Edit tour

Windows Analysis Report
duschno.exe

Overview

General Information

Sample name:	duschno.exe
Analysis ID:	1574589
MD5:	c6813da66eba357d0deaa48c2f7032b8
SHA1:	6812e46c51f823ff0b0ee17bfce0af72f857af66
SHA256:	1420f60f053c3ea5605239ee431e5f487245108b1c01be75d16b5246156fa178
Tags:	exeuser-lontze7
Infos:

Detection

CredGrabber, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CredGrabber

Yara detected Meduza Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

duschno.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\duschno.exe" MD5: C6813DA66EBA357D0DEAA48C2F7032B8)

cleanup

Malware Configuration

Threatname: Meduza Stealer

{"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "hdont", "links": "", "port": 15666}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
duschno.exe	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: duschno.exe PID: 6856	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: duschno.exe PID: 6856	JoeSecurity_CredGrabber	Yara detected CredGrabber	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.duschno.exe.7ff6b5320000.0.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
0.0.duschno.exe.7ff6b5320000.0.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T12:41:07.303709+0100	2049441	1	A Network Trojan was detected	192.168.2.12	49711	193.3.19.151	15666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: duschno.exe

Malware Configuration Extractor: Meduza Stealer {"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "hdont", "links": "", "port": 15666}

Multi AV Scanner detection for submitted file

Source: duschno.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: duschno.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5397BA0 CryptUnprotectData,LocalFree,	0_2_00007FF6B5397BA0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5398440 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,	0_2_00007FF6B5398440
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53983C0 BCryptCloseAlgorithmProvider,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6B53983C0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5397EC0 CryptProtectData,LocalFree,	0_2_00007FF6B5397EC0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5398020 BCryptDecrypt,BCryptDecrypt,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6B5398020
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5353A30 BCryptDestroyKey,	0_2_00007FF6B5353A30
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5357C20 CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6B5357C20

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.12:49712 version: TLS 1.2

Source: duschno.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53DB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,		0_2_00007FF6B53DB5B0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53DB500 FindClose,FindFirstFileExW,GetLastError,		0_2_00007FF6B53DB500

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53A73F0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6B53A73F0

Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.12:49711 -> 193.3.19.151:15666

Source: global traffic

TCP traffic: 192.168.2.12:49711 -> 193.3.19.151:15666

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 193.3.19.151 193.3.19.151
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ARNES-NETAcademicandResearchNetworkofSloveniaSI ARNES-NETAcademicandResearchNetworkofSloveniaSI

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53A5240 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,

0_2_00007FF6B53A5240

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.a.0/sTy
Source: duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c.0/ti
Source: duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.hotosh
Source: duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adoraw-se
Source: duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.photo/
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/a
Source: duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.
Source: duschno.exe, 00000000.00000003.2380962493.000001F3F33E5000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381237342.000001F3F3285000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380817799.000001F3F3281000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696506299400400001.1&ci=1696506299033.12791&cta
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbmfQq%2B4pbW4pbWfpbX7ReNxR3UIG8zInwYIFIVs9e
Source: duschno.exe, 00000000.00000003.2376253271.000001F3F360C000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F2436000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380020573.000001F3F2570000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2374619093.000001F3F26C6000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380020573.000001F3F2578000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D5000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F243E000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F2463000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379475898.000001F3F25D8000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F245B000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379475898.000001F3F25D0000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2374619093.000001F3F26BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.P9ZDdyXKOWl2
Source: duschno.exe, 00000000.00000003.2380962493.000001F3F33E5000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381237342.000001F3F3285000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380817799.000001F3F3281000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_cd61a4703a8613be887576f2bd084bcc6f4756dccdbe5062
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: duschno.exe, 00000000.00000003.2376253271.000001F3F360C000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F2436000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380020573.000001F3F2570000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2374619093.000001F3F26C6000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380020573.000001F3F2578000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D5000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F243E000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F2463000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379475898.000001F3F25D8000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F245B000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379475898.000001F3F25D0000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2374619093.000001F3F26BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
Source: duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
Source: duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: duschno.exe, 00000000.00000003.2374619093.000001F3F26CE000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2378121440.000001F3F3C86000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F2446000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379475898.000001F3F25DF000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.12:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53A5B70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

0_2_00007FF6B53A5B70

Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53AA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,		0_2_00007FF6B53AA430
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A9D30 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		0_2_00007FF6B53A9D30

Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A76A0	0_2_00007FF6B53A76A0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53E0658	0_2_00007FF6B53E0658
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B534F730	0_2_00007FF6B534F730
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53DB5B0	0_2_00007FF6B53DB5B0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B535D570	0_2_00007FF6B535D570
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B535E610	0_2_00007FF6B535E610
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53AC5CB	0_2_00007FF6B53AC5CB
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A6860	0_2_00007FF6B53A6860
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A5240	0_2_00007FF6B53A5240
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5365310	0_2_00007FF6B5365310
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A8330	0_2_00007FF6B53A8330
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B918C	0_2_00007FF6B53B918C
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5350450	0_2_00007FF6B5350450
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5386350	0_2_00007FF6B5386350
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C2E3C	0_2_00007FF6B53C2E3C
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B534FE20	0_2_00007FF6B534FE20
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B538D080	0_2_00007FF6B538D080
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53520B0	0_2_00007FF6B53520B0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53AD050	0_2_00007FF6B53AD050
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53720F6	0_2_00007FF6B53720F6
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5369F80	0_2_00007FF6B5369F80
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B539F020	0_2_00007FF6B539F020
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5385970	0_2_00007FF6B5385970
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B535CA10	0_2_00007FF6B535CA10
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5352CA0	0_2_00007FF6B5352CA0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B535ECB0	0_2_00007FF6B535ECB0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5351B90	0_2_00007FF6B5351B90
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A5B70	0_2_00007FF6B53A5B70
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5354B70	0_2_00007FF6B5354B70
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C36A8	0_2_00007FF6B53C36A8
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C8674	0_2_00007FF6B53C8674
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B666C	0_2_00007FF6B53B666C
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5374720	0_2_00007FF6B5374720
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C46E4	0_2_00007FF6B53C46E4
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B5598	0_2_00007FF6B53B5598
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A6540	0_2_00007FF6B53A6540
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5326610	0_2_00007FF6B5326610
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53BA924	0_2_00007FF6B53BA924
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53598CD	0_2_00007FF6B53598CD
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B539C8E0	0_2_00007FF6B539C8E0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53AA780	0_2_00007FF6B53AA780
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B537B780	0_2_00007FF6B537B780
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B579C	0_2_00007FF6B53B579C
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5382750	0_2_00007FF6B5382750
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53BF7E6	0_2_00007FF6B53BF7E6
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53902C0	0_2_00007FF6B53902C0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B539E2F0	0_2_00007FF6B539E2F0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5326180	0_2_00007FF6B5326180
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B3150	0_2_00007FF6B53B3150
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B6164	0_2_00007FF6B53B6164
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53D7160	0_2_00007FF6B53D7160
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B1220	0_2_00007FF6B53B1220
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C71D8	0_2_00007FF6B53C71D8
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B537B480	0_2_00007FF6B537B480
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53CA44F	0_2_00007FF6B53CA44F
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5346510	0_2_00007FF6B5346510
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5345520	0_2_00007FF6B5345520
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C14E4	0_2_00007FF6B53C14E4
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B5394	0_2_00007FF6B53B5394
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53963A6	0_2_00007FF6B53963A6
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B539B420	0_2_00007FF6B539B420
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B537C420	0_2_00007FF6B537C420
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53AA430	0_2_00007FF6B53AA430
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53483D0	0_2_00007FF6B53483D0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53CA3C8	0_2_00007FF6B53CA3C8
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5350E80	0_2_00007FF6B5350E80
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53A0E90	0_2_00007FF6B53A0E90
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5357E70	0_2_00007FF6B5357E70
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5395EF0	0_2_00007FF6B5395EF0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5325DB0	0_2_00007FF6B5325DB0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5394D40	0_2_00007FF6B5394D40
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B8D50	0_2_00007FF6B53B8D50
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53D4E30	0_2_00007FF6B53D4E30
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B537BDD0	0_2_00007FF6B537BDD0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B535ADD0	0_2_00007FF6B535ADD0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53D5070	0_2_00007FF6B53D5070
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53CC128	0_2_00007FF6B53CC128
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C30B8	0_2_00007FF6B53C30B8
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53BF0D8	0_2_00007FF6B53BF0D8
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53270E0	0_2_00007FF6B53270E0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B537C0F0	0_2_00007FF6B537C0F0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B535BF40	0_2_00007FF6B535BF40
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53DFFBC	0_2_00007FF6B53DFFBC
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5350A80	0_2_00007FF6B5350A80
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5395AB0	0_2_00007FF6B5395AB0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B537BAB0	0_2_00007FF6B537BAB0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53C6A68	0_2_00007FF6B53C6A68
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5398B00	0_2_00007FF6B5398B00
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5380AC0	0_2_00007FF6B5380AC0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5371AF0	0_2_00007FF6B5371AF0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5353A30	0_2_00007FF6B5353A30
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53D5C50	0_2_00007FF6B53D5C50
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B0D14	0_2_00007FF6B53B0D14
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B5377CEB	0_2_00007FF6B5377CEB
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53CBB90	0_2_00007FF6B53CBB90
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53D6C30	0_2_00007FF6B53D6C30

Source: C:\Users\user\Desktop\duschno.exe	Code function: String function: 00007FF6B5356940 appears 41 times
Source: C:\Users\user\Desktop\duschno.exe	Code function: String function: 00007FF6B534E1D0 appears 33 times
Source: C:\Users\user\Desktop\duschno.exe	Code function: String function: 00007FF6B53B8254 appears 34 times
Source: C:\Users\user\Desktop\duschno.exe	Code function: String function: 00007FF6B534BA80 appears 32 times
Source: C:\Users\user\Desktop\duschno.exe	Code function: String function: 00007FF6B53686B0 appears 59 times

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53AB9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,

0_2_00007FF6B53AB9B0

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B535E610 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6B535E610

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B5394EA3 CoCreateInstance,

0_2_00007FF6B5394EA3

Source: C:\Users\user\Desktop\duschno.exe

Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963671A6A1E

Source: duschno.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\duschno.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: duschno.exe, 00000000.00000003.2356709912.000001F3F33DC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2357309036.000001F3F33DD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: duschno.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\duschno.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\duschno.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\duschno.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: duschno.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: duschno.exe

Static file information: File size 1292800 > 1048576

Source: duschno.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: duschno.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: duschno.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: duschno.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: duschno.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: duschno.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: duschno.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: duschno.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: duschno.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: duschno.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: duschno.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: duschno.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: duschno.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B535D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6B535D570

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B536CAB2 push rdi; retf 0004h

0_2_00007FF6B536CAB5

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B539C600 ExitProcess,OpenMutexA,ExitProcess,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6B539C600

Source: C:\Users\user\Desktop\duschno.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-70596

Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53DB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,		0_2_00007FF6B53DB5B0
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53DB500 FindClose,FindFirstFileExW,GetLastError,		0_2_00007FF6B53DB500

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53A73F0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6B53A73F0

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53B9038 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_00007FF6B53B9038

Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000002.2420918904.000001F3F0856000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353764997.000001F3F0856000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: duschno.exe, 00000000.00000003.2360684559.000001F3F26A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427

Source: C:\Users\user\Desktop\duschno.exe

API call chain: ExitProcess graph end node

graph_0-70444

Source: C:\Users\user\Desktop\duschno.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53AA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,

0_2_00007FF6B53AA430

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53DD804 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF6B53DD804

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53DD804 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF6B53DD804

Source: C:\Users\user\Desktop\duschno.exe

0_2_00007FF6B535D570

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53C9EEC GetProcessHeap,

0_2_00007FF6B53C9EEC

Source: C:\Users\user\Desktop\duschno.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53CF2B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6B53CF2B8
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53CF498 SetUnhandledExceptionFilter,	0_2_00007FF6B53CF498
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53B7F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6B53B7F68
Source: C:\Users\user\Desktop\duschno.exe	Code function: 0_2_00007FF6B53CEC08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6B53CEC08

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B539B420 ShellExecuteW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6B539B420

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53CDF10 cpuid

0_2_00007FF6B53CDF10

Source: C:\Users\user\Desktop\duschno.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6B53C964C
Source: C:\Users\user\Desktop\duschno.exe	Code function: GetLocaleInfoW,	0_2_00007FF6B53C9310
Source: C:\Users\user\Desktop\duschno.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_00007FF6B53DB170
Source: C:\Users\user\Desktop\duschno.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6B53C9468
Source: C:\Users\user\Desktop\duschno.exe	Code function: GetLocaleInfoW,	0_2_00007FF6B53C9518
Source: C:\Users\user\Desktop\duschno.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6B53C90C8
Source: C:\Users\user\Desktop\duschno.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6B53C8F60
Source: C:\Users\user\Desktop\duschno.exe	Code function: GetLocaleInfoW,	0_2_00007FF6B53BE020
Source: C:\Users\user\Desktop\duschno.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6B53C9030
Source: C:\Users\user\Desktop\duschno.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6B53BDAE0
Source: C:\Users\user\Desktop\duschno.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF6B53C8C04

Source: C:\Users\user\Desktop\duschno.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\duschno.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53CF908 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6B53CF908

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53A6150 GetUserNameW,

0_2_00007FF6B53A6150

Source: C:\Users\user\Desktop\duschno.exe

Code function: 0_2_00007FF6B53A76A0 GetTimeZoneInformation,

0_2_00007FF6B53A76A0

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: duschno.exe PID: 6856, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: duschno.exe, type: SAMPLE
Source: Yara match	File source: 0.2.duschno.exe.7ff6b5320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.duschno.exe.7ff6b5320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: duschno.exe PID: 6856, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\config
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\duschno.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\duschno.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\duschno.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: duschno.exe PID: 6856, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: duschno.exe, type: SAMPLE
Source: Yara match	File source: 0.2.duschno.exe.7ff6b5320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.duschno.exe.7ff6b5320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: duschno.exe PID: 6856, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Access Token Manipulation	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Email Collection	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Account Discovery	Distributed Component Object Model	2 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	34 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
duschno.exe	63%	ReversingLabs	Win64.Trojan.MeduzaStealer
duschno.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://ns.photo/	0%	Avira URL Cloud	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.	0%	Avira URL Cloud	safe
http://ns.a.0/sTy	0%	Avira URL Cloud	safe
http://ns.adoraw-se	0%	Avira URL Cloud	safe
http://ns.adobe.hotosh	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adobe.hotosh	duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.	duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobe.c.0/ti	duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adoraw-se	duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696506299400400001.1&ci=1696506299033.12791&cta	duschno.exe, 00000000.00000003.2380962493.000001F3F33E5000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381237342.000001F3F3285000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380817799.000001F3F3281000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.photo/	duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.a.0/sTy	duschno.exe, 00000000.00000003.2420291452.000001F3F3040000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420399094.000001F3F3045000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2353152740.000001F3F3031000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2420324106.000001F3F3044000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_cd61a4703a8613be887576f2bd084bcc6f4756dccdbe5062	duschno.exe, 00000000.00000003.2380962493.000001F3F33E5000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381237342.000001F3F3285000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380817799.000001F3F3281000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.P9ZDdyXKOWl2	duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	duschno.exe, 00000000.00000003.2379802179.000001F3F246B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/a	duschno.exe, 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbmfQq%2B4pbW4pbWfpbX7ReNxR3UIG8zInwYIFIVs9e	duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	duschno.exe, 00000000.00000003.2381064141.000001F3F33BC000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org	duschno.exe, 00000000.00000003.2376253271.000001F3F360C000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F2436000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380020573.000001F3F2570000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2374619093.000001F3F26C6000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380020573.000001F3F2578000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2380320290.000001F3F32D5000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F243E000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F2463000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379475898.000001F3F25D8000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379802179.000001F3F245B000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2379475898.000001F3F25D0000.00000004.00000020.00020000.00000000.sdmp, duschno.exe, 00000000.00000003.2374619093.000001F3F26BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	duschno.exe, 00000000.00000003.2354946016.000001F3F3261000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.3.19.151	unknown	Denmark		2107	ARNES-NETAcademicandResearchNetworkofSloveniaSI	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574589
Start date and time:	2024-12-13 12:40:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	duschno.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 99 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: duschno.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.3.19.151	1Sj5F6P4nv.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	5LEXIucyEP.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
172.67.74.152	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	malware.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	chos.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://ap2vxmyqxf.ballyentoe.shop	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	installer.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	installer.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Rockwool-Msg-S9039587897.pdf	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	RFQ-004282A.Teknolojileri A.S.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	discord.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARNES-NETAcademicandResearchNetworkofSloveniaSI	jade.arm.elf	Get hash	malicious	Mirai	Browse	95.87.151.72
	https://u48551708.ct.sendgrid.net/ls/click?upn=u001.ztPEaTmy8WofhPYJ48HDSCunUq5pm5yTGRhe-2B0bVSngC8hMYiy6PgMy1xJOG8JJZaOsK-2FG9SE7UmhEzeQSXDmEf7Z3nlXZDH-2BW1HSMP6c8uYUvXDTaJRyLbPDV6bI3nnDyIlM0OJKevMwAF04rpfLmQEYS641NQTMU227kkOtBQgQK-2FNlHeN6DpPMLDgH6kuMS3X_2vbC1nrAFjePip8HYuHYOlkYXiy7Z-2FrO9MQN7lNoEgxRkovUJGAEvKvTFyRmFsa9AQlcDpFhpJzgHajMOC0yWTZOc2DdmxhrlyPvteyXbl8nlhAtf2p-2FHw4RnlZ8cxDY-2BWJeBsszGnsrXuNOI8LpL5ZYI3ad04OdxC8tHHA5tO-2Be1xS3Z9Z3VrOTM-2FT5ptoYnx5N-2FTYKQ13RZ-2FookVMhAtJ6OV43Zayd1qOmHGLwUI8-3D	Get hash	malicious	Phisher	Browse	193.3.19.55
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	193.3.184.46
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	95.87.175.59
	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	193.3.168.50
	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	193.3.168.50
	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	193.3.168.50
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	193.2.192.103
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	88.200.25.137
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	178.172.103.122
CLOUDFLARENETUS	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	162.159.137.232
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Xmrig	Browse	172.67.139.78
	file.exe	Get hash	malicious	Unknown	Browse	172.67.192.146
	https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	1.1.1.1
	https://idw.soundestlink.com/ce/c/675b7a96903a5335b119c33f/675b7ae33d33226215120f66/675b7afd057112d43b49094d?signature=7e9e7eead1b3f32bbe3709a667795cd47f753f0f46ed5e056831680ea81aa102	Get hash	malicious	Unknown	Browse	172.64.145.78
	https://opof.utackhepr.com/WE76L1u/	Get hash	malicious	Unknown	Browse	104.18.95.41
	taskhost.exe	Get hash	malicious	XWorm	Browse	104.26.2.16
	https://e.trustifi.com/#/fff2a6/34074b/38c75f/bf3fbd/0d1c47/12c665/f3cdcd/c1be48/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d08b7b/9066d9/86c9f0/b1ff53/224fc1/c5dff5/a64e02/f00a15/3cdbea/a78615/4ddb76/30d9f7/98e1a2/9412cb/8e2651/8d4e63/9d313b/2f0213/ae3252/642e4a/6f0b2e/306b49/fd8e03/84bfef/0da4e6/6224c1/902b5e/e0d84c/badeba/3e52c1/94282a/975221/7a2e92/514659/ae5bab/957b7b/eb9e61/6942c6/d917d9/44a5ae/e58297/02048a/55f177/dca75c/c46e68/ac781c/5b787b/abcd53/568132/1d514a/5290de/d0b524/7d0cb6/e4e8bf/2ff215/1ddb69/add914/7674bb/dc5d9b/8fc829/561052/f5a816/40ee64/a0bcf5/b0cc13/8e70a5/255ef2/b24b8d/81e09f/4c70dd/5bbaa4/7ff26c/f1999b/4a2515/4a3a04/0a188e	Get hash	malicious	Unknown	Browse	104.17.25.14
	smb.ps1	Get hash	malicious	Xmrig	Browse	104.16.231.132

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	AzureConnect.exe	Get hash	malicious	CobaltStrike	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.74.152
	x295IO8kqM.exe	Get hash	malicious	Remcos	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.74.152
	PO_11171111221.Vbs.vbs	Get hash	malicious	FormBook	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.74.152
	CMR ART009.docx	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.74.152
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	172.67.74.152

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.519533062327776
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	duschno.exe
File size:	1'292'800 bytes
MD5:	c6813da66eba357d0deaa48c2f7032b8
SHA1:	6812e46c51f823ff0b0ee17bfce0af72f857af66
SHA256:	1420f60f053c3ea5605239ee431e5f487245108b1c01be75d16b5246156fa178
SHA512:	19391c6b12ba8f34a5faf326f8986ef8de4729d614d72bf438c6efa569b3505159ca55f580fe2a02642e5e7a0f1b38a7a9db9f0d66d67ba548d84c230183159e
SSDEEP:	24576:IgAMXnXkciEIMJQZe8Us9Mjemp5wx1wach0lhSMXl5xT+d:x3Xn0ciEIp3Us+egSx+ahpxTK
TLSH:	82555B65195C03E9D8BE9138DEAB8A12F575380903B1E7EB1AD147921FE37E09E3E350
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.7./.d./.d./.d.W.e./.d.W.e./.d...e./.d...e./.d...e./.d...e./.d.W.e8/.d.W.e./.d.W.e./.d./.d...d.W.e./.d...e./.d..>d./.d...e./.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400af220
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B379D [Mon Nov 18 12:48:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0095cfee1cdfcef936c4c086b6b4fe85

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F01BCB29FB4h
dec eax
add esp, 28h
jmp 00007F01BCB2974Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F01BCB298E2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F01BCB298E5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F01BCB298DDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F01BCB28E86h
int3
and dword ptr [00087639h], 00000000h
ret
dec eax
mov dword ptr [esp+08h], ebx
push ebp
dec eax
lea ebp, dword ptr [esp-000004C0h]
dec eax
sub esp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h
call dword ptr [0002600Eh]
test eax, eax
je 00007F01BCB298D6h
mov ecx, ebx
int 29h
mov ecx, 00000003h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12df68	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13f000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x138000	0x6c18	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x140000	0xd3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1183d0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x118580	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x118290	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd5000	0x778	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd3290	0xd3400	5dbe528542b2f69c830f0ddd1160738f	False	0.41695636094674554	zlib compressed data	6.322034703392791	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd5000	0x5a878	0x5aa00	70e76c24e7297aac36ad0a296a4df642	False	0.4009401939655172	data	6.3070531311223075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x130000	0x7ce4	0x5a00	6bc2f26b443764d2872d13f9d896878b	False	0.08211805555555556	data	4.536476287471787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x138000	0x6c18	0x6e00	c6eecc837e87b0c200a192a62ab8b009	False	0.4799715909090909	data	5.967062390694732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x13f000	0x1e0	0x200	3bdf73d69c827b52e4eecca5ab7e253d	False	0.533203125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x140000	0xd3c	0xe00	04965a7aa6d79975008713ed9311fed1	False	0.48604910714285715	data	5.341340137514453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13f060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WS2_32.dll	closesocket, inet_pton, WSAStartup, send, socket, connect, recv, WSACleanup, htons
CRYPT32.dll	CryptUnprotectData, CryptProtectData
WININET.dll	InternetOpenW, InternetCloseHandle, InternetReadFile, InternetQueryDataAvailable, HttpQueryInfoW, InternetOpenUrlA, InternetOpenA
ntdll.dll	NtQuerySystemInformation, RtlInitUnicodeString, LdrEnumerateLoadedModules, RtlAcquirePebLock, RtlReleasePebLock, NtQueryObject, NtAllocateVirtualMemory
RstrtMgr.DLL	RmGetList, RmStartSession, RmEndSession, RmRegisterResources
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptOpenAlgorithmProvider, BCryptDecrypt, BCryptDestroyKey, BCryptGenerateSymmetricKey, BCryptSetProperty
KERNEL32.dll	GetFileInformationByHandleEx, AreFileApisANSI, FindFirstFileW, FindNextFileW, FindClose, OpenProcess, CreateToolhelp32Snapshot, Process32NextW, LoadLibraryA, Process32FirstW, CloseHandle, GetSystemInfo, GetProcAddress, LocalFree, FreeLibrary, GetLastError, ExitProcess, MultiByteToWideChar, WideCharToMultiByte, VirtualAlloc, ReadFile, WriteFile, CreateFileW, GetFileSize, GetCurrentProcess, VirtualQuery, GetStdHandle, TerminateProcess, CreateMutexA, ReleaseMutex, OpenMutexA, GetModuleFileNameA, GetVolumeInformationW, GetGeoInfoA, HeapFree, EnterCriticalSection, GetModuleFileNameW, GetProcessId, LeaveCriticalSection, SetFilePointer, InitializeCriticalSectionEx, FreeEnvironmentStringsW, GetModuleHandleA, HeapSize, GetLogicalDriveStringsW, GetFinalPathNameByHandleA, GetTimeZoneInformation, lstrcatW, HeapReAlloc, HeapAlloc, GetComputerNameW, GetProcessHeap, GlobalMemoryStatusEx, GetModuleHandleW, lstrcpyW, GetEnvironmentStringsW, SetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualProtect, GetFileSizeEx, SetFilePointerEx, GetCurrentThreadId, GetFileType, GetStartupInfoW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetTempPathW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, SetEndOfFile, EnumSystemLocalesW, ReadConsoleW, RaiseException, GetModuleHandleExW, SetStdHandle, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, WriteConsoleW, OutputDebugStringW, SetEnvironmentVariableW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, InitializeSListHead, RtlUnwindEx, RtlUnwind, RtlPcToFileHeader, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetFileAttributesExW, GetFileAttributesW, FindFirstFileExW, GetCurrentDirectoryW, GetNativeSystemInfo, LCMapStringEx, CompareStringEx, DecodePointer, DeleteCriticalSection, GetCommandLineA, GetCommandLineW, GetUserGeoID, GetUserDefaultLCID, GetLocaleInfoEx, FormatMessageA
USER32.dll	GetWindowRect, ReleaseDC, GetDesktopWindow, EnumDisplayDevicesW, GetSystemMetrics, GetDC
GDI32.dll	BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetDeviceCaps, DeleteDC, GetObjectW, DeleteObject
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, RegGetValueA, RegQueryValueExA, RegOpenKeyExA, GetUserNameW, RegEnumKeyExA, RevertToSelf, ConvertSidToStringSidA, ImpersonateLoggedOnUser, OpenProcessToken, DuplicateTokenEx, GetTokenInformation, CredEnumerateA, CredFree
SHELL32.dll	SHGetKnownFolderPath, ShellExecuteW
ole32.dll	CoTaskMemFree, CoGetObject, CoCreateInstance, CoUninitialize, CoSetProxyBlanket, CoInitializeSecurity, CoInitializeEx
OLEAUT32.dll	SysStringByteLen, SysAllocStringByteLen, SysFreeString
SHLWAPI.dll
gdiplus.dll	GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdiplusShutdown, GdiplusStartup, GdipCloneImage, GdipAlloc, GdipCreateBitmapFromScan0, GdipCreateBitmapFromHBITMAP, GdipSaveImageToStream, GdipGetImageEncoders

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T12:41:07.303709+0100	2049441	ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt	1	192.168.2.12	49711	193.3.19.151	15666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 12:40:59.076744080 CET	49711	15666	192.168.2.12	193.3.19.151
Dec 13, 2024 12:40:59.196599007 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:40:59.196712971 CET	49711	15666	192.168.2.12	193.3.19.151
Dec 13, 2024 12:40:59.988456011 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:40:59.988502979 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:40:59.988567114 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:00.101619959 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:00.101634026 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:01.316545963 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:01.316622972 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:01.372128010 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:01.372153044 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:01.372509956 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:01.372562885 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:01.373819113 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:01.419336081 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:01.463155985 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:01.463339090 CET	49711	15666	192.168.2.12	193.3.19.151
Dec 13, 2024 12:41:01.756383896 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:01.756453037 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:01.756454945 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:01.756494045 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:01.756822109 CET	49712	443	192.168.2.12	172.67.74.152
Dec 13, 2024 12:41:01.756839037 CET	443	49712	172.67.74.152	192.168.2.12
Dec 13, 2024 12:41:07.303709030 CET	49711	15666	192.168.2.12	193.3.19.151
Dec 13, 2024 12:41:07.540303946 CET	49711	15666	192.168.2.12	193.3.19.151
Dec 13, 2024 12:41:07.599028111 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.599040031 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.599047899 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.599056959 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.599061012 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.599069118 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.599078894 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.600037098 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.600050926 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.600059986 CET	15666	49711	193.3.19.151	192.168.2.12
Dec 13, 2024 12:41:07.661385059 CET	15666	49711	193.3.19.151	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 12:40:59.810297966 CET	64055	53	192.168.2.12	1.1.1.1
Dec 13, 2024 12:40:59.950579882 CET	53	64055	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 12:40:59.810297966 CET	192.168.2.12	1.1.1.1	0x75a5	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 12:40:59.950579882 CET	1.1.1.1	192.168.2.12	0x75a5	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:40:59.950579882 CET	1.1.1.1	192.168.2.12	0x75a5	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 13, 2024 12:40:59.950579882 CET	1.1.1.1	192.168.2.12	0x75a5	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49712	172.67.74.152	443	6856	C:\Users\user\Desktop\duschno.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 11:41:01 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-12-13 11:41:01 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 11:41:01 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8f15aec4f9e3438c-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1852&min_rtt=1773&rtt_var=823&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=738&delivery_rate=1213128&cwnd=245&unsent_bytes=0&cid=0103bcabd923c7d8&ts=449&x=0"
2024-12-13 11:41:01 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Target ID:	0
Start time:	06:40:57
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\duschno.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\duschno.exe"
Imagebase:	0x7ff6b5320000
File size:	1'292'800 bytes
MD5 hash:	C6813DA66EBA357D0DEAA48C2F7032B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000000.00000002.2420918904.000001F3F07AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.8%
Total number of Nodes:	1947
Total number of Limit Nodes:	95

Executed Functions

Function 00007FF6B53A8330 Relevance: 50.4, APIs: 19, Strings: 9, Instructions: 1376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B53A6540: EnumDisplayDevicesW.USER32 ref: 00007FF6B53A6657
Part of subcall function 00007FF6B53A6540: EnumDisplayDevicesW.USER32 ref: 00007FF6B53A66FB

Part of subcall function 00007FF6B53A6460: RegGetValueA.KERNEL32 ref: 00007FF6B53A64C9

Part of subcall function 00007FF6B53A6150: GetUserNameW.ADVAPI32 ref: 00007FF6B53A6195

Part of subcall function 00007FF6B53A61F0: GetComputerNameW.KERNEL32 ref: 00007FF6B53A6235

Part of subcall function 00007FF6B5361900: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53619D4

Part of subcall function 00007FF6B5363FF0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536447D

GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6B53A87BC
wcsftime.LIBCMT ref: 00007FF6B53A8FB2
GetModuleFileNameA.KERNEL32 ref: 00007FF6B53A9146
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B5D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A9B63

Strings

system, xrefs: 00007FF6B53A8424, 00007FF6B53A8513, 00007FF6B53A8609, 00007FF6B53A8703, 00007FF6B53A884B, 00007FF6B53A8945, 00007FF6B53A8A38, 00007FF6B53A8BBF, 00007FF6B53A8DB0, 00007FF6B53A9031, 00007FF6B53A91F4, 00007FF6B53A940E, 00007FF6B53A95AD, 00007FF6B53A9757, 00007FF6B53A981D
%d-%m-%Y, %H:%M:%S, xrefs: 00007FF6B53A8F9F
timezone, xrefs: 00007FF6B53A9454
gpu, xrefs: 00007FF6B53A8562
user_name, xrefs: 00007FF6B53A846F
ram, xrefs: 00007FF6B53A889B
cpu, xrefs: 00007FF6B53A8658
time, xrefs: 00007FF6B53A9081
computer_name, xrefs: 00007FF6B53A8994

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Name$DevicesDisplayEnum$ComputerFileGlobalMemoryModuleStatusUserValuewcsftime
String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 4122120932-1182675529
Opcode ID: 47549bb9430f832a63f100b11c70c733584b49f47b6301df7131baf4d82ebe30
Instruction ID: 19ffcfe1acc772a0f08d0f37ca0c2bcd3d568c6ca030d30e7ed34dbe44a3a128
Opcode Fuzzy Hash: 47549bb9430f832a63f100b11c70c733584b49f47b6301df7131baf4d82ebe30
Instruction Fuzzy Hash: 57E24023928BC585DB21CF28D8502ED77A1F789B98F405225EB9D47BAEEF38D654C700

Function 00007FF6B5354B70 Relevance: 46.8, APIs: 21, Strings: 5, Instructions: 1343registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6B535509B
RegQueryValueExA.ADVAPI32 ref: 00007FF6B53550E9
RegCloseKey.ADVAPI32 ref: 00007FF6B5355186
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356384
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563BD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563C3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53563F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356420
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356426
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535642C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535644E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356454
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535645A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356466
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356487

Strings

exists, xrefs: 00007FF6B5356398, 00007FF6B53563E3, 00007FF6B535647A
content, xrefs: 00007FF6B53555A3, 00007FF6B5355BF6, 00007FF6B5356120
filename, xrefs: 00007FF6B535549A, 00007FF6B5355A28, 00007FF6B5355F59
status, xrefs: 00007FF6B5356403, 00007FF6B5356413
directory_iterator::directory_iterator, xrefs: 00007FF6B5356441

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 1254564140-3429737954
Opcode ID: 08d93a35235c194d3b1ca12cb93cd232fe58cb5738402f082269f697cbfc0b25
Instruction ID: 41fe40ad7f160554ca144d1844b808fcf29855f35fcb99f6e07443b0fb565409
Opcode Fuzzy Hash: 08d93a35235c194d3b1ca12cb93cd232fe58cb5738402f082269f697cbfc0b25
Instruction Fuzzy Hash: 0EE26272A29BC189EB618F28D8403ED7365FB45B58F505225EB5C4BB9EEF78D684C300

Function 00007FF6B5386350 Relevance: 46.6, APIs: 20, Strings: 6, Instructions: 1136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

recursive_directory_iterator::operator++, xrefs: 00007FF6B538A678, 00007FF6B538A745, 00007FF6B538A808
exists, xrefs: 00007FF6B538A5DE, 00007FF6B538A6AC, 00007FF6B538A76E, 00007FF6B538A83C
recursive_directory_iterator::recursive_directory_iterator, xrefs: 00007FF6B538A68F, 00007FF6B538A6C9, 00007FF6B538A81F
cannot use push_back() with , xrefs: 00007FF6B538A625, 00007FF6B538A6FE, 00007FF6B538A7B5
directory_iterator::directory_iterator, xrefs: 00007FF6B538A853, 00007FF6B538A875, 00007FF6B538A8AD
status, xrefs: 00007FF6B538A600, 00007FF6B538A6D9, 00007FF6B538A790, 00007FF6B538A863, 00007FF6B538A885, 00007FF6B538A89B, 00007FF6B538A8BD

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: __std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 3645842244-1862120484
Opcode ID: de5a621f2f067d1123de94e788919e3c44fbe91b6b887da37095cf4d544f4034
Instruction ID: 6172aeb8a1c4338bb6b32b193b84b34d0632a8be24e38191061d35afe7161019
Opcode Fuzzy Hash: de5a621f2f067d1123de94e788919e3c44fbe91b6b887da37095cf4d544f4034
Instruction Fuzzy Hash: 03D20872919BC585D6708B19F4812EAB3A0FBD8B84F405225EBCC97B5AEF7CD654CB00

Function 00007FF6B53A5B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00007FF6B53A5BB1
GetSystemMetrics.USER32 ref: 00007FF6B53A5BBF
GetSystemMetrics.USER32 ref: 00007FF6B53A5BCD
GetSystemMetrics.USER32 ref: 00007FF6B53A5BDB
GetDC.USER32 ref: 00007FF6B53A5BE5
GetDeviceCaps.GDI32 ref: 00007FF6B53A5BFB
GetDeviceCaps.GDI32 ref: 00007FF6B53A5C0B
CreateCompatibleDC.GDI32 ref: 00007FF6B53A5C18
CreateCompatibleBitmap.GDI32 ref: 00007FF6B53A5C30
SelectObject.GDI32 ref: 00007FF6B53A5C46
BitBlt.GDI32 ref: 00007FF6B53A5C7C
SHCreateMemStream.SHLWAPI ref: 00007FF6B53A5CB2
SelectObject.GDI32 ref: 00007FF6B53A5CC8
DeleteDC.GDI32 ref: 00007FF6B53A5CD1
ReleaseDC.USER32 ref: 00007FF6B53A5CDC
DeleteObject.GDI32 ref: 00007FF6B53A5CE5
EnterCriticalSection.KERNEL32 ref: 00007FF6B53A5DDC
LeaveCriticalSection.KERNEL32 ref: 00007FF6B53A5DEE
IStream_Size.SHLWAPI ref: 00007FF6B53A5E25
IStream_Reset.SHLWAPI ref: 00007FF6B53A5E36
IStream_Read.SHLWAPI ref: 00007FF6B53A5EBB
SelectObject.GDI32 ref: 00007FF6B53A5F15
DeleteDC.GDI32 ref: 00007FF6B53A5F1E
ReleaseDC.USER32 ref: 00007FF6B53A5F2B
DeleteObject.GDI32 ref: 00007FF6B53A5F34

Strings

, xrefs: 00007FF6B53A5C51

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Object$DeleteMetricsSystem$CreateSelectStream_$CapsCompatibleCriticalDeviceReleaseSection$BitmapEnterLeaveReadResetSizeStream
String ID:
API String ID: 3214587331-3916222277
Opcode ID: 7f29424d3ead8c8ab7e32e0c66aef27a74aa28fe3180dede61f6c59901bdf73b
Instruction ID: 88f0cfa4b48d7122112b0073adfaee6b2715bb48a0acc837d2c07eb7fa9394f3
Opcode Fuzzy Hash: 7f29424d3ead8c8ab7e32e0c66aef27a74aa28fe3180dede61f6c59901bdf73b
Instruction Fuzzy Hash: D4B13172618BC186E760DB25E8543EEB7A5FB89B80F405535DB8E83B5AEF3CD4448B40

Function 00007FF6B535D570 Relevance: 35.9, APIs: 17, Strings: 3, Instructions: 862
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF6B535D65C
GetProcAddress.KERNEL32 ref: 00007FF6B535D767
GetProcAddress.KERNEL32 ref: 00007FF6B535D829
GetProcAddress.KERNEL32 ref: 00007FF6B535D8A3
GetProcAddress.KERNEL32 ref: 00007FF6B535D925
GetProcAddress.KERNEL32 ref: 00007FF6B535D99F
GetProcAddress.KERNEL32 ref: 00007FF6B535DA23
FreeLibrary.KERNEL32 ref: 00007FF6B535E551
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E587
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E5DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E5E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E5E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E5ED
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E5F3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E5F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E5FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535E605

Strings

system, xrefs: 00007FF6B535E35D
vault, xrefs: 00007FF6B535E3B3
cannot use push_back() with , xrefs: 00007FF6B535E59F

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AddressProc$Library$FreeLoad
String ID: cannot use push_back() with $system$vault
API String ID: 2463004387-1741236777
Opcode ID: 959340eb615a1682f845dd131be92ac56e9c315d7ee255850b7a169114a46494
Instruction ID: fc07bd6d355852bb7866a4a30db16c243fcbfb522eadb6800519546789edd246
Opcode Fuzzy Hash: 959340eb615a1682f845dd131be92ac56e9c315d7ee255850b7a169114a46494
Instruction Fuzzy Hash: 38926072619BC589DB618F29E8843ED77A0F749B98F104225DB9C4BB9DEF78D644C300

Function 00007FF6B5352CA0 Relevance: 32.3, APIs: 13, Strings: 5, Instructions: 789
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6B5353022
RegQueryValueExA.ADVAPI32 ref: 00007FF6B535306A
RegCloseKey.ADVAPI32 ref: 00007FF6B53530F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53539B0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53539CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53539D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53539EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53539F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5353A06
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5353A0C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5353A12
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5353A1E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5353A24

Strings

exists, xrefs: 00007FF6B53539BE
content, xrefs: 00007FF6B5353694
filename, xrefs: 00007FF6B5353500
status, xrefs: 00007FF6B53539F9
directory_iterator::directory_iterator, xrefs: 00007FF6B53539DD

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 1254564140-3429737954
Opcode ID: c68d1b0223e9d2953e45b434fa426007baeddbc17e6c4ca0c4c75fbc2e2c51ba
Instruction ID: 7e0a6c76bfe1b63df5fc8439b1fb1041549aab356a680185d1e9fbdcd247ba59
Opcode Fuzzy Hash: c68d1b0223e9d2953e45b434fa426007baeddbc17e6c4ca0c4c75fbc2e2c51ba
Instruction Fuzzy Hash: 18827072A15BC589DB608F38D8403ED73A1FB89B58F505225EB9D47B9AEF38D984C340

Function 00007FF6B53520B0 Relevance: 28.7, APIs: 12, Strings: 4, Instructions: 684
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6B5352409
RegQueryValueExA.ADVAPI32 ref: 00007FF6B535244E
RegCloseKey.ADVAPI32 ref: 00007FF6B53524F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C2E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C71
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C83
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5352C95

Strings

exists, xrefs: 00007FF6B5352C42
content, xrefs: 00007FF6B5352915
filename, xrefs: 00007FF6B5352787
directory_iterator::directory_iterator, xrefs: 00007FF6B5352C64

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename
API String ID: 1254564140-1400943384
Opcode ID: fe0f5a0e777df163b00289a232bc5a8405e57c7a5efa77f273698b9a9cc3fd11
Instruction ID: 1a84cf07b8bd42dfccfbcd0bd6617d9fc46d640d2c06bd7aa4c1767302397711
Opcode Fuzzy Hash: fe0f5a0e777df163b00289a232bc5a8405e57c7a5efa77f273698b9a9cc3fd11
Instruction Fuzzy Hash: E7723072A15BC589DB218F39D8803ED77A0FB49B98F105225EB9D57B9AEF38D580C340

Function 00007FF6B538D080 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

prefs.js, xrefs: 00007FF6B538E5E2
exists, xrefs: 00007FF6B538F48D
cannot use push_back() with , xrefs: 00007FF6B538DDD5
status, xrefs: 00007FF6B538DE11, 00007FF6B538DE33, 00007FF6B538DE5B, 00007FF6B538DE83
directory_iterator::directory_iterator, xrefs: 00007FF6B538DE23, 00007FF6B538F4A4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$prefs.js$status
API String ID: 0-2713369562
Opcode ID: 3b4f4422a52561bd1ffdc2d0feed999f23c4e58c7e2ed330231bbbadc801fcb0
Instruction ID: d8c533df98a03893af2a2781b1a0ae8767264894ab615e7cd65c14f152aeb6e6
Opcode Fuzzy Hash: 3b4f4422a52561bd1ffdc2d0feed999f23c4e58c7e2ed330231bbbadc801fcb0
Instruction Fuzzy Hash: DF522732519FC584E6B19B19E8813EAB3A4FBC9B40F505625DBCC82B5AEF7CD594CB00

Function 00007FF6B53DB5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF6B53DB65D
GetLastError.KERNEL32 ref: 00007FF6B53DB667
FindFirstFileW.KERNEL32 ref: 00007FF6B53DB67E
GetLastError.KERNEL32 ref: 00007FF6B53DB68A
FindClose.KERNEL32 ref: 00007FF6B53DB698
__std_fs_open_handle.LIBCPMT ref: 00007FF6B53DB72B
CloseHandle.KERNEL32 ref: 00007FF6B53DB741
CloseHandle.KERNEL32 ref: 00007FF6B53DB8B4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction ID: b76d77abf3dd061c2f4c21243a234297ef2a84f3680294eddecf331f2e3763d5
Opcode Fuzzy Hash: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction Fuzzy Hash: 1C918531A68A4246EA654B2DA4246B522A0AF45FB4F544730DBBDC77DAFF3CEC058B00

Function 00007FF6B535CA10 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CredEnumerateA.ADVAPI32 ref: 00007FF6B535CA72
CredFree.ADVAPI32 ref: 00007FF6B535D496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D4CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D520
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D526
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D52C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D538
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D53E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D544
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535D54A

Strings

cannot use push_back() with , xrefs: 00007FF6B535D4E4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Cred$EnumerateFree
String ID: cannot use push_back() with
API String ID: 1347986415-4122110429
Opcode ID: f3625956b1ff6e516f56da58d55d27a7ac63a458bf1a20c5410d74d164e79c39
Instruction ID: 59f74909b349a33b6475207b5f853ff20070b484688de314480eaca604d30936
Opcode Fuzzy Hash: f3625956b1ff6e516f56da58d55d27a7ac63a458bf1a20c5410d74d164e79c39
Instruction Fuzzy Hash: CC627372A18BC589E7218F28E8403ED7761F749B98F505225EB9C47B9EEF38D694C700

Function 00007FF6B5369F80 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B536A134
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B536A142
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B536A3C5
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B536A3D3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536A570
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536A576
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536A599
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536A59F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536A5A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536A5C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536A5CE

Strings

value, xrefs: 00007FF6B536A05A, 00007FF6B536A2F3

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: value
API String ID: 1346393832-494360628
Opcode ID: 77c398e42319cb3f72657f0fcf0c0d1a16adf19cfbf0f7d3d9d4373457347ef9
Instruction ID: 39683d77232cd29888ea9d8c1b093f2cbe0daf8e725f63d0fd125c8425b144fa
Opcode Fuzzy Hash: 77c398e42319cb3f72657f0fcf0c0d1a16adf19cfbf0f7d3d9d4373457347ef9
Instruction Fuzzy Hash: D902A262A2CBC185EB41CB78D4402ED6760EB85BA4F105235FB9D86BDEEF2CD984C300

Function 00007FF6B539C600 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B539F820: GetCurrentProcess.KERNEL32 ref: 00007FF6B539F85B
Part of subcall function 00007FF6B539F820: OpenProcessToken.ADVAPI32 ref: 00007FF6B539F86E
Part of subcall function 00007FF6B539F820: GetTokenInformation.KERNELBASE ref: 00007FF6B539F8AA
Part of subcall function 00007FF6B539F820: CloseHandle.KERNEL32 ref: 00007FF6B539F8CB

ExitProcess.KERNEL32 ref: 00007FF6B539C647
OpenMutexA.KERNEL32 ref: 00007FF6B539C762
ExitProcess.KERNEL32 ref: 00007FF6B539C772

Part of subcall function 00007FF6B539FB60: GetModuleFileNameW.KERNEL32 ref: 00007FF6B539FBAA

Part of subcall function 00007FF6B53AA780: CoInitializeEx.OLE32 ref: 00007FF6B53AA7EA

Strings

SeImpersonatePrivilege, xrefs: 00007FF6B539C65A
SeDebugPrivilege, xrefs: 00007FF6B539C64E

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Process$ExitOpenToken$CloseCurrentFileHandleInformationInitializeModuleMutexName
String ID: SeDebugPrivilege$SeImpersonatePrivilege
API String ID: 3348294976-3768118664
Opcode ID: 617da249283f2d9320b64a1b23aee101a8acda4f9b5654c5cc8d1f0bc494ee8f
Instruction ID: 38d22b5f0917eef4cc4e3847999d9e2b307e24a0ff85aba664834acc6f77efca
Opcode Fuzzy Hash: 617da249283f2d9320b64a1b23aee101a8acda4f9b5654c5cc8d1f0bc494ee8f
Instruction Fuzzy Hash: 2A614F6292CB8681EA51AB6CB4552FE6350EF89B80F505535E78EC279FFF2CE8458700

Function 00007FF6B5385970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

prefs.js, xrefs: 00007FF6B538E5E2
., xrefs: 00007FF6B5385C70
chrome_key, xrefs: 00007FF6B538C851, 00007FF6B538C97F
key, xrefs: 00007FF6B538C60E, 00007FF6B538C740
exists, xrefs: 00007FF6B5385F90, 00007FF6B538A58E, 00007FF6B538A5DE, 00007FF6B538A6AC, 00007FF6B538A76E, 00007FF6B538A83C, 00007FF6B538CA70, 00007FF6B538D060, 00007FF6B538F48D, 00007FF6B538F779
recursive_directory_iterator::recursive_directory_iterator, xrefs: 00007FF6B538A68F, 00007FF6B538A6C9, 00007FF6B538A81F
@, xrefs: 00007FF6B5389B9B
cannot use push_back() with , xrefs: 00007FF6B538A625, 00007FF6B538A6FE, 00007FF6B538A7B5, 00007FF6B538DDD5
directory_iterator::directory_iterator, xrefs: 00007FF6B538A5A5, 00007FF6B538A853, 00007FF6B538A875, 00007FF6B538A8AD, 00007FF6B538CA83, 00007FF6B538DE23, 00007FF6B538F4A4, 00007FF6B538F78C
recursive_directory_iterator::operator++, xrefs: 00007FF6B538A678, 00007FF6B538A745, 00007FF6B538A808
content, xrefs: 00007FF6B5386EB7, 00007FF6B53879CA, 00007FF6B538845D, 00007FF6B5388F0A, 00007FF6B53898AE, 00007FF6B538A03E, 00007FF6B538D6B3, 00007FF6B538DB94
@, xrefs: 00007FF6B538A32B
filename, xrefs: 00007FF6B5386D9C, 00007FF6B53878E3, 00007FF6B5388376, 00007FF6B5388E23, 00007FF6B5389793, 00007FF6B5389F35, 00007FF6B538D5FC, 00007FF6B538DAE0
status, xrefs: 00007FF6B538A5B5, 00007FF6B538A600, 00007FF6B538A6D9, 00007FF6B538A790, 00007FF6B538A863, 00007FF6B538A885, 00007FF6B538A89B, 00007FF6B538A8BD, 00007FF6B538CA99, 00007FF6B538DE11, 00007FF6B538DE33, 00007FF6B538DE5B, 00007FF6B538DE83, 00007FF6B538F764

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: .$@$@$cannot use push_back() with $chrome_key$content$directory_iterator::directory_iterator$exists$filename$key$prefs.js$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 0-4287193513
Opcode ID: 8adc91dd6644a2bfb7387dc78b72df08f999bd5353c1b7ff9b33895fcf5abe12
Instruction ID: 44ad5dabc259d73000878a760fd8a374393dca132db6d4cd5ff22c8d92563c0d
Opcode Fuzzy Hash: 8adc91dd6644a2bfb7387dc78b72df08f999bd5353c1b7ff9b33895fcf5abe12
Instruction Fuzzy Hash: 7EC1B022A18B8296EB298E29D4841F963A0FB55F94F544231EB5DC378AFF7CEC41C701

Function 00007FF6B53A5240 Relevance: 16.9, APIs: 11, Instructions: 408networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 00007FF6B53A540B
InternetOpenUrlA.WININET ref: 00007FF6B53A54E8
HttpQueryInfoW.WININET ref: 00007FF6B53A5549
HttpQueryInfoW.WININET ref: 00007FF6B53A55E2
InternetQueryDataAvailable.WININET ref: 00007FF6B53A5626
InternetReadFile.WININET ref: 00007FF6B53A56E9
InternetQueryDataAvailable.WININET ref: 00007FF6B53A57B4
InternetCloseHandle.WININET ref: 00007FF6B53A585E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A58AF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A58B5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53A58BB

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Internet$Query$AvailableDataHttpInfoOpen_invalid_parameter_noinfo_noreturn$CloseConcurrency::cancel_current_taskFileHandleRead
String ID:
API String ID: 1352168858-0
Opcode ID: 58f98962fe06158b31631e628ad7e1738d27d0a2909a2e7e3a0f022cf9efdd7e
Instruction ID: 7df8b25cd10ab0949d65f48602e1949abeb35507c7e88b257e4d93ff73195689
Opcode Fuzzy Hash: 58f98962fe06158b31631e628ad7e1738d27d0a2909a2e7e3a0f022cf9efdd7e
Instruction Fuzzy Hash: 4902A532A28B9585EB10CB69E8403AE77B5FB95B94F100225EF9C57B99EF7CD490C700

Function 00007FF6B535E610 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 328processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6B535E65A
Process32FirstW.KERNEL32 ref: 00007FF6B535E69C
Process32NextW.KERNEL32 ref: 00007FF6B535E893
CloseHandle.KERNEL32 ref: 00007FF6B535EB0A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535EBA3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535EBA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535EBAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535EBB5

Strings

[PID: , xrefs: 00007FF6B535E6DE

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: [PID:
API String ID: 1946380282-2210602247
Opcode ID: 75960466dfb22bb2a306a6a9d77edd6b0067b15d627c6204e9c6655a97bc35d8
Instruction ID: 35af94510fc47a7b73ac0aaf1e98abc150bb9934eff8e7a23a95ec8701e17849
Opcode Fuzzy Hash: 75960466dfb22bb2a306a6a9d77edd6b0067b15d627c6204e9c6655a97bc35d8
Instruction Fuzzy Hash: BBE1B572A18BC185EB21CB29E4803ED77A1F789B94F505225EB9D47B9EEF38D644C700

Function 00007FF6B535ECB0 Relevance: 15.7, APIs: 10, Instructions: 715COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9B3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9B9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9BF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535F9D7

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 5247411f787a999a7cf2db075e4552cc8a45f43d7f137c5f7f86f5096a64e4da
Instruction ID: 6f12ecceb7effdb160ae374bf78da21601042cfa22ceb45afda4ad8b713c4714
Opcode Fuzzy Hash: 5247411f787a999a7cf2db075e4552cc8a45f43d7f137c5f7f86f5096a64e4da
Instruction Fuzzy Hash: 31725F62A19BC585EB208B69E8403ED73A1F789B98F505325EF9C57B9EEF38D540C700

Function 00007FF6B539F020 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 451fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32 ref: 00007FF6B539F261
SetFilePointer.KERNEL32 ref: 00007FF6B539F314
ReadFile.KERNEL32 ref: 00007FF6B539F343
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539F7D7

Strings

ios_base::eofbit set, xrefs: 00007FF6B539F784
ios_base::failbit set, xrefs: 00007FF6B539F77D
exists, xrefs: 00007FF6B539F7CA
ios_base::badbit set, xrefs: 00007FF6B539F771, 00007FF6B539F7EF

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: File$PointerReadSize_invalid_parameter_noinfo_noreturn
String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2478245620-15404121
Opcode ID: 8cdf98b74691f3bd8b70ec143bc6e60ee69bb8cc810ea23612f5f3421e56b4bf
Instruction ID: 33108a6fd6557c3e8e372c84c8698d1c33ff8da07bf18db9d8c7d002c6756fd7
Opcode Fuzzy Hash: 8cdf98b74691f3bd8b70ec143bc6e60ee69bb8cc810ea23612f5f3421e56b4bf
Instruction Fuzzy Hash: 7A320762A14BC589EB21CF28D8803ED37A1FB45B88F508236DB4D97B5AEF79D945C700

Function 00007FF6B53C2E3C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6B53C2E81

Part of subcall function 00007FF6B53C24E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C24FC

Part of subcall function 00007FF6B53BD3C8: RtlFreeHeap.NTDLL ref: 00007FF6B53BD3DE
Part of subcall function 00007FF6B53BD3C8: GetLastError.KERNEL32 ref: 00007FF6B53BD3E8

Part of subcall function 00007FF6B53B8284: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6B53B8233,?,?,?,?,-2723E8D8DEBC5093,00007FF6B53B811E), ref: 00007FF6B53B828D
Part of subcall function 00007FF6B53B8284: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6B53B8233,?,?,?,?,-2723E8D8DEBC5093,00007FF6B53B811E), ref: 00007FF6B53B82B2

Part of subcall function 00007FF6B53CBA84: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53CB9CF

_get_daylight.LIBCMT ref: 00007FF6B53C2E70

Part of subcall function 00007FF6B53C2548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C255C

_get_daylight.LIBCMT ref: 00007FF6B53C30E6
_get_daylight.LIBCMT ref: 00007FF6B53C30F7
_get_daylight.LIBCMT ref: 00007FF6B53C3108
GetTimeZoneInformation.KERNEL32(00007FF6B53C33F8), ref: 00007FF6B53C312F

Strings

Eastern Summer Time, xrefs: 00007FF6B53C31ED
Eastern Standard Time, xrefs: 00007FF6B53C31D5

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: d27e707e32a7a668b79f18f39980f86f66c1361dc0c94ac41fd5faca01788e5a
Instruction ID: a54dc65e98f5db2a139418ac3f04b9c772e07708bfab086f58a0cab4fe105f78
Opcode Fuzzy Hash: d27e707e32a7a668b79f18f39980f86f66c1361dc0c94ac41fd5faca01788e5a
Instruction Fuzzy Hash: 7AD18D62A2876286EB24AF2DD8901F96761EF84F94F444135EB5D8778BEF3CEC418740

Function 00007FF6B53E0658 Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B53E023C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53E027D
Part of subcall function 00007FF6B53E023C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53E02FB
Part of subcall function 00007FF6B53E023C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53E034C

CreateFileW.KERNEL32 ref: 00007FF6B53E075E
CreateFileW.KERNEL32 ref: 00007FF6B53E07AE
GetLastError.KERNEL32 ref: 00007FF6B53E07DE
GetFileType.KERNEL32 ref: 00007FF6B53E07F3
GetLastError.KERNEL32 ref: 00007FF6B53E07FD
CloseHandle.KERNEL32 ref: 00007FF6B53E0830
CloseHandle.KERNEL32 ref: 00007FF6B53E0993
CreateFileW.KERNEL32 ref: 00007FF6B53E09C8
GetLastError.KERNEL32 ref: 00007FF6B53E09D7

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction ID: 1c70c53ab177eb98d4c2651f2db87097b7118635a8af0fc01fe6053cc255d504
Opcode Fuzzy Hash: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction Fuzzy Hash: 45C1B132B34A4685EB11DFA9C4806EC37A1EB49F98F011235DB1E9739AEF38E851C310

Function 00007FF6B53C30B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6B53C30E6

Part of subcall function 00007FF6B53C2548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C255C

_get_daylight.LIBCMT ref: 00007FF6B53C30F7

Part of subcall function 00007FF6B53C24E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C24FC

_get_daylight.LIBCMT ref: 00007FF6B53C3108

Part of subcall function 00007FF6B53C2518: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C252C

Part of subcall function 00007FF6B53BD3C8: RtlFreeHeap.NTDLL ref: 00007FF6B53BD3DE
Part of subcall function 00007FF6B53BD3C8: GetLastError.KERNEL32 ref: 00007FF6B53BD3E8

GetTimeZoneInformation.KERNEL32(00007FF6B53C33F8), ref: 00007FF6B53C312F

Strings

Eastern Summer Time, xrefs: 00007FF6B53C31ED
Eastern Standard Time, xrefs: 00007FF6B53C31D5

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: a0b2f147c5ed72e73a9ba99eccd64d774068bd057930b9dd808764ab5dc4e304
Instruction ID: e8d6cec729c0522d96386dcc6ede800e19ee2b6410641c46df26537982de0e59
Opcode Fuzzy Hash: a0b2f147c5ed72e73a9ba99eccd64d774068bd057930b9dd808764ab5dc4e304
Instruction Fuzzy Hash: 5A510C32A2875286EB20EF29E8915F96760BB48B84F445535EB4DC779BEF3CE8418740

Function 00007FF6B53B918C Relevance: 9.2, APIs: 6, Instructions: 227COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B91AE
_get_daylight.LIBCMT ref: 00007FF6B53B920E
_get_daylight.LIBCMT ref: 00007FF6B53B921F
_get_daylight.LIBCMT ref: 00007FF6B53B9230
_isindst.LIBCMT ref: 00007FF6B53B9281
_isindst.LIBCMT ref: 00007FF6B53B92D4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction ID: 6c5b0ee35035a43eab4a1dd6f2f891e74d46b0170c7d5d8b2d3d9d8f801e29eb
Opcode Fuzzy Hash: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction Fuzzy Hash: 0481A2B3B147464BEB589F29C9512E862A5EB54F88F049135DB0D8A78AFF3CE9508B40

Function 00007FF6B53A6860 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A6C4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A6C51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A6C57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A6C5D

Strings

cores, xrefs: 00007FF6B53A6ABE

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: cores
API String ID: 3668304517-2370456839
Opcode ID: a628815777d8d6e0677710be88961967982185a8745b0d9ccb59981e844e2b87
Instruction ID: 9e25c96ffd2a3940396abb04b3cdcbd8f33ae615166812eb14f429c4dc037774
Opcode Fuzzy Hash: a628815777d8d6e0677710be88961967982185a8745b0d9ccb59981e844e2b87
Instruction Fuzzy Hash: D3C1E263E18B818AFB10CB78D4413EC7761E799BA8F105325EB9C56B9AEF38D581C340

Function 00007FF6B53AB9B0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6B53AB9FE
OpenProcessToken.ADVAPI32 ref: 00007FF6B53ABA11
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6B53ABA32
AdjustTokenPrivileges.KERNELBASE ref: 00007FF6B53ABA78
CloseHandle.KERNEL32 ref: 00007FF6B53ABA98

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction ID: 43fd5498028af3046d34df55629b8ff7f369e625777c81f785d9e078f99e50b4
Opcode Fuzzy Hash: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction Fuzzy Hash: B6216F32628B8186E760CB55F45439AB7A0FB88F80F558135EB8D83B5DEF7CD9458B40

Function 00007FF6B53720F6 Relevance: 5.4, Strings: 4, Instructions: 412COMMON

Download Yara Rule

Strings

object separator, xrefs: 00007FF6B537272E
object, xrefs: 00007FF6B5372679
object key, xrefs: 00007FF6B53727E3
array, xrefs: 00007FF6B53725C4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: array$object$object key$object separator
API String ID: 0-2277530871
Opcode ID: 3e03f4fe6082dd8bdd1905404cf0848dc19667640bf96f70ae9083624029563c
Instruction ID: 764edc78285676c635f544233c5492f13da4b8a8ea79856d68c3b8d9d0b93a76
Opcode Fuzzy Hash: 3e03f4fe6082dd8bdd1905404cf0848dc19667640bf96f70ae9083624029563c
Instruction Fuzzy Hash: 10028162E28A8696EA10DF78C4915FD2361FB95B84F405236EB4D8779BEF68E944C300

Function 00007FF6B534F730 Relevance: 4.8, APIs: 3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950a1ac75f399888271c1bcfc662195e87ef4bc118ea6b993eee68fc0321c217
Instruction ID: d13cc2c9c101fef6eab22dbbf7632494a2d77951f7dcf58ca796f5487a4b3181
Opcode Fuzzy Hash: 950a1ac75f399888271c1bcfc662195e87ef4bc118ea6b993eee68fc0321c217
Instruction Fuzzy Hash: 43F15072A19F8489EB208B69E44139D77A0F789798F104325EFDC56B9DEF39C5908700

Function 00007FF6B5350450 Relevance: 4.8, APIs: 3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47f2d0b512ce9e7f670028296a07e4266ed9dbc5b54f7c97ff352ec49747c77
Instruction ID: 1e9d9f98e035d3ba86fdc7ca3773e9f1d13f4c17b6fb4a49d4836d0e6ebff256
Opcode Fuzzy Hash: a47f2d0b512ce9e7f670028296a07e4266ed9dbc5b54f7c97ff352ec49747c77
Instruction Fuzzy Hash: 5AF16F72A19F848AEB618B69E44039D77A0F78CB98F101325EFDC56B99EF38D5908740

Function 00007FF6B534FE20 Relevance: 4.8, APIs: 3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546c152f43f225051bdbc3a30ff509b75e6cae975be057ce56b515eef410c0ab
Instruction ID: 8d4738beabbf8f205848e4453b3864bfa5562204d107e4befbf5b14101a50d59
Opcode Fuzzy Hash: 546c152f43f225051bdbc3a30ff509b75e6cae975be057ce56b515eef410c0ab
Instruction Fuzzy Hash: 4DF16F72A19F848AEB618B69E44039D77A0F78CB98F105325EFDC56B99EF3CD5908700

Function 00007FF6B53A76A0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 00007FF6B53A79D0

Strings

[UTC, xrefs: 00007FF6B53A79A3

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: InformationTimeZone
String ID: [UTC
API String ID: 565725191-1715286942
Opcode ID: 18a376713eb675e677f19022e6b5794e3e33c7ac33213d638e3d988cc9ced565
Instruction ID: 65928e8579a4623a20f903cd34b166d628b7c78ae9c5367d45786f3132320c87
Opcode Fuzzy Hash: 18a376713eb675e677f19022e6b5794e3e33c7ac33213d638e3d988cc9ced565
Instruction Fuzzy Hash: 23B14C32919BC889D7718F29E84129AB7A4F78DB88F105325EBCC57B59EF78D250CB40

Function 00007FF6B53A73F0 Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 00007FF6B53A7461

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: DriveLogicalStrings
String ID:
API String ID: 2022863570-0
Opcode ID: 8e3b062baa65b3adcedbfaa3c8c3a2baafa25a4fda972cf0885935351d305318
Instruction ID: d123dedb7c55fd8a5e0414c67e4b3a605ff3000ffb454b260b41c905cfd6e0cf
Opcode Fuzzy Hash: 8e3b062baa65b3adcedbfaa3c8c3a2baafa25a4fda972cf0885935351d305318
Instruction Fuzzy Hash: B4517332A18B8182EB10CF28E4803AD7775FB85B94F145225EB9C53BA9EF7CE591D740

Function 00007FF6B5397BA0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF6B5397BF8
LocalFree.KERNEL32 ref: 00007FF6B5397C8A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction ID: 02b2bcc5e933a11799bf311465c60c6037e18b05a210be82c1f68abbb9962078
Opcode Fuzzy Hash: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction Fuzzy Hash: 32411932A28B81CAE3208F74D4403ED37A4F759B4CF444635EB8D46E8AEF79D5648754

Function 00007FF6B5351B90 Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351FD2

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: e270d5c61eaf5cd8cbdd31763e29726b838d3f2bbb78946553259ec46c5a0162
Instruction ID: 29afc45beb768e59d18d89314ffa2b1f0136ba391033b7cb7f4692f660f79aa5
Opcode Fuzzy Hash: e270d5c61eaf5cd8cbdd31763e29726b838d3f2bbb78946553259ec46c5a0162
Instruction Fuzzy Hash: FDD15D62F18B8189F711CB78D4403EC37B2AB59B4CF055225EB8C66B9AEF389590C384

Function 00007FF6B53A6150 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FF6B53A6195

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 543acbdf146a9e7b635a600a3cba3d05f3b2ef6cd278b1f660c9ea2185c3ff0f
Instruction ID: c2fbcab9b09397aa937a8fd5c1d537920d431776ff68a4a8b206eb96735751ab
Opcode Fuzzy Hash: 543acbdf146a9e7b635a600a3cba3d05f3b2ef6cd278b1f660c9ea2185c3ff0f
Instruction Fuzzy Hash: 9F01653291878182EB21CF15E8413EEB3A4FB98B84F441131E78D8274AEFBCD595CB40

Function 00007FF6B53AD050 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\u%04x, xrefs: 00007FF6B53AD242

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: \u%04x
API String ID: 0-2916071157
Opcode ID: 9ac3e7affe24433a80f30ef63aa62ecbe97607ee0ab98c7cb77dcaf1733d29dc
Instruction ID: 6094ccac40004b49a5e723892b23372168480036a7b61332ace1d8d04c6bc5f7
Opcode Fuzzy Hash: 9ac3e7affe24433a80f30ef63aa62ecbe97607ee0ab98c7cb77dcaf1733d29dc
Instruction Fuzzy Hash: BA81C462A2868581FE54DB69D5506FE6760FB85F80F848432DB4E8379AFF3CEA15C340

Function 00007FF6B53AC5CB Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

": , xrefs: 00007FF6B53AC6B1, 00007FF6B53AC75E

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: ":
API String ID: 0-3662656813
Opcode ID: 9785e1fa8e8452fe1f27990b068c258e0a1e89e149615b17a0c92ef7e8177fa0
Instruction ID: ee7977bc6af9c54cabb04490a8cc5708f3f4b606898e240bd724772efc97afc8
Opcode Fuzzy Hash: 9785e1fa8e8452fe1f27990b068c258e0a1e89e149615b17a0c92ef7e8177fa0
Instruction Fuzzy Hash: 29917C76708A8A81DB20DF2AD1942AD73A1F789FC8F449022DF9D47B69DF39D958C700

Function 00007FF6B5365310 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00007FF6B5365399

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 0-1713319389
Opcode ID: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction ID: 65a21fab81abaf54d29400acb92301c69b097110571a7f00503357c193255c07
Opcode Fuzzy Hash: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction Fuzzy Hash: C541D46362D7E04AD702CB3984112BD7FB2D366F88B1C8162E7D88774BDA2DD616C711

Function 00007FF6B539EBF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B539E970: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF6B539E9C1
Part of subcall function 00007FF6B539E970: GetLastError.KERNEL32 ref: 00007FF6B539E9CB

EnterCriticalSection.KERNEL32 ref: 00007FF6B539EC31
GdiplusStartup.GDIPLUS ref: 00007FF6B539EC58
LeaveCriticalSection.KERNEL32 ref: 00007FF6B539EC66
LeaveCriticalSection.KERNEL32 ref: 00007FF6B539EC94
GdipGetImageEncodersSize.GDIPLUS ref: 00007FF6B539ECA2
GdipGetImageEncoders.GDIPLUS ref: 00007FF6B539ED36
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF6B539EE00
GdipSaveImageToStream.GDIPLUS ref: 00007FF6B539EE1E
GdipDisposeImage.GDIPLUS ref: 00007FF6B539EE83
GdipDisposeImage.GDIPLUS ref: 00007FF6B539EE97

Strings

&, xrefs: 00007FF6B539EDFA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
String ID: &
API String ID: 1703174404-3042966939
Opcode ID: dd964381881d80bb3d13f7f21f812b9ad7ab8c9b9795b3d442a88d8ae0dd4017
Instruction ID: a26cc16a56237e307fb10644b55aeb920f6c68407f2def5c4159ed1e85a59710
Opcode Fuzzy Hash: dd964381881d80bb3d13f7f21f812b9ad7ab8c9b9795b3d442a88d8ae0dd4017
Instruction Fuzzy Hash: AE918172A14B4299E7208F28D8005E837A0FB48F98F554535DB4E87B9AEF3CED51D340

Function 00007FF6B539FCA0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 226
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B53A58D0: GetUserGeoID.KERNEL32 ref: 00007FF6B53A58F7
Part of subcall function 00007FF6B53A58D0: GetGeoInfoA.KERNEL32 ref: 00007FF6B53A5911
Part of subcall function 00007FF6B53A58D0: GetGeoInfoA.KERNEL32 ref: 00007FF6B53A5961

Part of subcall function 00007FF6B5361900: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53619D4

WSAStartup.WS2_32 ref: 00007FF6B539FDBE
socket.WS2_32 ref: 00007FF6B539FDDB
htons.WS2_32 ref: 00007FF6B539FE00
inet_pton.WS2_32 ref: 00007FF6B539FE42
connect.WS2_32 ref: 00007FF6B539FE5C
closesocket.WS2_32 ref: 00007FF6B539FE7B
WSACleanup.WS2_32 ref: 00007FF6B539FE81
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A0025
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A002B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A0031

Strings

system, xrefs: 00007FF6B539FD2A
geo, xrefs: 00007FF6B539FD6B

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
String ID: geo$system
API String ID: 2440148987-2364779556
Opcode ID: 02e0bb30d50e4f60a1a390282dc6d7d1ef9c07bed104d2a4ba7a7becf75d310b
Instruction ID: 1644aeeccf4b5dfe57a14c0fa2a6ca92c53d1fadc522c1e479c7abce5ff8a0b7
Opcode Fuzzy Hash: 02e0bb30d50e4f60a1a390282dc6d7d1ef9c07bed104d2a4ba7a7becf75d310b
Instruction Fuzzy Hash: B3B1A062F28B8285FB01DBA8E4402EC2371AB55B98F415236DB5D977AFEE38D945C340

Function 00007FF6B53A4A30 Relevance: 19.9, APIs: 13, Instructions: 417
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32 ref: 00007FF6B53A4C0C
recv.WS2_32 ref: 00007FF6B53A50EC
closesocket.WS2_32 ref: 00007FF6B53A50FE
WSACleanup.WS2_32 ref: 00007FF6B53A5104
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A51FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A5202
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A5208
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A520E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A5214
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A521A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A5226
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A522C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A5232

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$recv$Cleanupclosesocket
String ID:
API String ID: 3402187201-0
Opcode ID: e4049c0f03e734e85074100bd3b76624debaa060f52d0637e420a22afa0280fc
Instruction ID: 1c443b530f00e6a2ee0cb672f75de4c6df909b3e974bf9ab656f4d55ba2b97a6
Opcode Fuzzy Hash: e4049c0f03e734e85074100bd3b76624debaa060f52d0637e420a22afa0280fc
Instruction Fuzzy Hash: 3B125472A28BC141EE619B18E4453EE6751EB89B90F505631D79D86BDFEF7CD880C700

Function 00007FF6B53A7A84 Relevance: 16.9, APIs: 11, Instructions: 356COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A7FE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A7FE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A7FEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A7FF2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A7FF8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A7FFE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A8004
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A800A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A8010
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A8016
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A801C

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d330a8cb40c11d9bbda9cd3e9dcd861a0136ce310c17c43692026fbbce82bec1
Instruction ID: eddbbf1cb33532c41c3455862ccaba18e98c942b3508df31b9006d06c063cbb7
Opcode Fuzzy Hash: d330a8cb40c11d9bbda9cd3e9dcd861a0136ce310c17c43692026fbbce82bec1
Instruction Fuzzy Hash: 13E1D2A3E28BC145EF119B38C4453ED6711EB99BA4F105721EB6C46BDFEFB895818340

Function 00007FF6B53C092C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C0D59

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f3fc50aa6c1617f97820c214b6f357f8593fa625a947542fe4ec2dfdbb2d532b
Instruction ID: b4fa5d3b5f6cb7f0471ba367aff91342a265530acf6626e81f4413df0dd0a475
Opcode Fuzzy Hash: f3fc50aa6c1617f97820c214b6f357f8593fa625a947542fe4ec2dfdbb2d532b
Instruction Fuzzy Hash: 6DC1DE22A2CBD281EA62AB5894042FD7BA1FB81F80F554131DB4D8739BEF7CEC458700

Function 00007FF6B53A7151 Relevance: 9.2, APIs: 6, Instructions: 163registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6B53A7169
RegEnumKeyExA.KERNEL32 ref: 00007FF6B53A71AE
RegCloseKey.ADVAPI32 ref: 00007FF6B53A73A4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A73D7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A73E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A73E9

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseEnumOpen
String ID:
API String ID: 2177193445-0
Opcode ID: a7c187bf2d3df3035d1c32dd6db5852f892d83f129299faf2889f6e133470741
Instruction ID: e51aa3ad6b6964cb0f1bf4e55652917cfdd915330b2ba698a6a2b037501f3b2d
Opcode Fuzzy Hash: a7c187bf2d3df3035d1c32dd6db5852f892d83f129299faf2889f6e133470741
Instruction Fuzzy Hash: B9717472A18B4685EB10CB69E4843AD6760FB45BA8F100225EFAD57BDAEF7CD481C740

Function 00007FF6B539EA50 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF6B539EA93
EnterCriticalSection.KERNEL32 ref: 00007FF6B539EAA5
EnterCriticalSection.KERNEL32 ref: 00007FF6B539EAB5
GdiplusShutdown.GDIPLUS ref: 00007FF6B539EAC3
LeaveCriticalSection.KERNEL32 ref: 00007FF6B539EAD0
LeaveCriticalSection.KERNEL32 ref: 00007FF6B539EADA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: f5a1ecfcc53808b035d0d15b7c47fae7049546fa7d089acffeffd9e0bb2d86bb
Instruction ID: 90a5401d07c77c33b00549cccaf637fbfbe84f7bce4a9e30423a42283485e1f8
Opcode Fuzzy Hash: f5a1ecfcc53808b035d0d15b7c47fae7049546fa7d089acffeffd9e0bb2d86bb
Instruction Fuzzy Hash: BB112B32525B5291EB109F29E8400AD7774FB48F64B684335D76E827BAEF38DC96C340

Function 00007FF6B538F7A0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538FB09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538FB0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538FB15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538FB1B

Strings

exists, xrefs: 00007FF6B538FAE7, 00007FF6B538FAFC

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: exists
API String ID: 3668304517-2996790960
Opcode ID: e0ca86984dcd63806b142e340e89520d029b4b1e41b0c09aa18580b05522bf4e
Instruction ID: 5c789cc37886c0e82381b26a4ccebedb4f7ce1fd8835502d855c130ef731dc32
Opcode Fuzzy Hash: e0ca86984dcd63806b142e340e89520d029b4b1e41b0c09aa18580b05522bf4e
Instruction Fuzzy Hash: 73A18472A24B8596EB14DF2CD8402ED6361FB84B98F105635EB5C87B9EEF39D981C700

Function 00007FF6B538CAB0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538CE19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538CE1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538CE25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B538CE2B

Strings

exists, xrefs: 00007FF6B538CDF7, 00007FF6B538CE0C

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: exists
API String ID: 3668304517-2996790960
Opcode ID: e207551f326048aa0344b556460f67db7219f5dab07e3a915515719821886c2f
Instruction ID: 57f25be4d461463c32602c025a3ed592fdf1dca14505f7595681fa226de70847
Opcode Fuzzy Hash: e207551f326048aa0344b556460f67db7219f5dab07e3a915515719821886c2f
Instruction Fuzzy Hash: FCA18372A24B8585EB149F2CE8402ED6361FB48B98F145631EB5D87BEEEF38D941C340

Function 00007FF6B53A70E0 Relevance: 7.6, APIs: 5, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6B53A7169
RegEnumKeyExA.KERNEL32 ref: 00007FF6B53A71AE

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: 69580b2b5a3aab25ec6d1d344f29727ed6fdfb6e770ce3ab2c6c0fb9dc78db39
Instruction ID: 2b2370c500f64bdff8d0e44a0b1ae6d858940e6985298093304468596114b1f5
Opcode Fuzzy Hash: 69580b2b5a3aab25ec6d1d344f29727ed6fdfb6e770ce3ab2c6c0fb9dc78db39
Instruction Fuzzy Hash: AB31B132A14B8685EB20CFA5E8506EE73A4FB44B98F200225EF9D57B59EF7CD491C700

Function 00007FF6B53A0040 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 333COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A064D

Strings

exists, xrefs: 00007FF6B53A0663
ios_base::badbit set, xrefs: 00007FF6B53A0685, 00007FF6B53A06BC, 00007FF6B53A06FA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: exists$ios_base::badbit set
API String ID: 3668304517-2074760687
Opcode ID: 8d76c458315178a25db09c9fdcb847d61e55080ddf0c55f8758765ae8eff06c0
Instruction ID: 95ba579b3f14d6a8b7d3fb0e0f56e6a1b97a6dbc2e3ad9239abb8b40f079e738
Opcode Fuzzy Hash: 8d76c458315178a25db09c9fdcb847d61e55080ddf0c55f8758765ae8eff06c0
Instruction Fuzzy Hash: 5EF11072A1D7C691EA61DB18E4943EE6360FBC5B44F404136DB8D82AAEEF7CD905CB00

Function 00007FF6B53A0730 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

exists, xrefs: 00007FF6B53A0D3B
ios_base::badbit set, xrefs: 00007FF6B53A0D5D, 00007FF6B53A0D94, 00007FF6B53A0DD2

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: exists$ios_base::badbit set
API String ID: 0-2074760687
Opcode ID: 086b57f9886700431aaf3c7483acab306003d5ac3e84676a1be3477eb7fef4fe
Instruction ID: a8fbedef54e52041556fb32be396106ad55b69319d7db96af6f6f303b20d33df
Opcode Fuzzy Hash: 086b57f9886700431aaf3c7483acab306003d5ac3e84676a1be3477eb7fef4fe
Instruction Fuzzy Hash: 00F11172619BC691EA21DB18E4943EE6360FB84B44F404136DB8D87BAEEF7CD945CB40

Function 00007FF6B5357AA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B53A73F0: GetLogicalDriveStringsW.KERNEL32 ref: 00007FF6B53A7461

Part of subcall function 00007FF6B5357AA0: FindFirstFileW.KERNEL32 ref: 00007FF6B5356E8F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5357C0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5357C15

Strings

content, xrefs: 00007FF6B535755F
filename, xrefs: 00007FF6B535746A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$DriveFileFindFirstLogicalStrings
String ID: content$filename
API String ID: 3820383557-474635906
Opcode ID: fa5208d88c68d2acc46f28a84c02dd075b818341273278fff3188706dd4d5c7b
Instruction ID: 6dd44b55fb75bd3de36facfc0b120d12a74ed534efbe58bae268ffe51d94bd80
Opcode Fuzzy Hash: fa5208d88c68d2acc46f28a84c02dd075b818341273278fff3188706dd4d5c7b
Instruction Fuzzy Hash: 30416662E2864141ED219B19F0402EEA751EB89FF4F181731EBAD477DFEE6CD9818700

Function 00007FF6B5368560 Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53686A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53686A6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B536879F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53687A5

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: c982040780983701d7c8c68c8f15831c94ac4fcd0ba8b68d463e439d02204967
Instruction ID: b4adbb7d9838145ede69c00ce3733d5ea1df3c1545e1defaa23ce106cdc2789c
Opcode Fuzzy Hash: c982040780983701d7c8c68c8f15831c94ac4fcd0ba8b68d463e439d02204967
Instruction Fuzzy Hash: E451D962B2D74145EE659B19A5003F9A291AB08FE4F580635DF6D877CFFE7CD8918300

Function 00007FF6B539F820 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6B539F85B
OpenProcessToken.ADVAPI32 ref: 00007FF6B539F86E
GetTokenInformation.KERNELBASE ref: 00007FF6B539F8AA
CloseHandle.KERNEL32 ref: 00007FF6B539F8CB

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction ID: 7f109c17ae6a7d224b0b712147b778a811bfc1083729d1c459f10287a2ff637f
Opcode Fuzzy Hash: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction Fuzzy Hash: A2110D72629B8182E7519B15F44039AB7A0FB88F80F545135EB9D87B6DDF3CD845CB40

Function 00007FF6B5361EB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B536209C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53620A2

Strings

, xrefs: 00007FF6B5361F33

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-3916222277
Opcode ID: b0b8d49bc1df27a546c8eec398477bcb107d70757808efc6048da727df17449e
Instruction ID: da2472f720c4ee6d5ef4cd52530dc292f986ada93d9d22c40483306b39fdf38d
Opcode Fuzzy Hash: b0b8d49bc1df27a546c8eec398477bcb107d70757808efc6048da727df17449e
Instruction Fuzzy Hash: 8B519032A18B4686EB158F2AD1902AC7360FB48F90F554635DF4D87BAADF7DE861C300

Function 00007FF6B53A6460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegGetValueA.KERNEL32 ref: 00007FF6B53A64C9

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF6B53A64BB
ProductName, xrefs: 00007FF6B53A64B4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Value
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3702945584-1787575317
Opcode ID: d87b399df5c9077b40aef7209b4abd77c2f618c6539b482bda78f483f437df22
Instruction ID: 54302e44443562b27b507d1c57e8a50156ae04a9414a32dd128973625a6ea6f7
Opcode Fuzzy Hash: d87b399df5c9077b40aef7209b4abd77c2f618c6539b482bda78f483f437df22
Instruction Fuzzy Hash: 66116032518B8582DB218F25F45039AB3A4FB89B84F504235EB9C43B59DF7CD555CB40

Function 00007FF6B53A4DB7 Relevance: 4.7, APIs: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF6B53A50EC
closesocket.WS2_32 ref: 00007FF6B53A50FE
WSACleanup.WS2_32 ref: 00007FF6B53A5104
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A521A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A5226
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A522C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A5232

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Cleanupclosesocketrecv
String ID:
API String ID: 1729841683-0
Opcode ID: 54f43d891644014835c493d497154d131fa72254285a80c0f04bf4e12e8f8f00
Instruction ID: f1e66b5c82d7cc61d3f08079574ffe3aedd0092ff647cb44683d57959efd61ce
Opcode Fuzzy Hash: 54f43d891644014835c493d497154d131fa72254285a80c0f04bf4e12e8f8f00
Instruction Fuzzy Hash: 1E914463E28BC141EE219718E4443EE6761EB85BA0F105335DBAD46BDEEF7CD8809740

Function 00007FF6B534E2A0 Relevance: 4.7, APIs: 3, Instructions: 175COMMON

Download Yara Rule

APIs

__std_fs_directory_iterator_open.LIBCPMT ref: 00007FF6B534E3D3

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: __std_fs_directory_iterator_open
String ID:
API String ID: 4007087469-0
Opcode ID: d4604204593d342e570c4926b62fada30b6957409627625e7c2239f99d44b0cf
Instruction ID: b3dd5d3b6779b761a82af4784350c85a4bd4c6688ae070fc3ad75260ede53cea
Opcode Fuzzy Hash: d4604204593d342e570c4926b62fada30b6957409627625e7c2239f99d44b0cf
Instruction Fuzzy Hash: 5D619362F24A4285EB10DB6DD4802FC23A1EB48BA4F004631DF2D967DAFE3DDD959341

Function 00007FF6B5369450 Relevance: 4.6, APIs: 3, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53694FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5369505
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536958C

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 1fcdd001bad7e88b769d8549c00ef065f4b371976f5fa0d120353f35bad732bd
Instruction ID: 0d0f8eb19c57a305dbe745e7f2d4c3b4c01cd25c51b387f1b6d69aa0dbc0bec3
Opcode Fuzzy Hash: 1fcdd001bad7e88b769d8549c00ef065f4b371976f5fa0d120353f35bad732bd
Instruction Fuzzy Hash: 7B318BB3A29B8484EF55DE28D4643FCA355EB44F88F540539DB5D8AB9AEF29C8908300

Function 00007FF6B539EED0 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF6B539EF29
CoTaskMemFree.OLE32 ref: 00007FF6B539EFEA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539F012

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: FolderFreeKnownPathTask_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2444108017-0
Opcode ID: ae204a587ab0ef826eab955bf18b5cfd079d10c08874d19813b769850f893d30
Instruction ID: 9005fac86f166d5640b39205b18f729b8f1c4de27ba79dcc5c667acf07bb0066
Opcode Fuzzy Hash: ae204a587ab0ef826eab955bf18b5cfd079d10c08874d19813b769850f893d30
Instruction Fuzzy Hash: 35318A7292878581E620CF29E44025EB761FB99BB4F105335FBAD4379AEF7CD5818740

Function 00007FF6B53CE244 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6B53CD34F), ref: 00007FF6B53CE25D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6B53CD34F), ref: 00007FF6B53CE2CF

Part of subcall function 00007FF6B53BE8BC: HeapAlloc.KERNEL32 ref: 00007FF6B53BE8FA

FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6B53CD34F), ref: 00007FF6B53CE32E

Part of subcall function 00007FF6B53BD3C8: RtlFreeHeap.NTDLL ref: 00007FF6B53BD3DE
Part of subcall function 00007FF6B53BD3C8: GetLastError.KERNEL32 ref: 00007FF6B53BD3E8

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: f79ec361922fc1fde17e438abd9a0df1426056f3875ee8e29d5efadf54f3a626
Instruction ID: 8b5eac1162c42c8e01b451eff82e5e906c194d66d19d02ff4180d1a347ed5511
Opcode Fuzzy Hash: f79ec361922fc1fde17e438abd9a0df1426056f3875ee8e29d5efadf54f3a626
Instruction Fuzzy Hash: 5331DB31A2C76281E625AF2964011BD7694BF48FD0F485235EB5E83BDBEF3CE8519300

Function 00007FF6B53A6E1B Relevance: 4.6, APIs: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6B53A6E37
RegQueryValueExA.KERNEL32 ref: 00007FF6B53A6E76
RegCloseKey.ADVAPI32 ref: 00007FF6B53A6F14

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c76bf7f6fb56c596a02d874e197e6ed852ab18b90a89a93ee840bc8b0d2acff9
Instruction ID: 6da89d90781b4ad2d63da61057c648dca6c13d404c35368584802578a7a47fe1
Opcode Fuzzy Hash: c76bf7f6fb56c596a02d874e197e6ed852ab18b90a89a93ee840bc8b0d2acff9
Instruction Fuzzy Hash: 4021A962E28B8641EE50CB29E4507AEA750FBD5FD4F405235EB8D82B5EEE2CD485C700

Function 00007FF6B53A58D0 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32 ref: 00007FF6B53A58F7
GetGeoInfoA.KERNEL32 ref: 00007FF6B53A5911
GetGeoInfoA.KERNEL32 ref: 00007FF6B53A5961

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction ID: 4ca36f9a070ef809fce401ccbb26950ef2143d7daa486b254e7778ab1822b7b4
Opcode Fuzzy Hash: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction Fuzzy Hash: 79119032A2878182DB108F65E45075EB3A1FB80FC8F055139EB8947B5AEF7CE8908B44

Function 00007FF6B53C4F60 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6B53C4F5C), ref: 00007FF6B53C4F71
TerminateProcess.KERNEL32(?,?,?,00007FF6B53C4F5C), ref: 00007FF6B53C4F7C
ExitProcess.KERNEL32 ref: 00007FF6B53C4F8B

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 38c7b4f83e553420579c8e330882a64258dcf8d372290847a19fb81a50e45df1
Instruction ID: d9af55a54f28e8c4f71c321f6062261ec07c6e64fdb08746ea802dd227622dd6
Opcode Fuzzy Hash: 38c7b4f83e553420579c8e330882a64258dcf8d372290847a19fb81a50e45df1
Instruction Fuzzy Hash: 8FD09E10B2871652EF543B7858951FC12555F99F02F411438DA4BC639BFE2DBC494310

Function 00007FF6B53A6C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 00007FF6B53A6CAC

Strings

Unknown, xrefs: 00007FF6B53A6D66

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: 074748e7d716de5a741a71d41128afce1c4a4904971589a04e7448f2158e9804
Instruction ID: ddb1c376897e180a0ad0fd2c7d35c334350d959141f9e280b6fe345faa05733e
Opcode Fuzzy Hash: 074748e7d716de5a741a71d41128afce1c4a4904971589a04e7448f2158e9804
Instruction Fuzzy Hash: A131D322A2CBC186E7118F14E4502EAB770FB99B44F541235EBCD42A5ADF7CD995CB00

Function 00007FF6B53AC190 Relevance: 3.3, APIs: 2, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bcc4ad50dac9bc57f7f1afbf8202ee64cfbe29c1620eabfb65d15c4670d6b7
Instruction ID: 8bdd44bf73b2a935dcc8e3b810ea3cc127b40270a19a02bceec5bdf97e69db44
Opcode Fuzzy Hash: a3bcc4ad50dac9bc57f7f1afbf8202ee64cfbe29c1620eabfb65d15c4670d6b7
Instruction Fuzzy Hash: 69A16F72A14B8586EB519F29D8443AD77A0F789F94F188135EB4D877AAEF3CC881C740

Function 00007FF6B53AF150 Relevance: 3.2, APIs: 2, Instructions: 189COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53AF394
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53AF3A0

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: ad4055faee7288f66228d296372c78f9137bed5d5abb172f92ae91a1768b0b61
Instruction ID: 1102cc73c6e6d77f3c10517791ca9d722384ce3fea92c6e4e735a8ba950e5575
Opcode Fuzzy Hash: ad4055faee7288f66228d296372c78f9137bed5d5abb172f92ae91a1768b0b61
Instruction Fuzzy Hash: BE61AC2AA18A8184EF15DA59D1542BD27A1AB04FD8F548631CF5D873DAFF3EEC46D300

Function 00007FF6B539D260 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B539D510: RegOpenKeyExA.KERNEL32 ref: 00007FF6B539D561
Part of subcall function 00007FF6B539D510: RegCloseKey.ADVAPI32 ref: 00007FF6B539D573

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539D4F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539D4FE

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpen
String ID:
API String ID: 3087652857-0
Opcode ID: 8c278f5547a466ec54e0be15147785784f58f0030a1dc7da1f4e2a7823480ad4
Instruction ID: 291e6fa39091ede676404d3729c36f4dc47f3074eabf04ff166662841dc21bbd
Opcode Fuzzy Hash: 8c278f5547a466ec54e0be15147785784f58f0030a1dc7da1f4e2a7823480ad4
Instruction Fuzzy Hash: 4F718062A18B8185EB20CB68E4403ED77A1F789B94F505225EB9D87B9EEF7CD544C700

Function 00007FF6B5361440 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53615D2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53615DE

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: c46320af81983bf8b7d8a097502b6e08044de0ccd2ffde461da5f276321cfa26
Instruction ID: 1931e6534963cdfdaaebb8e006f71ba0410ab84162d6ed94bca0aee82c994cec
Opcode Fuzzy Hash: c46320af81983bf8b7d8a097502b6e08044de0ccd2ffde461da5f276321cfa26
Instruction Fuzzy Hash: 8051CA72A29B4681EA11DB19E4403B9B3A0FF59F84F544535DB8D8376AEF7CD8918300

Function 00007FF6B5368E80 Relevance: 3.1, APIs: 2, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B5369015
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536901B

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 48f184e3a50fa740ea764832f58b5c85ec3e3188245a360da0dc6bed7c2c5238
Instruction ID: ce2559ef484048d844c2f94d0c81f8bcf5df1a926252c01c79845f414406cce3
Opcode Fuzzy Hash: 48f184e3a50fa740ea764832f58b5c85ec3e3188245a360da0dc6bed7c2c5238
Instruction Fuzzy Hash: C841B26272CB8281EE109B19E1042EDA692FB09FD4F540635EF6D4B78FEE3CD8519310

Function 00007FF6B5379FB0 Relevance: 3.1, APIs: 2, Instructions: 123COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B537A14B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B537A157

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: ffaf9a7a538868ca1479d97af9205b187dea902369c89d1255280d304756ba1d
Instruction ID: 55446b42d504b612c4e2f0c10c58eaf430867029af0cba21dd37ba879918f8a5
Opcode Fuzzy Hash: ffaf9a7a538868ca1479d97af9205b187dea902369c89d1255280d304756ba1d
Instruction Fuzzy Hash: 1D419472A28B8581EA25CB69E5445BEA7A0FB48FD0F504535DBAD43B8AEF3CD850C300

Function 00007FF6B5369030 Relevance: 3.1, APIs: 2, Instructions: 118COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53691AC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53691B2

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 9676c107121d3e70a5adfe4281e7c37e46f938058757e8ddbb0459af90ab29eb
Instruction ID: 5d00ff678da565bf363526dc84844d9fc75a984e2ff7dc1d0e334b64b5bed6db
Opcode Fuzzy Hash: 9676c107121d3e70a5adfe4281e7c37e46f938058757e8ddbb0459af90ab29eb
Instruction Fuzzy Hash: 37411262B2C74281EE219B1AA5143F9A251AB08FD4F544635EF6D8B7CFEE3CD9429700

Function 00007FF6B5364600 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5364745
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B5364751

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: cfc677c0362671b68f402e64f126341eafd3132707cfd2e1d4c22178fd9eeaf6
Instruction ID: 85a0670ef4f93438d817bbf191f55c990a3c519b100d87165847bf46ac22be34
Opcode Fuzzy Hash: cfc677c0362671b68f402e64f126341eafd3132707cfd2e1d4c22178fd9eeaf6
Instruction Fuzzy Hash: 5531E022F2D78244FE55AE19A5803F912819B05FE4F540235CB2D87BCBFE3CE8919340

Function 00007FF6B5368D10 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B5368E6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5368E71

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 0ababa0627008bd160181e784337c41553f7c6b491df3b020ffa885aa2a51f5a
Instruction ID: 192e39dc584face719a0a2122168235a87014eb2afd2fc032890ad6ae94f1101
Opcode Fuzzy Hash: 0ababa0627008bd160181e784337c41553f7c6b491df3b020ffa885aa2a51f5a
Instruction Fuzzy Hash: FF312562B2C78284EE609B19A4043ECA291EB08FD4F580635DF5C8B7CBEE3CE851C300

Function 00007FF6B53A6290 Relevance: 3.1, APIs: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 00007FF6B53A6320
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A6457

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: InformationVolume_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4269842375-0
Opcode ID: 9b54662dfc31b99104d5a64d46f481d5e14be556eb9875cdf2309875b13e82c8
Instruction ID: 6bc7a992579721c7e7eebd3721db6d94ec0dc295b9db3a071c13e2b92a08d280
Opcode Fuzzy Hash: 9b54662dfc31b99104d5a64d46f481d5e14be556eb9875cdf2309875b13e82c8
Instruction Fuzzy Hash: F1517F72E28B8185EB11CF68D4402ED7760F799B88F505221EB8D93B9EEF78D985C740

Function 00007FF6B53629B0 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5362AB2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B5362AB8

Part of subcall function 00007FF6B534B820: __std_exception_copy.LIBVCRUNTIME ref: 00007FF6B534B868

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2371198981-0
Opcode ID: 0c938f5ff597287b413f46e3d76a37b7088594cabf2e2eb79db2830f1b0d95ab
Instruction ID: 444716a9aa682177c815fd5b95163355d86b4c39b0b4d945ea73393d9613c0f1
Opcode Fuzzy Hash: 0c938f5ff597287b413f46e3d76a37b7088594cabf2e2eb79db2830f1b0d95ab
Instruction Fuzzy Hash: 6D21E426A29B4241EA299B19D5403F86290AB44FA4F154635EF6C87BCBFE7CD8D28340

Function 00007FF6B53B4648 Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B466F

Part of subcall function 00007FF6B53B4604: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B461B

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B4723

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction ID: 74a2840a14e9182d98c70db0cfba12dbbacf061ca2c20a7e656c44fe1f14e53c
Opcode Fuzzy Hash: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction Fuzzy Hash: D5319C22A29E4682EE94FB18E4515F92362AB95F90F550131E75EC73DBFE3CE901C704

Function 00007FF6B539D510 Relevance: 3.1, APIs: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6B539D561
RegCloseKey.ADVAPI32 ref: 00007FF6B539D573

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction ID: 50f319fa076c98a2db7f8b161d1e71982c6d7db7a183300a8a7bdd440030ad3b
Opcode Fuzzy Hash: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction Fuzzy Hash: 72219661B28A4545FB509B29E4413EAA360EF98FD4F545131EB4E87B9FEF2CD8418700

Function 00007FF6B536AE50 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536AEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536AF0A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 19d8cef9d40cb5f6eec943bdf1482a87d63508befa2c44a48ff5201e4d6f36a8
Instruction ID: 0c9498a209508120f19159abafbfc0bdf32d6f93b31bff139b8f0cdb64131614
Opcode Fuzzy Hash: 19d8cef9d40cb5f6eec943bdf1482a87d63508befa2c44a48ff5201e4d6f36a8
Instruction Fuzzy Hash: D51186A2B26B8585EF49DF78D4553BD6391DB08F94F144535DB6C8B78AEF2CC8908300

Function 00007FF6B539C7CC Relevance: 3.1, APIs: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B535E610: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6B535E65A
Part of subcall function 00007FF6B535E610: Process32FirstW.KERNEL32 ref: 00007FF6B535E69C

Part of subcall function 00007FF6B535CA10: CredEnumerateA.ADVAPI32 ref: 00007FF6B535CA72

Part of subcall function 00007FF6B53A4A30: recv.WS2_32 ref: 00007FF6B53A4C0C

ReleaseMutex.KERNEL32 ref: 00007FF6B539C83B
CloseHandle.KERNEL32 ref: 00007FF6B539C844

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
String ID:
API String ID: 420082584-0
Opcode ID: bece3b694530cfbeca66faa9e7e0d6adff72bc4c5de40ce38d1c4fa0504811a1
Instruction ID: 8ce7354dcdee82f02b3556745461af484ab624a442d29a0d899d8ea0a27191b6
Opcode Fuzzy Hash: bece3b694530cfbeca66faa9e7e0d6adff72bc4c5de40ce38d1c4fa0504811a1
Instruction Fuzzy Hash: 5E210491E3C68641F952B77CA0163F96240AF85F90F586A31EB9EC17DFBE1CAC409712

Function 00007FF6B53CEFC8 Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00007FF6B53CEFDF
_RTC_Initialize.LIBCMT ref: 00007FF6B53CF000

Part of subcall function 00007FF6B53DDB08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53DDB3A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: d990e7904117e8ad445fc8e6d111c2d0f5dc5b035b4e5bb7541dde9c55fd2088
Instruction ID: 0c3af58f2bbe84d22a4fee0f9335458f6b202928b348bdfaa8e246eae9d7b13a
Opcode Fuzzy Hash: d990e7904117e8ad445fc8e6d111c2d0f5dc5b035b4e5bb7541dde9c55fd2088
Instruction Fuzzy Hash: E9119901E2C2A711FA1477B844562F812915F94B45F481878EB4ECA3CBFE2EAC958762

Function 00007FF6B539C7FD Relevance: 3.0, APIs: 2, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B53A4A30: recv.WS2_32 ref: 00007FF6B53A4C0C

ReleaseMutex.KERNEL32 ref: 00007FF6B539C83B
CloseHandle.KERNEL32 ref: 00007FF6B539C844

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CloseHandleMutexReleaserecv
String ID:
API String ID: 2659716615-0
Opcode ID: dd2cc705cdbd18044620e585c3dda16eabb8828c2173ec8563691370528ef67d
Instruction ID: 9c6bdd3d1252c64421c0f564580afff57c85a67f6ac36c54194e80d8eb370966
Opcode Fuzzy Hash: dd2cc705cdbd18044620e585c3dda16eabb8828c2173ec8563691370528ef67d
Instruction Fuzzy Hash: EC116A92E2C68641FA62B73CA0163F95340AF85F90F485630EB9EC17DFBE1CAC409711

Function 00007FF6B53C0E9C Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6B53C0E88,?,?,?,?,00000000,00007FF6B53C0F91), ref: 00007FF6B53C0EE8
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B53C0E88,?,?,?,?,00000000,00007FF6B53C0F91), ref: 00007FF6B53C0EF2

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction ID: 95c198be002421b953a67a14729557615c499be83b7382621c88e420121c1035
Opcode Fuzzy Hash: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction Fuzzy Hash: 5F11B261A28B9181DA108B29A4041AD6361EB45FF4F544331EB7D877DEEF7CE8518700

Function 00007FF6B53CE888 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53CE8B8

Part of subcall function 00007FF6B53CF8DC: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6B53CF8E5

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53CE8BE

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction ID: 98f0043f35e3fe5ffa1826aa78cad4059ec4a3336316390c8129164171a73ab3
Opcode Fuzzy Hash: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction Fuzzy Hash: 96E09201E2932B05F96AA1AA19150F510400F49F70E181B30DB7D883CBBF2CACA19350

Function 00007FF6B53BD3C8 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF6B53BD3DE
GetLastError.KERNEL32 ref: 00007FF6B53BD3E8

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction ID: 77acd0e343b6f9510baf92b082fa4df44a27414c9027020fb2915cdc476237eb
Opcode Fuzzy Hash: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction Fuzzy Hash: 5BE0EC41F2AA0692FE5877FAA8451B512925F94F40F444434DB0DC635BFD2CAC958304

Function 00007FF6B5363FF0 Relevance: 1.8, APIs: 1, Instructions: 320COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5370610: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B5370778
Part of subcall function 00007FF6B5370610: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5370784

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536447D

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 8b63aff671ea4424fcc8d86e58390cf3b414aa6dd3dbafb3b21bf28b59b76f5e
Instruction ID: 1f3c72f20aeda5741e2bfe662106f692ea529ae7deb4c96500dffc4a7d194515
Opcode Fuzzy Hash: 8b63aff671ea4424fcc8d86e58390cf3b414aa6dd3dbafb3b21bf28b59b76f5e
Instruction Fuzzy Hash: D2E15922E28B4184EB51DF69E4912ED3770FB44F98F55412ACF5D97B9AEF38D8A08340

Function 00007FF6B5360CA0 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5360FA7

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 537b6f56e1df4810c213e73d318223818d58133d769faf41797cf51966d6e2cf
Instruction ID: 97da4208d53c1459f0fcbc9046ad77643ebcc2ce470a64a91ce6267b9bb3e56f
Opcode Fuzzy Hash: 537b6f56e1df4810c213e73d318223818d58133d769faf41797cf51966d6e2cf
Instruction Fuzzy Hash: AFB17D73619B81CADB218F29D0902EC73A1FB48B58F445636EB5D87B9AEF38D954C310

Function 00007FF6B53AD640 Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53AD829

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 7e7f4a0975ce12a370147af02dae87945938562f497badccff8603b604800ab9
Instruction ID: ce788a201ddd015907f39f6b58ae4f1f6047034affd00a51f2c4b50256afa5f4
Opcode Fuzzy Hash: 7e7f4a0975ce12a370147af02dae87945938562f497badccff8603b604800ab9
Instruction Fuzzy Hash: 3851D512F18A818AFB168F7CD4003FC7371AF54B48F045A21DF8D66B9AEF39A9918344

Function 00007FF6B53BD8C8 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53BD8F0

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction ID: fc396ab5890b90fce10ab642a8e07bfd8cd8e2f3aa761d2b216e91d85f667c91
Opcode Fuzzy Hash: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction Fuzzy Hash: B641B232A28A4587FB64AB1CE5412B977A0EB56F90F140531D79EC779AEF3CE802C750

Function 00007FF6B53A5FC0 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A6147

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: af219e07592d3e4ddcb2aa59d6567795c060df3c327f1d120c968fde123da8b2
Instruction ID: 53ddbb1634391ea304aa8946c9ea71285ab0a5048036513d3366916e98c32e0e
Opcode Fuzzy Hash: af219e07592d3e4ddcb2aa59d6567795c060df3c327f1d120c968fde123da8b2
Instruction Fuzzy Hash: D1412872B25B488EEB408FB9D4413EC73B1E74CB98F005625EF9C66B89EE3495648394

Function 00007FF6B53C080C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C0892

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction ID: 4c94f7049c1f37d6bd71312b1529c4b23648999c0e737635a27529f122c9bf48
Opcode Fuzzy Hash: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction Fuzzy Hash: BA31A422A28B6285FA52BB5D94013FC2650AB84FA0F424135EB5D873DBEF7CEC41C754

Function 00007FF6B53620B0 Relevance: 1.6, APIs: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53621A7

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: b4325394841097dc207bbc729bbf94e901fe83a4d13f313c93b63ae7a0871957
Instruction ID: 5c8308a173321c07e1256362dfda7845f0c95eead6c16a89b02ae3041efeaeeb
Opcode Fuzzy Hash: b4325394841097dc207bbc729bbf94e901fe83a4d13f313c93b63ae7a0871957
Instruction Fuzzy Hash: 70312576B1AB4982EF198F69D4902AC3361EB88F88B458436DF4D47369EF3CD891C340

Function 00007FF6B53C4E91 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6B53C4EBF

Part of subcall function 00007FF6B53C4FB8: GetModuleHandleExW.KERNEL32 ref: 00007FF6B53C4FDD
Part of subcall function 00007FF6B53C4FB8: GetProcAddress.KERNEL32 ref: 00007FF6B53C4FF3
Part of subcall function 00007FF6B53C4FB8: FreeLibrary.KERNEL32 ref: 00007FF6B53C501A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction ID: 7169d0cc6c39d77393e24f818a0f59660fae9ddf4952123bf32700a99af945a1
Opcode Fuzzy Hash: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction Fuzzy Hash: 67217F32E247558AEBA4AF68C4443EC37A0EB44B1DF540635E75D86BDAEF38D884C750

Function 00007FF6B53DE200 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53DE15D

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction ID: 4aeb3e3706d3715751072f692ac596c173a8abee7f1061ce6cab894e0fbc43b1
Opcode Fuzzy Hash: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction Fuzzy Hash: 46113B22A29A4181EA60AF19D4002FEB671BF89F80F444431EB8D9B7DBEE3DDD009740

Function 00007FF6B53DFEF8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53DFF1B

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction ID: 8722883fec0f69418a61a5058bc69118fcfda527461dc509363c2ec7d7e3997e
Opcode Fuzzy Hash: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction Fuzzy Hash: 54213032628AC187DB619F18D4807B9B6A4EB85F94F544234E75D877DAEF3DD9108B00

Function 00007FF6B534F380 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B534F3E3

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c98089154d41e91aef4fb596ab2a74aafa6efc439ad7e522330d1ce16319ce63
Instruction ID: 78898328022e9f469e7edc543ca9a9471a9dfb0669d42e66f1be88409ed3c3bc
Opcode Fuzzy Hash: c98089154d41e91aef4fb596ab2a74aafa6efc439ad7e522330d1ce16319ce63
Instruction Fuzzy Hash: 3AF0C2A2B25BC540EF159B6CE0043AC6351AB44F88F540031C78C4A7ABEF7FD895C340

Function 00007FF6B534DA40 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B534DAA0

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c574df8fe4f5f00ffea31855a7c07f7e09cae9b3bda18de6976169ed6b791a31
Instruction ID: c4039f62075e6679d7b8672ee3ae70e07f89969a763cf37e3ae995c9e6ceab7e
Opcode Fuzzy Hash: c574df8fe4f5f00ffea31855a7c07f7e09cae9b3bda18de6976169ed6b791a31
Instruction Fuzzy Hash: BBF0B4A2B2868180FF04DB2CD0053AC63A1EB48F88F540831DB4C8675AEF7DCC948340

Function 00007FF6B53A0E00 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF6B53A0E48

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction ID: f1be82951a4c2b827000c6bc1d164676b865bdceea1c7f96aef426c73e3d921e
Opcode Fuzzy Hash: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction Fuzzy Hash: 3401A225B28A8585DF508F1AB940569A7A0FB88FD4F485130EF5D43B4EEF28D8418700

Function 00007FF6B5357633 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE ref: 00007FF6B5357676

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 61598aa622094b9ec1bb0f92b50d03696b3dc6fab078c114e82ad6d4659b4b0f
Instruction ID: 5e5f41cae21134ace95806ea58429fdd178ff5fb7ce4088bd50d1136a08dbc45
Opcode Fuzzy Hash: 61598aa622094b9ec1bb0f92b50d03696b3dc6fab078c114e82ad6d4659b4b0f
Instruction Fuzzy Hash: DF01F42661CA8185EA71CB56F4542AA7364F788FD4F444032DF8D83B5DEE3DD886CB00

Function 00007FF6B53B7374 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B7393

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction ID: 6a64893a0c5b203e0d64f5c27c255e60423edfab8d6eddc0df8ff887007f6cb5
Opcode Fuzzy Hash: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction Fuzzy Hash: 85E06D31A39E4285EFA57AAD91411BC6160AF44FB0F544331EB3C863CBEE7898508710

Function 00007FF6B53DB4C0 Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,?,?,00007FF6B534E409), ref: 00007FF6B53DB4C4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction ID: 65710359fd191957f65bde900094b122634567aa5bc43b74b600f149a854e9f3
Opcode Fuzzy Hash: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction Fuzzy Hash: ABC04C15F6E642D1EA541B6B5C821A211E05B54B51F450030C708C0355FD5CA9E68B11

Function 00007FF6B53DD0B4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00007FF6B53DD0BD

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction ID: 7356d89832a43736e94eb09809cd29f76b560c9b11bf4c031ce5df6ace615c13
Opcode Fuzzy Hash: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction Fuzzy Hash: 8DB09236A289C0D3C611EB08E8420597331FB94B0AFD00020E38E82729DE2CDA2A8F00

Function 00007FF6B53BE8BC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF6B53BE8FA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction ID: 41433fc058fd3b6de298de2c0ae07f22a7189e1d1fec5e8e5efa118ea0287962
Opcode Fuzzy Hash: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction Fuzzy Hash: 4AF03A01B29A0A54FE94766D58106F522805F88F61F490330DA2EC53CBEE2CBC84A321

Non-executed Functions

Function 00007FF6B53A0E90 Relevance: 63.9, APIs: 31, Strings: 4, Instructions: 2698COMMON

Download Yara Rule

Strings

cannot compare iterators of different containers, xrefs: 00007FF6B53A447F, 00007FF6B53A452F, 00007FF6B53A465F
cannot use push_back() with , xrefs: 00007FF6B53A43D3
value, xrefs: 00007FF6B53A16C8
type must be string, but is , xrefs: 00007FF6B53A443D, 00007FF6B53A44ED, 00007FF6B53A45B1, 00007FF6B53A460B

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: cannot compare iterators of different containers$cannot use push_back() with $type must be string, but is $value
API String ID: 73155330-2711811579
Opcode ID: d187969b3f8adc0d7d83df29c316cce47e6f364642cfc6bf6309e0d85370cb42
Instruction ID: c0a9ecd155697250c52af2c9542e9f77a48a20752e8d13b665fc9135c68e28cc
Opcode Fuzzy Hash: d187969b3f8adc0d7d83df29c316cce47e6f364642cfc6bf6309e0d85370cb42
Instruction Fuzzy Hash: AB535E62A14BC589DB719F28D8803ED23A4FB45B58F405635DB5D9BB9EEF38DA84C300

Function 00007FF6B53B1220 Relevance: 49.1, APIs: 25, Strings: 2, Instructions: 1888COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B1557
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B17BA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B1A7D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B1D1D
memcpy_s.LIBCPMT ref: 00007FF6B53B1F2A
memcpy_s.LIBCPMT ref: 00007FF6B53B1FC6
memcpy_s.LIBCPMT ref: 00007FF6B53B247E
memcpy_s.LIBCPMT ref: 00007FF6B53B24B9
memcpy_s.LIBCPMT ref: 00007FF6B53B25E5
memcpy_s.LIBCPMT ref: 00007FF6B53B270C
memcpy_s.LIBCPMT ref: 00007FF6B53B27B7
memcpy_s.LIBCPMT ref: 00007FF6B53B27FF
memcpy_s.LIBCPMT ref: 00007FF6B53B2829
memcpy_s.LIBCPMT ref: 00007FF6B53B28DA
memcpy_s.LIBCPMT ref: 00007FF6B53B2ADA
memcpy_s.LIBCPMT ref: 00007FF6B53B2B1F
memcpy_s.LIBCPMT ref: 00007FF6B53B2BD6
memcpy_s.LIBCPMT ref: 00007FF6B53B2D03
memcpy_s.LIBCPMT ref: 00007FF6B53B23CE

Part of subcall function 00007FF6B53B3664: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B3696

memcpy_s.LIBCPMT ref: 00007FF6B53B2449
memcpy_s.LIBCPMT ref: 00007FF6B53B2EBD

Strings

, xrefs: 00007FF6B53B2DB0
, xrefs: 00007FF6B53B2C83

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $
API String ID: 2880407647-227171996
Opcode ID: 49a4e64996860ac975e7d62cf44a3f3077f64a100a8fbd3398d3c45755aa41bf
Instruction ID: 6a14060a66e250abd743b39cd5c8af1a09e0eec17520f3273bc5901e418aa95d
Opcode Fuzzy Hash: 49a4e64996860ac975e7d62cf44a3f3077f64a100a8fbd3398d3c45755aa41bf
Instruction Fuzzy Hash: 0803B672A24AC14BE7759E29D9807F97791FB44B88F005135EB0A97B4DEF39AE01CB40

Function 00007FF6B53AA430 Relevance: 36.0, APIs: 19, Strings: 1, Instructions: 1015stringmemorynativeCOMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 00007FF6B53AA473
NtAllocateVirtualMemory.NTDLL ref: 00007FF6B53AA4AB
lstrcpyW.KERNEL32 ref: 00007FF6B53AA50D
lstrcatW.KERNEL32 ref: 00007FF6B53AA5C2
NtAllocateVirtualMemory.NTDLL ref: 00007FF6B53AA649
lstrcpyW.KERNEL32 ref: 00007FF6B53AA6FC
RtlInitUnicodeString.NTDLL ref: 00007FF6B53AA711
RtlInitUnicodeString.NTDLL ref: 00007FF6B53AA726
LdrEnumerateLoadedModules.NTDLL ref: 00007FF6B53AA739
RtlReleasePebLock.NTDLL ref: 00007FF6B53AA73F

Part of subcall function 00007FF6B539EED0: SHGetKnownFolderPath.SHELL32 ref: 00007FF6B539EF29
Part of subcall function 00007FF6B539EED0: CoTaskMemFree.OLE32 ref: 00007FF6B539EFEA

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53AA777
CoInitializeEx.OLE32 ref: 00007FF6B53AA7EA
lstrcpyW.KERNEL32 ref: 00007FF6B53AA9C9
lstrcatW.KERNEL32 ref: 00007FF6B53AABCE
CoGetObject.OLE32 ref: 00007FF6B53AABEC
lstrcpyW.KERNEL32 ref: 00007FF6B53AB269
lstrcatW.KERNEL32 ref: 00007FF6B53AB48C
CoGetObject.OLE32 ref: 00007FF6B53AB4AA
CoUninitialize.OLE32 ref: 00007FF6B53AB972

Strings

0, xrefs: 00007FF6B53AB0AA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: lstrcpy$lstrcat$AllocateInitLockMemoryObjectStringUnicodeVirtual$AcquireEnumerateFolderFreeInitializeKnownLoadedModulesPathReleaseTaskUninitialize_invalid_parameter_noinfo_noreturn
String ID: 0
API String ID: 2979746431-4108050209
Opcode ID: be3c9c5b6b29e4456c2bc1c511291065cd00b5f8cb3857b0f644a8fdea2a94a5
Instruction ID: f25fefd74df0184a3917214e0cb06d383339ab4d6e87cf1d8d4b8f6f0c774644
Opcode Fuzzy Hash: be3c9c5b6b29e4456c2bc1c511291065cd00b5f8cb3857b0f644a8fdea2a94a5
Instruction Fuzzy Hash: 59C2B936626F988AD7908F69E88169DB3B5F788B88B105225FFCD57B18EF38C154C740

Function 00007FF6B53598CD Relevance: 34.4, APIs: 14, Strings: 5, Instructions: 1142COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD5E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD74
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD7A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD80
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD86
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD8C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD92
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535AD9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535ADA4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535ADAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535ADB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535ADB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535ADBC

Strings

config, xrefs: 00007FF6B5359CDD
content, xrefs: 00007FF6B5359B9F, 00007FF6B5359F27, 00007FF6B535A844
users, xrefs: 00007FF6B535A262
filename, xrefs: 00007FF6B5359B46, 00007FF6B5359ECE, 00007FF6B535A762
status, xrefs: 00007FF6B535AD67

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: config$content$filename$status$users
API String ID: 3668304517-2677590375
Opcode ID: 5961c5f104c8461b027db5d1534595f1a469070d5504b5e383ec641362e7a33b
Instruction ID: 6bb6d851b2f93a3c521ef6052af09ccfdf2b65da46c1dd565af9382bf42f96da
Opcode Fuzzy Hash: 5961c5f104c8461b027db5d1534595f1a469070d5504b5e383ec641362e7a33b
Instruction Fuzzy Hash: 82C25162A15BC285DB319F38D8903ED6361FB45B98F405236DB5D8AB9EEF38DA44C340

Function 00007FF6B539B420 Relevance: 33.7, APIs: 8, Strings: 11, Instructions: 465COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 00007FF6B539B9A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539BB92
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539BB98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539BB9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539BBA4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539BBAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539BBB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539BC05

Strings

ios_base::eofbit set, xrefs: 00007FF6B539BBCC
.vbs, xrefs: 00007FF6B539B512
ios_base::failbit set, xrefs: 00007FF6B539BBC5
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;', xrefs: 00007FF6B539B5B4
.ps1, xrefs: 00007FF6B539B4B4
ios_base::badbit set, xrefs: 00007FF6B539BBBA
.cmd, xrefs: 00007FF6B539B4E3
open, xrefs: 00007FF6B539B91D
.exe, xrefs: 00007FF6B539B485
runas, xrefs: 00007FF6B539B926
.exe, xrefs: 00007FF6B539B56D

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExecuteShell
String ID: .cmd$.exe$.exe$.ps1$.vbs$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$open$runas
API String ID: 4120902618-4093014531
Opcode ID: 7479964b09d7e937c2731e9b908c03d085839642c0324ba9434fc91e233fbea9
Instruction ID: e946c94696a2b3bcadad6637ef20d2dc23241d7dfecf5f9bb4cb34e1a7448c68
Opcode Fuzzy Hash: 7479964b09d7e937c2731e9b908c03d085839642c0324ba9434fc91e233fbea9
Instruction Fuzzy Hash: F7228272A28B8585EB10DF28D4403ED67A1FB44B98F505235EB5D87BAEEF78D984C340

Function 00007FF6B5357E70 Relevance: 31.1, APIs: 15, Strings: 2, Instructions: 1357COMMON

Download Yara Rule

Strings

exists, xrefs: 00007FF6B5359441
Software, xrefs: 00007FF6B53582ED, 00007FF6B53584BB

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: Software$exists
API String ID: 0-2364128853
Opcode ID: 754b6d5de3f8b423738aca6b75d482b608bbcfa6901d960764bf722898531e8f
Instruction ID: 0bb8a9636c4fc27dfb65532488828c738ef16340bf70496616e416c0d5aa2bf4
Opcode Fuzzy Hash: 754b6d5de3f8b423738aca6b75d482b608bbcfa6901d960764bf722898531e8f
Instruction Fuzzy Hash: 6BD28073A15BC589EB518F29E8403ED7360FB89B94F105225EB9D57B9AEF78D980C300

Function 00007FF6B5326180 Relevance: 30.2, Strings: 24, Instructions: 238COMMON

Download Yara Rule

Strings

winre.wim, xrefs: 00007FF6B5326500
ntuser.ini, xrefs: 00007FF6B5326359
bootsect.bak, xrefs: 00007FF6B5326246
autorun.inf, xrefs: 00007FF6B53261A8
bootstat.dat, xrefs: 00007FF6B5326415
BOOTNXT, xrefs: 00007FF6B532658D
bootfont.bin, xrefs: 00007FF6B5326220
d3d9caps.dat, xrefs: 00007FF6B53263E6
wpsettings.dat, xrefs: 00007FF6B53264A2
desktop.ini, xrefs: 00007FF6B532626C
bootmgfw.efi, xrefs: 00007FF6B53261F9
bootmgr, xrefs: 00007FF6B532655E
boot.sdi, xrefs: 00007FF6B53264D1
indexervolumeguid, xrefs: 00007FF6B5326473
ntuser.dat.log, xrefs: 00007FF6B532632D
iconcache.db, xrefs: 00007FF6B53262DE
boot.ini, xrefs: 00007FF6B53261D1
thumbs.db, xrefs: 00007FF6B5326388
ntldr, xrefs: 00007FF6B5326292
gdipfontcachev1.dat, xrefs: 00007FF6B53263B7
winsipolicy.p7b, xrefs: 00007FF6B53262B8
reagent.xml, xrefs: 00007FF6B532652F
mib.bin, xrefs: 00007FF6B5326444
ntuser.dat, xrefs: 00007FF6B5326304

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: BOOTNXT$autorun.inf$boot.ini$boot.sdi$bootfont.bin$bootmgfw.efi$bootmgr$bootsect.bak$bootstat.dat$d3d9caps.dat$desktop.ini$gdipfontcachev1.dat$iconcache.db$indexervolumeguid$mib.bin$ntldr$ntuser.dat$ntuser.dat.log$ntuser.ini$reagent.xml$thumbs.db$winre.wim$winsipolicy.p7b$wpsettings.dat
API String ID: 73155330-850610325
Opcode ID: 22dcfd16a23274500c0631d97ecb7b22965bfb45e38d580db89ddce6ecc7947a
Instruction ID: e071c5e9f7a4c3830d3604c89b5c1f88bc2a928f34921db8072d94113c466eaf
Opcode Fuzzy Hash: 22dcfd16a23274500c0631d97ecb7b22965bfb45e38d580db89ddce6ecc7947a
Instruction Fuzzy Hash: 43C1A452D34BCA45E721DB38D8813F55361FBEA744F506736EA88A586BEF68A7C0C340

Function 00007FF6B5325DB0 Relevance: 25.2, Strings: 20, Instructions: 202COMMON

Download Yara Rule

Strings

Program Files (x86), xrefs: 00007FF6B5326101
PerfLogs, xrefs: 00007FF6B5325F34
Program Files, xrefs: 00007FF6B53260D2
ProgramData, xrefs: 00007FF6B5326045
Windows, xrefs: 00007FF6B5325E01
$windows.~ws, xrefs: 00007FF6B5325F89
bootmgr, xrefs: 00007FF6B53260A3
config.msi, xrefs: 00007FF6B5325EC2
#recycle, xrefs: 00007FF6B5325E29
Windows.~bt, xrefs: 00007FF6B5325FB8
AppData, xrefs: 00007FF6B5325FE7
$winreagent, xrefs: 00007FF6B5325F5D
System Volume Information, xrefs: 00007FF6B5325E76
$windows.~bt, xrefs: 00007FF6B5325F0E
Boot, xrefs: 00007FF6B5325E50
ntldr, xrefs: 00007FF6B5326016
$recycle.bin, xrefs: 00007FF6B5325DD8
All users, xrefs: 00007FF6B5326074
Application Data, xrefs: 00007FF6B5325E9C
Windows.old, xrefs: 00007FF6B5325EE8

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: #recycle$$recycle.bin$$windows.~bt$$windows.~ws$$winreagent$All users$AppData$Application Data$Boot$PerfLogs$Program Files$Program Files (x86)$ProgramData$System Volume Information$Windows$Windows.old$Windows.~bt$bootmgr$config.msi$ntldr
API String ID: 73155330-2722463023
Opcode ID: 7d392a795bfbfd6594683dd8fb9872c8abf8b0b593989480866b32def73f354a
Instruction ID: 4e903e01649d8fd4b79490d11604f9cb6a0271d3f33802d1c58c6801300ff0d4
Opcode Fuzzy Hash: 7d392a795bfbfd6594683dd8fb9872c8abf8b0b593989480866b32def73f354a
Instruction Fuzzy Hash: 05A1A452D34BCA45E721DB38D8813F55361FBEA744F506736EA8CA685BEF68A6C4C300

Function 00007FF6B5394D40 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 219COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FF6B5394D9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539513A

Strings

@, xrefs: 00007FF6B5394F26

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_noreturn
String ID: @
API String ID: 3490963316-2766056989
Opcode ID: 340411d1fce1f4d2458475e6b7cafb7ea6d02391b27961439f40ad3dfb835a2a
Instruction ID: 648f9c254d624bbfc7af8ea6cc41e3e9d1ae8920287f4713d8de9db20ac74f2a
Opcode Fuzzy Hash: 340411d1fce1f4d2458475e6b7cafb7ea6d02391b27961439f40ad3dfb835a2a
Instruction Fuzzy Hash: 61A16C72B28B418AE720CB69E4446AD7761FB88B48F044235DF5E93B9AEF38D954C344

Function 00007FF6B5350E80 Relevance: 23.5, APIs: 8, Strings: 5, Instructions: 747COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351AD3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351AEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351B05
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351B1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351B21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351B3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351B45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5351B4B

Part of subcall function 00007FF6B534D370: __std_fs_code_page.LIBCPMT ref: 00007FF6B534D3A7
Part of subcall function 00007FF6B534D370: __std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF6B534D3EE
Part of subcall function 00007FF6B534D370: __std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF6B534D42A

Strings

exists, xrefs: 00007FF6B5351AC6
content, xrefs: 00007FF6B53514E6
filename, xrefs: 00007FF6B535142E
status, xrefs: 00007FF6B5351AF8, 00007FF6B5351B0E
directory_iterator::directory_iterator, xrefs: 00007FF6B5351AE2, 00007FF6B5351B32

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 2212124024-3429737954
Opcode ID: 4a5c084437b6e505fe191a25d1ddd3fa9523bf8bbcd3d4d616036c48336d69b0
Instruction ID: b5db463594c9eb9f33083576f24b42bcf1e942b6401ed7ed361aff513d527608
Opcode Fuzzy Hash: 4a5c084437b6e505fe191a25d1ddd3fa9523bf8bbcd3d4d616036c48336d69b0
Instruction Fuzzy Hash: 3B728332A15BC185EB219F38D8903ED6360FB89B94F445635DB8D87B9AEF78DA44C340

Function 00007FF6B53902C0 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B5390474
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B5390482
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B5390705
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B5390713
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53908B0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53908B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53908D9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53908DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53908E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5390908
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539090E

Strings

value, xrefs: 00007FF6B539039A, 00007FF6B5390633

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: value
API String ID: 1346393832-494360628
Opcode ID: 58ac9e99c7e9caeb46c8d6d8eb90e0f66bb103b216faee546cb3e1aa741f4388
Instruction ID: a1a4f2e6d81195f76f18ea8649856a7581a220bad53ff81a2a2004ebcc630c25
Opcode Fuzzy Hash: 58ac9e99c7e9caeb46c8d6d8eb90e0f66bb103b216faee546cb3e1aa741f4388
Instruction Fuzzy Hash: 8602A562A29BC185EB41CB78D4403ED6761EB85BA4F105235EB9E86BDFEF2CD584C700

Function 00007FF6B53CA3C8 Relevance: 20.4, APIs: 8, Strings: 3, Instructions: 1156COMMON

Download Yara Rule

Strings

s, xrefs: 00007FF6B53CB4D2
W$, xrefs: 00007FF6B53CA530
s, xrefs: 00007FF6B53CB3F1

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: s$s$W$
API String ID: 3215553584-4165748295
Opcode ID: 9b1f272bfafe38334aa377421cf6210804c5f9af34e63209d09ff03d43a97708
Instruction ID: 393bbec6fa48c569f1d13cb05740e3e7354b5cf596b24406e7ea354bc5bd5469
Opcode Fuzzy Hash: 9b1f272bfafe38334aa377421cf6210804c5f9af34e63209d09ff03d43a97708
Instruction Fuzzy Hash: 73A2C572A283A28BE7658E68D4507FD77A1FB44B48F445135DB09D7B8AEF38AD40CB40

Function 00007FF6B53AA780 Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 839stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B53AA430: RtlAcquirePebLock.NTDLL ref: 00007FF6B53AA473
Part of subcall function 00007FF6B53AA430: NtAllocateVirtualMemory.NTDLL ref: 00007FF6B53AA4AB
Part of subcall function 00007FF6B53AA430: lstrcpyW.KERNEL32 ref: 00007FF6B53AA50D
Part of subcall function 00007FF6B53AA430: lstrcatW.KERNEL32 ref: 00007FF6B53AA5C2

CoInitializeEx.OLE32 ref: 00007FF6B53AA7EA
lstrcpyW.KERNEL32 ref: 00007FF6B53AA9C9
lstrcatW.KERNEL32 ref: 00007FF6B53AABCE
CoGetObject.OLE32 ref: 00007FF6B53AABEC
lstrcpyW.KERNEL32 ref: 00007FF6B53AB269
lstrcatW.KERNEL32 ref: 00007FF6B53AB48C
CoGetObject.OLE32 ref: 00007FF6B53AB4AA
CoUninitialize.OLE32 ref: 00007FF6B53AB972

Strings

0, xrefs: 00007FF6B53AB0AA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: lstrcatlstrcpy$Object$AcquireAllocateInitializeLockMemoryUninitializeVirtual
String ID: 0
API String ID: 3636535045-4108050209
Opcode ID: 256d7544adc4c5c9ea952a558105b7fb008bcdf57b8585116dd0ba0e073c8c51
Instruction ID: ad73b9384e652e5115312f1978b7d3104caab8805c24cbdef4c34e6132ee3e27
Opcode Fuzzy Hash: 256d7544adc4c5c9ea952a558105b7fb008bcdf57b8585116dd0ba0e073c8c51
Instruction Fuzzy Hash: 8AB2893662AF988AD7808F69E88155EB3B5F788B88B106215FFCD57B18EF38C154C740

Function 00007FF6B5398440 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 00007FF6B53984D8
BCryptSetProperty.BCRYPT ref: 00007FF6B5398502
BCryptGenerateSymmetricKey.BCRYPT ref: 00007FF6B539853B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5398557
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539865B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B5398661

Strings

ChainingMode, xrefs: 00007FF6B53984F7
AES, xrefs: 00007FF6B53984CD
ChainingModeGCM, xrefs: 00007FF6B53984F0

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Crypt$_invalid_parameter_noinfo_noreturn$AlgorithmConcurrency::cancel_current_taskGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 2556340343-1213888626
Opcode ID: 4d2ae9936c16117bf66a9a82cdf8c67db15cfebaaeeafde8e0b7fccba3920ac7
Instruction ID: 5183ec67d04ab5b304b556764fcdbee7028b141b1b1887e89114828f81ae80b9
Opcode Fuzzy Hash: 4d2ae9936c16117bf66a9a82cdf8c67db15cfebaaeeafde8e0b7fccba3920ac7
Instruction Fuzzy Hash: 2E61C562A2878545FB249B29E4403E9A360EB84FD4F144631EF5D8BBDBEF3CD9918300

Function 00007FF6B53963A6 Relevance: 11.2, APIs: 3, Strings: 3, Instructions: 653COMMON

Download Yara Rule

Strings

pfHPZt1s0Dk=, xrefs: 00007FF6B53964D1
port, xrefs: 00007FF6B539705F
ZPTcrQssPSx9WOSFMOMK+XoqcG1eYI9iRKFdlGnQ0T0=, xrefs: 00007FF6B5396449

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: ZPTcrQssPSx9WOSFMOMK+XoqcG1eYI9iRKFdlGnQ0T0=$pfHPZt1s0Dk=$port
API String ID: 0-2592750929
Opcode ID: fe16ae3c725d1eb1c5c11142da1a117778a9c063c3c2cd6928c6efc9df6e0444
Instruction ID: 38c0c78cc270806ea28b9d82e6fa8f9bc193611518ee994d6f46295cd1179a47
Opcode Fuzzy Hash: fe16ae3c725d1eb1c5c11142da1a117778a9c063c3c2cd6928c6efc9df6e0444
Instruction Fuzzy Hash: E27272B2A29BC581D661CB29E4403EAB3A4FB99784F105225EBCD53B5EEF3CD591C700

Function 00007FF6B53C964C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6B53B9EEC: GetLastError.KERNEL32 ref: 00007FF6B53B9EFB
Part of subcall function 00007FF6B53B9EEC: FlsGetValue.KERNEL32 ref: 00007FF6B53B9F10
Part of subcall function 00007FF6B53B9EEC: SetLastError.KERNEL32 ref: 00007FF6B53B9F9B

Part of subcall function 00007FF6B53B9EEC: FlsSetValue.KERNEL32 ref: 00007FF6B53B9F31

GetUserDefaultLCID.KERNEL32 ref: 00007FF6B53C97BC

Part of subcall function 00007FF6B53B9EEC: FlsSetValue.KERNEL32 ref: 00007FF6B53B9F5E
Part of subcall function 00007FF6B53B9EEC: FlsSetValue.KERNEL32 ref: 00007FF6B53B9F6F
Part of subcall function 00007FF6B53B9EEC: FlsSetValue.KERNEL32 ref: 00007FF6B53B9F80

EnumSystemLocalesW.KERNEL32 ref: 00007FF6B53C97A3
ProcessCodePage.LIBCMT ref: 00007FF6B53C97E6
IsValidCodePage.KERNEL32 ref: 00007FF6B53C97F8
IsValidLocale.KERNEL32 ref: 00007FF6B53C980E
GetLocaleInfoW.KERNEL32 ref: 00007FF6B53C986A
GetLocaleInfoW.KERNEL32 ref: 00007FF6B53C9886

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction ID: d689584d1b8d84ab544b4b186ac2ef3bda5065573b97d36a2fe4a763267c379d
Opcode Fuzzy Hash: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction Fuzzy Hash: FD714723B2972689EB519B68D8606F823A4AB48F44F454435CB1DD378AFF3CF845CB50

Function 00007FF6B53CF2B8 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6B53CF2D4
RtlCaptureContext.KERNEL32 ref: 00007FF6B53CF301
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6B53CF31B
RtlVirtualUnwind.KERNEL32 ref: 00007FF6B53CF35C
IsDebuggerPresent.KERNEL32 ref: 00007FF6B53CF3B0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B53CF3CD
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6B53CF3D8

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 6458172863af31e20951f5f8dc1d486a5fb90de472876968ccfd77d10a4e7fe6
Instruction ID: 29bc58f3ccc6769521e56f0e15a0c702aa174886d97b757952a11d208755baff
Opcode Fuzzy Hash: 6458172863af31e20951f5f8dc1d486a5fb90de472876968ccfd77d10a4e7fe6
Instruction Fuzzy Hash: D5315276619B8196EB608F64E8403ED7364FB84B48F44413ADB4E87B9AEF3CD948C714

Function 00007FF6B539C8E0 Relevance: 7.9, APIs: 5, Instructions: 391COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6B539C943
ShellExecuteW.SHELL32 ref: 00007FF6B539CF8A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539D013
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539D019
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539D01F

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExecuteFileModuleNameShell
String ID:
API String ID: 3435646932-0
Opcode ID: a7338904e57405cb7424316b332a1e38ca99d4c22208ccb12818e04892214995
Instruction ID: 29de8114afd1b0a0d1f9697980c75c53a96220fb26aa5b5cb7463b296d73baee
Opcode Fuzzy Hash: a7338904e57405cb7424316b332a1e38ca99d4c22208ccb12818e04892214995
Instruction Fuzzy Hash: 26122B72A29F848ADB408F29E88169EB3A4F788B94F505225EFDD57B59EF38D150C700

Function 00007FF6B53DD804 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6B53DD865
IsDebuggerPresent.KERNEL32 ref: 00007FF6B53DD87D
OutputDebugStringW.KERNEL32 ref: 00007FF6B53DD88E

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF6B53DD887

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 9ee4415ca50324c33a3d5a57874f9cc99ad178eb9645fb895110d63af1d9e2c1
Instruction ID: c42ec0bce11a8d20d2672718d6cc2ad8e54c48ebedbda487944e640728f1c24c
Opcode Fuzzy Hash: 9ee4415ca50324c33a3d5a57874f9cc99ad178eb9645fb895110d63af1d9e2c1
Instruction Fuzzy Hash: E6113D32A24B42A6F7159B2AD6443F932A4FB44B45F404535C74DC3A9AFF7CE864C750

Function 00007FF6B53CA44F Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

W$, xrefs: 00007FF6B53CA530
1#IND, xrefs: 00007FF6B53CA49F
1#INF, xrefs: 00007FF6B53CA4DB
1#SNAN, xrefs: 00007FF6B53CA4C2
1#QNAN, xrefs: 00007FF6B53CA4CB

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$W$
API String ID: 3215553584-4287779413
Opcode ID: e914ef83dae64b72f50003c00f300a4745ddd1fbbdf1c541f482026cce5ebf66
Instruction ID: 1b29d6b3927aebb7a2decaaa237e58af0b6a7b8f090a820626459eca46fad30a
Opcode Fuzzy Hash: e914ef83dae64b72f50003c00f300a4745ddd1fbbdf1c541f482026cce5ebf66
Instruction Fuzzy Hash: 9971DF72E383664BE7608B6C94447F97291AB94B94F444635DB1DDABCAEF3CED408B00

Function 00007FF6B53CF908 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6B53CF934
GetCurrentThreadId.KERNEL32 ref: 00007FF6B53CF942
GetCurrentProcessId.KERNEL32 ref: 00007FF6B53CF94E
QueryPerformanceCounter.KERNEL32 ref: 00007FF6B53CF95E

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4ffc0ff1ccd2cf120a16052376350404e0c91ed7b37e0d63ec5629fc76b72274
Instruction ID: 98ee56f73bf5a8efe3ea88392d958f286a054e251f682ed490f4aa8bbe864c37
Opcode Fuzzy Hash: 4ffc0ff1ccd2cf120a16052376350404e0c91ed7b37e0d63ec5629fc76b72274
Instruction Fuzzy Hash: 92113C26B24F028AEB00CF64E8542F833B4FB19B59F441E31DB6D867A9EF78D5648340

Function 00007FF6B53C36A8 Relevance: 5.5, APIs: 3, Instructions: 1005COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C3ADE
_get_daylight.LIBCMT ref: 00007FF6B53C3B79
_get_daylight.LIBCMT ref: 00007FF6B53C3B92

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID:
API String ID: 1286766494-0
Opcode ID: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction ID: 159d164ba0ec37ee1f057803e4f93c609d295efa494d2346f66a21e901fff19f
Opcode Fuzzy Hash: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction Fuzzy Hash: 3592AE32A2C7A286EB649F2895502B937A5FB45B84F148135DB8D87B9EEF3DDD14C300

Function 00007FF6B53DB170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B534C419), ref: 00007FF6B53DB196
FormatMessageA.KERNEL32 ref: 00007FF6B53DB1C9

Strings

!x-sys-default-locale, xrefs: 00007FF6B53DB189

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: e9313e5009c165bfc27bb14f9f63cf4f23352891cc12b2974ad7925588fd8796
Instruction ID: bbbb2e89f60658662c95ebfe500299d12b993e88ccb3eee3bc22ea6a0fc98707
Opcode Fuzzy Hash: e9313e5009c165bfc27bb14f9f63cf4f23352891cc12b2974ad7925588fd8796
Instruction Fuzzy Hash: 9B018472B6878282E7118B1AB4547FA67A1F788B84F444035DB5987B9EDF3CD905CB00

Function 00007FF6B53B3150 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6B53B31B6
memcpy_s.LIBCPMT ref: 00007FF6B53B31E1

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: eb07a1fe8bff8429000d82fc6708e1dd14e73367c47fa60bb37c8b50ad77a0f3
Instruction ID: 003d828990a3a83ae6048ebd4b34edf86b2af549b05658479451fa0f43c8a248
Opcode Fuzzy Hash: eb07a1fe8bff8429000d82fc6708e1dd14e73367c47fa60bb37c8b50ad77a0f3
Instruction Fuzzy Hash: C0C1E472B28A9587DB24DF1DA0446AAB791F784B84F448135DB4A87749EF3CED01CB00

Function 00007FF6B53A6540 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

EnumDisplayDevicesW.USER32 ref: 00007FF6B53A6657
EnumDisplayDevicesW.USER32 ref: 00007FF6B53A66FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A684F

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: DevicesDisplayEnum$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2655931952-0
Opcode ID: 94d2f9f446da62c2dc3d2d668c805b77a80d9ba8f9fb19c76c5bed2a069963bc
Instruction ID: ec22f79aa0eedce99b4128849c762f0f58d4fb03016ad73a71507f661c35b671
Opcode Fuzzy Hash: 94d2f9f446da62c2dc3d2d668c805b77a80d9ba8f9fb19c76c5bed2a069963bc
Instruction Fuzzy Hash: EE81D332A28B8586E711CF25E4443AE77A4F788B88F505225EF9C57B99EF3CD581C700

Function 00007FF6B53D7160 Relevance: 4.2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 00007FF6B53D7686
invalid literal/length code, xrefs: 00007FF6B53D764C
invalid distance code, xrefs: 00007FF6B53D7669

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: 6ea04a2f93dd3dc6463ff6e9b99ea612e1d6b379f2849f0432d7824071fe6352
Instruction ID: 75eeb174155e53a3cc85367c264d97fca08eb71769cb53cae6bf49ab619a686b
Opcode Fuzzy Hash: 6ea04a2f93dd3dc6463ff6e9b99ea612e1d6b379f2849f0432d7824071fe6352
Instruction Fuzzy Hash: 1BF11572B286D583DB588F2990447BD7BA2E784B84F048139EB9E437C9EE7CD804CB40

Function 00007FF6B53C14E4 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6B53C1733
RaiseException.KERNEL32 ref: 00007FF6B53C1744

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 7fa2203b5ce5cf4252278981a869295bf258e597fb1a3e488d01a74adacce12a
Instruction ID: 8488fe1da8b1b52aaf71ef6d239088d569aa07973f83042d4057df8a58223d8a
Opcode Fuzzy Hash: 7fa2203b5ce5cf4252278981a869295bf258e597fb1a3e488d01a74adacce12a
Instruction Fuzzy Hash: 8BB15A73A24B988AEB15CF2DC8463A87BA0F744F48F198921DB5D837A9DF39D851D700

Function 00007FF6B5397EC0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptProtectData.CRYPT32(?,?,?,?,?,?,?,?,1E5E0F68EF71A387,00007FF6B5397E98), ref: 00007FF6B5397F18
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,1E5E0F68EF71A387,00007FF6B5397E98), ref: 00007FF6B5397FAA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CryptDataFreeLocalProtect
String ID:
API String ID: 2714945720-0
Opcode ID: a2378fc87af65e51448867ee86bab5adaeca8e4500ced070fe446fae58ae31d0
Instruction ID: e98f70a8aa52d616d9896c7c62c3b437d3092fd2513bcb65b39ea8bf0bca90c4
Opcode Fuzzy Hash: a2378fc87af65e51448867ee86bab5adaeca8e4500ced070fe446fae58ae31d0
Instruction Fuzzy Hash: 65414B32A28B81CAE3208F34D4403ED37A4FB59B8CF444235EB8D56E8AEF79D5648354

Function 00007FF6B53983C0 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

BCryptCloseAlgorithmProvider.BCRYPT ref: 00007FF6B53983D9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5398436

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: AlgorithmCloseCryptProvider_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1900905105-0
Opcode ID: d48272242ff38cb51ff281d933a05202fbbbe6e34663287e7ca53ddf03012e02
Instruction ID: 4564de6ac2aeb1db782d32d980aef8733892707d655503f071f0cd9e453f270d
Opcode Fuzzy Hash: d48272242ff38cb51ff281d933a05202fbbbe6e34663287e7ca53ddf03012e02
Instruction Fuzzy Hash: 3A0181E2A15B8541EB589B29D4443BD6351EF98F88F944431DB4D4A78BEF7DC8948340

Function 00007FF6B53C46E4 Relevance: 2.9, Strings: 2, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

Strings

a/p, xrefs: 00007FF6B53C49FE
am/pm, xrefs: 00007FF6B53C4993

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: d4351435efb39c397654aac4863534f6b364d586ca34e5132229a126b3ed6b80
Instruction ID: e633d87172b0ba3b7d8f19cce2c3cbf7d146cc8218271f44a522947e2df655ee
Opcode Fuzzy Hash: d4351435efb39c397654aac4863534f6b364d586ca34e5132229a126b3ed6b80
Instruction Fuzzy Hash: E1E1AF22A2876285E7A4AF1995547F822A0FF55B86F544132EB4D8778EFF3EED40C300

Function 00007FF6B53C71D8 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068306ddd40209d889ad2deda50cfd289cb5f07b5063c8971a8727913c04ec65
Instruction ID: 554cfbce90bcf3328fa3a4f0df792891c645a96e56311ebfc527bafce430248d
Opcode Fuzzy Hash: 068306ddd40209d889ad2deda50cfd289cb5f07b5063c8971a8727913c04ec65
Instruction Fuzzy Hash: 0FE19032A18B9586E720DB65E4406EE37A0F794B88F404A35DF9D93B5BEF78E645C300

Function 00007FF6B537BDD0 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B537C0E4

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: e15d2f162ff1955ab864f6985266ecf3f2bc5c0452e497727127c975e7191d30
Instruction ID: 03a0384e2ae9869010829cdc7614142ce99d1e6084de9f75fc9a8300c396ed79
Opcode Fuzzy Hash: e15d2f162ff1955ab864f6985266ecf3f2bc5c0452e497727127c975e7191d30
Instruction Fuzzy Hash: CDA17922A29B99C9EB00CB69D4903EC3BB0F759B48F544426DF8D97B5AEF38D491C350

Function 00007FF6B537B780 Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B537BAA9

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: a9167eaa65478a799c7f3ec9e29dde26aa86ec3791fbfc1cbc06c4d1a3e3b434
Instruction ID: cbcd2f97c9b155531bdd0820b2490be905d5dd1a960547b9ba581726f95da652
Opcode Fuzzy Hash: a9167eaa65478a799c7f3ec9e29dde26aa86ec3791fbfc1cbc06c4d1a3e3b434
Instruction Fuzzy Hash: 4AA18B22A29B99C9EB00CBA9D4903EC37B0F759B48F544126DF8D97B5AEF38D491C300

Function 00007FF6B537B480 Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B537B778

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 1a0b0a27a47120f0dd3118ebd9992b9d6fd92610f51e4eb7e5d0b138f3b139a1
Instruction ID: c936f84bd209b8a657e08bf41119422c24a50338ad01f6b9d97c806687bcab6b
Opcode Fuzzy Hash: 1a0b0a27a47120f0dd3118ebd9992b9d6fd92610f51e4eb7e5d0b138f3b139a1
Instruction Fuzzy Hash: 3EA16B62A29B99C9EB008B69D4903EC67B0FB59B48F544426CF8D97B5AEF3CD491C310

Function 00007FF6B537C420 Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B537C718

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 19b8e35a52236dea822ac287a77672b763b92d4e180ebbf92390928410f80ccd
Instruction ID: e8c9656ceaed20f8310c9df37fe19d0e2eb4bba84229bf18311226bac76c9e6e
Opcode Fuzzy Hash: 19b8e35a52236dea822ac287a77672b763b92d4e180ebbf92390928410f80ccd
Instruction Fuzzy Hash: 76A18B62A29B99C9EB01CB69D4803EC37B0F759B48F584426CF8D97B5AEF38D491C300

Function 00007FF6B53C9310 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B53B9EEC: GetLastError.KERNEL32 ref: 00007FF6B53B9EFB
Part of subcall function 00007FF6B53B9EEC: FlsGetValue.KERNEL32 ref: 00007FF6B53B9F10
Part of subcall function 00007FF6B53B9EEC: SetLastError.KERNEL32 ref: 00007FF6B53B9F9B

Part of subcall function 00007FF6B53B9EEC: FlsSetValue.KERNEL32 ref: 00007FF6B53B9F31

GetLocaleInfoW.KERNEL32 ref: 00007FF6B53C9378

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: d3f265d93177da05e9e3079d3dae9c7822de4fa7ba26229b0f968e85ede82faf
Instruction ID: 7394674af4cb4cc63fa37fc78a79e29bf2422dda5adb05cedb94edbd4839ecd0
Opcode Fuzzy Hash: d3f265d93177da05e9e3079d3dae9c7822de4fa7ba26229b0f968e85ede82faf
Instruction Fuzzy Hash: F7314432A2878686EB649B69D4613E973A1FB44F84F418135DB4DC378AEF3DF8118B00

Function 00007FF6B5346510 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

QN , xrefs: 00007FF6B5346877

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID: QN
API String ID: 0-3349929942
Opcode ID: 2db597cf25c999939cc3b819fed71c1e326e74b4ad1904394b10da5a057d82d8
Instruction ID: cfd85e09ea1d043c0c951c43df0846214b500c628dd55652e886c50b3b55f33d
Opcode Fuzzy Hash: 2db597cf25c999939cc3b819fed71c1e326e74b4ad1904394b10da5a057d82d8
Instruction Fuzzy Hash: 7002D532915BC489E7628F39E8803D9B7B4F7AD788F105225EBCC66B59EF74D2908740

Function 00007FF6B53C9518 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B53B9EEC: GetLastError.KERNEL32 ref: 00007FF6B53B9EFB
Part of subcall function 00007FF6B53B9EEC: FlsGetValue.KERNEL32 ref: 00007FF6B53B9F10
Part of subcall function 00007FF6B53B9EEC: SetLastError.KERNEL32 ref: 00007FF6B53B9F9B

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6B53C92C2), ref: 00007FF6B53C954F

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 8a450860209e15821de9f16c01ed0612a725223f9a4b72f88eafb3edea00904a
Instruction ID: 562494ec8bc7cc3de07e0acb8d73faf9b476ded37d48ba400672556eaa82375e
Opcode Fuzzy Hash: 8a450860209e15821de9f16c01ed0612a725223f9a4b72f88eafb3edea00904a
Instruction Fuzzy Hash: 71112B33F2876243E7648719A060ABE2250EB44F54F554631D72E837CAFF29EC818B00

Function 00007FF6B5394EA3 Relevance: 1.5, APIs: 1, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF6B5394EFD
CoSetProxyBlanket.OLE32 ref: 00007FF6B5394F52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539513A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: BlanketCreateInstanceProxy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2651345351-0
Opcode ID: 40773d99c68af0ed28a683e1120cd973a1f3f0d295592a8dd6d360565397851e
Instruction ID: 6372e7064107f4d8c2fc55fc596c962941ebe8668fb83e26b0179bd957c41fc9
Opcode Fuzzy Hash: 40773d99c68af0ed28a683e1120cd973a1f3f0d295592a8dd6d360565397851e
Instruction Fuzzy Hash: 1501A262F18A4586FB22DB69E4013ED6360BB48B58F400536CF4E83B5AEF3CD595C340

Function 00007FF6B53B6164 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6B53B6346

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d56b133698f6429a15668cf33a50c2b0452d3e907794045ce25e286071ddca93
Instruction ID: 6c51ec777f4b0c2cde5546cb4c29161a226efe6a7faaa7cf454ecd57d4daa739
Opcode Fuzzy Hash: d56b133698f6429a15668cf33a50c2b0452d3e907794045ce25e286071ddca93
Instruction Fuzzy Hash: 77B15E72628E8585EB649F2DC0502AD3BA4E745F48F684235CB4E8739BEF39D892C705

Function 00007FF6B53C9EEC Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6B53C9EF0

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 9736d98ff4c00b43741f239e002f48ba729bdd9c0db5a1f9682fb9dc510a38ab
Instruction ID: b1b484b5db7ae7fea2d6da8b2f1e7b236061c3c1b6014405bb4a9537f5362f91
Opcode Fuzzy Hash: 9736d98ff4c00b43741f239e002f48ba729bdd9c0db5a1f9682fb9dc510a38ab
Instruction Fuzzy Hash: C5B09220E27B06C6EA482B597C8225823A47F88B01F990239D20C80325EF2C28E65701

Function 00007FF6B53483D0 Relevance: .8, Instructions: 795COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60e777daeaea113d67f9bda991af49b1d649395350f0fb3635444d7023d5cec
Instruction ID: b5d94517e7312476d28e1afe580a24a7a9aaa89d8ce7704bc8a3abfa65708524
Opcode Fuzzy Hash: c60e777daeaea113d67f9bda991af49b1d649395350f0fb3635444d7023d5cec
Instruction Fuzzy Hash: 79A28F36615FC88AD7418FAAEC8119973B6F748BA8B101629EFCC57F19EBB4C164C740

Function 00007FF6B5345520 Relevance: .8, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b26b264dc319334a57f9a21a87e01f2abcb0f4ad2a21d4ccd67af80162f90e
Instruction ID: 03ab0271e402089f9b4f0a64de0ea7e4247f57dd22b36671cc20378880b24d26
Opcode Fuzzy Hash: 28b26b264dc319334a57f9a21a87e01f2abcb0f4ad2a21d4ccd67af80162f90e
Instruction Fuzzy Hash: 2192D632918BC88AD7718F29E8812DAB7A8F79D748F505325EBCC56B19EF38D254C704

Function 00007FF6B5382750 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction ID: 1f6353a537f43d89c1c70b0cff8fc5222e727a72529553c60ad07293a02316a5
Opcode Fuzzy Hash: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction Fuzzy Hash: 5EC10023B2969587EB1ACF56D9845A9B762F7D4FD0B55C131EB4A83B88DE3CD802C700

Function 00007FF6B5326610 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2058f1c1a01537bbcc10525baaa4b14614c3b84cd64c01d434f607c274e743
Instruction ID: d1ab7f760188ee277c9e122c92fe1a5a08bb9ef0083ab6adb3926d705eb74924
Opcode Fuzzy Hash: bd2058f1c1a01537bbcc10525baaa4b14614c3b84cd64c01d434f607c274e743
Instruction Fuzzy Hash: C412C532919BC98AD7718F29E84129AB3A4F79D788F505325EBCC57B19EF38D250CB04

Function 00007FF6B53BA924 Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: a2379e98abae736fe33e8b4f9fedcc0141c51f1be06055089ccb01d873b85599
Instruction ID: 51e6ed1ad4bd1b5a7d03b8016cf6607a28f3b166ef56c2646fae088581b6c21e
Opcode Fuzzy Hash: a2379e98abae736fe33e8b4f9fedcc0141c51f1be06055089ccb01d873b85599
Instruction Fuzzy Hash: 09C1B562A28E8645EB60AB2994103FA67A0FB94F88F444035DF8DC779EFF3CD9458700

Function 00007FF6B53B666C Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction ID: ab372a0e23b7bca5fc1bb711a45a282335389defbba6f48070a31fcbbfd82b69
Opcode Fuzzy Hash: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction Fuzzy Hash: 32C1B162A28A4286EB299E2DC4506BD37A0EB45F48F144235CF5DC779BEF39DC86C740

Function 00007FF6B53C8674 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction ID: 38acd0f380d4bc3ebe740ac32a32d892155765b675336dd8cf73f050d8a966f4
Opcode Fuzzy Hash: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction Fuzzy Hash: 6EB1A132A2876692EBA5DB29D4116F973A0EB44F88F404131DB59C77CEEF3CEA418740

Function 00007FF6B53B8D50 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 65cb0e03891be60b6b6053fa39e45d28bcdd28ebeeb85bb53b847996ab939a74
Instruction ID: 5b5398942d1a2a37ac182840868140b8634db461f7b3c354c7c0222dcb947785
Opcode Fuzzy Hash: 65cb0e03891be60b6b6053fa39e45d28bcdd28ebeeb85bb53b847996ab939a74
Instruction Fuzzy Hash: 1081A332A24E1186EBA49F29D4813BD6361FB48F98F144636EF5DC778AEF38D9418340

Function 00007FF6B5374720 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction ID: 7439f84f686b79b7b60a0aa5be0b67d29e22776a32f58505ec9653f72bd92d35
Opcode Fuzzy Hash: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction Fuzzy Hash: CA61F522B28BC882DA51CB1DE0406A9A361E759BD4F549235EB9D87B89FF3CE580C340

Function 00007FF6B5395EF0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b24077aedd3f9e8a449d09c4eafcb8d5ede4dcad30c6275166c395dfd1882a
Instruction ID: d2ac0b7bd0eb941c509c516acf1e0bc5afe428f2fd1812988fe246b1f5a6d85d
Opcode Fuzzy Hash: 35b24077aedd3f9e8a449d09c4eafcb8d5ede4dcad30c6275166c395dfd1882a
Instruction Fuzzy Hash: CF61D12321E2C48FD30EDF7C589106D7F61D7A7908388469DEAC5EB74BC514C91ACBA6

Function 00007FF6B53BF7E6 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd72482e03d17e0c267891211c2a08fffdf3b2de236a6c27577c882ac387638
Instruction ID: 8a329f1c1556755d2609766852ca50400cf7488aac0f3a567308d402fe9788c4
Opcode Fuzzy Hash: afd72482e03d17e0c267891211c2a08fffdf3b2de236a6c27577c882ac387638
Instruction Fuzzy Hash: DC51F672A28AC146DB64DB1D94403B9B790FB46B94F105235DB9DC3B9EEF3EE9408B00

Function 00007FF6B53D4E30 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fef933332038a432e0cbe0650c9c98f510f7709ea3c3125d6e13103ebde481
Instruction ID: 1198c1209931bd2d5ede642e1be6e3ce5eb6759eda066c875370076752a3c2e6
Opcode Fuzzy Hash: e6fef933332038a432e0cbe0650c9c98f510f7709ea3c3125d6e13103ebde481
Instruction Fuzzy Hash: DA51D5B1FA80E107DFAC433DA835FB86DD99B82351B09E039E151C9BDBF41E8512A744

Function 00007FF6B539E2F0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb7937483d9751731351928e76aee8723c875862e1f4a830a78d4c5ab3ff41f
Instruction ID: 0756c38dea133fc75f0803fee79780ffd4fb52638ea6dee27358b02460cfcf11
Opcode Fuzzy Hash: 8fb7937483d9751731351928e76aee8723c875862e1f4a830a78d4c5ab3ff41f
Instruction Fuzzy Hash: 9B5104A3B0568443DB248B49F842796F7A5FB987C5F00A126EE8D57B69EB3CD5808700

Function 00007FF6B53B5598 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction ID: 683193802ffc816176e64e76a94cb1baebfb22ed6be3a82fdd833259b30f3fe0
Opcode Fuzzy Hash: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction Fuzzy Hash: 28516E36A28A5186E7249B2DD0403B927A1EB58F58F245131CB4D9779AFF3AEC43C780

Function 00007FF6B53B579C Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction ID: 37adac26144b190b4425de34cee9121a1cdb301f0d1cbdb5e54ca2ba5db33ae3
Opcode Fuzzy Hash: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction Fuzzy Hash: E6514E36B28A5186E7659B2DC0502A837A1EB48F58F244131CB4DD779AEF3AED53C780

Function 00007FF6B53B5394 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction ID: 168364ed28d557d4262a49c1ef7b09d965929a5c3d271ee9d457b3e5a59019e7
Opcode Fuzzy Hash: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction Fuzzy Hash: BC515F36A38A5186E7249B2DD0403B837A1EB44F59F244131CB4D9779AFF7AED52C740

Function 00007FF6B53CDF10 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7dbd699fb3bd762dbe675c4fc42dbf179cbe829f533610fd9071a5c01d9a8f
Instruction ID: e909865a05a90fedcfcb28a2c62dcdf6bd78ea6f41d99e60a9ee79ecf090be8c
Opcode Fuzzy Hash: 7d7dbd699fb3bd762dbe675c4fc42dbf179cbe829f533610fd9071a5c01d9a8f
Instruction Fuzzy Hash: E3F062B1B282958AEBA48F2DB84266977D0F708780F908039E78DC3B18DA3C94618F44

Function 00007FF6B53CF498 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261fe6521d892542d75bab8d3c7c41f58578a8ad23917a021c9647768b8a2587
Instruction ID: 299d4648559812499201b4aa2c14f5e87a4997a0b3e695e5f5bc3c58846ed6ad
Opcode Fuzzy Hash: 261fe6521d892542d75bab8d3c7c41f58578a8ad23917a021c9647768b8a2587
Instruction Fuzzy Hash: 55A0022196CE53F5E6048B48E8510B42730FB54B51B800271C20DC266ABF3DAC52C314

Function 00007FF6B5395180 Relevance: 18.5, APIs: 12, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5394A30: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6B5394A86
Part of subcall function 00007FF6B5394A30: Process32FirstW.KERNEL32 ref: 00007FF6B5394ACA
Part of subcall function 00007FF6B5394A30: Process32NextW.KERNEL32 ref: 00007FF6B5394ADF
Part of subcall function 00007FF6B5394A30: OpenProcess.KERNEL32 ref: 00007FF6B5394B1B
Part of subcall function 00007FF6B5394A30: OpenProcessToken.ADVAPI32 ref: 00007FF6B5394B42
Part of subcall function 00007FF6B5394A30: CloseHandle.KERNEL32 ref: 00007FF6B5394CB6
Part of subcall function 00007FF6B5394A30: Process32NextW.KERNEL32 ref: 00007FF6B5394CC3
Part of subcall function 00007FF6B5394A30: CloseHandle.KERNEL32 ref: 00007FF6B5394D07

ImpersonateLoggedOnUser.ADVAPI32 ref: 00007FF6B53956C8
RevertToSelf.ADVAPI32 ref: 00007FF6B53956E6
ImpersonateLoggedOnUser.ADVAPI32 ref: 00007FF6B53951DD

Part of subcall function 00007FF6B534F380: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B534F3E3

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53958D5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53958DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53958E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53958E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53958ED
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53958F3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53958F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5395905

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Process32$CloseHandleImpersonateLoggedNextOpenProcessUser$CreateFirstRevertSelfSnapshotTokenToolhelp32
String ID:
API String ID: 2435156947-0
Opcode ID: 9eb6316bf9a3d5c729c92944e00dde4c55d48e24f54c754d0e24de184432b793
Instruction ID: 623cb845d6fd70736174ee937d734013836951f114e37b908ae9bfcf0c9537bf
Opcode Fuzzy Hash: 9eb6316bf9a3d5c729c92944e00dde4c55d48e24f54c754d0e24de184432b793
Instruction Fuzzy Hash: 6A2271A2A2878185FB009B6CD4443ED6761EB45BA4F505631EB6E86BDFEF7CD884C700

Function 00007FF6B536B780 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 365COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536BCDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536BCE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536BCE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536BCEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536BCF2

Strings

unexpected , xrefs: 00007FF6B536BB37
; expected , xrefs: 00007FF6B536BC37
; last read: ', xrefs: 00007FF6B536B9AC
while parsing , xrefs: 00007FF6B536B828
syntax error , xrefs: 00007FF6B536B7BF

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
API String ID: 3668304517-4239264347
Opcode ID: 4759e7637af97db017a4dc52dc87106eb20a3778af6e12682d5cae83adf0f2e3
Instruction ID: 051e52d3cce930d1ad90d591c64d9bc2fd5ab3007543d87bcc11832ec84b1559
Opcode Fuzzy Hash: 4759e7637af97db017a4dc52dc87106eb20a3778af6e12682d5cae83adf0f2e3
Instruction Fuzzy Hash: 38F16362F18B9189FB109BA8D4503EC2B71AB05BA8F504239DF1D57BDEEF789885D340

Function 00007FF6B53B0254 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 407COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B0283
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B0353

Strings

0, xrefs: 00007FF6B53B037D
0, xrefs: 00007FF6B53B038F
0, xrefs: 00007FF6B53B0325

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0$0
API String ID: 3215553584-3137946472
Opcode ID: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction ID: 914da077517b3e69e369b61b6e5794e2ab26c05d1735ee6187a0a0d33d3a3174
Opcode Fuzzy Hash: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction Fuzzy Hash: 00E1D53292DE4689F762AA2D80D03FD2791DB51F84F548032C78C8779BEE3DAD598701

Function 00007FF6B539AEA0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B539AF1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6B539AF65
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B539B0E1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B539B0F4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B539B0FA

Strings

false, xrefs: 00007FF6B539AFED
true, xrefs: 00007FF6B539B01C
bad locale name, xrefs: 00007FF6B539B0E7

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: 5c2984d9f35fc82fd5565a6530e0fabf19555f4e36f53be872b21c732f2ac9b9
Instruction ID: 5b7e16d4a9990b15da0abb82f098a40847e6c0deaa1346457ddb5bdba2cde1cd
Opcode Fuzzy Hash: 5c2984d9f35fc82fd5565a6530e0fabf19555f4e36f53be872b21c732f2ac9b9
Instruction Fuzzy Hash: 1C711922B19B418AEB15DF68E4502EC33B5EF44B08F144535DB4DA7B9BEF38A921D344

Function 00007FF6B539B2D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FF6B539B33B
InternetOpenUrlA.WININET ref: 00007FF6B539B370
InternetReadFile.WININET ref: 00007FF6B539B391
InternetReadFile.WININET ref: 00007FF6B539B3CF
InternetCloseHandle.WININET ref: 00007FF6B539B3DC
InternetCloseHandle.WININET ref: 00007FF6B539B3E5

Strings

File Downloader, xrefs: 00007FF6B539B334

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Internet$CloseFileHandleOpenRead
String ID: File Downloader
API String ID: 4038090926-3631955488
Opcode ID: 2d8777ee4260c80b314c9bed156458a8780df2b315401914807f3b6119ccca09
Instruction ID: 3fcbbcd924315da5067adcadc11ac08f3f04cec7c623b3f263063707e080b2a1
Opcode Fuzzy Hash: 2d8777ee4260c80b314c9bed156458a8780df2b315401914807f3b6119ccca09
Instruction Fuzzy Hash: E731623261878582E710CF59E4506A9B760FB88FC4F544035EF4E83B5AEF7CE9458B00

Function 00007FF6B53B38F0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B3933
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B3D20
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B3FBC

Strings

p, xrefs: 00007FF6B53B3A5D
p, xrefs: 00007FF6B53B39E5
f, xrefs: 00007FF6B53B3A55

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction ID: 4da5d7e13f6d5846191ce942f6b586789441c27b0708183982fd238a0c3e2656
Opcode Fuzzy Hash: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction Fuzzy Hash: 51128061A2C96386FB607A18A0542F976A1FB80F50F944135E799C77CEEF3CED848B14

Function 00007FF6B53688C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FF6B5368AA3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5368B2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5368B33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5368B39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5368B3F

Strings

other_error, xrefs: 00007FF6B5368932

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: other_error
API String ID: 1944019136-896093151
Opcode ID: f2863eced8903010f95aa60885efb369d84bc1512526cd4d3b3634791fd3fac8
Instruction ID: 2ad603e274463307495615ca17388765915263a0c1e413f5b6821fb47b46cd6f
Opcode Fuzzy Hash: f2863eced8903010f95aa60885efb369d84bc1512526cd4d3b3634791fd3fac8
Instruction Fuzzy Hash: 3271B362F29B8189FB01CB78D4403EC6361AB59B98F005235EB6C567DEEE78D595C300

Function 00007FF6B534EF10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B534F0B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B534F0B8
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B534F0F0
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6B534F0FD

Strings

at line , xrefs: 00007FF6B534EF9A
, column , xrefs: 00007FF6B534EFC8

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: __std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: at line $, column
API String ID: 729085983-191570568
Opcode ID: 0568d2328471f8f76334d58d3ad0d9c07eec44adb01daa58e6bbaa1e44269a43
Instruction ID: 66281b0fb5e2b88e93755585b115172a0738ccb3d286cd2a28727a1c4d8ea9ad
Opcode Fuzzy Hash: 0568d2328471f8f76334d58d3ad0d9c07eec44adb01daa58e6bbaa1e44269a43
Instruction Fuzzy Hash: 1051C662A18B8141EA109B19E5442BE7761FB89FD0F144231EBAC47BDBEF3DD891C740

Function 00007FF6B53D43CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6B53D467E,?,?,?,00007FF6B53D4370,?,?,?,00007FF6B53D0E4D), ref: 00007FF6B53D4451
GetLastError.KERNEL32(?,?,?,00007FF6B53D467E,?,?,?,00007FF6B53D4370,?,?,?,00007FF6B53D0E4D), ref: 00007FF6B53D445F
LoadLibraryExW.KERNEL32(?,?,?,00007FF6B53D467E,?,?,?,00007FF6B53D4370,?,?,?,00007FF6B53D0E4D), ref: 00007FF6B53D4489
FreeLibrary.KERNEL32(?,?,?,00007FF6B53D467E,?,?,?,00007FF6B53D4370,?,?,?,00007FF6B53D0E4D), ref: 00007FF6B53D44F7
GetProcAddress.KERNEL32(?,?,?,00007FF6B53D467E,?,?,?,00007FF6B53D4370,?,?,?,00007FF6B53D0E4D), ref: 00007FF6B53D4503

Strings

api-ms-, xrefs: 00007FF6B53D4471

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 081807f0f237e99e654a6d52eb3ba83cc0c1c8883019cc9f4ec60aedd52be443
Instruction ID: 87bbeadc8a5f79213d1524436435f6f2b1dfece7837dcbe95152f990d1e365cf
Opcode Fuzzy Hash: 081807f0f237e99e654a6d52eb3ba83cc0c1c8883019cc9f4ec60aedd52be443
Instruction Fuzzy Hash: 5031A321A2AB4291EE52EB0AA8005B523F4BF44F64F498535DF1D8778AFF7CE8908300

Function 00007FF6B53B9EEC Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6B53B9EFB
FlsGetValue.KERNEL32 ref: 00007FF6B53B9F10
FlsSetValue.KERNEL32 ref: 00007FF6B53B9F31
FlsSetValue.KERNEL32 ref: 00007FF6B53B9F5E
FlsSetValue.KERNEL32 ref: 00007FF6B53B9F6F
FlsSetValue.KERNEL32 ref: 00007FF6B53B9F80
SetLastError.KERNEL32 ref: 00007FF6B53B9F9B

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 234b12f341dec54f59bcc24a3b45c090fbebf6e7b37c81ec12f591380fe05ed0
Instruction ID: 471864d740f3ab88b8265c0a784719af2363e5e518120dc1666b12928843ccd9
Opcode Fuzzy Hash: 234b12f341dec54f59bcc24a3b45c090fbebf6e7b37c81ec12f591380fe05ed0
Instruction Fuzzy Hash: 32213021B2DA4242FA59772955611B962415F44FB5F144B34EB2D867CFFE2CFC418710

Function 00007FF6B53CC8CC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6B53CC8FD
GetLastError.KERNEL32 ref: 00007FF6B53CC909
CloseHandle.KERNEL32 ref: 00007FF6B53CC921
CreateFileW.KERNEL32 ref: 00007FF6B53CC94C
WriteConsoleW.KERNEL32 ref: 00007FF6B53CC96B

Strings

CONOUT$, xrefs: 00007FF6B53CC92D

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 53dac6272d403f79ff27e653aa55d51cb6535fcae6368453f164039c5e4e95e8
Instruction ID: a02217fe49b10b5a38154aa283418b8678090b018a4701172f5756bf640b80f0
Opcode Fuzzy Hash: 53dac6272d403f79ff27e653aa55d51cb6535fcae6368453f164039c5e4e95e8
Instruction Fuzzy Hash: FC118E31A28B4186E7508B4AF8543A977A0FB88FE4F040234EB5DC77A9EF3CE9548740

Function 00007FF6B53DD42C Relevance: 9.2, APIs: 6, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6B53DD4D9
MultiByteToWideChar.KERNEL32 ref: 00007FF6B53DD575
MultiByteToWideChar.KERNEL32 ref: 00007FF6B53DD61E
MultiByteToWideChar.KERNEL32 ref: 00007FF6B53DD648
MultiByteToWideChar.KERNEL32 ref: 00007FF6B53DD6F0
CompareStringEx.KERNEL32 ref: 00007FF6B53DD73D

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 26eb7e015d5d110b74ff0d84bcaa31491d724dbf353ec7a17117fafe3eaea0ab
Instruction ID: 0d0ba0e1ba68184cc81a796c59430a1d9332fd242ef49e71417b17df76b25f7c
Opcode Fuzzy Hash: 26eb7e015d5d110b74ff0d84bcaa31491d724dbf353ec7a17117fafe3eaea0ab
Instruction Fuzzy Hash: F0A18062A6978246FB619F2894503F977A2AB41F98F444A31DB5D877CAFF3CEC448340

Function 00007FF6B53B0840 Relevance: 9.2, APIs: 6, Instructions: 157COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B08B2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B08E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B0923
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B0965
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B099A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B0A17

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 619b2885e3fd1682f6a864358b33df5452abb606e6c6f730ccce56a3fdc98189
Instruction ID: 87bc3fa9559e7b80594da723e6884b58648d4dfc5bb2cc21a737559160ba0740
Opcode Fuzzy Hash: 619b2885e3fd1682f6a864358b33df5452abb606e6c6f730ccce56a3fdc98189
Instruction Fuzzy Hash: 57513E2292DE8685FB93AF2890A02FD7791AB45F44F448071C78C8739BEE2D9C46C742

Function 00007FF6B53D1F14 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6B53D20B2
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6B53D23DB

Strings

csm, xrefs: 00007FF6B53D1FF9
csm, xrefs: 00007FF6B53D205B
csm, xrefs: 00007FF6B53D20D9

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: c1d1beaa4113af996e1338b12892c8267a8f52db6b2a83b87ebed410bd88f7c3
Instruction ID: a0760362d71977526460d0f950a603bd96057fdbbb9540f79a97d85b6fa3349a
Opcode Fuzzy Hash: c1d1beaa4113af996e1338b12892c8267a8f52db6b2a83b87ebed410bd88f7c3
Instruction Fuzzy Hash: AFE19F629687828AE7519B68D4802ED77B0FB44B48F114235EF8D877DBEF38E981C700

Function 00007FF6B5356490 Relevance: 7.8, APIs: 5, Instructions: 312COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356922
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356928
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535692E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B5356934
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B535693A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 803ca54e3e655cfce5e0d02a6eb01fa19050cbeec9da1d7b51a4c3d1aa9fb0d7
Instruction ID: d6f49fee5683f8445ff95e5e722e38ab154f23faffd3f9b72910bdd95eaa3293
Opcode Fuzzy Hash: 803ca54e3e655cfce5e0d02a6eb01fa19050cbeec9da1d7b51a4c3d1aa9fb0d7
Instruction Fuzzy Hash: 29D1A162F28B8185FA109B69E4402ED6761EB45BE8F101631EF5D97BDEEF78D881C300

Function 00007FF6B53D1314 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF6B53D1437
__AdjustPointer.LIBCMT ref: 00007FF6B53D1482

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3df3621708c9e1d29be45954cd8076bff015c977087edb3d15e3ad851c434b44
Instruction ID: badbb7d536fcd3109490b096e7d3e3fb3c0b03a6c0ef1d9c24338e55961f281e
Opcode Fuzzy Hash: 3df3621708c9e1d29be45954cd8076bff015c977087edb3d15e3ad851c434b44
Instruction Fuzzy Hash: 5AB1A322EA968682EA659B59D1406B863B1AF44FC4F198435DF4D877CFFE3CEC528300

Function 00007FF6B53C11C8 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6B53C1207
_set_statfp.LIBCMT ref: 00007FF6B53C1225
_set_statfp.LIBCMT ref: 00007FF6B53C124E
_set_statfp.LIBCMT ref: 00007FF6B53C148A

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: dafef7e4c20223e5ca6141b6b5924ce650fb2efe4a4f2b5535d10e0333dca376
Instruction ID: c5929ef3b9132c0f2406ff0bd1b74c15b4816854b81e951756a388f885c1899b
Opcode Fuzzy Hash: dafef7e4c20223e5ca6141b6b5924ce650fb2efe4a4f2b5535d10e0333dca376
Instruction Fuzzy Hash: 9981DA12D28B5645F6729B3DA4002FAA260AF55B94F044331EB4EA679EFF3CEC919700

Function 00007FF6B53AA260 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF6B53AA280
FreeEnvironmentStringsW.KERNEL32 ref: 00007FF6B53AA37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53AA3A5
RtlInitUnicodeString.NTDLL ref: 00007FF6B53AA3EE
RtlInitUnicodeString.NTDLL ref: 00007FF6B53AA3FB

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: EnvironmentInitStringStringsUnicode$Free_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1868271193-0
Opcode ID: f38410d1663a3c3ea2f5305d9f7767b79f8e6583bd52c22dc4790f0fe6c50e43
Instruction ID: 9b257c344365714304d444fe0be91738531475474eafde45d6648c9f0a62e8b4
Opcode Fuzzy Hash: f38410d1663a3c3ea2f5305d9f7767b79f8e6583bd52c22dc4790f0fe6c50e43
Instruction Fuzzy Hash: F8518072A18B8182EB118F19E4403AD7760FB94F94F549225DB9D43B9AEF7CE5E1C300

Function 00007FF6B536F2C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 292COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536F4C6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B536F4D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536F6D1

Strings

Nk, xrefs: 00007FF6B536F5AD

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: Nk
API String ID: 3936042273-1353404103
Opcode ID: 47971b2b297099cf51065093ee76f174fdeaffe5bb93d43a9961e66d31b14998
Instruction ID: 476f010d9336e585a0a2ee7588e42f9c384b47a75a6b47f4b1054c176704e88b
Opcode Fuzzy Hash: 47971b2b297099cf51065093ee76f174fdeaffe5bb93d43a9961e66d31b14998
Instruction Fuzzy Hash: 8CC17D33A18B858AE711CF69E4402ED73B1FB59B98F045625DF8D53B5AEF38E5A08300

Function 00007FF6B53D2688 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6B53D26F8
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6B53D2743

Strings

MOC, xrefs: 00007FF6B53D270C
RCC, xrefs: 00007FF6B53D2714

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 9c00d47a1c5516f7bd2be0d164cd20731702100fa42f3d3dd2f3d47e27ffce20
Instruction ID: 77b1331018cda7a00e215a6a4b62cdc4261dbdd870bc7a590a0b9c9648d4bcad
Opcode Fuzzy Hash: 9c00d47a1c5516f7bd2be0d164cd20731702100fa42f3d3dd2f3d47e27ffce20
Instruction Fuzzy Hash: 3E91C673A18B819AE751CB68E4802ED77B0FB44B88F14412AEF4D9779AEF38D595C700

Function 00007FF6B53D2418 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6B53D2477
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6B53D24C3

Strings

RCC, xrefs: 00007FF6B53D2493
MOC, xrefs: 00007FF6B53D248B

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: a60986bc9adbf2c75a94aae45f25198f4bb40c34f31260bb5ef7955aadcba44f
Instruction ID: 4f2ace02d510ebf2fe5e3670a787ba3afad70d27d0ec921a5aabbb4c6a330635
Opcode Fuzzy Hash: a60986bc9adbf2c75a94aae45f25198f4bb40c34f31260bb5ef7955aadcba44f
Instruction Fuzzy Hash: 9B61B232918BC591D7219B29E4807EAB7A0FB84F94F044225EF8C43B9AEF7CD590CB00

Function 00007FF6B53A0526 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A0647
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B53A064D

Part of subcall function 00007FF6B53D0E88: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6B53DC3D2), ref: 00007FF6B53D0ED8
Part of subcall function 00007FF6B53D0E88: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6B53DC3D2), ref: 00007FF6B53D0F19

Strings

exists, xrefs: 00007FF6B53A0663
ios_base::badbit set, xrefs: 00007FF6B53A0685, 00007FF6B53A06BC, 00007FF6B53A06FA

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExceptionFileHeaderRaise
String ID: exists$ios_base::badbit set
API String ID: 240014264-2074760687
Opcode ID: a4f327a84339e12cc55e92ce62d72d2997565a8db53c75ec50c66e7b8b607d78
Instruction ID: 968589648d82fc7abe7be5e5d4c2d32e385cb71bb633dc6efce0896206b53dc6
Opcode Fuzzy Hash: a4f327a84339e12cc55e92ce62d72d2997565a8db53c75ec50c66e7b8b607d78
Instruction Fuzzy Hash: 25410D72619BC695EA21DB18E4942EA7761FB84B40F804532D78D83BAEEF7CD905CB40

Function 00007FF6B53DB210 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6B53DB8FA), ref: 00007FF6B53DB226
GetProcAddress.KERNEL32(?,?,?,00007FF6B53DB8FA), ref: 00007FF6B53DB236

Strings

kernel32.dll, xrefs: 00007FF6B53DB21F
GetTempPath2W, xrefs: 00007FF6B53DB22C

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTempPath2W$kernel32.dll
API String ID: 1646373207-1846531799
Opcode ID: 85c4015c5df5ee79752990f65a767554006cfd6127e60443cb10f02faa6b2ab0
Instruction ID: 66813f885c3914f9df97819d14cc5bd74e853fe920fe68ae4aa47689eb24c914
Opcode Fuzzy Hash: 85c4015c5df5ee79752990f65a767554006cfd6127e60443cb10f02faa6b2ab0
Instruction Fuzzy Hash: 05E01221B28B0691EE049B59F9844F97321BF48F81B985035CA0E8733AFF3CE8598700

Function 00007FF6B539D620 Relevance: 6.4, APIs: 4, Instructions: 370COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539DB64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539DB6A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B539DB76
SysFreeString.OLEAUT32 ref: 00007FF6B539DB97

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FreeString
String ID:
API String ID: 1965679434-0
Opcode ID: e707a254593d276e9d81f7da790380d37dd460deab93068eb36779375bd74940
Instruction ID: 2087190758d1572011e1b02be3f44d1f75cbf450dbc6eb272c72b5ce17800771
Opcode Fuzzy Hash: e707a254593d276e9d81f7da790380d37dd460deab93068eb36779375bd74940
Instruction Fuzzy Hash: F2E19162F28B818AFB00DBA9D4512EC23B2EB45B98F404535DF1D97B9FEE38D9558340

Function 00007FF6B53BC578 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6B53BC5F7
WriteFile.KERNEL32 ref: 00007FF6B53BC8BF
WriteFile.KERNEL32 ref: 00007FF6B53BC905
GetLastError.KERNEL32 ref: 00007FF6B53BC9BB

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction ID: 3775dfb0562ea7f7b44e289bb7a97a54a9a5348cbeccdecb76565f877924db7f
Opcode Fuzzy Hash: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction Fuzzy Hash: A5D1D332B28A4589E721DF69D4406EC37B1FB55F98B084236CF5D97B9AEE38D806C740

Function 00007FF6B536B3D0 Relevance: 6.1, APIs: 4, Instructions: 147COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536B528
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536B52E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536B534
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B536B59C

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: dc1f7467f6b438ed16d1ac356133b9821a069205ebe8ddfd552de79892740363
Instruction ID: 109083aac7aa5309231fec5ec454ba26b332b871a6d9fc8973366c7785c60fcc
Opcode Fuzzy Hash: dc1f7467f6b438ed16d1ac356133b9821a069205ebe8ddfd552de79892740363
Instruction Fuzzy Hash: 55518E7272AB8581EE14CF68E4542AC73A5FB44F94F544635DBAC47B8AEF2CD8A0C340

Function 00007FF6B53B06FC Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B0775
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B07D1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B080C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53B0831

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction ID: 0fa664588b7b14d5e30531e32f59cc91202ed08ac807f316558dd0c369a7a88e
Opcode Fuzzy Hash: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction Fuzzy Hash: D3416122929E8589EB53EF28C4552FD7BA0AB45F84F49C071C78C8738BEE3D9945C711

Function 00007FF6B53678A0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B53678CB
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B53678F0
std::_Facet_Register.LIBCPMT ref: 00007FF6B536799B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B53679E6

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: fce11bbf2716b712929d21612f2a8f238f427733906def6abb3c40e1e27c6ea6
Instruction ID: cf07df01ef8d387416c06796e161eeff06386542da911954d5aab11c79c2aa28
Opcode Fuzzy Hash: fce11bbf2716b712929d21612f2a8f238f427733906def6abb3c40e1e27c6ea6
Instruction Fuzzy Hash: 12414121A2CB4280EA15DB19E4542E967B0FB44FA4F580135DB8D877AEEF7CE851C710

Function 00007FF6B5364E10 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B5364E3B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B5364E60
std::_Facet_Register.LIBCPMT ref: 00007FF6B5364F0B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B5364F56

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: acbc9ea0ed55ab8395d29e3490695ccec0bb7a6dea11a1816461c93234175631
Instruction ID: d8033b1aaa95ed273a3dc69d82d41e931ff826d8c7bd20ac8430f8fd14641c66
Opcode Fuzzy Hash: acbc9ea0ed55ab8395d29e3490695ccec0bb7a6dea11a1816461c93234175631
Instruction Fuzzy Hash: 6D417321A2CB4280EA55DF19E4842F97760FB88F94F580135EB4D877AEEE3CE8528700

Function 00007FF6B53DB3F4 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6B53DB43D
GetLastError.KERNEL32 ref: 00007FF6B53DB44B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6B53650C9), ref: 00007FF6B53DB480
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6B53650C9), ref: 00007FF6B53DB48E

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: b0c4d9c72fcc6461851340ae7f6c093d4e41e08a8bab11e5154c9cbc0382217d
Instruction ID: 812b3ee3b2827cac1ac6a2059f3ad2631f400594bb9849e8a3c28c01442d6678
Opcode Fuzzy Hash: b0c4d9c72fcc6461851340ae7f6c093d4e41e08a8bab11e5154c9cbc0382217d
Instruction Fuzzy Hash: C2215176A28B4587E720CF15E45436E7AB4F789F94F140138DB8997B99EF3CE8118B00

Function 00007FF6B53DB8E0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B53DB210: GetModuleHandleW.KERNEL32(?,?,?,00007FF6B53DB8FA), ref: 00007FF6B53DB226
Part of subcall function 00007FF6B53DB210: GetProcAddress.KERNEL32(?,?,?,00007FF6B53DB8FA), ref: 00007FF6B53DB236

GetLastError.KERNEL32 ref: 00007FF6B53DB904

Part of subcall function 00007FF6B53B98B4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6B53AF8CA,?,?,-2723E8D8DEBC5093,00007FF6B53B8156), ref: 00007FF6B53B98DA

GetFileAttributesW.KERNEL32 ref: 00007FF6B53DB913
__std_fs_open_handle.LIBCPMT ref: 00007FF6B53DB93C
CloseHandle.KERNEL32 ref: 00007FF6B53DB94E

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Handle$AddressAttributesCloseErrorFeatureFileLastModulePresentProcProcessor__std_fs_open_handle
String ID:
API String ID: 156590933-0
Opcode ID: 6a84e7cc61d3f6faa1a02f0b285c9e89f06a54f244136a8e8d2e5cb925bd3053
Instruction ID: 9d590cec49b00ec6bd0efbbe4fe38cf4ac332932426f8b7999dcd61a07920def
Opcode Fuzzy Hash: 6a84e7cc61d3f6faa1a02f0b285c9e89f06a54f244136a8e8d2e5cb925bd3053
Instruction Fuzzy Hash: EA114621A7C68245EA50572DA0942BA6671DB44FB0F141634E77EC67EEEE3CD8418F00

Function 00007FF6B53D2E40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6B53D2E6A

Strings

csm, xrefs: 00007FF6B53D2E8F
csm, xrefs: 00007FF6B53D2FFE

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 4d7a57ad738694d133ebd4354881888b3b35db442aff29f4f0bd919a509eac2d
Instruction ID: 8378c743516ddd0094c36efe972f7c28748bafaeb3b7ccc4112d20cd452adc68
Opcode Fuzzy Hash: 4d7a57ad738694d133ebd4354881888b3b35db442aff29f4f0bd919a509eac2d
Instruction Fuzzy Hash: 4971806251868186EB618A29D4807B9BAA0FB44F85F148175EF4D87BCEEF3CD991C740

Function 00007FF6B53D089C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6B53D08C7
RtlUnwindEx.KERNEL32 ref: 00007FF6B53D09B8

Strings

csm, xrefs: 00007FF6B53D0945

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: Unwind__except_validate_context_record
String ID: csm
API String ID: 2208346422-1018135373
Opcode ID: b6b4ec287b03b43af7135d47e4a928fccc53e45a76218f894a62c54d13e92dd1
Instruction ID: 8068dcfaa929bb32ff36c36181f108d8b0c0ff2440bb29482ab2c6909026a317
Opcode Fuzzy Hash: b6b4ec287b03b43af7135d47e4a928fccc53e45a76218f894a62c54d13e92dd1
Instruction Fuzzy Hash: 2F517122B6A6068AEB55CB19E044ABC27A1EB44F94F548131DB5E877DAFF7CEC41C700

Function 00007FF6B536A600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B536A66F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6B536A6B7

Strings

bad locale name, xrefs: 00007FF6B536A796

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 3ed45f339c8c002eab9b665f8468a7d6672470220fe7fd7aec0b4e39f8eb7c09
Instruction ID: 621f06f2a289d10289c57ceb9c5a4cace05562cf972111bfdef140ab6c5fb0be
Opcode Fuzzy Hash: 3ed45f339c8c002eab9b665f8468a7d6672470220fe7fd7aec0b4e39f8eb7c09
Instruction Fuzzy Hash: 42514B32B19B41C9EB54DFB8E4502EC33B5EF44B48F044439EB4DA6B9AEE38D9259344

Function 00007FF6B53C2D58 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6B53C8138: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B53C816B

_get_daylight.LIBCMT ref: 00007FF6B53C2E70
_get_daylight.LIBCMT ref: 00007FF6B53C2E81

Strings

?, xrefs: 00007FF6B53C2E01

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8cc10c94a39c9ff88641584515667495cb56c14fac55e8e90be5500fd08faa51
Instruction ID: 86bd87c774263690aa102022ca53e8167c0d2bcf008c6acce5129b0793699f63
Opcode Fuzzy Hash: 8cc10c94a39c9ff88641584515667495cb56c14fac55e8e90be5500fd08faa51
Instruction Fuzzy Hash: 7241D512A287A246FB64972D98453BA5650EB91FA4F144235FF9C86BDAFF3CD8418700

Function 00007FF6B53D3530 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6B53D35DA
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6B53D3603

Strings

csm, xrefs: 00007FF6B53D3703

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 30dd612b4e4b9212e9166655247be16b5f23695bfc4863c6a6ebc2986465c29c
Instruction ID: 92e46716d0bffc9494a7886adfaff8ca239e2960e1f9a5b77e1da835c062e4a6
Opcode Fuzzy Hash: 30dd612b4e4b9212e9166655247be16b5f23695bfc4863c6a6ebc2986465c29c
Instruction Fuzzy Hash: CB51827666874586D660EF19E0402AD77B4F789F91F100534EB8D87B9AEF3CE851CB01

Function 00007FF6B537B198 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B537B382

Strings

iterator does not fit current value, xrefs: 00007FF6B537B3C4
iterator out of range, xrefs: 00007FF6B537B3F8

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: iterator does not fit current value$iterator out of range
API String ID: 3668304517-1046077056
Opcode ID: c783f45f6ac9ed78e5ccc847484a86fd53dc522b74bb063e9fdd151bce9c54cb
Instruction ID: 4ed5491b5496bf9913f8dcf88afb1f6bf7ea4486c88dad62b2be51ecdfca4de4
Opcode Fuzzy Hash: c783f45f6ac9ed78e5ccc847484a86fd53dc522b74bb063e9fdd151bce9c54cb
Instruction Fuzzy Hash: 184181A3F18A8696E711DB68D4952EC27709B51B48F944076CB0D83BDFEE38995AC340

Function 00007FF6B537B1F5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6B537B382

Strings

iterator does not fit current value, xrefs: 00007FF6B537B3C4
iterator out of range, xrefs: 00007FF6B537B3F8

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: iterator does not fit current value$iterator out of range
API String ID: 3668304517-1046077056
Opcode ID: 5241b744fb5bd14edf4650fb39449879ec2e0fa76d064271e4a9ac59758b63dd
Instruction ID: 8aa206daad9a36f921f2965023db61ada799d3d07f9af12d7af04cc98a1879b8
Opcode Fuzzy Hash: 5241b744fb5bd14edf4650fb39449879ec2e0fa76d064271e4a9ac59758b63dd
Instruction Fuzzy Hash: 7D4194A3F19A8596FB11DB64D8952EC23709B50B48F94447ACB0D83BDFFE389969C340

Function 00007FF6B53D0E88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6B53DC3D2), ref: 00007FF6B53D0ED8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6B53DC3D2), ref: 00007FF6B53D0F19

Strings

csm, xrefs: 00007FF6B53D0F06

Memory Dump Source

Source File: 00000000.00000002.2422055903.00007FF6B5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B5320000, based on PE: true

Associated: 00000000.00000002.2422031968.00007FF6B5320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422144649.00007FF6B53F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422195982.00007FF6B5450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422246901.00007FF6B5452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422274890.00007FF6B5455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422302366.00007FF6B5458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b5320000_duschno.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b70c8f01ca01e1ec4819aea0aadbf8579bb2f3e39c9b562f706c3da26c2f4cc1
Instruction ID: 218e00a383b2b73b96cbe0c24e609d267e10aa3dfc747220344325c8510dedaf
Opcode Fuzzy Hash: b70c8f01ca01e1ec4819aea0aadbf8579bb2f3e39c9b562f706c3da26c2f4cc1
Instruction Fuzzy Hash: 65112E32619B8582EB618F19F440299B7E4FB88F84F584235EB8D47B99EF3CD9518700

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report duschno.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Meduza Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
duschno.exe

Function 00007FF6B53A8330 Relevance: 50.4, APIs: 19, Strings: 9, Instructions: 1376
COMMON

Function 00007FF6B5386350 Relevance: 46.6, APIs: 20, Strings: 6, Instructions: 1136
COMMON

Function 00007FF6B53A5B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Function 00007FF6B535D570 Relevance: 35.9, APIs: 17, Strings: 3, Instructions: 862
libraryloaderCOMMON

Function 00007FF6B5352CA0 Relevance: 32.3, APIs: 13, Strings: 5, Instructions: 789
registryCOMMON

Function 00007FF6B53520B0 Relevance: 28.7, APIs: 12, Strings: 4, Instructions: 684
registryCOMMON

Function 00007FF6B538D080 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 599
COMMON

Function 00007FF6B53DB5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Function 00007FF6B535CA10 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 671
COMMON

Function 00007FF6B5369F80 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 417
COMMON

Function 00007FF6B539C600 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 170
COMMON

Function 00007FF6B5385970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Function 00007FF6B539EBF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Function 00007FF6B539FCA0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 226
networkCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre