Strings

enum , xrefs: 00007FFDA4339301
struct , xrefs: 00007FFDA4339348
coclass , xrefs: 00007FFDA43392DD
cointerface , xrefs: 00007FFDA43392CB
`unknown ecsu', xrefs: 00007FFDA43391BA
class , xrefs: 00007FFDA4339339
union , xrefs: 00007FFDA4339351

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: a60277abc839728db8185859493b15a67fd6e22878adca3a0fa986c140fcfaf3
Instruction ID: d42c7656d7558b55b1256fa9d5c27302ad5561186cc07e2877e0bdcefb7e5caa
Opcode Fuzzy Hash: a60277abc839728db8185859493b15a67fd6e22878adca3a0fa986c140fcfaf3
Instruction Fuzzy Hash: FA513462F9AE16C8FB10EB64E8F05AC37B4BF06354F500035EA0E56BBADF2DA5448704

Function 00007FFD94517D00 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94518690: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD945186BC
Part of subcall function 00007FFD94518690: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD9451871C

_FXp_setw.LIBCPMT ref: 00007FFD94517D9E
_FXp_setw.LIBCPMT ref: 00007FFD94517DB1
_FXp_setn.LIBCPMT ref: 00007FFD94517DF5
_FXp_addx.LIBCPMT ref: 00007FFD94517E07
_FXp_setw.LIBCPMT ref: 00007FFD94517E5E
_FXp_setw.LIBCPMT ref: 00007FFD94517E71
_FXp_setn.LIBCPMT ref: 00007FFD94517DBC

Part of subcall function 00007FFD9450F2EC: _FXp_setw.LIBCPMT ref: 00007FFD9450F325

_FXp_setn.LIBCPMT ref: 00007FFD94517E7C
_FXp_setn.LIBCPMT ref: 00007FFD94517EB5
_FXp_addx.LIBCPMT ref: 00007FFD94517EC7

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$isspaceisxdigit
String ID:
API String ID: 2501290797-0
Opcode ID: 8cddcad3a3d6d4a1350eb31ea6c80334170057116226202367b8ca936c2e9a4c
Instruction ID: a74b37141953ebfa72ff7d74995d2dcdb03581a31251263948be3ddb36b78c79
Opcode Fuzzy Hash: 8cddcad3a3d6d4a1350eb31ea6c80334170057116226202367b8ca936c2e9a4c
Instruction Fuzzy Hash: E661E726F085029AE772DFE5D4E01FD3761AB5A748F508636DE0D2769BDE38E90AC700

Function 00007FFD94519DC0 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9451A558: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A585
Part of subcall function 00007FFD9451A558: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A5FA

_FXp_setw.LIBCPMT ref: 00007FFD94519E5E
_FXp_setw.LIBCPMT ref: 00007FFD94519E71
_FXp_setn.LIBCPMT ref: 00007FFD94519EB5
_FXp_addx.LIBCPMT ref: 00007FFD94519EC7
_FXp_setw.LIBCPMT ref: 00007FFD94519F1E
_FXp_setw.LIBCPMT ref: 00007FFD94519F31
_FXp_setn.LIBCPMT ref: 00007FFD94519E7C

Part of subcall function 00007FFD9450F2EC: _FXp_setw.LIBCPMT ref: 00007FFD9450F325

_FXp_setn.LIBCPMT ref: 00007FFD94519F3C
_FXp_setn.LIBCPMT ref: 00007FFD94519F75
_FXp_addx.LIBCPMT ref: 00007FFD94519F87

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3781602613-0
Opcode ID: 23ec25c14a62ac7a7091776c9814259c8478145b1004428f4984c21b260187c7
Instruction ID: 3f721a79c1147de0aef759e13ea285f328555b3416cd1bf06e6f40c87277aa7a
Opcode Fuzzy Hash: 23ec25c14a62ac7a7091776c9814259c8478145b1004428f4984c21b260187c7
Instruction Fuzzy Hash: BD61A626F085029AE772DEE1D4E01FD3761AB5A758F508635DE0D67A8EEE38E50AC700

Function 00007FFDA54B1130 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B11EA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B1209
memmove.VCRUNTIME140 ref: 00007FFDA54B122A
__AdjustPointer.LIBCMT ref: 00007FFDA54B124A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B1257
__AdjustPointer.LIBCMT ref: 00007FFDA54B1293
memmove.VCRUNTIME140 ref: 00007FFDA54B12A1
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B12A8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B12ED
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B12F4

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: abort$AdjustPointermemmove
String ID:
API String ID: 338301193-0
Opcode ID: bafb7092c6ea717c5b51bdfcc7bb64ec8c03cae7c73241a87bd8c5609a40f506
Instruction ID: 83bef234d413521cade96e8fdd3d558ed8ff239695a36dd94fcc3aa1ea7415b2
Opcode Fuzzy Hash: bafb7092c6ea717c5b51bdfcc7bb64ec8c03cae7c73241a87bd8c5609a40f506
Instruction Fuzzy Hash: 4751B032F0BA4A81EF6D8B5194A47386394AF47F80F0B9535CE4D56787DEACE4428308

Function 00007FFDA4331E9C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA433203A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332047

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43322FB
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332346
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA433237B

Strings

csm, xrefs: 00007FFDA4332063
csm, xrefs: 00007FFDA4331F81
csm, xrefs: 00007FFDA4331FE3

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: d68ba9ae6053e55c1f6dd5e81b00418c15c30b3383d366199ac7c5e764c2f6d1
Instruction ID: 11e63b4e759457bcd688399b6a6c77e804097ca40ded40f8766276bd07fb4e3f
Opcode Fuzzy Hash: d68ba9ae6053e55c1f6dd5e81b00418c15c30b3383d366199ac7c5e764c2f6d1
Instruction Fuzzy Hash: F8E1AF72A0AA828AE750AF24D4A03AC7BA0FB46758F144235DA9D57776CF3CF485CB04

Function 00007FFDA54B14B0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA54B164A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B1657

Part of subcall function 00007FFDA54B3298: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B32A6

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B190B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B1956
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA54B198B

Strings

csm, xrefs: 00007FFDA54B1591
csm, xrefs: 00007FFDA54B15F3
csm, xrefs: 00007FFDA54B1673

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: c6ba75de018d68ffaf235a95367a862bb3cf87cd3e6af993e41b71dbc63c26de
Instruction ID: d5f5a19d1007f0c72e8c6fdd6439a896d501a5eb0b88b08dd74836ae9278f51b
Opcode Fuzzy Hash: c6ba75de018d68ffaf235a95367a862bb3cf87cd3e6af993e41b71dbc63c26de
Instruction Fuzzy Hash: 9FE1D132A0978A8AEF109F25D4A03AD77A0FB46B48F161235EA8D57757DF78E181C704

Function 00007FFDA358C9A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FFDA358C970,?,?,00000000,00007FFDA359094F,?,?,00000001,00007FFDA358AC69), ref: 00007FFDA358CB1C
GetProcAddress.KERNEL32(?,?,?,00007FFDA358C970,?,?,00000000,00007FFDA359094F,?,?,00000001,00007FFDA358AC69), ref: 00007FFDA358CB28

Strings

MZx, xrefs: 00007FFDA358C9BF, 00007FFDA358CAA5, 00007FFDA358CB05
api-ms-, xrefs: 00007FFDA358CA66
ext-ms-, xrefs: 00007FFDA358CA79

Memory Dump Source

Source File: 00000005.00000002.2189862502.00007FFDA3561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3560000, based on PE: true

Associated: 00000005.00000002.2189849486.00007FFDA3560000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189887154.00007FFDA359D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189902000.00007FFDA35A9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AC000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189942387.00007FFDA35B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189955378.00007FFDA35B3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2190056184.00007FFDA373C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda3560000_svaulpzg.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: c0e430e080f2dc4e6cb9873d1b29f96695d8ce874c8e5368cb0b8f85829fe244
Instruction ID: 70b49361fd4908c8b4413c6b0aef3b884335f22804de5fd347071a3901493b30
Opcode Fuzzy Hash: c0e430e080f2dc4e6cb9873d1b29f96695d8ce874c8e5368cb0b8f85829fe244
Instruction Fuzzy Hash: 85412D62B1BA4242FB13CF1EA8245B66392BF467D0F484535DD0D67786EE3EE405A308

Function 00007FFDA433AEB8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B06C

Part of subcall function 00007FFDA4337B88: DName::operator+.LIBVCRUNTIME ref: 00007FFDA43380ED
Part of subcall function 00007FFDA4337B88: DName::operator+.LIBVCRUNTIME ref: 00007FFDA4338125

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B01E

Strings

cli::pin_ptr<, xrefs: 00007FFDA433B035
cli::array<, xrefs: 00007FFDA433AFEB
std::nullptr_t, xrefs: 00007FFDA433AF97
void, xrefs: 00007FFDA433AF02
std::nullptr_t , xrefs: 00007FFDA433AFAA
void , xrefs: 00007FFDA433AF2A

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: cdcca47889ab1cdae99d1bd304091cebbbe9ed3589e22fdf6d8f6cc6a4ab66a2
Instruction ID: 328704e7b7e4bf45496dc9fc24ca5c7283890f240dc5fa1b4a3dbcd5f2b774f7
Opcode Fuzzy Hash: cdcca47889ab1cdae99d1bd304091cebbbe9ed3589e22fdf6d8f6cc6a4ab66a2
Instruction Fuzzy Hash: E9514BA2F5AF5198FB11EB60D8A12BC77B0BB06745F444135EA4D12BB6DF7CA184C708

Function 00007FFD944E6CE0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944E6D34
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFD944E67C0,?,?,?,00007FFD944E857D), ref: 00007FFD944E6D45
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944E6D72
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944E6DB5
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944E6DC6

Strings

ios_base::eofbit set, xrefs: 00007FFD944E6D0F, 00007FFD944E6D90
ios_base::failbit set, xrefs: 00007FFD944E6CE0, 00007FFD944E6D08, 00007FFD944E6D89
ios_base::badbit set, xrefs: 00007FFD944E6CFC, 00007FFD944E6D50, 00007FFD944E6D7D

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1099746521-1866435925
Opcode ID: 489d4bd0c01e22102b5730e69c1f066659ec9a10ac6b87fa36b8611991938bf0
Instruction ID: b3afbaf013561aa6700a44ace12bac5e5a373cc627e85cd25c93e0583aadf188
Opcode Fuzzy Hash: 489d4bd0c01e22102b5730e69c1f066659ec9a10ac6b87fa36b8611991938bf0
Instruction Fuzzy Hash: 6321D651F1850A91FAB587C0E4F16FB1321AF52780FD8C431D54D465ABEF6CE246C380

Function 00007FFD9451AA30 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD9451AA3D
GetProcAddress.KERNEL32 ref: 00007FFD9451AA50
GetProcAddress.KERNEL32 ref: 00007FFD9451AA67
GetProcAddress.KERNEL32 ref: 00007FFD9451AA7E

Strings

GetTempPath2W, xrefs: 00007FFD9451AA6D
GetSystemTimePreciseAsFileTime, xrefs: 00007FFD9451AA56
GetCurrentPackageId, xrefs: 00007FFD9451AA46
kernel32.dll, xrefs: 00007FFD9451AA36

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 1841e991687c70b8216430fa606aaaa9ee9f598abd87b0542e277fc463e639c5
Instruction ID: 9229471034b84f4d0844360b5a63792957710c2ff24eebb57c39dc9baf21c58c
Opcode Fuzzy Hash: 1841e991687c70b8216430fa606aaaa9ee9f598abd87b0542e277fc463e639c5
Instruction Fuzzy Hash: D3F0DA60B09E07D1EBA69FE1BCF40642360BF4A751B90D935C80E43326EF7DA499C380

Function 00007FF7E3BDDBF0 Relevance: 13.7, APIs: 9, Instructions: 191COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDCFD
memmove.VCRUNTIME140(?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDD14
memset.VCRUNTIME140(?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDD29
memmove.VCRUNTIME140(?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDD41
memmove.VCRUNTIME140(?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDD5A
memset.VCRUNTIME140(?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDD68
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDDCC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E3BDDDD3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDE68

Part of subcall function 00007FF7E3BE14EC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7E3BE1531,?,?,?,?,00007FF7E3BDC2D3), ref: 00007FF7E3BE1506

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturnmemset$Concurrency::cancel_current_taskmalloc
String ID:
API String ID: 851562609-0
Opcode ID: 5ad273a4b8a43f6855b986b7a8ebd12d0e00e73eb1cdece1767ea2c4f93ca41c
Instruction ID: 4a2c528c65a6152c1aea88b2ae5ed4ec212cd6f34ce23019369825e1789d8436
Opcode Fuzzy Hash: 5ad273a4b8a43f6855b986b7a8ebd12d0e00e73eb1cdece1767ea2c4f93ca41c
Instruction Fuzzy Hash: 0B712621B19A8581EE40AB59E4403BCBBA0EF44BD4FD44636DAEE1BB99DF7CD041C311

Function 00007FFD94528CD0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD94528EDE
_CxxThrowException.VCRUNTIME140 ref: 00007FFD94528EEF
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD94528F32
_CxxThrowException.VCRUNTIME140 ref: 00007FFD94528F43

Strings

ios_base::eofbit set, xrefs: 00007FFD94528EB9, 00007FFD94528F0D
ios_base::failbit set, xrefs: 00007FFD94528EB2, 00007FFD94528F06
ios_base::badbit set, xrefs: 00007FFD94528EA6, 00007FFD94528EFA

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: c539f59753844d1dc98f1ffe19b1b6ae9f13422cc828e2e910c28957e3180997
Instruction ID: beafb34ae481ebab030c4eb76719ee35b5cee9a6de73e8ccdd43fa381715b44b
Opcode Fuzzy Hash: c539f59753844d1dc98f1ffe19b1b6ae9f13422cc828e2e910c28957e3180997
Instruction Fuzzy Hash: 68618F22708A4A86EAB58BD5D4F13BD6760FB82F84F45C536CA4D477AADF2CD446C340

Function 00007FFD944F3AB0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 165fileCOMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944F3B54
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944F3B65
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F3C41
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F3CC5

Strings

ios_base::eofbit set, xrefs: 00007FFD944F3B2F
ios_base::failbit set, xrefs: 00007FFD944F3B28
ios_base::badbit set, xrefs: 00007FFD944F3B1D

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1428583292-1866435925
Opcode ID: 711b0c6146fb416d12d36fe88960480654ddd48872be59a4ba01784264a13ef8
Instruction ID: f0c7024d105d0e70f038e515210db114a513536bc97e4bd7c111701288c52bdb
Opcode Fuzzy Hash: 711b0c6146fb416d12d36fe88960480654ddd48872be59a4ba01784264a13ef8
Instruction Fuzzy Hash: C161C033718A86D5EB60CFA5D0E02A933A0FF05B88F858032EA4D4776ADF79D595C740

Function 00007FFD94528A70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD94528C63
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD9451ACB4), ref: 00007FFD94528C74
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD94528CB7
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD9451ACB4), ref: 00007FFD94528CC8

Strings

ios_base::eofbit set, xrefs: 00007FFD94528C3E, 00007FFD94528C92
ios_base::failbit set, xrefs: 00007FFD94528C37, 00007FFD94528C8B
ios_base::badbit set, xrefs: 00007FFD94528C2B, 00007FFD94528C7F

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 328fc347e3c8245754ed9a7b60baaced4898e4347a34f50d9ec979a59ade1ed2
Instruction ID: 684d11a7bf8f8a4b2e3098d33fa805af542763d935014475843c86ca8dc4328f
Opcode Fuzzy Hash: 328fc347e3c8245754ed9a7b60baaced4898e4347a34f50d9ec979a59ade1ed2
Instruction Fuzzy Hash: C7619D62B08A4981EAB68BD5D4F03BD2760FB81F94F49C536CA4D477A6DF6CD44AC340

Function 00007FFD94518820 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9451886A
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD945188FB
memchr.VCRUNTIME140 ref: 00007FFD9451890D
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94518942
memchr.VCRUNTIME140 ref: 00007FFD94518950
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD945189BD

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFD94518904, 00007FFD9451891A

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-4256519037
Opcode ID: 40463b482985df8b9f757077bc510e2cc07557704a9b012572fbb0a3e9f59514
Instruction ID: 9d3e7e25bcfeccd79081c0ae889a27e5db24f5dbce343113d9464618480e197e
Opcode Fuzzy Hash: 40463b482985df8b9f757077bc510e2cc07557704a9b012572fbb0a3e9f59514
Instruction Fuzzy Hash: 4F51E616F0C68695E7B79EE598B03797A90AB4AB94F088934CD8D42396DE3CE842C701

Function 00007FFD944EB2A0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944EB331
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944EB342

Strings

ios_base::eofbit set, xrefs: 00007FFD944EB30C, 00007FFD944EB45D
ios_base::failbit set, xrefs: 00007FFD944EB305, 00007FFD944EB456
ios_base::badbit set, xrefs: 00007FFD944EB2FA, 00007FFD944EB44A

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: bf7e3dd04ae35c8ed02a2fbfcd15c175d785d4dfe41701edacc95d7798bd3ac8
Instruction ID: 11f3213330a510e58f945898ee2daf98b53ded71ab578cb53ef99ec8adfa34ff
Opcode Fuzzy Hash: bf7e3dd04ae35c8ed02a2fbfcd15c175d785d4dfe41701edacc95d7798bd3ac8
Instruction Fuzzy Hash: F851BE22B08A8981EB61CB99D4E12BA6360FF86B88F94C531DA4D477BADF7CD445C740

Function 00007FF7E3BDB490 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 90threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,00007FF7E3BD55C9), ref: 00007FF7E3BDB4D1
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BDB4D9

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BDB52A

Strings

D:\a\Courier\Courier\ZipSendService\ZipSendService\Serialize.h, xrefs: 00007FF7E3BDB4DF
info != nullptr, xrefs: 00007FF7E3BDB4FA
Assert Error, xrefs: 00007FF7E3BDB51C
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BDB4F3

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$MessageProcessThread__stdio_common_vsprintf_s
String ID: Assert Error$D:\a\Courier\Courier\ZipSendService\ZipSendService\Serialize.h$Pid: %d Tid: %dExpr: %sFile: %sLine: %d$info != nullptr
API String ID: 982897249-766901785
Opcode ID: eb5298d06cc181e687fa8e02a9dd405bfebed12163c5587bc25a2aa1536b8f5d
Instruction ID: f29d24de2786092eea1b0a198c44517740c4610ecf1d2caae544040a2f8b59d5
Opcode Fuzzy Hash: eb5298d06cc181e687fa8e02a9dd405bfebed12163c5587bc25a2aa1536b8f5d
Instruction Fuzzy Hash: DC31E461B0868681EB64EB1AF4603FABB60AB157D8FC04237CADF67785DE3CD1448711

Function 00007FFDA43356A4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFDA4335863,?,?,00000000,00007FFDA4335694,?,?,?,?,00007FFDA43353D1), ref: 00007FFDA4335729
GetLastError.KERNEL32(?,?,?,00007FFDA4335863,?,?,00000000,00007FFDA4335694,?,?,?,?,00007FFDA43353D1), ref: 00007FFDA4335737
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA4335863,?,?,00000000,00007FFDA4335694,?,?,?,?,00007FFDA43353D1), ref: 00007FFDA4335750
LoadLibraryExW.KERNEL32(?,?,?,00007FFDA4335863,?,?,00000000,00007FFDA4335694,?,?,?,?,00007FFDA43353D1), ref: 00007FFDA4335762
FreeLibrary.KERNEL32(?,?,?,00007FFDA4335863,?,?,00000000,00007FFDA4335694,?,?,?,?,00007FFDA43353D1), ref: 00007FFDA43357D0
GetProcAddress.KERNEL32(?,?,?,00007FFDA4335863,?,?,00000000,00007FFDA4335694,?,?,?,?,00007FFDA43353D1), ref: 00007FFDA43357DC

Strings

api-ms-, xrefs: 00007FFDA4335749

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: e684dc1ea15019c11da8b5489464cae19cb3925c8f7c5ac0dd2cd0c8e7a31cf1
Instruction ID: c206a09f666aaf79d275a3827e978602bd3ad76d36643b490191e7b2e85a4a14
Opcode Fuzzy Hash: e684dc1ea15019c11da8b5489464cae19cb3925c8f7c5ac0dd2cd0c8e7a31cf1
Instruction Fuzzy Hash: 9231A121B5BE02D1EE25BB12A8B45B562A4BF16BA1F590535DD2E073B2DF3CF5448308

Function 00007FFDA54B3434 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFDA54B35F3,?,?,00000000,00007FFDA54B3424,?,?,?,?,00007FFDA54B319D), ref: 00007FFDA54B34B9
GetLastError.KERNEL32(?,?,?,00007FFDA54B35F3,?,?,00000000,00007FFDA54B3424,?,?,?,?,00007FFDA54B319D), ref: 00007FFDA54B34C7
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA54B35F3,?,?,00000000,00007FFDA54B3424,?,?,?,?,00007FFDA54B319D), ref: 00007FFDA54B34E0
LoadLibraryExW.KERNEL32(?,?,?,00007FFDA54B35F3,?,?,00000000,00007FFDA54B3424,?,?,?,?,00007FFDA54B319D), ref: 00007FFDA54B34F2
FreeLibrary.KERNEL32(?,?,?,00007FFDA54B35F3,?,?,00000000,00007FFDA54B3424,?,?,?,?,00007FFDA54B319D), ref: 00007FFDA54B3560
GetProcAddress.KERNEL32(?,?,?,00007FFDA54B35F3,?,?,00000000,00007FFDA54B3424,?,?,?,?,00007FFDA54B319D), ref: 00007FFDA54B356C

Strings

api-ms-, xrefs: 00007FFDA54B34D9

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 4bec6726948007d4728554b5fde2ad41efbaba757065dfdcd168b9413cec3b88
Instruction ID: 6bc3562e67d120963be205feb6882f9b7baa0671f96e3066785d0c2ac276c4d4
Opcode Fuzzy Hash: 4bec6726948007d4728554b5fde2ad41efbaba757065dfdcd168b9413cec3b88
Instruction Fuzzy Hash: 2A31A131B1BB4A91EE12DB16B8207B96398FF46FA5F4A4534DD1D07342EEBCE5458304

Function 00007FFD9451016C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD945101B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD945101D6
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD945101F9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD94510219

Part of subcall function 00007FFD944E4F00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F22
Part of subcall function 00007FFD944E4F00: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F48
Part of subcall function 00007FFD944E4F00: memcpy.VCRUNTIME140(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F60

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD945101E0
:AM:am:PM:pm, xrefs: 00007FFD94510241
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD94510223

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1539549574-35662545
Opcode ID: a676f0e7c2d71a14bdd62c4bfe13086be4823ae6ed3ee90dedd35561346ae13b
Instruction ID: 1ac4a632e2f75dd69e7fab2d8bf22f4491d79faf3ad8e92d3245f77bce7499b5
Opcode Fuzzy Hash: a676f0e7c2d71a14bdd62c4bfe13086be4823ae6ed3ee90dedd35561346ae13b
Instruction Fuzzy Hash: 5B312F62B08B45C6EB25DFA1E8A02A977A5FB8AF80F45C531DA4D0376ADF3CE141C740

Function 00007FFD944F70F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944F7132
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944F7152
_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944F7170
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944F7190

Part of subcall function 00007FFD944E4F80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FA9
Part of subcall function 00007FFD944E4F80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FD8
Part of subcall function 00007FFD944E4F80: memcpy.VCRUNTIME140(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FEF

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD944F715C
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFD944F719A
:AM:am:PM:pm, xrefs: 00007FFD944F71AA

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1539549574-3743323925
Opcode ID: 298cfb4e410774fa577b2ea169d7dc88918803f9a8023e5866419453c1425580
Instruction ID: a241ce5eaf2ff9a42681afd0935988997ea3672360f3716fb19d1b10b06328a7
Opcode Fuzzy Hash: 298cfb4e410774fa577b2ea169d7dc88918803f9a8023e5866419453c1425580
Instruction Fuzzy Hash: BE213E22B09B4586DA61DFA1E5A026973B0EB9AB80F449130DA4E0375AEF7CE484C740

Function 00007FF7E3BD2B90 Relevance: 12.2, APIs: 8, Instructions: 202COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BD2BFB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BD2C81
memcpy.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BD2CA7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E3BD2CD3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?), ref: 00007FF7E3BD2DC2

Part of subcall function 00007FF7E3BE14EC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7E3BE1531,?,?,?,?,00007FF7E3BDC2D3), ref: 00007FF7E3BE1506

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?), ref: 00007FF7E3BD2DE7

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmalloc
String ID:
API String ID: 1888007232-0
Opcode ID: d36b9c1caab3303d327bff716c038a1d9a06cc36c6624c85828ceee40fea196e
Instruction ID: 0a4f7d615028bf1729af6b0ac669bea0ca7ddaf23cc988d44f24572d0927d6c2
Opcode Fuzzy Hash: d36b9c1caab3303d327bff716c038a1d9a06cc36c6624c85828ceee40fea196e
Instruction Fuzzy Hash: 94710862B09B8581EA94EB15E50036CB6A0EB44BF0FE84732DABE5B7D5DF3CD4918311

Function 00007FFDA43314BC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331576
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331595
__AdjustPointer.LIBCMT ref: 00007FFDA43315D6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43315E3
__AdjustPointer.LIBCMT ref: 00007FFDA433161F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331634
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331679
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331680

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 98a416edc45a5e95c36baca34e5d44da6672747cfa60eeb2456210e7a9bbe22a
Instruction ID: 0f3e1f5deb2134ab872859cef67905ade0da13b3df1f8e47864d2e0aa95e6430
Opcode Fuzzy Hash: 98a416edc45a5e95c36baca34e5d44da6672747cfa60eeb2456210e7a9bbe22a
Instruction Fuzzy Hash: B551C022B8BE4281FE65EF4094F46786394AF16B81B098535DF5E067B7CF2CF8418708

Function 00007FFDA43312D8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331390
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43313AE
__AdjustPointer.LIBCMT ref: 00007FFDA43313EF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43313FC
__AdjustPointer.LIBCMT ref: 00007FFDA4331438
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433144D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331492
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331499

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 22208570b95ea64dd9b2aa500690151811944e6dc4ced560c8c87b5655b6ed86
Instruction ID: 0e5551f8e5cc84c51a46d5094360a159dc36778f74222958918d2fc41227f537
Opcode Fuzzy Hash: 22208570b95ea64dd9b2aa500690151811944e6dc4ced560c8c87b5655b6ed86
Instruction Fuzzy Hash: D751B321B8BE4281EEA5BF1190F467C63A4AF56B95F154435CB8E06BB7DF2CF4418308

Function 00007FF7E3BD3250 Relevance: 12.1, APIs: 8, Instructions: 127COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD337E
memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD3391
memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD33A2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD33DA
memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD33E4
memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD33F7
memcpy.VCRUNTIME140(?,?,?,?,?,0000000100000000,?,00007FF7E3BD238C), ref: 00007FF7E3BD3406
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E3BD3439

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 0f2a9c3ad0a1f8abc1fc031ffe795402e0328c1c48188ed335372d23b1476403
Instruction ID: c2dcf3aa5c5e49626eaabaea961953373cb05114f298a9c0988b1e7eb7193741
Opcode Fuzzy Hash: 0f2a9c3ad0a1f8abc1fc031ffe795402e0328c1c48188ed335372d23b1476403
Instruction Fuzzy Hash: 4651A172709A8580DA90EB16E1443ADBB61EB44BE0FD44332DEAE57BDADE3CE145C311

Function 00007FFD944EB4C8 Relevance: 10.9, APIs: 7, Instructions: 392stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD944EB511
memset.VCRUNTIME140 ref: 00007FFD944EB57C
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944EB63E
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944EB651
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944EB666
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944EB9C4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944EBA0F

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconv
String ID:
API String ID: 4135771353-0
Opcode ID: 8dab499b34ffeabe5bf8aa86c3ce950b0a8127b366956c4d513acc89633725b8
Instruction ID: b705465fce1e8230b271e2ca3d02204e9485d02f9b3992dde1e74ecf53400ee3
Opcode Fuzzy Hash: 8dab499b34ffeabe5bf8aa86c3ce950b0a8127b366956c4d513acc89633725b8
Instruction Fuzzy Hash: FFF1C022F08AC589FB22CFE5D4A02BE6371EB46B98F548531DE4D1779ADE78D446C340

Function 00007FF7E3BDCB00 Relevance: 10.7, APIs: 7, Instructions: 177COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCB56
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCBD9
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCBF6
QueueUserWorkItem.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCC12
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCC2D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCC6D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCCF3

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$EnterLeave_invalid_parameter_noinfo_noreturn$ItemQueueUserWork
String ID:
API String ID: 3867203677-0
Opcode ID: b1d420479618e54f2758523f1ce81a6509be0f65fc7cc3866eee72a0a40e8747
Instruction ID: 53555c1ab9cebc0506ba3a4d9980346280bfdca00c800c649a839f71d10b8abe
Opcode Fuzzy Hash: b1d420479618e54f2758523f1ce81a6509be0f65fc7cc3866eee72a0a40e8747
Instruction Fuzzy Hash: AE71CE62A08A4192EA90EF16E44436ABBA0FB88BD0FC94132DB8E67B55DF3CD441C751

Function 00007FF7E3BDCA80 Relevance: 10.7, APIs: 7, Instructions: 173COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7E3BDDE88,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7E3BDCAEB
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCB56
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCBD9
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCBF6
QueueUserWorkItem.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCC12
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCC2D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCC6D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000038,?,?,00000000,00007FF7E3BDA57C), ref: 00007FF7E3BDCCF3

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$_invalid_parameter_noinfo_noreturn$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 380606389-0
Opcode ID: bf0ba21900bd0f492281c8739eb7739aec2d99d14466a480d607af6ee46b4fba
Instruction ID: 7c9539c03906c330e5d6f4091970909949abf590a83e90b7d7469eff353ac0aa
Opcode Fuzzy Hash: bf0ba21900bd0f492281c8739eb7739aec2d99d14466a480d607af6ee46b4fba
Instruction Fuzzy Hash: 5261CD72B08A4181EA90EB2AE44436DBBA0FB48B84FD40133DB9E57B55DF3CD485C751

Function 00007FFDA4334CEA Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA43351D0: RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4335220
Part of subcall function 00007FFDA43351D0: RaiseException.KERNEL32 ref: 00007FFDA4335261

RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4334D87

Strings

Bad dynamic_cast!, xrefs: 00007FFDA4334E52
Attempted a typeid of nullptr pointer!, xrefs: 00007FFDA4334EC5
Bad read pointer - no RTTI data!, xrefs: 00007FFDA4334EE8
Access violation - no RTTI data!, xrefs: 00007FFDA4334CEA, 00007FFDA4334F0B

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 3685223789-928371585
Opcode ID: 4f73c46b7be505823b8c23bdf2e01a106e3a134808b8006f3c7a9710838bb3a8
Instruction ID: b760bb35c07a2e77bf1f4100b3fe70e86ae7e24f45836bb60d734f5637bd2ce9
Opcode Fuzzy Hash: 4f73c46b7be505823b8c23bdf2e01a106e3a134808b8006f3c7a9710838bb3a8
Instruction Fuzzy Hash: AD518C22B5AE46A2DE20EB10E4F05B96360FF65B85F604531DA8E07776EE3CF545C704

Function 00007FFDA433D274 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433D2E8
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433D2F7

Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B50D
Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B546
Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B871

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433D397
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433D3A7
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433D453

Strings

{for , xrefs: 00007FFDA433D320

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: e28e9d1f3631d4fb5693f2a073767a0cc6dff7d4d31713262684a28cd151016f
Instruction ID: 36bd7dd1896e9ba0b2c99889e9ecd2b2ea884af378c262ad62674420ea1d15d0
Opcode Fuzzy Hash: e28e9d1f3631d4fb5693f2a073767a0cc6dff7d4d31713262684a28cd151016f
Instruction Fuzzy Hash: DE514D72B4AE85A9E711AF25D4A13EC63A0EB46748F808031EA4D47BB6DF7CE554C308

Function 00007FFD944EDF7C Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000000,?,00007FFD944F15AF,?,?,?,?,00000000,00007FFD944EB801), ref: 00007FFD944EE04C
memset.VCRUNTIME140(?,00000000,?,00007FFD944F15AF,?,?,?,?,00000000,00007FFD944EB801), ref: 00007FFD944EE05C
memcpy.VCRUNTIME140(?,00000000,?,00007FFD944F15AF,?,?,?,?,00000000,00007FFD944EB801), ref: 00007FFD944EE071
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,00007FFD944F15AF,?,?,?,?,00000000,00007FFD944EB801), ref: 00007FFD944EE0A5
memcpy.VCRUNTIME140(?,00000000,?,00007FFD944F15AF,?,?,?,?,00000000,00007FFD944EB801), ref: 00007FFD944EE0AF
memset.VCRUNTIME140(?,00000000,?,00007FFD944F15AF,?,?,?,?,00000000,00007FFD944EB801), ref: 00007FFD944EE0BF
memcpy.VCRUNTIME140(?,00000000,?,00007FFD944F15AF,?,?,?,?,00000000,00007FFD944EB801), ref: 00007FFD944EE0CF

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: memcpy$memset$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 700262077-0
Opcode ID: b2bdcbd8606280514bc66d9d2951ba0696e1817c0948a1094c7d34a125e20018
Instruction ID: 94f788e5ce4da1d6f24daa9e51c92e1c988b61df337a675db3f454d4e742c133
Opcode Fuzzy Hash: b2bdcbd8606280514bc66d9d2951ba0696e1817c0948a1094c7d34a125e20018
Instruction Fuzzy Hash: D741C662B08A9181EE24EFA6E4A42AF6351FB45BD4F548532EF5D0BB9BDE7CD041C300

Function 00007FFD944F5030 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944F50D4
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944F50E5
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F511E

Strings

ios_base::eofbit set, xrefs: 00007FFD944F50AF
ios_base::failbit set, xrefs: 00007FFD944F50A8
ios_base::badbit set, xrefs: 00007FFD944F509D, 00007FFD944F50F0

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2924853686-1866435925
Opcode ID: 2c39280db052db23b3fddc9d3f67106f8d8e22556bd84a42786215674899bd93
Instruction ID: a0699bd961eb0f03eaecf0e40b879ee22199de67265f3a7b730eb2874c8a11fc
Opcode Fuzzy Hash: 2c39280db052db23b3fddc9d3f67106f8d8e22556bd84a42786215674899bd93
Instruction Fuzzy Hash: A041E072B04B4696EB68CFA0E1A03A933A0FF16B88F408131DA4C4765BDF7CE194C780

Function 00007FFD9450218C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD945021BA

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

_Maklocstr.LIBCPMT ref: 00007FFD94502233
_Maklocstr.LIBCPMT ref: 00007FFD94502249
_Getvals.LIBCPMT ref: 00007FFD945022EE

Strings

true, xrefs: 00007FFD94502242
false, xrefs: 00007FFD9450222C

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2626534690-2658103896
Opcode ID: e8ddeff9f44de4f8fb278b4ead688765334a09998f0b454b1657f4843fedeccf
Instruction ID: 0ba8b1da3663300636fe2d34479f8e744ea38feefe510b3fcbba131d6f9557a2
Opcode Fuzzy Hash: e8ddeff9f44de4f8fb278b4ead688765334a09998f0b454b1657f4843fedeccf
Instruction Fuzzy Hash: 69415D26B08A81DAE721CFF4E4501ED33B1FB59748B409626EE4D27A5AEF38D596C340

Function 00007FFDA433C834 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA433BF2D), ref: 00007FFDA433C8F8
DName::DName.LIBVCRUNTIME ref: 00007FFDA433C917

Strings

void, xrefs: 00007FFDA433C87A
`template-parameter, xrefs: 00007FFDA433C925

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 59493a6d2a7aae2ddd4956f52367a67dab7b15104d6997a8396ea259485d124f
Instruction ID: 3704a202ac30f4f98836f43fab80ec26968499e54b92d53864a621528482f0ad
Opcode Fuzzy Hash: 59493a6d2a7aae2ddd4956f52367a67dab7b15104d6997a8396ea259485d124f
Instruction Fuzzy Hash: 41414A22F4AF5188FB00ABA0D8A52FC2371BB0A788F554135DE0D2A7B6DF7CA1458344

Function 00007FFDA433757C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDA43373F8: Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA43374B9

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433762E

Strings

,<ellipsis>, xrefs: 00007FFDA433760C
,..., xrefs: 00007FFDA43375FC
<ellipsis>, xrefs: 00007FFDA433767B
void, xrefs: 00007FFDA43376A0
..., xrefs: 00007FFDA433766B

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: 9f024d171a3f47a800bb80ab550b9114fa76043a2d4a8103672545ca5466c7ea
Instruction ID: cce7cd343359b2de719d316959377ff92bbdd48f78d46b0d3d8e74e13f208f6d
Opcode Fuzzy Hash: 9f024d171a3f47a800bb80ab550b9114fa76043a2d4a8103672545ca5466c7ea
Instruction Fuzzy Hash: 374138A2F4AF4698F701AB68D8B42FC37A0BB0A348F549535CA4D163B6DF7CA540C748

Function 00007FFDA4339390 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA4339473

Strings

short , xrefs: 00007FFDA4339410
int , xrefs: 00007FFDA4339401
long , xrefs: 00007FFDA43393F2
char , xrefs: 00007FFDA4339419
unsigned , xrefs: 00007FFDA4339447

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 3c3afed22fbae0bd15e2fc1efda1da40bd840b4d73e0681f55d3c70b90d1d654
Instruction ID: d5feab33ba5e29bafce852f3d2bbc98a0fa20508cd5bd40639a973e559eac66f
Opcode Fuzzy Hash: 3c3afed22fbae0bd15e2fc1efda1da40bd840b4d73e0681f55d3c70b90d1d654
Instruction Fuzzy Hash: 67312972F5AE51C9E701AB68D8F41AC27B1BB0A748F548135DA4E16BBADE3CE504C708

Function 00007FFD945170A0 Relevance: 9.2, APIs: 6, Instructions: 235COMMONLIBRARYCODE

Download Yara Rule

APIs

_Dunscale.LIBCPMT ref: 00007FFD945170DB
_Dunscale.LIBCPMT ref: 00007FFD9451718F

Part of subcall function 00007FFD9450E930: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFD9450D814), ref: 00007FFD9450E939

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 5ce02b36a2e3a1ba29bfa6ab94e8b9aef83d290c33b12981f784d2203041673d
Instruction ID: 6e85b5940b9fd402c6ff3a9c834910779470ffe84ffdc3ef03e89d04a09b67fc
Opcode Fuzzy Hash: 5ce02b36a2e3a1ba29bfa6ab94e8b9aef83d290c33b12981f784d2203041673d
Instruction Fuzzy Hash: 04A1B316B18E4A89D7B2DEF884E01BD5362FF5B794F50C231EA4E165A6DF38E496C300

Function 00007FFD9450EB24 Relevance: 9.2, APIs: 6, Instructions: 235COMMONLIBRARYCODE

Download Yara Rule

APIs

_FDunscale.LIBCPMT ref: 00007FFD9450EB5F
_FDunscale.LIBCPMT ref: 00007FFD9450EC12

Part of subcall function 00007FFD9450E930: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFD9450D814), ref: 00007FFD9450E939

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: c63ac688d4028622990a585cde29c4c7eee12cff14747b8683a601da36398575
Instruction ID: 09f83e90d3162d77301815683a0d8e09c58ea62f7bfc2f9e12482d60ad99f8aa
Opcode Fuzzy Hash: c63ac688d4028622990a585cde29c4c7eee12cff14747b8683a601da36398575
Instruction Fuzzy Hash: 89A1E63BF0868A9AE7B6DEE685D10BC6311FF56745F64C230E60D1619ADF38B096D700

Function 00007FFD944E90B0 Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944E9160

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: da38ef9a5443db732ee562a96ebe53d1638a1f0b2d79e2a09f6e4dc9d3da73e8
Instruction ID: f4d654c5320aba0c3261e203c03294802bf52a3ff3e5d41013d680fbeaa77869
Opcode Fuzzy Hash: da38ef9a5443db732ee562a96ebe53d1638a1f0b2d79e2a09f6e4dc9d3da73e8
Instruction Fuzzy Hash: 59818B73709A81C9EF61CFA5D0E03AE73A0FB49748F448532EA5E46A9AEF78D454C300

Function 00007FFD94517A80 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94518690: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD945186BC
Part of subcall function 00007FFD94518690: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD9451871C

_Xp_setn.LIBCPMT ref: 00007FFD94517B46
_Xp_setn.LIBCPMT ref: 00007FFD94517B81
_Xp_addx.LIBCPMT ref: 00007FFD94517B94
_Xp_setn.LIBCPMT ref: 00007FFD94517C12
_Xp_setn.LIBCPMT ref: 00007FFD94517C4D
_Xp_addx.LIBCPMT ref: 00007FFD94517C61

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Xp_setn$Xp_addx$isspaceisxdigit
String ID:
API String ID: 2908567333-0
Opcode ID: 3e9e61286455fa8b0d4477d2a82ac41f9d5538707f36af545e6a498fbf202ff1
Instruction ID: da44e3f1a1a816c5f2d96ff66ee138ceadf1310c8f1fd56f96eae6d465c2e0a3
Opcode Fuzzy Hash: 3e9e61286455fa8b0d4477d2a82ac41f9d5538707f36af545e6a498fbf202ff1
Instruction Fuzzy Hash: 0661C522B1854282E7B2DFE5E4E05AE6760FB9A744F508532EE4E136A7DF3CD549CB00

Function 00007FFD94519B40 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9451A558: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A585
Part of subcall function 00007FFD9451A558: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A5FA

_Xp_setn.LIBCPMT ref: 00007FFD94519C06
_Xp_setn.LIBCPMT ref: 00007FFD94519C41
_Xp_addx.LIBCPMT ref: 00007FFD94519C54
_Xp_setn.LIBCPMT ref: 00007FFD94519CD2
_Xp_setn.LIBCPMT ref: 00007FFD94519D0D
_Xp_addx.LIBCPMT ref: 00007FFD94519D21

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: 6fd54ea143c9a280b0c11a3813756671dd877181ce86f25af51dd73d28c2cfcb
Instruction ID: 7c8d883447f73f0764221a4347aa0a2041e0226ef6592f95e53cea5472d6eba0
Opcode Fuzzy Hash: 6fd54ea143c9a280b0c11a3813756671dd877181ce86f25af51dd73d28c2cfcb
Instruction Fuzzy Hash: D061CB26B1C94292E7A2EED5D4E05BE6760FB8A744F508132EE4E1369BEF3CD545CB00

Function 00007FFD94518300 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94518690: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD945186BC
Part of subcall function 00007FFD94518690: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD9451871C

_Xp_setn.LIBCPMT ref: 00007FFD945183C6
_Xp_setn.LIBCPMT ref: 00007FFD94518401
_Xp_addx.LIBCPMT ref: 00007FFD94518414
_Xp_setn.LIBCPMT ref: 00007FFD94518492
_Xp_setn.LIBCPMT ref: 00007FFD945184CD
_Xp_addx.LIBCPMT ref: 00007FFD945184E1

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Xp_setn$Xp_addx$isspaceisxdigit
String ID:
API String ID: 2908567333-0
Opcode ID: d7605cebda99171b709e74a24857eaa706f155c27f07d91b9a12433e6d831dfc
Instruction ID: dadd03b14b7bcc6654e8cbaadcf2e158a4fdb7c98020872cedac12877abf383c
Opcode Fuzzy Hash: d7605cebda99171b709e74a24857eaa706f155c27f07d91b9a12433e6d831dfc
Instruction Fuzzy Hash: 9961D422B1854293E7B2DEE5E4E05AE6720FB8A344F508132EE4E13A97DE7CE506C700

Function 00007FFD9451A2E0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9451A558: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A585
Part of subcall function 00007FFD9451A558: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A5FA

_Xp_setn.LIBCPMT ref: 00007FFD9451A3A6
_Xp_setn.LIBCPMT ref: 00007FFD9451A3E1
_Xp_addx.LIBCPMT ref: 00007FFD9451A3F4
_Xp_setn.LIBCPMT ref: 00007FFD9451A472
_Xp_setn.LIBCPMT ref: 00007FFD9451A4AD
_Xp_addx.LIBCPMT ref: 00007FFD9451A4C1

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: d7eed582d395bd3741fee58c62c1966e5a70bade292dc389d8de865f8368d023
Instruction ID: 95adb553987a1fd362b9151790b763d61b170c0128aaa1862b32b5f24a05b261
Opcode Fuzzy Hash: d7eed582d395bd3741fee58c62c1966e5a70bade292dc389d8de865f8368d023
Instruction Fuzzy Hash: 7D61B822B1C54243D6A3EED5E4E05BE6760FB8A744F508132EE4E53A97DE7CD945C700

Function 00007FFDA43394B8 Relevance: 9.2, APIs: 6, Instructions: 161COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDA433956A
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433957A
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4339597
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433960A
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4339633

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 324be46c7699672607354ffe77b7e62202c9aa6b193d4e3f36b0da409810ee66
Instruction ID: 6dc866518ad8ac85748e03233e313120ccd74588b25c7c259cc5258de9e33d7a
Opcode Fuzzy Hash: 324be46c7699672607354ffe77b7e62202c9aa6b193d4e3f36b0da409810ee66
Instruction Fuzzy Hash: 68713572B4AE92C9FB10ABA4D8A02AC37A1BB46754F548131DA0E177B6DF7DE441C704

Function 00007FF7E3BD6CF0 Relevance: 9.2, APIs: 6, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F,?,?,00007FF7E3BD5E63), ref: 00007FF7E3BD6DE7
memset.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F,?,?,00007FF7E3BD5E63), ref: 00007FF7E3BD6DF0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F,?,?,00007FF7E3BD5E63), ref: 00007FF7E3BD6DF5
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F,?,?,00007FF7E3BD5E63), ref: 00007FF7E3BD6E01
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F,?,?,00007FF7E3BD5E63), ref: 00007FF7E3BD6E8C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F,?,?,00007FF7E3BD5E63), ref: 00007FF7E3BD6EEB

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$_errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 3291378255-0
Opcode ID: 6a47b394aab36d93c049cfc821bcc7ec04938c3c2aad8afe9587cca9a65e85d4
Instruction ID: 688bf61b0825d5c124100ba8f55ab7d0de632eeecd133e2db183b52743e903f2
Opcode Fuzzy Hash: 6a47b394aab36d93c049cfc821bcc7ec04938c3c2aad8afe9587cca9a65e85d4
Instruction Fuzzy Hash: C851D662E0864A42FE90BB19E504379BA55EB447F4FD54333DABE2A7D5DE3CE4408312

Function 00007FF7E3BE11C5 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E3BE1140: _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BE1176

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BE1319
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BE1322
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BE1330
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BE1339
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BE1347
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BE1350

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _wcsdup$free
String ID:
API String ID: 2821050141-0
Opcode ID: 0a30ed8b38fdc64fe2349363889bf2098842113576166af62a13b061307e7fc4
Instruction ID: b0ca55c19a157dda9befc659f7e0f674be3045a442ea5f61722d52f00a34ed51
Opcode Fuzzy Hash: 0a30ed8b38fdc64fe2349363889bf2098842113576166af62a13b061307e7fc4
Instruction Fuzzy Hash: E9518525B19B4986EA80FB16E00426EBB94FF85BC4F940236EE8F57B54DE3CE544C712

Function 00007FF7E3BD7410 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD7423
Deinit.WXFMANAGER64(?,?,?,?,?,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7548
DeleteWzExtensionsManager.WXFMANAGER64(?,?,?,?,?,?,00007FF7E3BD7A05), ref: 00007FF7E3BD7555
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD755F
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD7569
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,00007FF7E3BE0237,?,?,?,?,?,?,?,?,00007FF7E3BD3CE8), ref: 00007FF7E3BD7607

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$Delete$DeinitEnterExtensionsLeaveManager_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1609876981-0
Opcode ID: e80ae5a2692c9f82ceb8dd8b5c5ffda72f4e3df09b3e5e635b72ea5c17da2f3e
Instruction ID: 8bc0afab042718d0d7f07be068ccf6b2f1cec14676ac2bb57d49c45f29ea57c2
Opcode Fuzzy Hash: e80ae5a2692c9f82ceb8dd8b5c5ffda72f4e3df09b3e5e635b72ea5c17da2f3e
Instruction Fuzzy Hash: 25516E32615A4582DAA1AF26F4413AAFB61FB44B94FC44236DBDF57A94CF3CE440C712

Function 00007FFD944EA070 Relevance: 9.1, APIs: 6, Instructions: 94fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFD944EA0E8
GetFileInformationByHandle.KERNEL32 ref: 00007FFD944EA0FE
CloseHandle.KERNEL32 ref: 00007FFD944EA10D
CreateFileW.KERNEL32 ref: 00007FFD944EA137
GetFileInformationByHandle.KERNEL32 ref: 00007FFD944EA14D
CloseHandle.KERNEL32 ref: 00007FFD944EA15C

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: FileHandle$CloseCreateInformation
String ID:
API String ID: 1240749428-0
Opcode ID: e0acb6e887bb951a0835afe1ec8fe70009cf8879c6c8ed950f02717f605faf88
Instruction ID: 9cfffa2c5cd93be059a22cc1d50666878539d1c06ab1490e4c2241a00497567f
Opcode Fuzzy Hash: e0acb6e887bb951a0835afe1ec8fe70009cf8879c6c8ed950f02717f605faf88
Instruction Fuzzy Hash: 9141E232F08641CAF761CFB1E8A03AE33A0EB59798F409735EE1D52A99DF389595C700

Function 00007FFD944F27A0 Relevance: 9.1, APIs: 6, Instructions: 92threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFD944F27C9
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FFD944F1EE2), ref: 00007FFD944F27E8
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FFD944F1EE2), ref: 00007FFD944F280A
sys_get_time.LIBCPMT ref: 00007FFD944F2825
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FFD944F1EE2), ref: 00007FFD944F284B
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FFD944F1EE2), ref: 00007FFD944F2863

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThreadsys_get_time
String ID:
API String ID: 184115430-0
Opcode ID: 11a15157c385787f894d150ae291b78bf2f3a54f076f7b340c30771fcdeb6fe5
Instruction ID: 58d39056b0b2d735b17ad3e932efe721f243410c25566a9dba022fcab7d208d7
Opcode Fuzzy Hash: 11a15157c385787f894d150ae291b78bf2f3a54f076f7b340c30771fcdeb6fe5
Instruction Fuzzy Hash: BC412C32B18A06D6E7748F91D4A027973A0FF52B44FC08675D64E8269ADF7EE891CB01

Function 00007FF7E3BD5220 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7E3BD5252
__RTDynamicCast.VCRUNTIME140 ref: 00007FF7E3BD52CC
__RTDynamicCast.VCRUNTIME140 ref: 00007FF7E3BD52FE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD5309
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD5315
memcpy.VCRUNTIME140 ref: 00007FF7E3BD532B

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CastDynamic$_errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 2153630693-0
Opcode ID: 5d509c29bebb33a4b0074b62644f6fda2cfd391f415c591955fd2fa19a0f65d7
Instruction ID: e3db66e6ba88bdbfc13fa4938ecd9d44cfc2b5b5ddaba9f75aea7048e076ff54
Opcode Fuzzy Hash: 5d509c29bebb33a4b0074b62644f6fda2cfd391f415c591955fd2fa19a0f65d7
Instruction Fuzzy Hash: CF319362B0CA8291EA61EB56E4043AAFB64FB84754FC14133DA8F63744DF3CE605D622

Function 00007FFDA43350B0 Relevance: 9.1, APIs: 6, Instructions: 83stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFDA4335103
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA4335146
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA4335170
InterlockedPushEntrySList.KERNEL32 ref: 00007FFDA433518D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA4335199
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA43351A2

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 866ea2b764558c050a0cc0a8bbb3401513b7e8aca2bfba0586f224786ad82dc5
Instruction ID: 80b8c05039443306a2b01f6b8faac0b395f27ba150242acce974a7d1d083b31c
Opcode Fuzzy Hash: 866ea2b764558c050a0cc0a8bbb3401513b7e8aca2bfba0586f224786ad82dc5
Instruction Fuzzy Hash: CF31C622B57F5151EE11EB15A8685A923A0BF1ABD4B554531DD2E033A2EE3DE842C344

Function 00007FFD944F21D0 Relevance: 9.1, APIs: 6, Instructions: 62threadCOMMON

Download Yara Rule

APIs

SleepConditionVariableSRW.KERNEL32 ref: 00007FFD944F2210
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944F221A
sys_get_time.LIBCPMT ref: 00007FFD944F2226
SleepConditionVariableSRW.KERNEL32 ref: 00007FFD944F224C
sys_get_time.LIBCPMT ref: 00007FFD944F225B
GetCurrentThreadId.KERNEL32 ref: 00007FFD944F2277

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ConditionSleepVariablesys_get_time$CurrentThreadabort
String ID:
API String ID: 330701040-0
Opcode ID: 0fdbf4683e24fee20d2a60a7c231d24d24362fbfc9649aa6435325675bbe1770
Instruction ID: f66b20b52b4ed2d725d1bc86a3fa52986d36f0c064fb8ab3f3519e5f1d78306d
Opcode Fuzzy Hash: 0fdbf4683e24fee20d2a60a7c231d24d24362fbfc9649aa6435325675bbe1770
Instruction Fuzzy Hash: B011F6B371460286FB75DBA5E4A15696360FF86B94F808631DD1D8369AEF3DC542C700

Function 00007FFDA358CE14 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDA358EF69,?,?,?,?,00007FFDA358E1FC), ref: 00007FFDA358CE23
FlsSetValue.KERNEL32(?,?,?,00007FFDA358EF69,?,?,?,?,00007FFDA358E1FC), ref: 00007FFDA358CE59
FlsSetValue.KERNEL32(?,?,?,00007FFDA358EF69,?,?,?,?,00007FFDA358E1FC), ref: 00007FFDA358CE86
FlsSetValue.KERNEL32(?,?,?,00007FFDA358EF69,?,?,?,?,00007FFDA358E1FC), ref: 00007FFDA358CE97
FlsSetValue.KERNEL32(?,?,?,00007FFDA358EF69,?,?,?,?,00007FFDA358E1FC), ref: 00007FFDA358CEA8
SetLastError.KERNEL32(?,?,?,00007FFDA358EF69,?,?,?,?,00007FFDA358E1FC), ref: 00007FFDA358CEC3

Memory Dump Source

Source File: 00000005.00000002.2189862502.00007FFDA3561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3560000, based on PE: true

Associated: 00000005.00000002.2189849486.00007FFDA3560000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189887154.00007FFDA359D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189902000.00007FFDA35A9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AC000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189942387.00007FFDA35B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189955378.00007FFDA35B3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2190056184.00007FFDA373C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda3560000_svaulpzg.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 94517cf9672c66fc30c61a9200baee077cc0c8df5f6e0ce772c0e82fdb4e8889
Instruction ID: 192287a515418fa1cdf1fc692fad526bd62c1e55b7e6fe11eb8870c7acbc03e0
Opcode Fuzzy Hash: 94517cf9672c66fc30c61a9200baee077cc0c8df5f6e0ce772c0e82fdb4e8889
Instruction Fuzzy Hash: 4C114F22F0B68243FA579339557503992939F457B0F840A34D92E677D7DE2EB441A308

Function 00007FFD944E2FA0 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD944E60B6), ref: 00007FFD944E2FA9
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E60B6), ref: 00007FFD944E2FBB
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD944E60B6), ref: 00007FFD944E2FCA
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD944E60B6), ref: 00007FFD944E3030
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD944E60B6), ref: 00007FFD944E303E
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFD944E60B6), ref: 00007FFD944E3051

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
String ID:
API String ID: 490008815-0
Opcode ID: 883c42097863d2430cc01175ace05e63b8581df211ad2e3c91a792b828fdf2a8
Instruction ID: c06bc86b6c387ac6c9faeebafc5f7551b4f5b543dda42c17b7bc26ec08602b1b
Opcode Fuzzy Hash: 883c42097863d2430cc01175ace05e63b8581df211ad2e3c91a792b828fdf2a8
Instruction Fuzzy Hash: 27215162E08B85C3E7168FB8C5612787360FBAAB48F15E620CE8C06217DF79E1D5C340

Function 00007FFDA4332604 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

EncodePointer.KERNEL32 ref: 00007FFDA4332674
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA43326BF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43328F2

Strings

RCC, xrefs: 00007FFDA4332690
MOC, xrefs: 00007FFDA4332688

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 73384d943c82023c9b92037721da8eb0cad5d5e78b685c30dae3c1ceff46f5e3
Instruction ID: f19d3eb62ca6325580501073c946c21b7859f9b11b882feb18cb6f3f5e350c7d
Opcode Fuzzy Hash: 73384d943c82023c9b92037721da8eb0cad5d5e78b685c30dae3c1ceff46f5e3
Instruction Fuzzy Hash: 95919273B09B918AE710EB64E4A02AD77B0FB45788F108125EA8D57776DF3CE195C704

Function 00007FFDA54B19A4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA54B3374: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA54B1082), ref: 00007FFDA54B33B4

EncodePointer.KERNEL32 ref: 00007FFDA54B1A14
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA54B1A5F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B1C92

Strings

MOC, xrefs: 00007FFDA54B1A28
RCC, xrefs: 00007FFDA54B1A30

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: e219486185c9a6c876cb8926008b3bded5c074c836f53f255e0545f36a685c03
Instruction ID: 219b3d92c7b9170f3c8826f37f9192c46ab591a145495d40b7325545cff08e46
Opcode Fuzzy Hash: e219486185c9a6c876cb8926008b3bded5c074c836f53f255e0545f36a685c03
Instruction Fuzzy Hash: 5C91D373B09B898AEB10CF65E8503AD77B0FB46B88F114129EA8C17756DF78E195C704

Function 00007FFDA433AC00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433AEA0

Strings

std::nullptr_t, xrefs: 00007FFDA433AE59
volatile , xrefs: 00007FFDA433AC67, 00007FFDA433AD98
std::nullptr_t , xrefs: 00007FFDA433AE30
volatile, xrefs: 00007FFDA433AC76, 00007FFDA433ADA7

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: dd1429a5ed7d4145acb9ee615fdcef798bfb655970b58e36f34b395a959dc1bb
Instruction ID: 4850342f9d4b2bcd1b5f7c621bed3b2f44392807910e956a87543f5eca78c3a6
Opcode Fuzzy Hash: dd1429a5ed7d4145acb9ee615fdcef798bfb655970b58e36f34b395a959dc1bb
Instruction Fuzzy Hash: 2E713A72B8AE4284EB14BB6498B00BC77A5BB07B85F444535DA4E56BB6DF7CB150C308

Function 00007FFDA4332DB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA4332DDA

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332F2F

Strings

csm, xrefs: 00007FFDA4332DFF
, xrefs: 00007FFDA4332E80
csm, xrefs: 00007FFDA4332F69

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abort$__except_validate_context_record
String ID: $csm$csm
API String ID: 3000080923-1512788406
Opcode ID: a6e101957fe1e77dd933d7c2405cc9f0679c2286e7cee33148c3554897acf41d
Instruction ID: 77ab0a5ff3fa72a46f4318f368ba05d47bfa8edb3def4ba50a777c95392aed1b
Opcode Fuzzy Hash: a6e101957fe1e77dd933d7c2405cc9f0679c2286e7cee33148c3554897acf41d
Instruction Fuzzy Hash: C771A332A0AA8186D761AF1190B07797BA0FB06F85F149135EA5D57BBACB3CE491C704

Function 00007FFDA54B1F28 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA54B1F52

Part of subcall function 00007FFDA54B3374: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA54B1082), ref: 00007FFDA54B33B4

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B20A7

Strings

csm, xrefs: 00007FFDA54B1F77
, xrefs: 00007FFDA54B1FF8
csm, xrefs: 00007FFDA54B20E1

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: abort$__except_validate_context_record
String ID: $csm$csm
API String ID: 3000080923-1512788406
Opcode ID: 971032131d011c8ceed9186027e105cd692b4e6c1ddef89ad5d79e80dbf73767
Instruction ID: 830ec44b473b44a9a2e7869ba971ddd3b912f19c782918e318ec7fe2acdd52e7
Opcode Fuzzy Hash: 971032131d011c8ceed9186027e105cd692b4e6c1ddef89ad5d79e80dbf73767
Instruction Fuzzy Hash: B871AE72B0E68686DF608B2594A077D7BA0FB06F89F158135EB4D07B8ACB7CD491C748

Function 00007FF7E3BDB0A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,00000000,00007FF7E3BD3FD2,?,?,00000000,00007FF7E3BDB26D), ref: 00007FF7E3BDB0BA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF7E3BD3FD2,?,?,00000000,00007FF7E3BDB26D), ref: 00007FF7E3BDB10C
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?), ref: 00007FF7E3BDB201
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?), ref: 00007FF7E3BDB31A

Strings

false, xrefs: 00007FF7E3BDB360
D:\a\Courier\Courier\ZipSendService\Utils\Serialize.h, xrefs: 00007FF7E3BDB359

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection_invalid_parameter_noinfo_noreturn$DeleteInitialize
String ID: D:\a\Courier\Courier\ZipSendService\Utils\Serialize.h$false
API String ID: 827790545-1469131792
Opcode ID: fa32023aa47d9daf4aa97d8131ae0bbb6f5b01df7f1709e596794da2fbb631c5
Instruction ID: b61c72a669197555fb977f29b5a94d43a48fc21414db0c5a5a53042940312236
Opcode Fuzzy Hash: fa32023aa47d9daf4aa97d8131ae0bbb6f5b01df7f1709e596794da2fbb631c5
Instruction Fuzzy Hash: BF41E662B0964581EA44EB2AE40436DBBA0EF44BE8FD44233DFAE177D4DE7CD4918312

Function 00007FFDA4332B88 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA4332BB0

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332C7F
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFDA4332C8F

Strings

csm, xrefs: 00007FFDA4332CE1
csm, xrefs: 00007FFDA4332BD2

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 1245442199-3733052814
Opcode ID: 03e2a13ccd19e9d954db063dad7120f2276b320a18aa339786b3d5ef8d3b8248
Instruction ID: 503037e4d511d789fe038d45f188786218b6cf4c1e3258448257bf543730b3de
Opcode Fuzzy Hash: 03e2a13ccd19e9d954db063dad7120f2276b320a18aa339786b3d5ef8d3b8248
Instruction Fuzzy Hash: F861B236749A828AEB64AF1290B436877A0FB56B85F148135DA6D43BF6CF3CF451C708

Function 00007FFDA4332394 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

EncodePointer.KERNEL32 ref: 00007FFDA43323F3
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA433243F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43325FB

Strings

RCC, xrefs: 00007FFDA433240F
MOC, xrefs: 00007FFDA4332407

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 412ae4e05827d5c660a41158829c13d418b7430c0a058c8386c48240e8dbe5b4
Instruction ID: b7565159fdc6a75320c9e84291dcbed956339622c5d72f2d68198669dcd051d3
Opcode Fuzzy Hash: 412ae4e05827d5c660a41158829c13d418b7430c0a058c8386c48240e8dbe5b4
Instruction Fuzzy Hash: 4C619432A09F8581E7609B15E4A03AAB7A0FB86794F048225EB9D43776DF3CE190CB04

Function 00007FFDA43342F0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFDA43343C2

Strings

RCC, xrefs: 00007FFDA433433C
MOC, xrefs: 00007FFDA4334330
csm, xrefs: 00007FFDA433447F
csm, xrefs: 00007FFDA4334352

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 104395404-1441736206
Opcode ID: 2f7819a6e7334cd80d7289c252f885002fdbf5779c1e806f6eb8d82655ad3f9b
Instruction ID: 0948624822cb40c5a7c3f650ba392868da1172ea86809605acd496497db7bb27
Opcode Fuzzy Hash: 2f7819a6e7334cd80d7289c252f885002fdbf5779c1e806f6eb8d82655ad3f9b
Instruction Fuzzy Hash: 1B519D26B4AE4296EA60EF1191B017D2AA0FF56798F240135EE8D43773DF3CF8618709

Function 00007FFD94518690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD945186BC
isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94517AD2), ref: 00007FFD9451871C

Strings

0, xrefs: 00007FFD945186FE
(, xrefs: 00007FFD945187BA

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: isspaceisxdigit
String ID: ($0
API String ID: 2593999819-506339136
Opcode ID: e2ef1f78d7ac0f0247cf27d29176a06a3da0d91fe8ad8e2b8a2eac6abd7fdfaf
Instruction ID: b03c1001ba2394df8d170c5a2cd891282fa68e0300e9b19adb67d56abf609379
Opcode Fuzzy Hash: e2ef1f78d7ac0f0247cf27d29176a06a3da0d91fe8ad8e2b8a2eac6abd7fdfaf
Instruction Fuzzy Hash: B641865AF0C6C645FBF64EF254B02B96B919B1BB84F0DD471CAD90B247DA1EE842D310

Function 00007FFD9451A558 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A585
iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94519B92), ref: 00007FFD9451A5FA

Strings

0, xrefs: 00007FFD9451A5D6
(, xrefs: 00007FFD9451A6C2

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: iswspaceiswxdigit
String ID: ($0
API String ID: 1229460652-506339136
Opcode ID: bdef79badc771c1f0ff5e8a20c9d4d2ce4eb6723a0feef1680779b9e07fe3076
Instruction ID: d343cb8388adec6abc042d9c99b8a7ca8b341e39a435db0b10d0fe65f6afb07a
Opcode Fuzzy Hash: bdef79badc771c1f0ff5e8a20c9d4d2ce4eb6723a0feef1680779b9e07fe3076
Instruction Fuzzy Hash: E6419456F1815784EBB76FE594B01B976A0EB09BD4B45C131DE8A4B1D6FB3CEC81C220

Function 00007FFD94502044 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD944FE478), ref: 00007FFD94502086

Part of subcall function 00007FFD944EBD64: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD945101F5,?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD944EBD8F
Part of subcall function 00007FFD944EBD64: memcpy.VCRUNTIME140(?,?,00000000,00007FFD945101F5,?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD944EBDAB

_Getvals.LIBCPMT ref: 00007FFD945020C3

Strings

+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFD945020FC
$+xv, xrefs: 00007FFD945020F5
$+xv, xrefs: 00007FFD9450216C

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3848194746-3573081731
Opcode ID: 1ec5abaf6d247c21dd65d46c1376d9a6c6ce35e130d675db4465f8a48783e3d9
Instruction ID: bef28411fb4a9e6a115553ee37a49bea7cf9009078672902f0f728add7a6e9fa
Opcode Fuzzy Hash: 1ec5abaf6d247c21dd65d46c1376d9a6c6ce35e130d675db4465f8a48783e3d9
Instruction Fuzzy Hash: 3241B176A08B8187E772CBA5D0A036E7BA0FB56B41F148235D78E43A56DB3CF455CB00

Function 00007FFD94502318 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD94502346

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

_Maklocstr.LIBCPMT ref: 00007FFD945023BF
_Maklocstr.LIBCPMT ref: 00007FFD945023D5

Strings

true, xrefs: 00007FFD945023CE
false, xrefs: 00007FFD945023B8

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 309754672-2658103896
Opcode ID: 8420a7fc07adde042e9aa853236ff2f15139374f13f4dc885c891cff135176ba
Instruction ID: ddd0fc03aa55cf2c138180192778d5659141bbf049c5509fac3b8fc9e3244239
Opcode Fuzzy Hash: 8420a7fc07adde042e9aa853236ff2f15139374f13f4dc885c891cff135176ba
Instruction Fuzzy Hash: 41415C22B18B55DAE721CFB0E4A01ED33B0FB49748B409126EE4D27B5AEF38D595C394

Function 00007FF7E3BE0DB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,00000000,?,00007FF7E3BD9C00), ref: 00007FF7E3BE0DEE
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BE0DF6
__stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FF7E3BD9C00), ref: 00007FF7E3BE0E27

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

OutputDebugStringA.KERNEL32(?,00007FF7E3BD9C00), ref: 00007FF7E3BE0E59

Strings

(Pid:%d Tid:%d) %s, xrefs: 00007FF7E3BE0E3D

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current__stdio_common_vsprintf_s$DebugOutputProcessStringThread
String ID: (Pid:%d Tid:%d) %s
API String ID: 160427554-3798064394
Opcode ID: 857a4afaca7148da064c214dea17dd104c927150d8877efe671ed6d275088f4a
Instruction ID: 01a778384ca3a6a72ccc9651545e7f7228946bffe78903fcdce151ca2059acb1
Opcode Fuzzy Hash: 857a4afaca7148da064c214dea17dd104c927150d8877efe671ed6d275088f4a
Instruction Fuzzy Hash: 9511B632A18B8581E660EB16F44479ABB74FB847C4F800236EACE53769DF3CD555CB11

Function 00007FF7E3BE0CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,00007FF7E3BD9C0F), ref: 00007FF7E3BE0D2D
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BE0D35

Part of subcall function 00007FF7E3BE0E80: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0EC3

__stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FF7E3BD9C0F), ref: 00007FF7E3BE0D7B
MessageBoxA.USER32 ref: 00007FF7E3BE0D90

Strings

Log (Pid:%d Tid:%d), xrefs: 00007FF7E3BE0D3E

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current__stdio_common_vsprintf_s$MessageProcessThread
String ID: Log (Pid:%d Tid:%d)
API String ID: 2381413097-233322029
Opcode ID: 7b0c2db81a119c7272ae00332ae729ab3a4f3be0ebd202792762320b74d3949a
Instruction ID: b5a18755bed05598b5593ddf074311c0b90314f370baa34bcabecf1d67a1a81e
Opcode Fuzzy Hash: 7b0c2db81a119c7272ae00332ae729ab3a4f3be0ebd202792762320b74d3949a
Instruction Fuzzy Hash: BA118632A18B8581E760AB25F44079ABB60FB98784FC00237E5CE57658DF7CD145CB51

Function 00007FF7E3BE0BF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,00000000,?,00007FF7E3BDB36C), ref: 00007FF7E3BE0C20
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BE0C28

Part of subcall function 00007FF7E3BE0C90: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7E3BE0CD3

MessageBoxA.USER32 ref: 00007FF7E3BE0C67

Strings

Assert Error, xrefs: 00007FF7E3BE0C59
Pid: %d Tid: %dExpr: %sFile: %sLine: %d, xrefs: 00007FF7E3BE0C32

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: Current$MessageProcessThread__stdio_common_vsprintf_s
String ID: Assert Error$Pid: %d Tid: %dExpr: %sFile: %sLine: %d
API String ID: 982897249-2518543418
Opcode ID: e0909f1a76138fb62ef89ea4caa9beb96132be26d373f8b136845926e9534370
Instruction ID: 69878dfc8274a0b047ea59bd8413432280af4db71f3967f66e2dd7cd968b4a34
Opcode Fuzzy Hash: e0909f1a76138fb62ef89ea4caa9beb96132be26d373f8b136845926e9534370
Instruction Fuzzy Hash: C3016531A18A8982E760AB2AF44439ABB64BB487C4FC00236EACE97755DE7CD5458B11

Function 00007FFD944E8E90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944E8EE7
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944E8EF8

Strings

ios_base::eofbit set, xrefs: 00007FFD944E8EC2
ios_base::failbit set, xrefs: 00007FFD944E8EBB
ios_base::badbit set, xrefs: 00007FFD944E8EAF

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 65f2a329a35e87765cd5ea0f00b2bfb6ac6d7c9b9a83f26788299c5baf829f51
Instruction ID: b0b7ab24a65345b4ef607ab62638cb12e3e9391cc3e8969ba9408c2aa4c17756
Opcode Fuzzy Hash: 65f2a329a35e87765cd5ea0f00b2bfb6ac6d7c9b9a83f26788299c5baf829f51
Instruction Fuzzy Hash: A9F0DF22B1850AC6FEB5C784E4E16AA2321FB51784F94C830D10D475ABEF7CE146C381

Function 00007FFDA358ABF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFDA358AC15
GetProcAddress.KERNEL32 ref: 00007FFDA358AC2B
FreeLibrary.KERNEL32 ref: 00007FFDA358AC52

Strings

CorExitProcess, xrefs: 00007FFDA358AC24
mscoree.dll, xrefs: 00007FFDA358AC0C

Memory Dump Source

Source File: 00000005.00000002.2189862502.00007FFDA3561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3560000, based on PE: true

Associated: 00000005.00000002.2189849486.00007FFDA3560000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189887154.00007FFDA359D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189902000.00007FFDA35A9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AC000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189942387.00007FFDA35B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189955378.00007FFDA35B3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2190056184.00007FFDA373C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda3560000_svaulpzg.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6db8ab84d2048a8725801e3fb6eb5a638b76bc0903a28801e32ec6b4e6f5ca1e
Instruction ID: b3d316128648bd423ba25a687412bb0f092fa5f872d24b923866d637386e132f
Opcode Fuzzy Hash: 6db8ab84d2048a8725801e3fb6eb5a638b76bc0903a28801e32ec6b4e6f5ca1e
Instruction Fuzzy Hash: 79F0C861F1AA4682EE164B2CE46C3395361FF44761F540635D66E573E1CF2ED048E308

Function 00007FFD944F5668 Relevance: 7.8, APIs: 5, Instructions: 310stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944F5704
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944F5718
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944F572F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944F5A61
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944F5AB1

Part of subcall function 00007FFD9450D404: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD944F58CE), ref: 00007FFD9450D468

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
String ID:
API String ID: 1326169664-0
Opcode ID: 9e953c61862c5e7527a7cb08348f2cd9b6a06e1682f4418f765966c58fce3f4b
Instruction ID: be580027302ada7fde8fe7f4fc9596fdaa108a94290573514e1918b7ec83c7f3
Opcode Fuzzy Hash: 9e953c61862c5e7527a7cb08348f2cd9b6a06e1682f4418f765966c58fce3f4b
Instruction Fuzzy Hash: A5D19E72F08F8586EB25CBA5D4A02AC23B1FB4AB88F409526DE4D17B5ADF78D455C340

Function 00007FFD944F5AE8 Relevance: 7.8, APIs: 5, Instructions: 310stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944F5B84
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944F5B98
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944F5BAF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944F5EE1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944F5F31

Part of subcall function 00007FFD9450D404: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD944F58CE), ref: 00007FFD9450D468

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
String ID:
API String ID: 1326169664-0
Opcode ID: b5fa3a302d77243ae51deb93482cff022fd2aa1abbcd85ace62c26dc06459625
Instruction ID: b5a0e23e73025032ef34d2769e0d63a99615ba9eeca02aa70c1e6f853ef5cec3
Opcode Fuzzy Hash: b5fa3a302d77243ae51deb93482cff022fd2aa1abbcd85ace62c26dc06459625
Instruction Fuzzy Hash: 1ED1AD72B09B858AFB25CFA5D4A42AC2371FB4AB88F409532DE8D17B5ADF78D445C340

Function 00007FF7E3BD7E30 Relevance: 7.7, APIs: 5, Instructions: 180COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BD7E7C
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BD7F53
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BD8001
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD80CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD80D5

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$Leave_invalid_parameter_noinfo_noreturn$Enter
String ID:
API String ID: 1321135880-0
Opcode ID: 5335fc93e7284b94112b2c5e59369550a45d55f97ad4d5e78d17f1db379e1eee
Instruction ID: 0eff36e679c6ed8c0e76bc63aacb0e445bfd5629d549987e3f19e2b64e2d8f34
Opcode Fuzzy Hash: 5335fc93e7284b94112b2c5e59369550a45d55f97ad4d5e78d17f1db379e1eee
Instruction Fuzzy Hash: B071A1B2A04B8581EAA4AF16E0443BDB7A1FB44B85FC04033DB8E67A55DF7DD894C351

Function 00007FFD944F4120 Relevance: 7.7, APIs: 5, Instructions: 179COMMON

Download Yara Rule

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F41D8

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 701cd75bf637ca5d98b2670aa6c63f8087bebde6221e7ec323a85e0cd14916ad
Instruction ID: 05cb9dd609d4dd9ac92f859351cde35e5c8e0393e85fcbebd0306fe92a075dad
Opcode Fuzzy Hash: 701cd75bf637ca5d98b2670aa6c63f8087bebde6221e7ec323a85e0cd14916ad
Instruction Fuzzy Hash: 24914B73705A81C9DB358FA6C4E42AC33A1FB59B88F519232EA4D47B8ADF79D454C340

Function 00007FF7E3BD7B60 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BD7BAC
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BD7D50
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD7E1D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD7E24

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection_invalid_parameter_noinfo_noreturn$EnterLeave
String ID:
API String ID: 4256121347-0
Opcode ID: 188fddb25781ebedb87022b21ba6229f6f0ad0d34a7937f8a505f5e2544429e0
Instruction ID: 45dde25c3a87a4c96e7e138cf5047b9f5ba2e3324ba8b252e5acb671b33baf8c
Opcode Fuzzy Hash: 188fddb25781ebedb87022b21ba6229f6f0ad0d34a7937f8a505f5e2544429e0
Instruction Fuzzy Hash: 0951C2A2A04B4582EAA4EF1AE0553BCB7A0FB05B84FC44533CB9E67685DF3DD894C311

Function 00007FFD944EDE20 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD944EDEE7
memset.VCRUNTIME140 ref: 00007FFD944EDEF5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944EDF2E
memcpy.VCRUNTIME140 ref: 00007FFD944EDF38
memset.VCRUNTIME140 ref: 00007FFD944EDF46

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: memcpymemset$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 530858481-0
Opcode ID: fc8d300648ea8525804c2f8217ee1ec0008b30274db60c0014fca066bc4e0402
Instruction ID: 80686a422c77e80f081ff93dce8c2da9826733b643929dab325f7105116f7326
Opcode Fuzzy Hash: fc8d300648ea8525804c2f8217ee1ec0008b30274db60c0014fca066bc4e0402
Instruction Fuzzy Hash: 3531F861B18A9681EE35DF9699A83AF6351FB46BC0F548531EE5D0B79BCEBCE041C300

Function 00007FF7E3BDEBE0 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDEC27
EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDEC87
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDECA2
QueueUserWorkItem.KERNEL32 ref: 00007FF7E3BDECBE
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDECDB

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: 97a3bf7205502b4f90b0206b247d2cd4569c3649e9a2e3ef6bbb124b2f7188ab
Instruction ID: 76588488078f785a757e33382bdbfab1799c57305ccb5c70d783e0f4f1e5dd03
Opcode Fuzzy Hash: 97a3bf7205502b4f90b0206b247d2cd4569c3649e9a2e3ef6bbb124b2f7188ab
Instruction Fuzzy Hash: E7318F26604B4682EA94EF16E414229BBA0FF89F91BCD5532DE8F67714DF3CD446C312

Function 00007FF7E3BD4EA0 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BD4EF4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BD4EFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BD4F08
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7E3BD4F12
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD4FD7

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: db7573e215f22a3b806bd3e3102c887c95087c7f29d563968c276aae7f7ea7fa
Instruction ID: 5199bda4d2d4294f0af6c043eca3f6de789ebed84e9919b6d8433074b77f5160
Opcode Fuzzy Hash: db7573e215f22a3b806bd3e3102c887c95087c7f29d563968c276aae7f7ea7fa
Instruction Fuzzy Hash: 83318862B0468581EB84AB29D54437CB761EB44FC5FD04133DB9E5BA65CF3CD894C312

Function 00007FF7E3BDEE00 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDEE20
EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDEE6D
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDEE88
QueueUserWorkItem.KERNEL32 ref: 00007FF7E3BDEEA4
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDEEBD

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: 24c307da3dd24607d0a6f87ddf0488c674735f325de97e864aceef75d83bbc92
Instruction ID: 60528abaff3133df026b73335129054b9d08cc520ae4510d7ed990beb052dc46
Opcode Fuzzy Hash: 24c307da3dd24607d0a6f87ddf0488c674735f325de97e864aceef75d83bbc92
Instruction Fuzzy Hash: 16217422A1460582E690AB16B800279BB60FB84B91FC50132DE8F97B51DF3CE446C312

Function 00007FF7E3BDED20 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDED40
EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDED8D
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDEDA8
QueueUserWorkItem.KERNEL32 ref: 00007FF7E3BDEDC4
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDEDDD

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: f65b1761e145a531782616168f752e7e9cc756b31f917af7792742647df9e54f
Instruction ID: 4824d28ae81ceb41c610ff05e63fd5dca1c773c97c394c10e0a3d6c47e0c19a7
Opcode Fuzzy Hash: f65b1761e145a531782616168f752e7e9cc756b31f917af7792742647df9e54f
Instruction Fuzzy Hash: 06217122A18A0582E690AB16F800279BB60FB84B85FC50132DE8F57B55DF3CE446C312

Function 00007FF7E3BDE690 Relevance: 7.5, APIs: 5, Instructions: 43threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7E3BDA51E), ref: 00007FF7E3BDE6A1
CreateThread.KERNEL32 ref: 00007FF7E3BDE6DB
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7E3BDA51E), ref: 00007FF7E3BDE6E5
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7E3BDA51E), ref: 00007FF7E3BDE6FC
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7E3BDA51E), ref: 00007FF7E3BDE716

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$Leave$CreateEnterThread
String ID:
API String ID: 2283434278-0
Opcode ID: 6eaf334f81def733ccc5755083f5a6f4ce26222943d9c790da9387a2592bbcbb
Instruction ID: 1d514e9474392ae9ca8a783903d4a636d476621cff1db27fc738255419aec094
Opcode Fuzzy Hash: 6eaf334f81def733ccc5755083f5a6f4ce26222943d9c790da9387a2592bbcbb
Instruction Fuzzy Hash: 34117023A08A4193EB90AF29F4043A9B760FB84744FC50236DB8E975A4DF3CD5E5C712

Function 00007FFD944E4DD0 Relevance: 7.5, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD944F18D0: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFD944E4DDE,?,?,00000000,00007FFD944E5C7B), ref: 00007FFD944F18DF

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E5C7B), ref: 00007FFD944E4DE7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E5C7B), ref: 00007FFD944E4DFB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E5C7B), ref: 00007FFD944E4E0F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E5C7B), ref: 00007FFD944E4E23
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E5C7B), ref: 00007FFD944E4E37
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E5C7B), ref: 00007FFD944E4E4B

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$setlocale
String ID:
API String ID: 294139027-0
Opcode ID: d2e7043e20252bd936750b43ac23fb4c184814c266dbd0621457d1dd4fc7f9af
Instruction ID: fd602acf1fa2824bf3775e0e0063d6fc771cd70b2a72aef682c1b9aae6709466
Opcode Fuzzy Hash: d2e7043e20252bd936750b43ac23fb4c184814c266dbd0621457d1dd4fc7f9af
Instruction Fuzzy Hash: 4511C222B06A0589FB7A9FE580F573A6360EF45F08F189534C90E0954ACFADA894C280

Function 00007FFD944EA6B0 Relevance: 7.5, APIs: 5, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFD944EA6DF
GetLastError.KERNEL32 ref: 00007FFD944EA6EE
SetFileInformationByHandle.KERNEL32 ref: 00007FFD944EA70D
CloseHandle.KERNEL32 ref: 00007FFD944EA718
GetLastError.KERNEL32 ref: 00007FFD944EA722

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ErrorFileHandleLast$CloseCreateInformation
String ID:
API String ID: 1345328482-0
Opcode ID: 05425886c993fc501ae495a8fdb29354356a31b840f8f0bd33e2b840dcbfb4c1
Instruction ID: 672eadcee5e55ab681ff239dd64cd84763b89fed8a5c309241f9ce32e8317041
Opcode Fuzzy Hash: 05425886c993fc501ae495a8fdb29354356a31b840f8f0bd33e2b840dcbfb4c1
Instruction Fuzzy Hash: FD01D271B08744C3E7548BA6F9A411EB7A0FB85BE0F048631DB69437A5DFB8E815C700

Function 00007FFD944F2760 Relevance: 7.5, APIs: 5, Instructions: 15COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F276E
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F277A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F2785
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944F2793
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944F2799

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: __acrt_iob_func$abortfputcfputs
String ID:
API String ID: 2697642930-0
Opcode ID: 0fbbf0fef8b9dc84a3477e26ebb6aa8fc61991af6b0e094d9110ef42f1854896
Instruction ID: f2b62f66163b31737641c1837440c12e35867c4ffa5e283b79311ae8f7243c8a
Opcode Fuzzy Hash: 0fbbf0fef8b9dc84a3477e26ebb6aa8fc61991af6b0e094d9110ef42f1854896
Instruction Fuzzy Hash: A6E01290B0461AC2E6AD17E1ECBC33452569F4EB62F00A838C90F47352CD1C6444C311

Function 00007FFDA433E530 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA433E55B
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDA433E5F2
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFDA433E2F5), ref: 00007FFDA433E64C

Strings

csm, xrefs: 00007FFDA433E5D9

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 96c56ec7d8cc293d62316485b9ebe4bcfbdb4d099f55161506c53fe0a434f69e
Instruction ID: fd08a1fc8e34fd5c085e88aaab4f394f071bd29a37c2a680e110889fbec40397
Opcode Fuzzy Hash: 96c56ec7d8cc293d62316485b9ebe4bcfbdb4d099f55161506c53fe0a434f69e
Instruction Fuzzy Hash: 9951C032B5AA028AEB94AB15E0B5A783391EF55B88F504130EA4E477B6DF7CF841C704

Function 00007FFDA43334E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA433358A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFDA43335B3
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333611

Strings

csm, xrefs: 00007FFDA43336B7

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abort$CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 444109036-1018135373
Opcode ID: 3dd928b7c3049e9f6d6a7e0485469c82e72a83be9bf96436503cdb34a153642a
Instruction ID: 8b006120299acdbc80f3870fa47ccb9fd9422806f71eac6981bcbaa0f650c585
Opcode Fuzzy Hash: 3dd928b7c3049e9f6d6a7e0485469c82e72a83be9bf96436503cdb34a153642a
Instruction Fuzzy Hash: 87514D3375AB4186E660AB15E5A426D7BA4FB8AB90F101535EB8D07B76CF3CF450CB04

Function 00007FFDA54B2460 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA54B3374: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA54B1082), ref: 00007FFDA54B33B4

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA54B250A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFDA54B2533
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B2591

Strings

csm, xrefs: 00007FFDA54B2636

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: abort$CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 444109036-1018135373
Opcode ID: d162b4603133bf800387f962ef13f6d5d9079899ac8f32fc4e33d67874740c9a
Instruction ID: 7aafbebc3b324e404a31a0d16b6500cf5aa57f3c3f3d39e1d20490ca72094ebe
Opcode Fuzzy Hash: d162b4603133bf800387f962ef13f6d5d9079899ac8f32fc4e33d67874740c9a
Instruction Fuzzy Hash: FB516A3271A74986EA60DB26E45036E77A4FB8AF90F111235EB8D07B56CF7CE460CB04

Function 00007FFD944E2560 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FFD944E25A2
RaiseException.KERNEL32 ref: 00007FFD944E26B8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944E26DD

Strings

csm, xrefs: 00007FFD944E2606

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Exception$RaiseThrowabort
String ID: csm
API String ID: 3758033050-1018135373
Opcode ID: 8519cbd4643cf92263e7e99b7e375c9fca1cb8890e42fe543ea236e958cb777b
Instruction ID: 1b86bf001b919e9a1fba93cb74f4c8a2e5071d92bb192f3dabb6852d4d429413
Opcode Fuzzy Hash: 8519cbd4643cf92263e7e99b7e375c9fca1cb8890e42fe543ea236e958cb777b
Instruction Fuzzy Hash: 02518F22A04B89C6EB65CF68C4A02A93360FB59B5CF15D321DA5D0779ADF39E5D6C300

Function 00007FFD944EF1C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944EF144
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944EF156
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944EF1DB

Part of subcall function 00007FFD944E4F00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F22
Part of subcall function 00007FFD944E4F00: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F48
Part of subcall function 00007FFD944E4F00: memcpy.VCRUNTIME140(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F60

Strings

bad locale name, xrefs: 00007FFD944EF1A5

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: setlocale$freemallocmemcpy
String ID: bad locale name
API String ID: 1663771476-1405518554
Opcode ID: 220187c5690fcbf4f8dd213c6c71a1c00fc1a50971ecb65bb71238da8f289664
Instruction ID: f8a5565800e4a23b038d327cf81c434a45a0cdd5a704caef0177d182c5486b5c
Opcode Fuzzy Hash: 220187c5690fcbf4f8dd213c6c71a1c00fc1a50971ecb65bb71238da8f289664
Instruction Fuzzy Hash: 0E31C562F0868691FB758FD5E4A017BA291EF86BC0F48C035DA4D4779ADEADE881C340

Function 00007FFD94501EFC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD944FE2C8), ref: 00007FFD94501F3E

Part of subcall function 00007FFD944EBD64: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD945101F5,?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD944EBD8F
Part of subcall function 00007FFD944EBD64: memcpy.VCRUNTIME140(?,?,00000000,00007FFD945101F5,?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD944EBDAB

Part of subcall function 00007FFD944F6E70: _Maklocstr.LIBCPMT ref: 00007FFD944F6EA0
Part of subcall function 00007FFD944F6E70: _Maklocstr.LIBCPMT ref: 00007FFD944F6EBF
Part of subcall function 00007FFD944F6E70: _Maklocstr.LIBCPMT ref: 00007FFD944F6EDE

Strings

+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFD94501FB4
$+xv, xrefs: 00007FFD94501FAD
$+xv, xrefs: 00007FFD94502024

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 2904694926-3573081731
Opcode ID: defede8f075050fc822dce0c0fa22958d0bd6f69e457ddebf30ac2eacdb70a1a
Instruction ID: 1bca428e529c9d04ce91eaf36625dacbd6cca54c5ace0727a2cc0ba19c420692
Opcode Fuzzy Hash: defede8f075050fc822dce0c0fa22958d0bd6f69e457ddebf30ac2eacdb70a1a
Instruction Fuzzy Hash: 2C417C66A08B818BE771CFA1D0A076E7BA0FB56B81F048225D78E43A56DB39F555CB00

Function 00007FFD94512C48 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD94511168), ref: 00007FFD94512C8A

Part of subcall function 00007FFD944EBD64: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD945101F5,?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD944EBD8F
Part of subcall function 00007FFD944EBD64: memcpy.VCRUNTIME140(?,?,00000000,00007FFD945101F5,?,?,?,?,?,?,?,?,00000000,00007FFD9451132E), ref: 00007FFD944EBDAB

Strings

+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFD94512D00
$+xv, xrefs: 00007FFD94512CF9
$+xv, xrefs: 00007FFD94512D70

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3376215315-3573081731
Opcode ID: 2af0ff666ab270944890a569ef3d4b8a35c965d2adbf646579e3d4d016b84006
Instruction ID: e7c259348620ffd10ad45b9c473d701cc608797c467ca92519363b56155d94ee
Opcode Fuzzy Hash: 2af0ff666ab270944890a569ef3d4b8a35c965d2adbf646579e3d4d016b84006
Instruction Fuzzy Hash: 63419372A08B859BE771CB65D0A036E7BA0FB4AB45F048235D78953A52DF3CF556CB00

Function 00007FFDA43397E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDA433983E

Strings

%lf, xrefs: 00007FFDA4339879, 00007FFDA43398AD, 00007FFDA43398DD

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: be338f3a3db10e9858707f145352c81abeba358ae89b312f9819554b5fcef1be
Instruction ID: 2b06d42ce383e047c682455c62144ed42c5afba6d423164bb3a18b3c13700a0a
Opcode Fuzzy Hash: be338f3a3db10e9858707f145352c81abeba358ae89b312f9819554b5fcef1be
Instruction Fuzzy Hash: 2D31A562F4EE8685E610EB21A4B00FA6350BF57B85F448131EA8F577B2DE2CF141C708

Function 00007FFD944EA590 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 00007FFD944EA5C2
FindNextFileW.KERNEL32 ref: 00007FFD944EA5F3
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944EA612

Strings

., xrefs: 00007FFD944EA5CC

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: FileFindNext$wcscpy_s
String ID: .
API String ID: 544952861-248832578
Opcode ID: 716860af65acf47e417f37e93fd7edbc51e3725a7b7e3a6786a5fcad46b417ae
Instruction ID: 17ad7895290e6b01d45f0b53c7e020fa720021df8a1384385dd16c9687fef6b8
Opcode Fuzzy Hash: 716860af65acf47e417f37e93fd7edbc51e3725a7b7e3a6786a5fcad46b417ae
Instruction Fuzzy Hash: B0219662B0C681C1FB709FA1E8A43B763A0EB56794F44C231DA8E56689DF7CD45ACB40

Function 00007FF7E3BDDF50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7E3BDDDDE,?,?,?,?,00007FF7E3BDD9B3,?,?,00000002,00007FF7E3BDCBF2), ref: 00007FF7E3BDDF5B
SysStringLen.OLEAUT32 ref: 00007FF7E3BDDF99
SysAllocStringLen.OLEAUT32 ref: 00007FF7E3BDDFA5

Strings

deque<T> too long, xrefs: 00007FF7E3BDDF54

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: String$AllocXlength_error@std@@
String ID: deque<T> too long
API String ID: 2781488754-309773918
Opcode ID: 561f06699cc290121a499b0a5518529f723fcd6cf11ecefa87cb0a2ace427721
Instruction ID: 7ad2250cdc9f6e7f69692fbae1e626e53888a8bc469db545cab81edcd27e2b5d
Opcode Fuzzy Hash: 561f06699cc290121a499b0a5518529f723fcd6cf11ecefa87cb0a2ace427721
Instruction Fuzzy Hash: 6CF09665F1494582EF48DB1BF594229B7A1EF88B90F948136DE5F8B728DE3CC8D18301

Function 00007FFD944E6CC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FFD944E6D72
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944E6DB5
_CxxThrowException.VCRUNTIME140 ref: 00007FFD944E6DC6

Strings

ios_base::badbit set, xrefs: 00007FFD944E6D50, 00007FFD944E6D7D

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set
API String ID: 1099746521-3882152299
Opcode ID: 9747cd74c217981d7daf45f5586b8cec7677d6dc2ad07acec38f9bfb06e3ade7
Instruction ID: 5f2f0e05839a041e8771d1cfff53857334d19a5fd61a6d83c74d9b20981d9075
Opcode Fuzzy Hash: 9747cd74c217981d7daf45f5586b8cec7677d6dc2ad07acec38f9bfb06e3ade7
Instruction Fuzzy Hash: C901A222F2C90A91FA788AA5D4F19BF1312AF92784FD4C531E50D0A99FDEADE506C240

Function 00007FF7E3BE2FB8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF7E3BE2FED
__current_exception_context.VCRUNTIME140 ref: 00007FF7E3BE3001
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BE3009

Strings

csm, xrefs: 00007FF7E3BE2FD9

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: bf2d0a00859b47aab0760f73fe020dcb5bd6b5009f6e0c1c400aae04700dd751
Instruction ID: 07b76fb73e8ca76c9c4b330819981c6518551b275a357523745f2c7f08068684
Opcode Fuzzy Hash: bf2d0a00859b47aab0760f73fe020dcb5bd6b5009f6e0c1c400aae04700dd751
Instruction Fuzzy Hash: EFF04937505B48CAC754AF26EC902AC3B64F748B88F895232FA8E9B715CF38C890C711

Function 00007FFDA43310F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433112E

Strings

csm, xrefs: 00007FFDA4331110
MOC, xrefs: 00007FFDA4331108
RCC, xrefs: 00007FFDA4331100

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
Instruction ID: 64e060a492f7e1899d4acb4af5711e128e99caaaaa8f33ac66535c83fa7bc0f7
Opcode Fuzzy Hash: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
Instruction Fuzzy Hash: C7F03C36A5AA0681EB507B51A1E50AC3774EB49B41F095031D75907377CF3CF890CB05

Function 00007FFDA54B10C8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA54B3374: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA54B1082), ref: 00007FFDA54B33B4

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA54B1106

Strings

RCC, xrefs: 00007FFDA54B10D8
MOC, xrefs: 00007FFDA54B10E0
csm, xrefs: 00007FFDA54B10E8

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: ca51088715bf3844d48b5c06903f8b8eb823dd269a3803ff4c574b3ed0b2560c
Instruction ID: f87f958225173623efbc4719853796ac7cb2056bda6b0d8640505e2685e91fb9
Opcode Fuzzy Hash: ca51088715bf3844d48b5c06903f8b8eb823dd269a3803ff4c574b3ed0b2560c
Instruction Fuzzy Hash: A7F06232E1964AC2EF505F25E19526DB6A4FF4AF84F0A6231D74846353CFBCE4A0CB45

Function 00007FFDA4338D04 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B50D
Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B546
Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B871

DName::operator+.LIBVCRUNTIME ref: 00007FFDA4338E5F
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4338EBE
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4338EF0
DName::operator+.LIBVCRUNTIME ref: 00007FFDA4338F00

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 19b161106a3369107c0e03fa813edb52c834a35bcb1cd88136b61b6fcda9d079
Instruction ID: 735d2d905745a44b9ad126de1460b106104569b8e2131fbad72a8a67800698f5
Opcode Fuzzy Hash: 19b161106a3369107c0e03fa813edb52c834a35bcb1cd88136b61b6fcda9d079
Instruction Fuzzy Hash: 5D918E26F4AE5289FB14AB60D8B03AC37A1BB16748F548035DA4D177B6DFBCB845C344

Function 00007FF7E3BDA3A0 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDA3BD

Part of subcall function 00007FF7E3BD9810: GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD984A
Part of subcall function 00007FF7E3BD9810: GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BD9852
Part of subcall function 00007FF7E3BD9810: MessageBoxA.USER32 ref: 00007FF7E3BD98A3
Part of subcall function 00007FF7E3BD9810: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD98AD
Part of subcall function 00007FF7E3BD9810: _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD98E2
Part of subcall function 00007FF7E3BD9810: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00007FF7E3BD98FE

SetEvent.KERNEL32 ref: 00007FF7E3BDA5DD
SetEvent.KERNEL32 ref: 00007FF7E3BDA614

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$CurrentEnterEvent$LeaveMessageProcessThread_wcsnicmp
String ID:
API String ID: 1791567320-0
Opcode ID: 5ddb726781f3ecf8bd8e66973cf05188ad89204ba0090ad3b48b34ace03343a8
Instruction ID: 336c962812cc38b472aeb523dfb03c0acdc13156ef9288e364587cb2a58eee67
Opcode Fuzzy Hash: 5ddb726781f3ecf8bd8e66973cf05188ad89204ba0090ad3b48b34ace03343a8
Instruction Fuzzy Hash: C8819232A0864286EBA0AB15D544379BBB1FB84744FC48137CA8FA7685CF3CE451C752

Function 00007FF7E3BD6F40 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E3BD2B90: memcpy.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BD2BFB

Part of subcall function 00007FF7E3BD2B90: memcpy.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BD2CA7
Part of subcall function 00007FF7E3BD2B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E3BD2CD3

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BD70AD
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E3BD70D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD7119
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD716D

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpywcscpy_s$Concurrency::cancel_current_task
String ID:
API String ID: 2602432049-0
Opcode ID: ae660a2dca2fbb32ed2d38d729118612c5d603f18326a872d53dd6d4371359f9
Instruction ID: 82cc77e50b70f202a2ee793bcfe34ba06025c364557aba6876fc7091dcb568c6
Opcode Fuzzy Hash: ae660a2dca2fbb32ed2d38d729118612c5d603f18326a872d53dd6d4371359f9
Instruction Fuzzy Hash: C261AF62B04A5694FB40EFA5E4453EDBBB1AB44798FD00532CE9E66A88DE39E045C312

Function 00007FF7E3BD4680 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BD46FF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD48D0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD48D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD48DE

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalInitializeSection
String ID:
API String ID: 4074537433-0
Opcode ID: 7a62151007dbf306daeb6640956b7bfd05e3adb4e00a292b69a8167b885ed84a
Instruction ID: fc54a1a2681f9f7648d1f5830f7898d466eada4696d5438edc27d38c9e2715f2
Opcode Fuzzy Hash: 7a62151007dbf306daeb6640956b7bfd05e3adb4e00a292b69a8167b885ed84a
Instruction Fuzzy Hash: 9851BE72A04BC495EA40DF19E8487AEB7A9FB48B84FD14036DA8D5B754EF3DD484C301

Function 00007FF7E3BDC8F0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,?,?,00007FF7E3BDAA21,?,?,?,?,?,?,?,00000000), ref: 00007FF7E3BDC960
LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00007FF7E3BDAA21,?,?,?,?,?,?,?,00000000), ref: 00007FF7E3BDC992
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,00007FF7E3BDAA21,?,?,?,?,?,?,?,00000000), ref: 00007FF7E3BDC9E3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,00007FF7E3BDAA21,?,?,?,?,?,?,?,00000000), ref: 00007FF7E3BDCA6E

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection_invalid_parameter_noinfo_noreturn$EnterLeave
String ID:
API String ID: 4256121347-0
Opcode ID: f8c14e5b29ba14d1cb6cd29f75e041db3b3fb8e103da75009c28ebfe8af2e0e2
Instruction ID: 1f788ef7d041901d3cbfa28286f95e650a7253ba8bb691bc91941bb51c0f38a0
Opcode Fuzzy Hash: f8c14e5b29ba14d1cb6cd29f75e041db3b3fb8e103da75009c28ebfe8af2e0e2
Instruction Fuzzy Hash: BC419E62B09B8181EA84EB2AE45432DBB61FB85FD1FD45132DA8F67B58DF3CD8418311

Function 00007FF7E3BDB600 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BDB701
memmove.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BDB714
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00007FF7E3BDB787
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E3BDB794

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: ccff0db430de2e3805d70e3db2c75d5f26908b08c0ac9edc04c1d2c782fcfc11
Instruction ID: bd3ff2eadae55f8c10824f553c76dadcb63a0942a3b7997d1585a4316bd8bb1c
Opcode Fuzzy Hash: ccff0db430de2e3805d70e3db2c75d5f26908b08c0ac9edc04c1d2c782fcfc11
Instruction Fuzzy Hash: E441B122B04A8982DE54EB66D4443A9B760FB48BE4FD44636DBAE277C5CF3CE091C311

Function 00007FF7E3BD548D Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a2214095b1861897e84e4c847000920349271a397e259a4d4b9396febdf6c71f
Instruction ID: 17dc714f3b622eb31e63c203059f99da7cf28ecfa983f1ba5e16cfeddb071583
Opcode Fuzzy Hash: a2214095b1861897e84e4c847000920349271a397e259a4d4b9396febdf6c71f
Instruction Fuzzy Hash: F5419851F0958541FDA1BA1591143BEFA629F01BF8FD84733D9BF2A2C1DE3CE4458222

Function 00007FFD944FB9CC Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD944FBAA6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944FBAFA
memcpy.VCRUNTIME140 ref: 00007FFD944FBB04
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD944FBB48

Part of subcall function 00007FFD94531B5C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944E5C18), ref: 00007FFD94531B76

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: c738188da5cfe384b6bd0d97a1f7eb18b877b82b574a0dbff08e6b31618e263c
Instruction ID: 067ab43333d216507223f60713e35b034fd248a8743213b7c68ed2c051157ab5
Opcode Fuzzy Hash: c738188da5cfe384b6bd0d97a1f7eb18b877b82b574a0dbff08e6b31618e263c
Instruction Fuzzy Hash: 9C414622B08A9181E924DF96E0A417A6654FF06FE4F548631EE7C07BDEEEBCD041C300

Function 00007FF7E3BD2F40 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7E3BD303A

Part of subcall function 00007FF7E3BE14EC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7E3BE1531,?,?,?,?,00007FF7E3BDC2D3), ref: 00007FF7E3BE1506

memcpy.VCRUNTIME140 ref: 00007FF7E3BD3065
memcpy.VCRUNTIME140 ref: 00007FF7E3BD3075
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E3BD30A6

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: a20fff99b7b240ae7cd13c59c0fbb6b1b47120c295fc59deeb36b105bf3e74f0
Instruction ID: 3fd51d038455ed096e5280a85fcae0682efd1cce8e5a1b5a8985cb40f5d2ff74
Opcode Fuzzy Hash: a20fff99b7b240ae7cd13c59c0fbb6b1b47120c295fc59deeb36b105bf3e74f0
Instruction Fuzzy Hash: E431D522B05A4581EA90EB12E400369B6A4FB44BF4FD54732DEBE5B7D5EE3CE181C311

Function 00007FFD9450E6D0 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_FXp_setw.LIBCPMT ref: 00007FFD9450E72F
_FXp_movx.LIBCPMT ref: 00007FFD9450E73F

Part of subcall function 00007FFD9450EFCC: memcpy.VCRUNTIME140(?,?,00000004,00007FFD9450E744), ref: 00007FFD9450EFE2

Part of subcall function 00007FFD9450EF54: ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00007FFD9450E754), ref: 00007FFD9450EF88

_FXp_movx.LIBCPMT ref: 00007FFD9450E786
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9450E7FF

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
String ID:
API String ID: 2233944734-0
Opcode ID: e30d48e6140432e959ccec004b3f231757e6d9c53087eac7292650d316a6c3d3
Instruction ID: 535d74f822937d73bee58655f45730428fe80669291b163c559bb6ddface502c
Opcode Fuzzy Hash: e30d48e6140432e959ccec004b3f231757e6d9c53087eac7292650d316a6c3d3
Instruction Fuzzy Hash: FE41CA2AB0C68686E6B39BD594F11B96350AF9A740F64C631EA5D1339BDF3CE906C600

Function 00007FFD944E31B0 Relevance: 6.1, APIs: 4, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944E31CD
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944E31D7
islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E3214
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944E326E

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
String ID:
API String ID: 2234106055-0
Opcode ID: 59f3949629db58b4166e44a747e06bdadc1b2773ec60b276cd5782dca8858ee3
Instruction ID: 54bd0396b8f3cdf71ead58518e806a7569cd7e150059a72d057499f236cc3eba
Opcode Fuzzy Hash: 59f3949629db58b4166e44a747e06bdadc1b2773ec60b276cd5782dca8858ee3
Instruction Fuzzy Hash: 9731A962B0C74181F7269B56A4A027FA751FB81B91F588035DAC90775FDE7DE444CB10

Function 00007FFD944E3070 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944E3087
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944E3091
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E30C7
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD944E3127

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
String ID:
API String ID: 3857474680-0
Opcode ID: 43f0576a5bb13b0c72acb974cb94fa4bda6fe4f460c2490a34e6a1ccf9e01767
Instruction ID: 99b5b46e021479a81932195084cf8c9fd6a9887aabd1168b5650dcfd214c6882
Opcode Fuzzy Hash: 43f0576a5bb13b0c72acb974cb94fa4bda6fe4f460c2490a34e6a1ccf9e01767
Instruction Fuzzy Hash: FE31E772B0C74186F7268B5594E037FA6A1EB81BD1F588035DA8E0779EDEBDE484CB10

Function 00007FFDA433B934 Relevance: 6.1, APIs: 4, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDA433D480: Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA433D4DA

Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B50D
Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B546
Part of subcall function 00007FFDA433B47C: DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B871

DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B9B4
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433B9C3
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433BA40
DName::operator+.LIBVCRUNTIME ref: 00007FFDA433BA4F

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 01866aae00d41701eefb340061b2b619c817205046dac5a42adf5370d2948f3c
Instruction ID: a1aaeb578c86383c412e6d77a567329cb7ab11496a517976e0c2590c7002e1fb
Opcode Fuzzy Hash: 01866aae00d41701eefb340061b2b619c817205046dac5a42adf5370d2948f3c
Instruction Fuzzy Hash: 29416672B49B8589EB00AFA4C8A13AC37A0FB4AB88F548025DA4D57776DF7CA440C314

Function 00007FFD945198F0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFD9450D174), ref: 00007FFD94519937
memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FFD9450D174), ref: 00007FFD9451995B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFD9450D174), ref: 00007FFD94519968
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFD9450D174), ref: 00007FFD945199DB

Part of subcall function 00007FFD944E2E80: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E2EAA
Part of subcall function 00007FFD944E2E80: LCMapStringEx.KERNEL32 ref: 00007FFD944E2EEE

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
String ID:
API String ID: 2888714520-0
Opcode ID: 67641bf41084d92b3c967ab0d3a146a93def77804a3b88cee96e63fdebeb0246
Instruction ID: f2ed26d098e75f3c5f98f21df68a239db7e1c09643ddcf860142b4653a8510fe
Opcode Fuzzy Hash: 67641bf41084d92b3c967ab0d3a146a93def77804a3b88cee96e63fdebeb0246
Instruction Fuzzy Hash: DA215921708B9285E6719F93A4A047AAB90FB4AFE0F188631DE9D177DAEF3CD001C340

Function 00007FFD94518F50 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFD94513F4B), ref: 00007FFD94518F84
___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFD94513F4B), ref: 00007FFD94518F8E

Part of subcall function 00007FFD944E2740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E278A
Part of subcall function 00007FFD944E2740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD944E27AF
Part of subcall function 00007FFD944E2740: GetCPInfo.KERNEL32 ref: 00007FFD944E27EF

memcmp.VCRUNTIME140(?,?,?,?,?,?,00000000,00007FFD94513F4B), ref: 00007FFD94518FB1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FFD94513F4B), ref: 00007FFD94518FEF

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
String ID:
API String ID: 3421985146-0
Opcode ID: 3693cc1dc38747932e88ab34b28703adfef4dff46cfbb96f5da2cfa7dbf71c69
Instruction ID: 7d07b7bd7f1b93d3d3fed910d7299e76418c6bb0c504d4f4da07d1621104b651
Opcode Fuzzy Hash: 3693cc1dc38747932e88ab34b28703adfef4dff46cfbb96f5da2cfa7dbf71c69
Instruction Fuzzy Hash: BA219231B0874286EB758F9A94A0029B6A5FB89FD0F498135EA5D57B9AEF3CE401C700

Function 00007FF7E3BDD490 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDD4AD
DeleteCriticalSection.KERNEL32 ref: 00007FF7E3BDD4F7
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDD51B
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDD529

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$Leave$DeleteEnter
String ID:
API String ID: 122283594-0
Opcode ID: 25492621674aae5e867b76885542ee1a2b33ecfc0cd9017919ef95b64a184f0c
Instruction ID: 0d09b755e6c99d4af6a6cc16122c504f706c7578ed2f82cba7641f97da4750a4
Opcode Fuzzy Hash: 25492621674aae5e867b76885542ee1a2b33ecfc0cd9017919ef95b64a184f0c
Instruction Fuzzy Hash: 5111A222628A4582D750EB2AF140339F7A0FB84BA4F900232DB8F57B64CF3CE4458711

Function 00007FF7E3BDEB20 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDEB3D
DeleteCriticalSection.KERNEL32 ref: 00007FF7E3BDEB87
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDEBAB
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDEBB9

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$Leave$DeleteEnter
String ID:
API String ID: 122283594-0
Opcode ID: d46c796569298d265d15c05eb6b21ed46c4bc9ef9cf44ba00c050c16ef47a7b7
Instruction ID: 425fd7d0a4cf6277082e014cd1ca09379df08dc7ef5b1d2d70a4ff914a399537
Opcode Fuzzy Hash: d46c796569298d265d15c05eb6b21ed46c4bc9ef9cf44ba00c050c16ef47a7b7
Instruction Fuzzy Hash: FC117232618A4583E740EB2AE58432DB760FB84B91F900632DB9F97B64DF3CE4528752

Function 00007FFD94519A10 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
String ID:
API String ID: 3203701943-0
Opcode ID: 45e55d3acf2230828d6510e7691de68b154f67769c7b9c90f7c9d5855befa728
Instruction ID: f29480cead23682f8e58aad1cd16077fe3d677056dd072ffdd30b8ff2028a9a7
Opcode Fuzzy Hash: 45e55d3acf2230828d6510e7691de68b154f67769c7b9c90f7c9d5855befa728
Instruction Fuzzy Hash: 9C0148A2F0479582DB5A8FF9D460068B7A0FB59F84B14D232DA0E87315DE3CD0C2C300

Function 00007FF7E3BE13E0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF7E3BE0F22), ref: 00007FF7E3BE144B
memset.VCRUNTIME140(?,?,?,?,00007FF7E3BE0F22), ref: 00007FF7E3BE145D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7E3BE0F22), ref: 00007FF7E3BE1462
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7E3BE0F22), ref: 00007FF7E3BE146E

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 187659361-0
Opcode ID: ebf23ef8b71edef924d49ebb7069060e3e24f74a27f982230615419ca1546f03
Instruction ID: aa0fba3aec75a6adfbad961d0d209031df4256df3ac4b12fa572cfa2ba4306a4
Opcode Fuzzy Hash: ebf23ef8b71edef924d49ebb7069060e3e24f74a27f982230615419ca1546f03
Instruction Fuzzy Hash: 86015162E0560941ED947B1AD5002B8BA60BF887B4FD44732C9BFA73D1DE3C91408623

Function 00007FFD944E24C8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E2530

Strings

RCC, xrefs: 00007FFD944E24F2
MOC, xrefs: 00007FFD944E24EA
csm, xrefs: 00007FFD944E24FA

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: malloc
String ID: MOC$RCC$csm
API String ID: 2803490479-2671469338
Opcode ID: 360c7e9538baccfc62aa58613caaaec6b60e65dd6ea867dc3ee0ae363a7b998f
Instruction ID: b4dd5f6be83ddfe1fb08f11c8e9730e2085cff3bdd7e43baa9181232298a0d75
Opcode Fuzzy Hash: 360c7e9538baccfc62aa58613caaaec6b60e65dd6ea867dc3ee0ae363a7b998f
Instruction Fuzzy Hash: 58012562B0850586EBB55E9192F417B62A1FF5AB84F18D035DA0E0769FCE6CE581C702

Function 00007FF7E3BDB3F0 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF7E3BD6D59,?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F), ref: 00007FF7E3BDB44A
memset.VCRUNTIME140(?,?,?,?,00007FF7E3BD6D59,?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F), ref: 00007FF7E3BDB45E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7E3BD6D59,?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F), ref: 00007FF7E3BDB463
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7E3BD6D59,?,?,?,?,?,?,?,00000000,00000000,00000000,0000001F), ref: 00007FF7E3BDB46F

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 187659361-0
Opcode ID: e67690b363ce72daef073659b7df3014825dbf5cac14bacb74bde6acf0405626
Instruction ID: 8a777eee2e69201feb53d2aa272ab54fcd75384502989f7a86df7c9f8aa86f00
Opcode Fuzzy Hash: e67690b363ce72daef073659b7df3014825dbf5cac14bacb74bde6acf0405626
Instruction Fuzzy Hash: 7401B561F0570581EE94FF0AD5403687AA1BF85BA4FC80332CAAE2A3C5CF3CE5518B21

Function 00007FF7E3BE233C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7E3BE2368
GetCurrentThreadId.KERNEL32 ref: 00007FF7E3BE2376
GetCurrentProcessId.KERNEL32 ref: 00007FF7E3BE2382
QueryPerformanceCounter.KERNEL32 ref: 00007FF7E3BE2392

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b536abb6d9712bf97fb487a0f8cba51c41b2271e3d3d5caf7de0eb85f2cb5b90
Instruction ID: 2a41d2e0565cfca3a1688fb68bf3a71206622d894b938382f18db64ec1e3a066
Opcode Fuzzy Hash: b536abb6d9712bf97fb487a0f8cba51c41b2271e3d3d5caf7de0eb85f2cb5b90
Instruction Fuzzy Hash: 3111A026B14F058AEB40DF65E8443B977A0F719718F800F32DAAE967A4DF3CE1548351

Function 00007FFDA3585590 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDA35855BC
GetCurrentThreadId.KERNEL32 ref: 00007FFDA35855CA
GetCurrentProcessId.KERNEL32 ref: 00007FFDA35855D6
QueryPerformanceCounter.KERNEL32 ref: 00007FFDA35855E6

Memory Dump Source

Source File: 00000005.00000002.2189862502.00007FFDA3561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3560000, based on PE: true

Associated: 00000005.00000002.2189849486.00007FFDA3560000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189887154.00007FFDA359D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189902000.00007FFDA35A9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AC000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189916777.00007FFDA35AF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189942387.00007FFDA35B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2189955378.00007FFDA35B3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2190056184.00007FFDA373C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda3560000_svaulpzg.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 483c91bdf6aa179818ca65be3deb0b48645d80d80ba49af5a09b028e55c4579b
Instruction ID: 15e79e1020b1e6e1d37b562bfcc870a98e247904862edf6cf843d1016d099076
Opcode Fuzzy Hash: 483c91bdf6aa179818ca65be3deb0b48645d80d80ba49af5a09b028e55c4579b
Instruction Fuzzy Hash: E6115A22F15F468AEB00CF64E8682B833A4FB58758F441E31DA2D937A5DF3CD1949340

Function 00007FFD94532530 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD9453255C
GetCurrentThreadId.KERNEL32 ref: 00007FFD9453256A
GetCurrentProcessId.KERNEL32 ref: 00007FFD94532576
QueryPerformanceCounter.KERNEL32 ref: 00007FFD94532586

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 6fc51a19867c61e498e8a0b288e385d7448d9ab26600c32b2e1834bebe01e820
Instruction ID: 16c577c44883eb0f0a66925c10497ac8c3f7e7a989a6752c6f95ecd921c7e632
Opcode Fuzzy Hash: 6fc51a19867c61e498e8a0b288e385d7448d9ab26600c32b2e1834bebe01e820
Instruction Fuzzy Hash: CD113C22B15F058AEB51CFE0E8A42B933A4FB1A768F441E31EE6D867A5DF78D154C340

Function 00007FFDA4340B6C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDA4340B98
GetCurrentThreadId.KERNEL32 ref: 00007FFDA4340BA6
GetCurrentProcessId.KERNEL32 ref: 00007FFDA4340BB2
QueryPerformanceCounter.KERNEL32 ref: 00007FFDA4340BC2

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: bc35b6ed073f65f8b319c9a0e8033d1cee1b856b8545af56da748e53b0dccc00
Instruction ID: f2a9467d4a4cb14076581fc4b00c1eb4e9f55603b3c324538db39d0ede8445dc
Opcode Fuzzy Hash: bc35b6ed073f65f8b319c9a0e8033d1cee1b856b8545af56da748e53b0dccc00
Instruction Fuzzy Hash: 2B111C26B55F018AEB00DF60E8A42A833A4FB5A759F440E31DA6E467A6DF7CD1688340

Function 00007FFDA54B467C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDA54B46A8
GetCurrentThreadId.KERNEL32 ref: 00007FFDA54B46B6
GetCurrentProcessId.KERNEL32 ref: 00007FFDA54B46C2
QueryPerformanceCounter.KERNEL32 ref: 00007FFDA54B46D2

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 2c5dffd0f2cc85d270ced0de20c0162c6b2e3c342d3c7386e2897285ed641fe7
Instruction ID: 7d6a7bf8c2a968fab860e135388da7730a6c6a5a969f265a4ef2af7eadb3a337
Opcode Fuzzy Hash: 2c5dffd0f2cc85d270ced0de20c0162c6b2e3c342d3c7386e2897285ed641fe7
Instruction Fuzzy Hash: 5A111C32B15B058AEF408B64E8643A833B4FB1AB58F450E35DA6D467A5EFBCD1588380

Function 00007FFD945178B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FFD945178B9

Strings

invalid random_device value, xrefs: 00007FFD945178CC

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: rand_s
String ID: invalid random_device value
API String ID: 863162693-3926945683
Opcode ID: e484c5abde7d48d606a022d527497e74293cb90d49ae6f96b22294eda17346e0
Instruction ID: 82bdd489cab556cc5a9a33ec1649467e3934189d7deb95fb8dc19e761a739260
Opcode Fuzzy Hash: e484c5abde7d48d606a022d527497e74293cb90d49ae6f96b22294eda17346e0
Instruction Fuzzy Hash: BA51D726F18A46C6E2E39BF844F11BA6354BF1B384F14C732E55E265A7DF28E591C200

Function 00007FFD9450BDB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD9450BE5C

Strings

+, xrefs: 00007FFD9450BDEA
%, xrefs: 00007FFD9450BDD1

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 3983ff7f8527b06e959803e054c32886bd5193924816245db56764c676303a1c
Instruction ID: 842a8eddc0faef9e209aa0f7273f104fc489b57aea8bbcbaac23c2e4c26b6d57
Opcode Fuzzy Hash: 3983ff7f8527b06e959803e054c32886bd5193924816245db56764c676303a1c
Instruction Fuzzy Hash: 6A21C312B087C486F7A28B91E4A53EAA791EB96784F58C135EB8C07B8ADF7CD445C701

Function 00007FFD9450BEC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD9450BF6C

Strings

%, xrefs: 00007FFD9450BEE1
+, xrefs: 00007FFD9450BEFA

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 33f50c9b317098a5be6598ec241270d3e8084a492949c3b9cec7e8738ac1a517
Instruction ID: 7c1211d63434911a4d90f2d94048f2a2d1c5ff85ffd254ca6e9058585e13c37e
Opcode Fuzzy Hash: 33f50c9b317098a5be6598ec241270d3e8084a492949c3b9cec7e8738ac1a517
Instruction Fuzzy Hash: A121D512B0C7C486E7A28B95E4953EAA791EB96784F58C035EF8C07B8ADF7CD445CB01

Function 00007FFD944F0E60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD944F0F12

Strings

%, xrefs: 00007FFD944F0E84
+, xrefs: 00007FFD944F0E9F

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: fee8ecfa3f5c0c75fbe5ee01e01a748e99962c5bc3a79a07a219c5158d199638
Instruction ID: 9e13186927fb273514bdae0b1fded009d9d3dceb70ba4c96484c918ef38566d3
Opcode Fuzzy Hash: fee8ecfa3f5c0c75fbe5ee01e01a748e99962c5bc3a79a07a219c5158d199638
Instruction Fuzzy Hash: EF31A0127087C585FB718B95E4A03EBAB51EBDA788F488035DB8C07B8ACB7CD409C741

Function 00007FFD944F0F80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD944F1032

Strings

+, xrefs: 00007FFD944F0FBF
%, xrefs: 00007FFD944F0FA4

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 104804bf455e10cebfe67cad850d6cbd0152893b9332d4fed4827efd08ba701a
Instruction ID: 120a523162f315661ecf3e02b8456ef85ebb3e291c2a8c9917d0f74350eaab2c
Opcode Fuzzy Hash: 104804bf455e10cebfe67cad850d6cbd0152893b9332d4fed4827efd08ba701a
Instruction Fuzzy Hash: C831D1127087C189EB318B95E4A03EBAB51EB96788F58C135EB8C07B8ACB7CD408C751

Function 00007FFD944F0750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD944F07F6

Strings

%, xrefs: 00007FFD944F077A
+, xrefs: 00007FFD944F078D

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 0d8b807a31d15b51715031f0d1b1e024bee4514540a1948720ad51a1df99f742
Instruction ID: 260e82b13efef8ae12c6dd7169c2760c65f4b7a26c82694664c74ec3c7e4b3c0
Opcode Fuzzy Hash: 0d8b807a31d15b51715031f0d1b1e024bee4514540a1948720ad51a1df99f742
Instruction Fuzzy Hash: A221932270D7C585E7718B95E4903EAA791EBDA798F18C071DA8C07B8ACF7CD446CB41

Function 00007FFD9450B7B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD9450B853

Strings

%, xrefs: 00007FFD9450B7D7
+, xrefs: 00007FFD9450B7EA

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 2579b0c73e0ff24d1b6f575f4cbad154f9ee2200692dddcc3f27c9501e15a005
Instruction ID: 62ea13ec5734ab89a9955d935ca0397aa8f1330f7a9427db4ca14b39301ad130
Opcode Fuzzy Hash: 2579b0c73e0ff24d1b6f575f4cbad154f9ee2200692dddcc3f27c9501e15a005
Instruction Fuzzy Hash: EA21D512B087C485E7728BD5E4903EAA761EBAA784F58C031DA8C07B9EDF3CD445C741

Function 00007FFD944F0860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD944F0906

Strings

+, xrefs: 00007FFD944F089D
%, xrefs: 00007FFD944F088A

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 2f4393c9c9e5bf2cb57e01531cd8db7fc7b9417217bc379eb2c68939b4944a98
Instruction ID: fe37ef25a17eea1a408fc99e0c8e8e762dbe0ebf58f8c1e7849b13f4ebee5e7c
Opcode Fuzzy Hash: 2f4393c9c9e5bf2cb57e01531cd8db7fc7b9417217bc379eb2c68939b4944a98
Instruction Fuzzy Hash: 07218122B0C7C585E7318B95E4903EBA761EBDA788F588171EA8C07B8ACB7CD445C741

Function 00007FFD9450C250 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD9450C2F3

Strings

%, xrefs: 00007FFD9450C277
+, xrefs: 00007FFD9450C28A

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 43072b9d08070bb552e0b93a083ac2b1bd20d1c490dd43024381f6b0ada664d0
Instruction ID: 68f77c2ddb4474fbf9359d9cb3bd1370069c11c2b948b7ca4d04ba3ffdd6a712
Opcode Fuzzy Hash: 43072b9d08070bb552e0b93a083ac2b1bd20d1c490dd43024381f6b0ada664d0
Instruction Fuzzy Hash: C421C1127087C585E7628AD5E4903EAA791EBAA798F58C031EACC03B8ADF7CD446C701

Function 00007FFD9450C360 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD9450C403

Strings

%, xrefs: 00007FFD9450C387
+, xrefs: 00007FFD9450C39A

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: swprintf_s
String ID: %$+
API String ID: 3896565401-2626897407
Opcode ID: 3a66c90742b035315fd415ed1e3735a2b8f7dc6cdb06a228b2945cf8385c5acb
Instruction ID: 633f86bfd952ad49733707abe85b5cb0d68d7a813bd8ab3eec0bef4109b30f89
Opcode Fuzzy Hash: 3a66c90742b035315fd415ed1e3735a2b8f7dc6cdb06a228b2945cf8385c5acb
Instruction Fuzzy Hash: 9321D5127187C485E7768B95E4903EAA7A1EBAB748F58C031EA8C47B8EDF7CD446C701

Function 00007FFDA4338BF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA4338CEE

Strings

void, xrefs: 00007FFDA4338C50
void , xrefs: 00007FFDA4338C78

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: f30d46f5536ef0c3f3ebc9a4d766d43ef2cbe5712fe6c79626000809cc062bc5
Instruction ID: f9def0e51f5299ec0b3b6290f6ce5078ede5a0345bc7a43e82bf84053c37d107
Opcode Fuzzy Hash: f30d46f5536ef0c3f3ebc9a4d766d43ef2cbe5712fe6c79626000809cc062bc5
Instruction Fuzzy Hash: 3D315E66F5AE5598FB00EB60D8A00FC77B0BB49748B440135DE4E5677ADF7CA144C708

Function 00007FFD944EEA00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFD944EE8E4), ref: 00007FFD944EEA24

Part of subcall function 00007FFD94519A10: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A30
Part of subcall function 00007FFD94519A10: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A38
Part of subcall function 00007FFD94519A10: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A41
Part of subcall function 00007FFD94519A10: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD944E61B3), ref: 00007FFD94519A5D

Strings

true, xrefs: 00007FFD944EEA93
false, xrefs: 00007FFD944EEA7C

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2502581279-2658103896
Opcode ID: e1dc05f66a48970e7ffdf649c319dd4d92df2dbb8d4a814aea9668b504f98174
Instruction ID: dacb3260279ac1b7ebb1a6249974e8c6dec1af5943dc63d4b356783d0c815af2
Opcode Fuzzy Hash: e1dc05f66a48970e7ffdf649c319dd4d92df2dbb8d4a814aea9668b504f98174
Instruction Fuzzy Hash: 20218562708B85C1E731DFA0E0A03AA77A0FB59B94F548536DA8D0736ADF38D155C780

Function 00007FFDA4334E2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA43351D0: RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4335220
Part of subcall function 00007FFDA43351D0: RaiseException.KERNEL32 ref: 00007FFDA4335261

RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4334E9F

Strings

Bad dynamic_cast!, xrefs: 00007FFDA4334E52
Access violation - no RTTI data!, xrefs: 00007FFDA4334E2F

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: 31c157b8eb2ec39060d8679ded3c8c7a40717f4d930d4d3a676af0386f3d6913
Instruction ID: 255b35563b19808e05f2a934ae7c0555748faf4aab444c476238b66530f03553
Opcode Fuzzy Hash: 31c157b8eb2ec39060d8679ded3c8c7a40717f4d930d4d3a676af0386f3d6913
Instruction Fuzzy Hash: 0F015E61BABE46A1EE40EB10E4F01B86360FFA1B45F605431E64E07776EF6CE505C708

Function 00007FFDA43351D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4335220
RaiseException.KERNEL32 ref: 00007FFDA4335261

Strings

csm, xrefs: 00007FFDA433524E

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 24fc685d9c18a97879a9043e169dd32e9d23318a9617333a79ec660fdc06252e
Instruction ID: bfad133c048e1261e8d8fdc0867e5749a219caa7b949d2e3145e6d1eb81cacc3
Opcode Fuzzy Hash: 24fc685d9c18a97879a9043e169dd32e9d23318a9617333a79ec660fdc06252e
Instruction Fuzzy Hash: 23118B3260AF8082EB218B14F4A0269B7E0FB98B84F184230DE8D4776ADF3CD5518B04

Function 00007FFDA54B3094 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFDA54B30E4
RaiseException.KERNEL32 ref: 00007FFDA54B3125

Strings

csm, xrefs: 00007FFDA54B3112

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 1ac58e26bfc09764eb6bcbbdd6c3602ecce448ff3c9057d3ecc8faea2f5e0755
Instruction ID: edf5da5fc494ace9c6f6667f7fb05dba3e71944cc393c38d548eacfce1906ad2
Opcode Fuzzy Hash: 1ac58e26bfc09764eb6bcbbdd6c3602ecce448ff3c9057d3ecc8faea2f5e0755
Instruction Fuzzy Hash: BC116732609B8882EF218B16F450269B7E0FB88B84F594230EA8C07769EF7CD4518B04

Function 00007FFDA433E2E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA433E530: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA433E55B

Part of subcall function 00007FFDA4335508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433108E), ref: 00007FFDA4335516

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433E31A

Strings

csm, xrefs: 00007FFDA433E2FB
f, xrefs: 00007FFDA433E2F5

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: __except_validate_context_recordabortterminate
String ID: csm$f
API String ID: 339134311-629598281
Opcode ID: 87b715e71dc7a4db9f561d6577bcf3276f84fe0821628dcd164645869c85632a
Instruction ID: fb9e4d20ed81596d49a27923065763382e0e509477448448719219aace870df5
Opcode Fuzzy Hash: 87b715e71dc7a4db9f561d6577bcf3276f84fe0821628dcd164645869c85632a
Instruction Fuzzy Hash: ABE03022E5AA4281E6607B61B2E527C2AA4AF17764F548034DA8907777CE3CF4908609

Function 00007FFD944E6B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD944E6B1D

Part of subcall function 00007FFD944E4F80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FA9
Part of subcall function 00007FFD944E4F80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FD8
Part of subcall function 00007FFD944E4F80: memcpy.VCRUNTIME140(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FEF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E6B3A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD944E6B45

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: 6393d89942637662d5866c68ffb09c737c725aeba2fa33456e4fb2950fdb48db
Instruction ID: f388e39843c3ec6d7176ba504c379ffcee05469e991fe8584c5104aee56a47bc
Opcode Fuzzy Hash: 6393d89942637662d5866c68ffb09c737c725aeba2fa33456e4fb2950fdb48db
Instruction Fuzzy Hash: 47E06D62B09B45C5EB659F91E4E436A63B0EF09BA4F94A030DA0D0635AEF3CD884C780

Function 00007FFD944E6B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD944E6B6D

Part of subcall function 00007FFD944E4F80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FA9
Part of subcall function 00007FFD944E4F80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FD8
Part of subcall function 00007FFD944E4F80: memcpy.VCRUNTIME140(?,?,00000000,00007FFD944F718D,?,?,?,?,?,?,?,?,?,00007FFD944FEBBE), ref: 00007FFD944E4FEF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E6B8A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFD944E6B95

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
API String ID: 1628830074-2030377133
Opcode ID: 88080eb06a95627c39d53d7de312f27508715a5627518dbe34d3c533cb049458
Instruction ID: b3ba3aad8938d5d6545b92b11206b59aa44f11c7473f8fe3c1929527f4439ab2
Opcode Fuzzy Hash: 88080eb06a95627c39d53d7de312f27508715a5627518dbe34d3c533cb049458
Instruction Fuzzy Hash: B9E06D22B09A05C9EBA58F91E5E436A63A4EF09B94F849434DA0E0635ADF3CD8C4C380

Function 00007FFD944E6450 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD944E645D

Part of subcall function 00007FFD944E4F00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F22
Part of subcall function 00007FFD944E4F00: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F48
Part of subcall function 00007FFD944E4F00: memcpy.VCRUNTIME140(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F60

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E647A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD944E6485

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
API String ID: 1628830074-4232081075
Opcode ID: 03d87f0082024f178d2b1371c194030430f53630ea0c12e080eb857d0d6bc8c4
Instruction ID: 88b0475cb4f1fe49d8a36d9f258f6684b4d798c0ec4d1c2cc6d0e02bdf3529ef
Opcode Fuzzy Hash: 03d87f0082024f178d2b1371c194030430f53630ea0c12e080eb857d0d6bc8c4
Instruction Fuzzy Hash: 44E06D62B09A05C1EF6A9F91F4E536A6360EF45F84F849430DA0D0639ADF3CD894C3C0

Function 00007FFD944E63E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD944E63ED

Part of subcall function 00007FFD944E4F00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F22
Part of subcall function 00007FFD944E4F00: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F48
Part of subcall function 00007FFD944E4F00: memcpy.VCRUNTIME140(?,?,?,00007FFD944F1894,?,?,?,00007FFD944E455B,?,?,?,00007FFD944E5C51), ref: 00007FFD944E4F60

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944E640A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD944E6415

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: c6f2691f1da384d8993644746fcbeff44511dd7bf06d5a1a74113e135da07c40
Instruction ID: d730dfcae5a90dc86d94d8527ecc0456e0c1ab16ace332df6d20fd93a7c7402b
Opcode Fuzzy Hash: c6f2691f1da384d8993644746fcbeff44511dd7bf06d5a1a74113e135da07c40
Instruction Fuzzy Hash: D8E06511719A45C1DB658F91F4E437A6360EF45F84F88C430DA0D0A35ADF3CD884C350

Function 00007FF7E3BDD310 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDD38C
EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDD3DD
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDD44B

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: de2b700b7462c5f4e6467127e767c4bc04797d0d9bad0eb269c19cca45e7f8bb
Instruction ID: 8ea412b013ec382ff1dedc8aaf8afcf5a98730b3522e537e7dcd9faeed5d5868
Opcode Fuzzy Hash: de2b700b7462c5f4e6467127e767c4bc04797d0d9bad0eb269c19cca45e7f8bb
Instruction Fuzzy Hash: 21417972A08B4592DB90EF2AE44022DB7A0FB84B90BC44136CBCE57B54EF3CE4A5C711

Function 00007FF7E3BDE9A0 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7E3BDEA1C
EnterCriticalSection.KERNEL32 ref: 00007FF7E3BDEA6D
LeaveCriticalSection.KERNEL32 ref: 00007FF7E3BDEADB

Memory Dump Source

Source File: 00000005.00000002.2189694792.00007FF7E3BD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7E3BD0000, based on PE: true

Associated: 00000005.00000002.2189681031.00007FF7E3BD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189725309.00007FF7E3BEC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2189737880.00007FF7E3BEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7e3bd0000_svaulpzg.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 7c396940b14e45bee96ad5e082efc348c8d0f883345ebc83e979db48e2160e69
Instruction ID: 311bb24fa38afdec2f1e3339bd9af01e34c3356ada4f673dc20517e0eb4f7fee
Opcode Fuzzy Hash: 7c396940b14e45bee96ad5e082efc348c8d0f883345ebc83e979db48e2160e69
Instruction Fuzzy Hash: EE418273A04B4682EB54DF2AE44426DB7A0FB84B84BD44532DB8E97B54DF3CE4A5C311

Function 00007FFDA4335524 Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDA43353A9,?,?,?,?,00007FFDA433F44F,?,?,?,?,?), ref: 00007FFDA4335543
SetLastError.KERNEL32(?,?,?,00007FFDA43353A9,?,?,?,?,00007FFDA433F44F,?,?,?,?,?), ref: 00007FFDA43355CC

Memory Dump Source

Source File: 00000005.00000002.2190083038.00007FFDA4331000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000005.00000002.2190069974.00007FFDA4330000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190113951.00007FFDA4349000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.2190129204.00007FFDA434A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda4330000_svaulpzg.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 550cea5c84bc0485e2971ce80c0edd506865995108a692b5126701225aaf57c4
Instruction ID: 6fe64b3db397f032e1d4b067d7d37144033345bcf27ddfa1ff246d2dc3b4cf9b
Opcode Fuzzy Hash: 550cea5c84bc0485e2971ce80c0edd506865995108a692b5126701225aaf57c4
Instruction Fuzzy Hash: FD112420B4BF4241FA14A731A8B81786292AF56BA1F158634D92F063F7DE2CF445C608

Function 00007FFDA54B32B4 Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDA54B3175,?,?,?,?,00007FFDA54B4057,?,?,?,?,?), ref: 00007FFDA54B32D3
SetLastError.KERNEL32(?,?,?,00007FFDA54B3175,?,?,?,?,00007FFDA54B4057,?,?,?,?,?), ref: 00007FFDA54B335B

Memory Dump Source

Source File: 00000005.00000002.2190160805.00007FFDA54B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA54B0000, based on PE: true

Associated: 00000005.00000002.2190144253.00007FFDA54B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190190132.00007FFDA54B8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2190204054.00007FFDA54B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda54b0000_svaulpzg.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bfb27b7b45ffb3c1d040ad31652f38837651550378899a0c7940be1c99b38e59
Instruction ID: c0b94f23408f89f3a94383b445feced501d96592d1402aa7aa2773a4d6a38cab
Opcode Fuzzy Hash: bfb27b7b45ffb3c1d040ad31652f38837651550378899a0c7940be1c99b38e59
Instruction Fuzzy Hash: 46111D30F0B60E85EE545766B8703796291AF5AFA0F0B5734D92E477D7EEACA4018608

Function 00007FFD94510CA0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD94510CBD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD94510CC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD94510CD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD94510CDB

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4a48f1c4d7c03260f7f70a3d97dc08880775d18e037ccc3144df3fe31efa8da6
Instruction ID: a1e00adf31cfd2004aa68bac3df728cee3676c206d7cd0bd33a1f1807fd3ff0f
Opcode Fuzzy Hash: 4a48f1c4d7c03260f7f70a3d97dc08880775d18e037ccc3144df3fe31efa8da6
Instruction Fuzzy Hash: 5AF03121718B45DAD7959F95E5F41287320FF89F80B408431CA4D43B22DF2CD4A5C300

Function 00007FFD944FD8D0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD8ED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD8F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD901
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD90B

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ffd378a4487c384eca31b3fb56f6a558adced883053d3b0a087f6b06aa324480
Instruction ID: 17c9a2760cd8ea472b84e134eb8f542fe0f97eccbbca68e40f0787850c7e7142
Opcode Fuzzy Hash: ffd378a4487c384eca31b3fb56f6a558adced883053d3b0a087f6b06aa324480
Instruction Fuzzy Hash: 9FF03125718B05DADB958F95E9F41287320FF89B80B449430CA4D43B65DF6CD465C300

Function 00007FFD944FD940 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD95D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD967
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD971
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD97B

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: eee7fe0f3556fb421fff62f8d28dd5218fae23df9bd88b3103c0db358813fed1
Instruction ID: 426b1e762158d8c1508d6ac49582dc9ed090df10a3d5b4ab22c0c5bb7c0a3a67
Opcode Fuzzy Hash: eee7fe0f3556fb421fff62f8d28dd5218fae23df9bd88b3103c0db358813fed1
Instruction Fuzzy Hash: 82F03121718B05DADB958F95E9F41287320FF89B80B409430CA4D43B66DF6CD465C300

Function 00007FFD944FD6C8 Relevance: 5.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD6E4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD6EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944FD6F8

Memory Dump Source

Source File: 00000005.00000002.2189764442.00007FFD944E1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFD944E0000, based on PE: true

Associated: 00000005.00000002.2189751874.00007FFD944E0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189821761.00007FFD94563000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.2189835177.00007FFD94567000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd944e0000_svaulpzg.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4627c1aaf56b1667bf9f68b9fd75585d0c02053b0e3b263439d6d713141ea6bb
Instruction ID: 45c3a576404e312f6f0d7cbe7fb4e0acecd1d24d28cbad789118001c8264d556
Opcode Fuzzy Hash: 4627c1aaf56b1667bf9f68b9fd75585d0c02053b0e3b263439d6d713141ea6bb
Instruction Fuzzy Hash: A7E0BFA2B14A05DAEB699FA1D8F40387330FF89F55B586431CE0E46226CF68D494C300

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report flashcenter_pp_ax_inst78ll_cn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\960AD1F5A671F16810.2f9

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\WXFManager64.dll

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140.dll

C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140_1.dll

C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp

C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe (copy)

C:\Users\user\AppData\Roaming\9430dad\is-URMQG.tmp

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

Windows Analysis Report
flashcenter_pp_ax_inst78ll_cn.exe

Function 0040100A Relevance: 46.1, APIs: 18, Strings: 8, Instructions: 608
COMMON

Function 0041171E Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 238
COMMON

Function 00425E4C Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Function 004110B7 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
COMMON

Function 004114D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 137
COMMON

Function 0040739D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Function 00401190 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 347
COMMON

Function 00404CBA Relevance: 7.7, APIs: 5, Instructions: 233
COMMON

Function 00417DFD Relevance: 7.7, APIs: 5, Instructions: 165
COMMON

Function 0041086D Relevance: 7.7, APIs: 5, Instructions: 152
COMMON

Function 00405C98 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319
COMMON

Function 0040EFA5 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 258
COMMON

Function 00411A47 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Function 00424660 Relevance: 6.0, APIs: 4, Instructions: 38
synchronizationCOMMON

Function 004124E9 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203
COMMON